Supported Vulnerabilities

Here is an exhaustive list of the vulnerabilities supported by GitGuardian:

| Policy Name | ID | Severity | Categories |
|---|---|---|---|
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0002 | HIGH | NETWORK |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0003 | HIGH | NETWORK |
| Publicly accessible databases are exposed to remote attacks | GG_IAC_0004 | HIGH | NETWORK |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0005 | HIGH | NETWORK |
| Some internal services might be listening to remote requests | GG_IAC_0006 | HIGH | NETWORK |
| Exposing a sensitive environment variable in the configuration can lead to a credentials leak | GG_IAC_0007 | CRITICAL | SECRET |
| Unencrypted S3 bucket can lead to data leak | GG_IAC_0008 | HIGH | PERMISSION |
| Leaving remote access accessible from the internet increases the attack surface | GG_IAC_0009 | CRITICAL | NETWORK |
| Giving sudo rights to a user allows privilege escalation attacks | GG_IAC_0010 | CRITICAL | PERMISSION |
| Using the default service account on a compute instance allows an attacker to spread through the network | GG_IAC_0011 | CRITICAL | PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0012 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0013 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0014 | HIGH | NETWORK |
| Not setting deny as a default rule for a storage account's network access can lead to data leaks | GG_IAC_0015 | HIGH | NETWORK |
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0016 | HIGH | NETWORK |
| A DigitalOcean Spaces bucket has a public read Access Control List, which can lead to private data exposure | GG_IAC_0017 | CRITICAL | DATA, PERMISSION |
| A GCP persistent disk is encrypted with a key specified in plain text | GG_IAC_0018 | CRITICAL | DATA, SECRET |
| An AWS CloudFront distribution allows unencrypted communications over HTTP | GG_IAC_0019 | CRITICAL | DATA, NETWORK |
| Defining a GCP BigQuery dataset as publicly accessible can lead to data exposure | GG_IAC_0020 | CRITICAL | DATA, PERMISSION |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0021 | HIGH | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0022 | MEDIUM | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0024 | HIGH | NETWORK |
| An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front | GG_IAC_0025 | HIGH | NETWORK |
| An AWS CloudFront distribution uses a deprecated version of SSL/TLS | GG_IAC_0026 | HIGH | NETWORK |
| CloudTrail logs are not encrypted using AWS KMS-managed keys | GG_IAC_0027 | HIGH | DATA, PERMISSION |
| CloudTrail log validation is not enabled | GG_IAC_0028 | HIGH | PERMISSION |
| CodeBuild build artifact encryption should not be disabled | GG_IAC_0029 | HIGH | DATA, PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0030 | HIGH | NETWORK |
| Not encrypting Athena query results can lead to data leak | GG_IAC_0031 | HIGH | DATA |
| Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings | GG_IAC_0032 | HIGH | DATA |
| EC2 instances use an unencrypted block device | GG_IAC_0033 | HIGH | DATA |
| Assigning public IP addresses exposes your instances to the public internet | GG_IAC_0034 | HIGH | NETWORK |
| The Instance Metadata Service should not be available through IMDSv1 | GG_IAC_0035 | HIGH | DATA, PERMISSION |
| DocumentDB cluster encryption should not be disabled | GG_IAC_0036 | HIGH | DATA, PERMISSION |
| DAX cluster encryption should not be disabled | GG_IAC_0037 | HIGH | DATA, PERMISSION |
| EBS volume encryption should not be disabled | GG_IAC_0038 | HIGH | DATA, PERMISSION |
| ECR image scanning should be enabled | GG_IAC_0039 | HIGH | SECRET |
| ECR registry with mutable tags can lead to code injection | GG_IAC_0040 | HIGH | OTHER |
| ECR registry with public access can lead to code and data leak | GG_IAC_0041 | HIGH | PERMISSION |
| Not encrypting EFS mount can lead to data leak | GG_IAC_0042 | HIGH | DATA |
| Not encrypting data at rest can lead to data leak | GG_IAC_0043 | HIGH | DATA |
| Encrypting EKS secrets with AWS KMS adds another layer of security | GG_IAC_0044 | HIGH | SECRET |
| Elasticsearch should use node-to-node encryption | GG_IAC_0045 | HIGH | DATA, NETWORK, PERMISSION |
| ElastiCache data should be encrypted at rest | GG_IAC_0046 | HIGH | DATA, PERMISSION |
| Elasticsearch data should be encrypted at rest | GG_IAC_0047 | HIGH | DATA, PERMISSION |
| ElastiCache should use in-transit encryption | GG_IAC_0048 | HIGH | DATA, NETWORK, PERMISSION |
| ELB load balancers should drop invalid headers | GG_IAC_0049 | HIGH | NETWORK |
| ELB load balancers should be internal | GG_IAC_0050 | HIGH | NETWORK |
| IAM policies should avoid using wildcards | GG_IAC_0051 | HIGH | PERMISSION |
| Kinesis should use in-transit encryption | GG_IAC_0052 | HIGH | DATA, NETWORK, PERMISSION |
| MQ brokers should not be publicly accessible | GG_IAC_0053 | HIGH | NETWORK |
| MSK clusters should use in-transit encryption | GG_IAC_0054 | HIGH | DATA, NETWORK, PERMISSION |
| Allowing public exposure of an S3 bucket can lead to data leakage | GG_IAC_0055 | HIGH | DATA |
| Not restricting public access on an S3 bucket can lead to data leakage | GG_IAC_0056 | HIGH | DATA |
| Granting public ACL rights on a bucket can lead to data leakage | GG_IAC_0057 | HIGH | DATA |
| AWS RDS Performance Insights should be encrypted | GG_IAC_0058 | HIGH | DATA, PERMISSION |
| AWS RDS Aurora cluster should be encrypted | GG_IAC_0059 | HIGH | DATA, PERMISSION |
| AWS RDS DB instance should be encrypted | GG_IAC_0060 | HIGH | DATA, PERMISSION |
| AWS SNS topic should be encrypted | GG_IAC_0061 | HIGH | DATA, PERMISSION |
| AWS SQS queue should be encrypted | GG_IAC_0062 | HIGH | DATA, PERMISSION |
| Neptune storage should be encrypted at rest | GG_IAC_0063 | HIGH | DATA, PERMISSION |
| Redshift clusters should be encrypted at rest | GG_IAC_0064 | HIGH | DATA, PERMISSION |
| SQS policy documents should avoid using wildcards | GG_IAC_0065 | HIGH | PERMISSION |
| AWS Elasticsearch domain endpoints should not use a deprecated version of SSL/TLS | GG_IAC_0066 | HIGH | NETWORK |
| Root and User WorkSpaces volumes should be encrypted | GG_IAC_0067 | HIGH | DATA, PERMISSION |
| Redshift cluster should use a specific VPC | GG_IAC_0068 | HIGH | PERMISSION |
| Neptune storage encryption should use KMS keys | GG_IAC_0069 | LOW | DATA, PERMISSION |
| IAM policies should remove root access keys | GG_IAC_0070 | CRITICAL | PERMISSION |
| A CloudTrail bucket has a public read Access Control List, which can lead to private data exposure | GG_IAC_0071 | CRITICAL | DATA |
| EMR clusters should be encrypted at rest | GG_IAC_0072 | HIGH | DATA, PERMISSION |
| EMR clusters should use in-transit encryption | GG_IAC_0073 | HIGH | DATA, NETWORK, PERMISSION |
| HTTP data block can be used to leak secrets or variables outside of the organization | GG_IAC_0074 | CRITICAL | SECRET |
| EMR cluster local storage should be encrypted to prevent sensitive data leaks | GG_IAC_0075 | HIGH | DATA |
| EC2 subnet instance should not expose a public IP | GG_IAC_0076 | HIGH | NETWORK |
| Key vault has no network ACL specified | GG_IAC_0077 | CRITICAL | NETWORK |
| Data Factory should not be publicly exposed | GG_IAC_0078 | CRITICAL | DATA |
| Image should not have 'root' user | GG_IAC_0079 | HIGH | PERMISSION |
| Default network exposes the project to external attacks | GG_IAC_0080 | HIGH | NETWORK |
| Enabling local data loading may allow attackers to read server files | GG_IAC_0081 | HIGH | DATA |
| Traffic to /0. allowed in firewall outbound rule | GG_IAC_0082 | CRITICAL | NETWORK |
| Traffic from /0. allowed in firewall inbound rule | GG_IAC_0083 | CRITICAL | NETWORK |
| Cloud Storage bucket is anonymously or publicly accessible | GG_IAC_0084 | HIGH | PERMISSION |
| No SSL connection on SQL database might lead to data exposure | GG_IAC_0085 | HIGH | DATA, NETWORK |
| SQL database should not be publicly exposed | GG_IAC_0086 | HIGH | DATA |
| Instance should not expose a public IP | GG_IAC_0087 | HIGH | NETWORK |
| No IP forwarding | GG_IAC_0088 | HIGH | NETWORK |
| GKE Control Plane should not be publicly accessible | GG_IAC_0089 | HIGH | NETWORK |
| Stale CryptoKeys make encrypted data insecure | GG_IAC_0090 | HIGH | SECRET |
| Node should be shielded | GG_IAC_0091 | HIGH | DATA |
| GKE metadata is not concealed | GG_IAC_0092 | HIGH | SECRET |
| Too many service account permissions may compromise services | GG_IAC_0093 | HIGH | PERMISSION |
| Master authorized networks are not configured | GG_IAC_0094 | HIGH | NETWORK |
| Legacy metadata endpoints should not be explicitly enabled | GG_IAC_0095 | HIGH | DATA |
| Legacy authentication should not be used | GG_IAC_0096 | HIGH | PERMISSION |
| Use RBAC permissions rather than ABAC | GG_IAC_0097 | HIGH | PERMISSION |
| TLS version is outdated | GG_IAC_0098 | HIGH | NETWORK |
| Container should not have privileged rights | GG_IAC_0099 | HIGH | PERMISSION |
| Tiller Helm component is deployed | GG_IAC_0100 | CRITICAL | OTHER |
| SYS_ADMIN capability should not be added to the container | GG_IAC_0101 | HIGH | PERMISSION |
| Containers should not use the host IPC namespace | GG_IAC_0102 | HIGH | PERMISSION |
| Containers should not use the host network namespace | GG_IAC_0103 | HIGH | PERMISSION |
| Containers should not use the host PID namespace | GG_IAC_0104 | HIGH | PERMISSION |
| Docker socket should not be mounted into containers | GG_IAC_0105 | HIGH | NETWORK |
| Do not allow public ingress via network policies | GG_IAC_0106 | HIGH | NETWORK |
| Pod ports should not be exposed through host ports | GG_IAC_0107 | HIGH | PERMISSION |
| Do not grant public access on storage containers | GG_IAC_0108 | HIGH | NETWORK |
| Storage account should disallow insecure transfers | GG_IAC_0109 | HIGH | NETWORK |
| Database is publicly accessible | GG_IAC_0110 | HIGH | NETWORK |
| Data at rest should be encrypted | GG_IAC_0111 | HIGH | DATA |
| Disk encryption should be enabled | GG_IAC_0112 | HIGH | DATA |
| Password authentication should be disabled on virtual machines | GG_IAC_0113 | HIGH | PERMISSION |
| Role-based access control should be enabled on clusters | GG_IAC_0114 | HIGH | PERMISSION |
| AKS cluster should have Network Policy configured | GG_IAC_0115 | HIGH | NETWORK |