Supported Vulnerabilities

Here is an exhaustive list of the vulnerabilities supported by GitGuardian:

| Policy name | ID | Severity | Categories |
|---|---|---|---|
| Plain HTTP is used | GG_IAC_0001 | HIGH | NETWORK |
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0002 | HIGH | NETWORK |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0003 | HIGH | NETWORK |
| Publicly accessible databases are exposed to remote attacks | GG_IAC_0004 | HIGH | NETWORK |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0005 | HIGH | NETWORK |
| Some internal services might be listening to remote requests | GG_IAC_0006 | HIGH | NETWORK |
| Exposing a sensitive environment variable in the configuration can lead to credentials leak | GG_IAC_0007 | CRITICAL | SECRET |
| Unencrypted S3 bucket can lead to data leak | GG_IAC_0008 | HIGH | PERMISSION |
| Leaving remote access accessible from the internet increases the attack surface | GG_IAC_0009 | CRITICAL | NETWORK |
| Giving sudo rights to a user allows privilege escalation attacks | GG_IAC_0010 | CRITICAL | PERMISSION |
| Using the default service account on a compute instance allows an attacker to spread through the network | GG_IAC_0011 | CRITICAL | PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0012 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0013 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0014 | HIGH | NETWORK |
| Not setting deny as a default rule for a storage account's network access can lead to data leaks | GG_IAC_0015 | HIGH | NETWORK |
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0016 | HIGH | NETWORK |
| A DigitalOcean Spaces bucket has a public read Access Control List which can lead to private data exposure | GG_IAC_0017 | CRITICAL | DATA, PERMISSION |
| A GCP persistent disk is encrypted with a key specified in plain text | GG_IAC_0018 | CRITICAL | DATA, SECRET |
| An AWS CloudFront distribution allows unencrypted communications over HTTP | GG_IAC_0019 | CRITICAL | DATA, NETWORK |
| Defining a GCP BigQuery dataset as publicly accessible can lead to data exposure | GG_IAC_0020 | CRITICAL | DATA, PERMISSION |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0021 | HIGH | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0022 | MEDIUM | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0024 | HIGH | NETWORK |
| An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front | GG_IAC_0025 | HIGH | NETWORK |
| An AWS CloudFront distribution uses a deprecated version of SSL/TLS | GG_IAC_0026 | HIGH | NETWORK |
| CloudTrail logs are not encrypted using AWS KMS-managed keys | GG_IAC_0027 | HIGH | DATA, PERMISSION |
| CloudTrail log validation is not enabled | GG_IAC_0028 | HIGH | PERMISSION |
| CodeBuild build artifacts encryption should not be disabled | GG_IAC_0029 | HIGH | DATA, PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0030 | HIGH | NETWORK |
| Not encrypting Athena query results can lead to data leak | GG_IAC_0031 | HIGH | DATA |
| Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings | GG_IAC_0032 | HIGH | DATA |
| EC2 instances use unencrypted block device | GG_IAC_0033 | HIGH | DATA |
| Assigning public IP addresses exposes your instances to the public internet | GG_IAC_0034 | HIGH | NETWORK |
| The Instance Metadata Service should not be available through IMDSv1 | GG_IAC_0035 | HIGH | DATA, PERMISSION |
| DocumentDB cluster encryption should not be disabled | GG_IAC_0036 | HIGH | DATA, PERMISSION |
| DAX cluster encryption should not be disabled | GG_IAC_0037 | HIGH | DATA, PERMISSION |
| EBS volume encryption should not be disabled | GG_IAC_0038 | HIGH | DATA, PERMISSION |
| ECR image scanning should be enabled | GG_IAC_0039 | HIGH | SECRET |
| ECR registry with mutable tags can lead to code injection | GG_IAC_0040 | HIGH | OTHER |
| ECR registry with public access can lead to code and data leak | GG_IAC_0041 | HIGH | PERMISSION |
| Not encrypting EFS mount can lead to data leak | GG_IAC_0042 | HIGH | DATA |
| Not encrypting data at rest can lead to data leak | GG_IAC_0043 | HIGH | DATA |
| Encrypting EKS secrets with AWS KMS adds another layer of security | GG_IAC_0044 | HIGH | SECRET |
| Elasticsearch should use node-to-node encryption | GG_IAC_0045 | HIGH | DATA, NETWORK, PERMISSION |
| ElastiCache data should be encrypted at rest | GG_IAC_0046 | HIGH | DATA, PERMISSION |
| Elasticsearch data should be encrypted at rest | GG_IAC_0047 | HIGH | DATA, PERMISSION |
| ElastiCache should use in-transit encryption | GG_IAC_0048 | HIGH | DATA, NETWORK, PERMISSION |
| ELB load balancers should drop invalid headers | GG_IAC_0049 | HIGH | NETWORK |
| ELB load balancers should be internal | GG_IAC_0050 | HIGH | NETWORK |
| IAM policies should avoid using wildcards | GG_IAC_0051 | HIGH | PERMISSION |
| Kinesis should use in-transit encryption | GG_IAC_0052 | HIGH | DATA, NETWORK, PERMISSION |
| MQ brokers should not be publicly accessible | GG_IAC_0053 | HIGH | NETWORK |
| MSK clusters should use in-transit encryption | GG_IAC_0054 | HIGH | DATA, NETWORK, PERMISSION |
| Allowing public exposure of an S3 bucket can lead to data leakage | GG_IAC_0055 | HIGH | DATA |
| Not restricting public access on an S3 bucket can lead to data leakage | GG_IAC_0056 | HIGH | DATA |
| Granting public ACL rights on a bucket can lead to data leakage | GG_IAC_0057 | HIGH | DATA |
| AWS RDS Performance Insights should be encrypted | GG_IAC_0058 | HIGH | DATA, PERMISSION |
| AWS RDS Aurora cluster should be encrypted | GG_IAC_0059 | HIGH | DATA, PERMISSION |
| AWS RDS DB instance should be encrypted | GG_IAC_0060 | HIGH | DATA, PERMISSION |
| AWS SNS topic should be encrypted | GG_IAC_0061 | HIGH | DATA, PERMISSION |
| AWS SQS queue should be encrypted | GG_IAC_0062 | HIGH | DATA, PERMISSION |
| Neptune storage should be encrypted at rest | GG_IAC_0063 | HIGH | DATA, PERMISSION |
| Redshift clusters should be encrypted at rest | GG_IAC_0064 | HIGH | DATA, PERMISSION |
| SQS policy documents should avoid using wildcards | GG_IAC_0065 | HIGH | PERMISSION |
| AWS Elasticsearch domain endpoints should not use a deprecated version of SSL/TLS | GG_IAC_0066 | HIGH | NETWORK |
| Root and User Workspaces volumes should be encrypted | GG_IAC_0067 | HIGH | DATA, PERMISSION |
| Redshift cluster should use a specific VPC | GG_IAC_0068 | HIGH | PERMISSION |
| Neptune storage encryption should use KMS keys | GG_IAC_0069 | LOW | DATA, PERMISSION |
| IAM policies should remove root access keys | GG_IAC_0070 | CRITICAL | PERMISSION |
| A CloudTrail bucket has a public read Access Control List which can lead to private data exposure | GG_IAC_0071 | CRITICAL | DATA |
| EMR clusters should be encrypted at rest | GG_IAC_0072 | HIGH | DATA, PERMISSION |
| EMR clusters should use in-transit encryption | GG_IAC_0073 | HIGH | DATA, NETWORK, PERMISSION |