Merge remote-tracking branch 'origin/develop' into claudio/rule-license

.github/workflows/pre-commit.yml

@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v5
       with:
-        python-version: '3.7'
+        python-version: '3.10'
     - uses: pre-commit/action@v2.0.0
       env:
         SKIP: yamlfmt

javascript/aws-lambda/security/tainted-sql-string.yaml

@@ -24,7 +24,7 @@ rules:
     - vuln
     likelihood: LOW
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: LOW
   languages:
   - javascript
   - typescript

terraform/gcp/security/gcp-sql-database-require-ssl.tf

@@ -1,4 +1,3 @@
-# fail
 # ruleid: gcp-sql-database-require-ssl
 resource "google_sql_database_instance" "fail" {
   database_version = "MYSQL_8_0"
@@ -18,4 +17,17 @@ resource "google_sql_database_instance" "success" {
       ipv4_enabled = true
       require_ssl = true
   }
-}
+}
+
+# ok: gcp-sql-database-require-ssl
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}

terraform/gcp/security/gcp-sql-database-require-ssl.yaml

@@ -16,6 +16,16 @@ rules:
           }
           ...
       }
+  - pattern-not-inside: |
+      resource "google_sql_database_instance" "..." {
+          ...
+          ip_configuration {
+              ...
+              ssl_mode = ...
+              ...
+          }
+          ...
+      }
   message: >-
     Ensure all Cloud SQL database instance requires all incoming connections to use SSL
   metadata: