deprecated
Simplifying severity management by deprecating the “Info” severity ℹ️
over 2 years ago by Gilad Mark
To make severity management easier, Bridgecrew has removed the “Info” severity for both out-of-the-box and custom policies. The following changes apply:
- We now support four severity levels: Low, Medium, High, and Critical
- All policies that had the Info severity, including out-of-the-box and custom policies, are now labeled Low severity
- The Info severity is no longer an option for custom policies
- If you had set your alerting level to Info and above for Code Reviews or pull request comments, the level has been set to Low and above automatically
This change is applied across all pages, compliance reports, and code repository settings.
The following policies were changed from INFO to LOW:
Bridgecrew Policy ID | Bridgecrew Policy Name |
---|---|
BC_AWS_GENERAL_21 | Ensure all unused Elastic Load Balancer are deleted |
BC_AWS_GENERAL_26 | Ensure taggable resources are tagged |
BC_AWS_GENERAL_31 | Ensure Instance Metadata Service Version 1 is not enabled |
BC_AWS_GENERAL_35 | Take action on EC2 instances with scheduled maintenance to prevent downtime |
BC_AWS_GENERAL_44 | Ensure that Auto Scaling is enabled on your DynamoDB tables |
BC_AWS_GENERAL_45 | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
BC_AWS_GENERAL_47 | Ensure that Redshift clusters has backup plan of AWS Backup |
BC_AWS_GENERAL_48 | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup |
BC_AWS_GENERAL_49 | Ensure that RDS clusters has backup plan of AWS Backup |
BC_AWS_GENERAL_50 | Ensure that EBS are added in the backup plans of AWS Backup |
BC_AWS_GENERAL_52 | Ensure DynamoDB Tables are encrypted using KMS |
BC_AWS_GENERAL_53 | Ensure that ECR repositories are encrypted using KMS |
BC_AWS_GENERAL_54 | Ensure that RDS global clusters are encrypted |
BC_AWS_GENERAL_55 | Ensure that Redshift cluster is encrypted by KMS |
BC_AWS_GENERAL_56 | Ensure that S3 buckets are encrypted with KMS by default |
BC_AWS_GENERAL_60 | Ensure that only encrypted EBS volumes are attached to EC2 instances |
BC_AWS_GENERAL_66 | Ensure GuardDuty is enabled to specific org/region |
BC_AWS_GENERAL_68 | Ensure that EC2 is EBS optimized |
BC_AWS_GENERAL_69 | Ensure that RDS clusters have deletion protection enabled |
BC_AWS_GENERAL_70 | Ensured that redshift cluster allowing version upgrade by default |
BC_AWS_GENERAL_71 | Ensure that S3 bucket has lock configuration enabled by default |
BC_AWS_GENERAL_72 | Ensure that S3 bucket has cross-region replication enabled |
BC_AWS_IAM_21 | Ensure a support role has been created to manage incidents with AWS Support |
BC_AWS_IAM_54 | Ensure IAM policies does not allow credentials exposure |
BC_AWS_IAM_55 | Ensure IAM policies does not allow data exfiltration |
BC_AWS_IAM_56 | Ensure IAM policies does not allow permissions management / resource exposure without constraints |
BC_AWS_IAM_57 | Ensure IAM policies does not allow write access without constraints |
BC_AWS_IAM_59 | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled |
BC_AWS_IAM_60 | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
BC_AWS_IAM_61 | Ensure that IAM groups includes at least one IAM user |
BC_AWS_IAM_62 | Ensure that all IAM users are members of at least one IAM group. |
BC_AWS_KUBERNETES_3 | Ensure EKS Cluster has Secrets Encryption Enabled |
BC_AWS_LOGGING_15 | Ensure API Gateway has X-Ray Tracing enabled |
BC_AWS_LOGGING_16 | Ensure Global Accelerator has flow logs enabled |
BC_AWS_LOGGING_17 | Ensure API Gateway has Access Logging enabled |
BC_AWS_LOGGING_29 | Ensure API Gateway stage have logging level defined as appropriate |
BC_AWS_MONITORING_14 | Ensure a log metric filter and alarm exist for VPC changes |
BC_AWS_NETWORKING_27 | Default VPC should not be used |
BC_AWS_NETWORKING_40 | Ensure that Amazon EMR clusters' security groups are not open to the world |
BC_AWS_NETWORKING_42 | Ensure that Elasticsearch is configured inside a VPC |
BC_AWS_NETWORKING_43 | Ensure that ELB is cross-zone-load-balancing enabled |
BC_AWS_NETWORKING_46 | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. |
BC_AWS_NETWORKING_48 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways |
BC_AWS_NETWORKING_49 | Ensure that ALB redirects HTTP requests into HTTPS ones |
BC_AWS_NETWORKING_50 | Ensure that all NACL are attached to subnets |
BC_AWS_NETWORKING_51 | Ensure that Security Groups are attached to another resource |
BC_AWS_NETWORKING_52 | Ensure that S3 bucket has a Public Access block |
BC_AWS_PUBLIC_6 | Ensure there is no open access to back-end resources through API |
BC_AZR_GENERAL_16 | Ensure that PostgreSQL server enables geo-redundant backups |
BC_AZR_GENERAL_17 | Ensure that key vault key is backed by HSM |
BC_AZR_GENERAL_18 | Ensure that MariaDB server enables geo-redundant backups |
BC_AZR_GENERAL_19 | Ensure that My SQL server enables geo-redundant backups |
BC_AZR_GENERAL_20 | Ensure that virtual machines are backed up using Azure Backup |
BC_AZR_GENERAL_21 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
BC_AZR_GENERAL_24 | Ensure that PostgreSQL server enables infrastructure encryption |
BC_AZR_GENERAL_25 | Ensure that Automation account variables are encrypted |
BC_AZR_GENERAL_26 | Ensure that Azure Data Explorer uses disk encryption |
BC_AZR_GENERAL_27 | Ensure that Azure Data Explorer uses double encryption |
BC_AZR_GENERAL_28 | Ensure that Azure Batch account uses key vault to encrypt data |
BC_AZR_GENERAL_29 | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
BC_AZR_GENERAL_30 | Ensure that MySQL server enables infrastructure encryption |
BC_AZR_GENERAL_31 | Ensure that Virtual machine scale sets have encryption at host enabled |
BC_AZR_GENERAL_33 | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
BC_AZR_GENERAL_34 | Ensure that Unattached disks are encrypted |
BC_AZR_GENERAL_35 | Ensure that Azure data factories are encrypted with a customer-managed key |
BC_AZR_GENERAL_36 | Ensure that MySQL server enables customer-managed key for encryption |
BC_AZR_GENERAL_37 | Ensure that PostgreSQL server enables customer-managed key for encryption |
BC_AZR_GENERAL_38 | Ensure that Storage Accounts use customer-managed key for encryption |
BC_AZR_GENERAL_39 | Ensure that Azure Data Factory uses Git repository for source control |
BC_AZR_GENERAL_40 | Ensure that key vault enables purge protection |
BC_AZR_GENERAL_41 | Ensure that key vault enables soft delete |
BC_AZR_GENERAL_42 | Ensure that key vault secrets have "content_type" set |
BC_AZR_GENERAL_44 | Ensure that My SQL server enables Threat detection policy |
BC_AZR_GENERAL_45 | Ensure that PostgreSQL server enables Threat detection policy |
BC_AZR_GENERAL_47 | Ensure that function apps enables Authentication |
BC_AZR_GENERAL_48 | Ensure that CORS disallows every resource to access app services |
BC_AZR_GENERAL_51 | Ensure function apps are not accessible from all regions |
BC_AZR_GENERAL_52 | Ensure that 'HTTP Version' is the latest, if used to run the Function app |
BC_AZR_GENERAL_54 | Ensure that Managed identity provider is enabled for app services |
BC_AZR_GENERAL_55 | Ensure that remote debugging is not enabled for app services |
BC_AZR_GENERAL_57 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app |
BC_AZR_GENERAL_58 | Ensure that 'PHP version' is the latest, if used to run the web app |
BC_AZR_GENERAL_59 | Ensure that 'Python version' is the latest, if used to run the web app |
BC_AZR_GENERAL_60 | Ensure that 'Java version' is the latest, if used to run the web app |
BC_AZR_GENERAL_65 | Ensure that app services use Azure Files |
BC_AZR_GENERAL_66 | Ensure that Virtual Machines use managed disks |
BC_AZR_GENERAL_67 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
BC_AZR_GENERAL_68 | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines |
BC_AZR_GENERAL_69 | Ensure that sql servers enables data security policy |
BC_AZR_GENERAL_70 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
BC_AZR_GENERAL_71 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
BC_AZR_GENERAL_72 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
BC_AZR_GENERAL_73 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
BC_AZR_GENERAL_74 | Ensure that Azure Active Directory Admin is configured |
BC_AZR_GENERAL_75 | Ensure Virtual Machines are utilizing Managed Disks |
BC_AZR_KUBERNETES_1 | Ensure AKS logging to Azure Monitoring is Configured |
BC_AZR_KUBERNETES_2 | Ensure RBAC is enabled on AKS clusters |
BC_AZR_KUBERNETES_3 | Ensure AKS has an API Server Authorized IP Ranges enabled |
BC_AZR_KUBERNETES_4 | Ensure AKS cluster has Network Policy configured |
BC_AZR_KUBERNETES_5 | Ensure Kube Dashboard is disabled |
BC_AZR_KUBERNETES_6 | Ensure that AKS enables private clusters |
BC_AZR_KUBERNETES_7 | Ensure that AKS uses Azure Policies Add-on |
BC_AZR_KUBERNETES_8 | Ensure that AKS uses disk encryption set |
BC_AZR_LOGGING_10 | Ensure that App service enables failed request tracing |
BC_AZR_LOGGING_11 | Ensure Storage logging is enabled for Blob service for read requests |
BC_AZR_LOGGING_12 | Ensure the storage container storing the activity logs is not publicly accessible |
BC_AZR_LOGGING_7 | Ensure Storage logging is enabled for Table service for read requests |
BC_AZR_LOGGING_8 | Ensure that App service enables HTTP logging |
BC_AZR_LOGGING_9 | Ensure that App service enables detailed error messages |
BC_AZR_NETWORKING_18 | Ensure that Storage accounts disallow public access |
BC_AZR_NETWORKING_20 | Ensure that PostgreSQL server disables public network access |
BC_AZR_NETWORKING_21 | Ensure that Function apps is only accessible over HTTPS |
BC_AZR_NETWORKING_23 | Ensure that Azure Cache for Redis disables public network access |
BC_AZR_NETWORKING_24 | Ensure that only SSL are enabled for Cache for Redis |
BC_AZR_NETWORKING_25 | Ensure that Azure Container group is deployed into virtual network |
BC_AZR_NETWORKING_26 | Ensure Cosmos DB accounts have restricted access |
BC_AZR_NETWORKING_27 | Ensure that Azure Synapse workspaces have no IP firewall rules attached |
BC_AZR_NETWORKING_28 | Ensure that Azure Cosmos DB disables public network access |
BC_AZR_NETWORKING_31 | Ensure that API management services use virtual networks |
BC_AZR_NETWORKING_34 | Ensure that SQL server disables public network access |
BC_AZR_NETWORKING_35 | Ensure that Network Interfaces disable IP forwarding |
BC_AZR_NETWORKING_36 | Ensure that Network Interfaces don't use public IPs |
BC_AZR_NETWORKING_37 | Ensure that Application Gateway enables WAF |
BC_AZR_NETWORKING_38 | Ensure that Azure Front Door enables WAF |
BC_AZR_NETWORKING_39 | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes |
BC_AZR_NETWORKING_40 | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes |
BC_AZR_NETWORKING_41 | Ensure that Azure Cognitive Search disables public network access |
BC_AZR_NETWORKING_42 | Ensure that Azure File Sync disables public network access |
BC_AZR_NETWORKING_43 | Ensure that Azure Synapse workspaces enables managed virtual networks |
BC_AZR_NETWORKING_44 | Ensure that MySQL server disables public network access |
BC_DKR_1 | Ensure port 22 is not exposed |
BC_DKR_2 | Ensure that HEALTHCHECK instructions have been added to container images |
BC_DKR_3 | Ensure that a user for the container has been created |
BC_DKR_4 | Ensure update instructions are not use alone in the Dockerfile |
BC_DKR_5 | Ensure that COPY is used instead of ADD in Dockerfiles |
BC_DKR_IMG_1 | Docker image scan found vulnerabilities |
BC_GCP_GENERAL_8 | Ensure that there are only GCP-managed service account keys for each service account |
BC_GCP_GENERAL_9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
BC_GCP_IAM_11 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
BC_GCP_KUBERNETES_1 | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
BC_GCP_KUBERNETES_10 | Ensure GKE Control Plane is not public |
BC_GCP_KUBERNETES_11 | Ensure GKE basic auth is disabled |
BC_GCP_KUBERNETES_12 | Ensure master authorized networks is set to enabled in GKE clusters |
BC_GCP_KUBERNETES_13 | Ensure Kubernetes Clusters are configured with Labels |
BC_GCP_KUBERNETES_14 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
BC_GCP_KUBERNETES_15 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
BC_GCP_KUBERNETES_16 | Ensure GKE clusters are not running using the Compute Engine default service account |
BC_GCP_KUBERNETES_17 | Ensure Secure Boot for Shielded GKE Nodes is Enabled |
BC_GCP_KUBERNETES_18 | Enable VPC Flow Logs and Intranode Visibility |
BC_GCP_KUBERNETES_19 | Ensure clusters are created with Private Nodes |
BC_GCP_KUBERNETES_2 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
BC_GCP_KUBERNETES_20 | Manage Kubernetes RBAC users with Google Groups for GKE |
BC_GCP_KUBERNETES_21 | Ensure use of Binary Authorization |
BC_GCP_KUBERNETES_22 | Ensure legacy Compute Engine instance metadata APIs are Disabled |
BC_GCP_KUBERNETES_23 | Ensure the GKE Metadata Server is Enabled |
BC_GCP_KUBERNETES_24 | Ensure Shielded GKE Nodes are Enabled |
BC_GCP_KUBERNETES_25 | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
BC_GCP_KUBERNETES_3 | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
BC_GCP_KUBERNETES_4 | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters |
BC_GCP_KUBERNETES_5 | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters |
BC_GCP_KUBERNETES_6 | Ensure Kubernetes Cluster is created with Private cluster enabled |
BC_GCP_KUBERNETES_7 | Ensure Network Policy is enabled on Kubernetes Engine Clusters |
BC_GCP_KUBERNETES_8 | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters |
BC_GCP_KUBERNETES_9 | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
BC_GCP_LOGGING_4 | Ensure that retention policies on log buckets are configured using Bucket Lock |
BC_GCP_LOGGING_5 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
BC_GCP_NETWORKING_13 | Ensure legacy networks do not exist for a project |
BC_K8S_100 | Ensure that the --protect-kernel-defaults argument is set to true |
BC_K8S_101 | Ensure that the --make-iptables-util-chains argument is set to true |
BC_K8S_102 | Ensure that the --hostname-override argument is not set |
BC_K8S_103 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
BC_K8S_11 | Memory requests should be set |
BC_K8S_13 | Image Tag should be fixed - not latest or blank |
BC_K8S_14 | Image Pull Policy should be Always |
BC_K8S_20 | The default namespace should not be used |
BC_K8S_23 | Do not allow containers with added capability |
BC_K8S_24 | Minimize the admission of containers with added capability |
BC_K8S_25 | Do not specify hostPort unless absolutely necessary |
BC_K8S_27 | Minimize the admission of containers with the NET_RAW capability |
BC_K8S_28 | Apply security context to your pods and containers |
BC_K8S_29 | Ensure that the seccomp profile is set to docker/default or runtime/default |
BC_K8S_30 | Ensure default seccomp profile set to docker/default or runtime/default |
BC_K8S_31 | Ensure the Kubernetes dashboard is not deployed |
BC_K8S_32 | Ensure that Tiller (Helm v2) is not deployed |
BC_K8S_33 | Prefer using secrets as files over secrets as environment variables |
BC_K8S_34 | Minimize the admission of containers with capabilities assigned |
BC_K8S_35 | Ensure that Service Account Tokens are only mounted where necessary |
BC_K8S_38 | Ensure that default service accounts are not actively used |
BC_K8S_39 | Image should use digest |
BC_K8S_40 | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
BC_K8S_41 | Ensure that the Tiller Service (Helm v2) is deleted |
BC_K8S_43 | Apply security context to your pods and containers |
BC_K8S_44 | Minimize the admission of containers with capabilities assigned |
BC_K8S_45 | Ensure that default service accounts are not actively used |
BC_K8S_46 | Ensure that the --anonymous-auth argument is set to false |
BC_K8S_47 | Ensure that the --basic-auth-file argument is not set |
BC_K8S_48 | Ensure that the --token-auth-file argument is not set |
BC_K8S_54 | Ensure that the --authorization-mode argument includes RBAC |
BC_K8S_58 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
BC_K8S_59 | Ensure that the admission control plugin ServiceAccount is set |
BC_K8S_6 | Do not admit containers with the NET_RAW capability |
BC_K8S_60 | Ensure that the admission control plugin NamespaceLifecycle is set |
BC_K8S_61 | Ensure that the admission control plugin PodSecurityPolicy is set |
BC_K8S_65 | Ensure that the --secure-port argument is not set to 0 |
BC_K8S_66 | Ensure that the --profiling argument is set to false |
BC_K8S_7 | Liveness Probe Should be Configured |
BC_K8S_70 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
BC_K8S_76 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
BC_K8S_8 | Readiness Probe Should be Configured |
BC_K8S_9 | CPU requests should be set |
BC_K8S_96 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
BC_K8S_97 | Ensure that the --client-ca-file argument is set as appropriate |
BC_K8S_98 | Ensure that the --read-only-port argument is set to 0 |
BC_K8S_99 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |