deprecated

Simplifying severity management by deprecating the “Info” severity ℹ️

To make severity management easier, Bridgecrew has removed the “Info” severity for both out-of-the-box and custom policies. The following changes apply:

  • We now support four severity levels: Low, Medium, High, and Critical
  • All policies that had the Info severity, including out-of-the-box and custom policies, are now labeled Low severity
  • The Info severity will no longer be an option for custom policies
  • If you set your alerting level to Info and above for Code Reviews or pull request comments, the level is now set to Low and above automatically

This change is applied across all pages, compliance reports, and code repository settings.

The following policies were changed from INFO to LOW:

| Bridgecrew Policy ID | Bridgecrew Policy Name |
| --- | --- |
| BC_AWS_GENERAL_21 | Ensure all unused Elastic Load Balancer are deleted |
| BC_AWS_GENERAL_26 | Ensure taggable resources are tagged |
| BC_AWS_GENERAL_31 | Ensure Instance Metadata Service Version 1 is not enabled |
| BC_AWS_GENERAL_35 | Take action on EC2 instances with scheduled maintenance to prevent downtime |
| BC_AWS_GENERAL_44 | Ensure that Auto Scaling is enabled on your DynamoDB tables |
| BC_AWS_GENERAL_45 | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
| BC_AWS_GENERAL_47 | Ensure that Redshift clusters has backup plan of AWS Backup |
| BC_AWS_GENERAL_48 | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup |
| BC_AWS_GENERAL_49 | Ensure that RDS clusters has backup plan of AWS Backup |
| BC_AWS_GENERAL_50 | Ensure that EBS are added in the backup plans of AWS Backup |
| BC_AWS_GENERAL_52 | Ensure DynamoDB Tables are encrypted using KMS |
| BC_AWS_GENERAL_53 | Ensure that ECR repositories are encrypted using KMS |
| BC_AWS_GENERAL_54 | Ensure that RDS global clusters are encrypted |
| BC_AWS_GENERAL_55 | Ensure that Redshift cluster is encrypted by KMS |
| BC_AWS_GENERAL_56 | Ensure that S3 buckets are encrypted with KMS by default |
| BC_AWS_GENERAL_60 | Ensure that only encrypted EBS volumes are attached to EC2 instances |
| BC_AWS_GENERAL_66 | Ensure GuardDuty is enabled to specific org/region |
| BC_AWS_GENERAL_68 | Ensure that EC2 is EBS optimized |
| BC_AWS_GENERAL_69 | Ensure that RDS clusters have deletion protection enabled |
| BC_AWS_GENERAL_70 | Ensured that redshift cluster allowing version upgrade by default |
| BC_AWS_GENERAL_71 | Ensure that S3 bucket has lock configuration enabled by default |
| BC_AWS_GENERAL_72 | Ensure that S3 bucket has cross-region replication enabled |
| BC_AWS_IAM_21 | Ensure a support role has been created to manage incidents with AWS Support |
| BC_AWS_IAM_54 | Ensure IAM policies does not allow credentials exposure |
| BC_AWS_IAM_55 | Ensure IAM policies does not allow data exfiltration |
| BC_AWS_IAM_56 | Ensure IAM policies does not allow permissions management / resource exposure without constraints |
| BC_AWS_IAM_57 | Ensure IAM policies does not allow write access without constraints |
| BC_AWS_IAM_59 | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled |
| BC_AWS_IAM_60 | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
| BC_AWS_IAM_61 | Ensure that IAM groups includes at least one IAM user |
| BC_AWS_IAM_62 | Ensure that all IAM users are members of at least one IAM group |
| BC_AWS_KUBERNETES_3 | Ensure EKS Cluster has Secrets Encryption Enabled |
| BC_AWS_LOGGING_15 | Ensure API Gateway has X-Ray Tracing enabled |
| BC_AWS_LOGGING_16 | Ensure Global Accelerator has flow logs enabled |
| BC_AWS_LOGGING_17 | Ensure API Gateway has Access Logging enabled |
| BC_AWS_LOGGING_29 | Ensure API Gateway stage have logging level defined as appropriate |
| BC_AWS_MONITORING_14 | Ensure a log metric filter and alarm exist for VPC changes |
| BC_AWS_NETWORKING_27 | Default VPC should not be used |
| BC_AWS_NETWORKING_40 | Ensure that Amazon EMR clusters' security groups are not open to the world |
| BC_AWS_NETWORKING_42 | Ensure that Elasticsearch is configured inside a VPC |
| BC_AWS_NETWORKING_43 | Ensure that ELB is cross-zone-load-balancing enabled |
| BC_AWS_NETWORKING_46 | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks |
| BC_AWS_NETWORKING_48 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways |
| BC_AWS_NETWORKING_49 | Ensure that ALB redirects HTTP requests into HTTPS ones |
| BC_AWS_NETWORKING_50 | Ensure that all NACL are attached to subnets |
| BC_AWS_NETWORKING_51 | Ensure that Security Groups are attached to another resource |
| BC_AWS_NETWORKING_52 | Ensure that S3 bucket has a Public Access block |
| BC_AWS_PUBLIC_6 | Ensure there is no open access to back-end resources through API |
| BC_AZR_GENERAL_16 | Ensure that PostgreSQL server enables geo-redundant backups |
| BC_AZR_GENERAL_17 | Ensure that key vault key is backed by HSM |
| BC_AZR_GENERAL_18 | Ensure that MariaDB server enables geo-redundant backups |
| BC_AZR_GENERAL_19 | Ensure that My SQL server enables geo-redundant backups |
| BC_AZR_GENERAL_20 | Ensure that virtual machines are backed up using Azure Backup |
| BC_AZR_GENERAL_21 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
| BC_AZR_GENERAL_24 | Ensure that PostgreSQL server enables infrastructure encryption |
| BC_AZR_GENERAL_25 | Ensure that Automation account variables are encrypted |
| BC_AZR_GENERAL_26 | Ensure that Azure Data Explorer uses disk encryption |
| BC_AZR_GENERAL_27 | Ensure that Azure Data Explorer uses double encryption |
| BC_AZR_GENERAL_28 | Ensure that Azure Batch account uses key vault to encrypt data |
| BC_AZR_GENERAL_29 | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
| BC_AZR_GENERAL_30 | Ensure that MySQL server enables infrastructure encryption |
| BC_AZR_GENERAL_31 | Ensure that Virtual machine scale sets have encryption at host enabled |
| BC_AZR_GENERAL_33 | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
| BC_AZR_GENERAL_34 | Ensure that Unattached disks are encrypted |
| BC_AZR_GENERAL_35 | Ensure that Azure data factories are encrypted with a customer-managed key |
| BC_AZR_GENERAL_36 | Ensure that MySQL server enables customer-managed key for encryption |
| BC_AZR_GENERAL_37 | Ensure that PostgreSQL server enables customer-managed key for encryption |
| BC_AZR_GENERAL_38 | Ensure that Storage Accounts use customer-managed key for encryption |
| BC_AZR_GENERAL_39 | Ensure that Azure Data Factory uses Git repository for source control |
| BC_AZR_GENERAL_40 | Ensure that key vault enables purge protection |
| BC_AZR_GENERAL_41 | Ensure that key vault enables soft delete |
| BC_AZR_GENERAL_42 | Ensure that key vault secrets have "content_type" set |
| BC_AZR_GENERAL_44 | Ensure that My SQL server enables Threat detection policy |
| BC_AZR_GENERAL_45 | Ensure that PostgreSQL server enables Threat detection policy |
| BC_AZR_GENERAL_47 | Ensure that function apps enables Authentication |
| BC_AZR_GENERAL_48 | Ensure that CORS disallows every resource to access app services |
| BC_AZR_GENERAL_51 | Ensure function apps are not accessible from all regions |
| BC_AZR_GENERAL_52 | Ensure that 'HTTP Version' is the latest, if used to run the Function app |
| BC_AZR_GENERAL_54 | Ensure that Managed identity provider is enabled for app services |
| BC_AZR_GENERAL_55 | Ensure that remote debugging is not enabled for app services |
| BC_AZR_GENERAL_57 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app |
| BC_AZR_GENERAL_58 | Ensure that 'PHP version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_59 | Ensure that 'Python version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_60 | Ensure that 'Java version' is the latest, if used to run the web app |
| BC_AZR_GENERAL_65 | Ensure that app services use Azure Files |
| BC_AZR_GENERAL_66 | Ensure that Virtual Machines use managed disks |
| BC_AZR_GENERAL_67 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
| BC_AZR_GENERAL_68 | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines |
| BC_AZR_GENERAL_69 | Ensure that sql servers enables data security policy |
| BC_AZR_GENERAL_70 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
| BC_AZR_GENERAL_71 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
| BC_AZR_GENERAL_72 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
| BC_AZR_GENERAL_73 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server |
| BC_AZR_GENERAL_74 | Ensure that Azure Active Directory Admin is configured |
| BC_AZR_GENERAL_75 | Ensure Virtual Machines are utilizing Managed Disks |
| BC_AZR_KUBERNETES_1 | Ensure AKS logging to Azure Monitoring is Configured |
| BC_AZR_KUBERNETES_2 | Ensure RBAC is enabled on AKS clusters |
| BC_AZR_KUBERNETES_3 | Ensure AKS has an API Server Authorized IP Ranges enabled |
| BC_AZR_KUBERNETES_4 | Ensure AKS cluster has Network Policy configured |
| BC_AZR_KUBERNETES_5 | Ensure Kube Dashboard is disabled |
| BC_AZR_KUBERNETES_6 | Ensure that AKS enables private clusters |
| BC_AZR_KUBERNETES_7 | Ensure that AKS uses Azure Policies Add-on |
| BC_AZR_KUBERNETES_8 | Ensure that AKS uses disk encryption set |
| BC_AZR_LOGGING_10 | Ensure that App service enables failed request tracing |
| BC_AZR_LOGGING_11 | Ensure Storage logging is enabled for Blob service for read requests |
| BC_AZR_LOGGING_12 | Ensure the storage container storing the activity logs is not publicly accessible |
| BC_AZR_LOGGING_7 | Ensure Storage logging is enabled for Table service for read requests |
| BC_AZR_LOGGING_8 | Ensure that App service enables HTTP logging |
| BC_AZR_LOGGING_9 | Ensure that App service enables detailed error messages |
| BC_AZR_NETWORKING_18 | Ensure that Storage accounts disallow public access |
| BC_AZR_NETWORKING_20 | Ensure that PostgreSQL server disables public network access |
| BC_AZR_NETWORKING_21 | Ensure that Function apps is only accessible over HTTPS |
| BC_AZR_NETWORKING_23 | Ensure that Azure Cache for Redis disables public network access |
| BC_AZR_NETWORKING_24 | Ensure that only SSL are enabled for Cache for Redis |
| BC_AZR_NETWORKING_25 | Ensure that Azure Container group is deployed into virtual network |
| BC_AZR_NETWORKING_26 | Ensure Cosmos DB accounts have restricted access |
| BC_AZR_NETWORKING_27 | Ensure that Azure Synapse workspaces have no IP firewall rules attached |
| BC_AZR_NETWORKING_28 | Ensure that Azure Cosmos DB disables public network access |
| BC_AZR_NETWORKING_31 | Ensure that API management services use virtual networks |
| BC_AZR_NETWORKING_34 | Ensure that SQL server disables public network access |
| BC_AZR_NETWORKING_35 | Ensure that Network Interfaces disable IP forwarding |
| BC_AZR_NETWORKING_36 | Ensure that Network Interfaces don't use public IPs |
| BC_AZR_NETWORKING_37 | Ensure that Application Gateway enables WAF |
| BC_AZR_NETWORKING_38 | Ensure that Azure Front Door enables WAF |
| BC_AZR_NETWORKING_39 | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes |
| BC_AZR_NETWORKING_40 | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes |
| BC_AZR_NETWORKING_41 | Ensure that Azure Cognitive Search disables public network access |
| BC_AZR_NETWORKING_42 | Ensure that Azure File Sync disables public network access |
| BC_AZR_NETWORKING_43 | Ensure that Azure Synapse workspaces enables managed virtual networks |
| BC_AZR_NETWORKING_44 | Ensure that MySQL server disables public network access |
| BC_DKR_1 | Ensure port 22 is not exposed |
| BC_DKR_2 | Ensure that HEALTHCHECK instructions have been added to container images |
| BC_DKR_3 | Ensure that a user for the container has been created |
| BC_DKR_4 | Ensure update instructions are not use alone in the Dockerfile |
| BC_DKR_5 | Ensure that COPY is used instead of ADD in Dockerfiles |
| BC_DKR_IMG_1 | Docker image scan found vulnerabilities |
| BC_GCP_GENERAL_8 | Ensure that there are only GCP-managed service account keys for each service account |
| BC_GCP_GENERAL_9 | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
| BC_GCP_IAM_11 | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
| BC_GCP_KUBERNETES_1 | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| BC_GCP_KUBERNETES_10 | Ensure GKE Control Plane is not public |
| BC_GCP_KUBERNETES_11 | Ensure GKE basic auth is disabled |
| BC_GCP_KUBERNETES_12 | Ensure master authorized networks is set to enabled in GKE clusters |
| BC_GCP_KUBERNETES_13 | Ensure Kubernetes Clusters are configured with Labels |
| BC_GCP_KUBERNETES_14 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
| BC_GCP_KUBERNETES_15 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
| BC_GCP_KUBERNETES_16 | Ensure GKE clusters are not running using the Compute Engine default service account |
| BC_GCP_KUBERNETES_17 | Ensure Secure Boot for Shielded GKE Nodes is Enabled |
| BC_GCP_KUBERNETES_18 | Enable VPC Flow Logs and Intranode Visibility |
| BC_GCP_KUBERNETES_19 | Ensure clusters are created with Private Nodes |
| BC_GCP_KUBERNETES_2 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| BC_GCP_KUBERNETES_20 | Manage Kubernetes RBAC users with Google Groups for GKE |
| BC_GCP_KUBERNETES_21 | Ensure use of Binary Authorization |
| BC_GCP_KUBERNETES_22 | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| BC_GCP_KUBERNETES_23 | Ensure the GKE Metadata Server is Enabled |
| BC_GCP_KUBERNETES_24 | Ensure Shielded GKE Nodes are Enabled |
| BC_GCP_KUBERNETES_25 | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
| BC_GCP_KUBERNETES_3 | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| BC_GCP_KUBERNETES_4 | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters |
| BC_GCP_KUBERNETES_5 | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters |
| BC_GCP_KUBERNETES_6 | Ensure Kubernetes Cluster is created with Private cluster enabled |
| BC_GCP_KUBERNETES_7 | Ensure Network Policy is enabled on Kubernetes Engine Clusters |
| BC_GCP_KUBERNETES_8 | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters |
| BC_GCP_KUBERNETES_9 | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
| BC_GCP_LOGGING_4 | Ensure that retention policies on log buckets are configured using Bucket Lock |
| BC_GCP_LOGGING_5 | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
| BC_GCP_NETWORKING_13 | Ensure legacy networks do not exist for a project |
| BC_K8S_100 | Ensure that the --protect-kernel-defaults argument is set to true |
| BC_K8S_101 | Ensure that the --make-iptables-util-chains argument is set to true |
| BC_K8S_102 | Ensure that the --hostname-override argument is not set |
| BC_K8S_103 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
| BC_K8S_11 | Memory requests should be set |
| BC_K8S_13 | Image Tag should be fixed - not latest or blank |
| BC_K8S_14 | Image Pull Policy should be Always |
| BC_K8S_20 | The default namespace should not be used |
| BC_K8S_23 | Do not allow containers with added capability |
| BC_K8S_24 | Minimize the admission of containers with added capability |
| BC_K8S_25 | Do not specify hostPort unless absolutely necessary |
| BC_K8S_27 | Minimize the admission of containers with the NET_RAW capability |
| BC_K8S_28 | Apply security context to your pods and containers |
| BC_K8S_29 | Ensure that the seccomp profile is set to docker/default or runtime/default |
| BC_K8S_30 | Ensure default seccomp profile set to docker/default or runtime/default |
| BC_K8S_31 | Ensure the Kubernetes dashboard is not deployed |
| BC_K8S_32 | Ensure that Tiller (Helm v2) is not deployed |
| BC_K8S_33 | Prefer using secrets as files over secrets as environment variables |
| BC_K8S_34 | Minimize the admission of containers with capabilities assigned |
| BC_K8S_35 | Ensure that Service Account Tokens are only mounted where necessary |
| BC_K8S_38 | Ensure that default service accounts are not actively used |
| BC_K8S_39 | Image should use digest |
| BC_K8S_40 | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
| BC_K8S_41 | Ensure that the Tiller Service (Helm v2) is deleted |
| BC_K8S_43 | Apply security context to your pods and containers |
| BC_K8S_44 | Minimize the admission of containers with capabilities assigned |
| BC_K8S_45 | Ensure that default service accounts are not actively used |
| BC_K8S_46 | Ensure that the --anonymous-auth argument is set to false |
| BC_K8S_47 | Ensure that the --basic-auth-file argument is not set |
| BC_K8S_48 | Ensure that the --token-auth-file argument is not set |
| BC_K8S_54 | Ensure that the --authorization-mode argument includes RBAC |
| BC_K8S_58 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| BC_K8S_59 | Ensure that the admission control plugin ServiceAccount is set |
| BC_K8S_6 | Do not admit containers with the NET_RAW capability |
| BC_K8S_60 | Ensure that the admission control plugin NamespaceLifecycle is set |
| BC_K8S_61 | Ensure that the admission control plugin PodSecurityPolicy is set |
| BC_K8S_65 | Ensure that the --secure-port argument is not set to 0 |
| BC_K8S_66 | Ensure that the --profiling argument is set to false |
| BC_K8S_7 | Liveness Probe Should be Configured |
| BC_K8S_70 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| BC_K8S_76 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
| BC_K8S_8 | Readiness Probe Should be Configured |
| BC_K8S_9 | CPU requests should be set |
| BC_K8S_96 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| BC_K8S_97 | Ensure that the --client-ca-file argument is set as appropriate |
| BC_K8S_98 | Ensure that the --read-only-port argument is set to 0 |
| BC_K8S_99 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |