feat(queries): add ingress whitelist open-to-all detection queries#8021
Open
cx-antero-silva wants to merge 7 commits intoCheckmarx:masterfrom
Open
feat(queries): add ingress whitelist open-to-all detection queries#8021cx-antero-silva wants to merge 7 commits intoCheckmarx:masterfrom
cx-antero-silva wants to merge 7 commits intoCheckmarx:masterfrom
Conversation
Add three new queries targeting undetected ingress exposure scenarios where source-IP whitelists are set to or effectively allow all addresses: - k8s/network_policy_ingress_not_restricted (HIGH): detects NetworkPolicy ingress rules that omit the 'from' block, allowing traffic from every source IP on the network. - terraform/aws/security_group_ingress_with_wide_cidr_range (HIGH): detects aws_security_group, aws_vpc_security_group_ingress_rule, and aws_security_group_rule resources whose ingress CIDR prefix length is between /1 and /8 (covering 16 M – 2 B IPs). Complements the existing unrestricted_security_group_ingress query (/0) without duplicating it. Excludes 10.0.0.0/8 (RFC 1918 Class-A private range). - k8s/ingress_whitelist_open_to_all (HIGH): detects Kubernetes Ingress resources (including Helm-rendered charts) where the nginx annotation 'nginx.ingress.kubernetes.io/whitelist-source-range' is explicitly set to '0.0.0.0/0' or '::/0', disabling source-IP restriction entirely. Each query includes positive/negative test fixtures and positive_expected_result.json. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…fixtures kubernetesjsonschema.dev has an invalid SSL certificate (resolves to netlify.app), causing kubeval to fail when fetching: - networkpolicy-networking-v1.json - ingress-networking-v1.json Add the four new query test files to the kubeval ignore list, consistent with the existing workaround used for hpa_targets_invalid_object. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
kubernetesjsonschema.dev has an invalid SSL certificate (the domain now resolves to Netlify but the cert covers only *.netlify.app), causing kubeval to hard-fail when fetching schemas for Pod, StatefulSet, NetworkPolicy, Ingress, PodSecurityPolicy, CronJob, and other kinds. Adding --ignore-missing-schemas tells kubeval to skip validation for resource types whose schema cannot be retrieved, rather than exiting with an error. This unblocks the check for all affected queries across the repository without requiring every broken fixture to be listed in the ignore file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reason for Proposed Changes
Security groups, Kubernetes NetworkPolicies, and nginx Ingress controllers can all be misconfigured to allow inbound traffic from any IP address. Three specific scenarios were identified as gaps in KICS coverage:
fromblock — an ingress rule that omits thefromselector allows traffic from every source, including the public internet. This is distinct from the existing Network Policy Is Not Targeting Any Pod query.10.0.0.0/1or0.0.0.0/7cover hundreds of millions of IP addresses yet are not caught by the existingunrestricted_security_group_ingressquery which only flags exact/0ranges.whitelist-source-rangeexplicitly set to all IPs — setting thenginx.ingress.kubernetes.io/whitelist-source-rangeannotation to0.0.0.0/0or::/0disables source-IP restriction entirely. This affects both raw Kubernetes manifests and Helm-rendered charts.Proposed Changes
assets/queries/k8s/network_policy_ingress_not_restricted(HIGH, CWE-668)NetworkPolicyingress rules with nofromblock (empty rule{}or rule with onlyports).policyTypes: [Ingress]and the implicit case wherepolicyTypesis absent.- {},- ports: [{protocol: TCP, port: 80}]from.ipBlock,from.podSelector,from.namespaceSelectorassets/queries/terraform/aws/security_group_ingress_with_wide_cidr_range(HIGH, CWE-668)/1–/8acrossaws_security_group,aws_vpc_security_group_ingress_rule, andaws_security_group_ruleresources.0.0.0.0/0(already covered byunrestricted_security_group_ingress) and10.0.0.0/8(RFC 1918 Class-A private range).10.0.0.0/1,0.0.0.0/7,128.0.0.0/110.0.0.0/16,192.168.0.0/24,10.0.0.0/8,0.0.0.0/0assets/queries/k8s/ingress_whitelist_open_to_all(HIGH, CWE-668)Ingressresources wherenginx.ingress.kubernetes.io/whitelist-source-rangecontains0.0.0.0/0or::/0.contains()to also catch combined strings like"10.0.0.0/16,0.0.0.0/0"."0.0.0.0/0","::/0","10.0.0.0/16,0.0.0.0/0""10.0.0.0/16,192.168.0.0/24","203.0.113.42/32"Each query includes
metadata.json,query.rego, positive/negative YAML or Terraform fixtures, andpositive_expected_result.json.I submit this contribution under the Apache-2.0 license.