
Conversation

cx-andre-pereira (Contributor) commented Dec 12, 2025

Closes #

Reason for Proposed Changes

  • The current query implementations use a regex to determine whether a filter is valid or not. This was not the best approach, as the filter may not appear exactly as it is defined in the CIS_Google_Cloud_Platform_Foundation_Benchmark_v4.0.0.

Proposed Changes

  • All three queries perform the same verifications:

    • There is at least one "google_logging_metric" resource in the project and none contain the correct filter.
    • There is at least one "google_monitoring_alert_policy" resource in the project and none contain the filter/reference a logging metric that contains the correct filter.
    • There is at least one "google_monitoring_alert_policy" resource that contains the filter but none of them declare "notification_channels".
  • The only thing that changes is the way they analyse the filter:

  • The query Beta - Logs And Alerts Missing Custom Role Changes checks if the resource.type includes the mandatory iam_role. It also checks, through the contains_method helper function, if all 4 target methods are included (protoPayload.methodName = ("google.iam.admin.v1.CreateRole", "google.iam.admin.v1.UndeleteRole", "google.iam.admin.v1.UpdateRole", "google.iam.admin.v1.DeleteRole")).

  • If the methods are not all defined, there are two valid alternatives:

    • There isn’t a single protoPayload.methodName restriction in place.
    • The only “restriction” in place is the wildcard (*) : protoPayload.methodName = *
  • Also, the filter will be considered improper if any contradictory condition is defined.

  • The query Beta - Logs And Alerts Missing Project Ownership Assignment And Changes uses a similar approach to the one above, but checks if the serviceName is defined to protoPayload.serviceName="cloudresourcemanager.googleapis.com" and if it has ProjectOwnership OR projectOwnerInvitee (or vice versa). It also verifies that for the role roles/owner it has the actions "REMOVE" and "ADD".

  • The query Beta - Logs And Alerts Missing Audit Configuration Changes is simpler: it just checks if the methodName is defined to SetIamPolicy and if protoPayload.serviceData.policyDelta.auditConfigDeltas is defined to *.

I submit this contribution under the Apache-2.0 license.
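As an added illustration (not the PR's Rego and not code from the KICS project), the following Python applies the custom-role filter rules described above to a logging filter string: the mandatory iam_role resource type, then either all four methods, no methodName restriction at all, or the wildcard, with a negated clause on a required value treated as a contradictory condition. The function names, that negation-based reading of "contradictory", and the sample filter are assumptions.

```python
import re

# Methods the PR description lists for the custom-role check (CIS GCP v4.0.0).
REQUIRED_METHODS = {
    "google.iam.admin.v1.CreateRole",
    "google.iam.admin.v1.UndeleteRole",
    "google.iam.admin.v1.UpdateRole",
    "google.iam.admin.v1.DeleteRole",
}

# One comparison clause: optional negation, key, operator, then a value or (list).
# Assumption: only these two keys matter; NOT applied to a whole (...) group is not parsed.
_CLAUSE = re.compile(
    r'(?P<neg>\bNOT\s+|-)?(?P<key>resource\.type|protoPayload\.methodName)'
    r'\s*(?P<op>!=|=|:)\s*(?P<val>\([^)]*\)|"[^"]*"|\*|[^\s()]+)'
)

def _values(raw):
    """'("a", "b")', '("a" OR "b")', '"a"', '*' or a bare token -> set of values."""
    inner = raw[1:-1] if raw.startswith("(") and raw.endswith(")") else raw
    return {v.strip().strip('"') for v in re.split(r"\s+OR\s+|,", inner) if v.strip()}

def clauses(flt):
    """Yield (key, negated, values) for every clause found in a logging filter."""
    for m in _CLAUSE.finditer(flt):
        negated = bool(m.group("neg")) or m.group("op") == "!="
        yield m.group("key"), negated, _values(m.group("val"))

def custom_role_filter_ok(flt):
    """True when the filter covers every custom-role change the benchmark requires."""
    types, not_types, methods, not_methods = set(), set(), set(), set()
    for key, negated, vals in clauses(flt):
        if key == "resource.type":
            (not_types if negated else types).update(vals)
        else:
            (not_methods if negated else methods).update(vals)
    if "iam_role" not in types:
        return False  # mandatory resource.type missing
    if "iam_role" in not_types or "*" in not_methods or not_methods & REQUIRED_METHODS:
        return False  # a negated clause contradicts the required coverage
    if not methods or "*" in methods:
        return True  # no methodName restriction, or the wildcard: every method is logged
    return REQUIRED_METHODS <= methods  # otherwise all four methods must be listed

# Constructed sample in the benchmark's one-clause-per-method style (not copied from the page).
SAMPLE_FILTER = (
    'resource.type="iam_role" AND (protoPayload.methodName="google.iam.admin.v1.CreateRole" '
    'OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" '
    'OR protoPayload.methodName="google.iam.admin.v1.UndeleteRole" '
    'OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")'
)
```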

@github-actions github-actions bot added query New query feature gcp PR related with GCP Cloud labels Dec 12, 2025
github-actions bot commented Dec 12, 2025


KICS version: v2.1.18

Category   Results
CRITICAL   0
HIGH       0
MEDIUM     0
LOW        0
INFO       0
TRACE      0
TOTAL      0

Metric                      Values
Files scanned               1
Files parsed                1
Files failed to scan        0
Total executed queries      47
Queries failed to execute   0
Execution time              0

@github-actions github-actions bot added the community Community contribution label Jan 20, 2026
@cx-ricardo-jesus cx-ricardo-jesus changed the title fix(query): better interpreter for gcp queries fix(queries): better interpreter for gcp queries Jan 21, 2026
@github-actions github-actions bot added the terraform Terraform query label Jan 21, 2026
@cx-ricardo-jesus cx-ricardo-jesus marked this pull request as ready for review January 21, 2026 17:08
@cx-ricardo-jesus cx-ricardo-jesus requested a review from a team as a code owner January 21, 2026 17:08