SonarCloud detects security problems in Terraform for GCP files

Hello,

After AWS and Azure, SonarCloud now supports GCP and detects security problems in Terraform for GCP files. The domains covered by the 14 new GCP specific rules are:

  • Encryption at Rest and in Transit:

    • S6401: Creating keys without a rotation period is security-sensitive
    • S6402: Creating DNS zones without DNSSEC enabled is security-sensitive
    • S6403: Creating GCP SQL instances without requiring TLS is security-sensitive
    • S6405: Enabling project-wide SSH keys to access VM instances is security-sensitive
    • S6407: Creating App Engine handlers without requiring TLS is security-sensitive
    • S6410: Google Cloud load balancers SSL policies should not offer weak cipher suites
  • Public Access, Permission and Access Control:

    • S6400: Granting highly privileged GCP resource rights is security-sensitive
    • S6321: Administration services access should be restricted to specific IP addresses
    • S6404: Granting public access to GCP resources is security-sensitive
    • S6302: Having policies that grant all privileges is security-sensitive
    • S6409: Enabling Attribute-Based Access Control for Kubernetes is security-sensitive
    • S6406: Excessive Granting Of GCP IAM Permissions Is Security-Sensitive
    • S6408: Creating custom roles allowing privilege escalation is security-sensitive
    • S6329: Allowing public network access to cloud resources is security-sensitive

Next step? We will detect security problems in Kubernetes config files.

Alex

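As an added illustration (not part of the post above, and not SonarSource's own test fixtures), here is what a few of the listed rules flag in Terraform for GCP, each weak configuration beside a version that passes. Resource names, the project, region and zone are placeholders; the attributes used (`rotation_period`, `dnssec_config.state`, `ip_configuration.require_ssl`, the `block-project-ssh-keys` instance metadata key) are the standard `google` provider arguments for these resources.

```hcl
# Added example: weak vs. corrected settings for S6401, S6402, S6403 and S6405.
# Names, dns_name values, region and zone are placeholders, not from the post.

# S6401: a KMS key with no rotation_period is security-sensitive.
resource "google_kms_key_ring" "ring" {
  name     = "example-ring" # placeholder
  location = "us-central1"
}

resource "google_kms_crypto_key" "unrotated" {
  name     = "unrotated-key"
  key_ring = google_kms_key_ring.ring.id
  # rotation_period omitted: flagged by S6401
}

resource "google_kms_crypto_key" "rotated" {
  name            = "rotated-key"
  key_ring        = google_kms_key_ring.ring.id
  rotation_period = "7776000s" # 90 days, expressed in seconds
}

# S6402: a managed DNS zone without DNSSEC is security-sensitive.
resource "google_dns_managed_zone" "unsigned" {
  name     = "unsigned-zone"
  dns_name = "example.com." # placeholder
  # dnssec_config omitted (equivalent to state = "off"): flagged by S6402
}

resource "google_dns_managed_zone" "signed" {
  name     = "signed-zone"
  dns_name = "example.org." # placeholder
  dnssec_config {
    state = "on"
  }
}

# S6403: a Cloud SQL instance that accepts non-TLS client connections.
resource "google_sql_database_instance" "plain" {
  name             = "plain-instance"
  database_version = "POSTGRES_14"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl = false # flagged by S6403
    }
  }
}

resource "google_sql_database_instance" "tls_only" {
  name             = "tls-only-instance"
  database_version = "POSTGRES_14"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl = true # clients must negotiate TLS
    }
  }
}

# S6405: a VM that honours project-wide SSH keys lets anyone who can edit
# project metadata log in; blocking them restricts access to instance keys.
resource "google_compute_instance" "shared_keys" {
  name         = "shared-keys-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
  network_interface {
    network = "default"
  }
  # block-project-ssh-keys not set: flagged by S6405
}

resource "google_compute_instance" "instance_keys_only" {
  name         = "instance-keys-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
  network_interface {
    network = "default"
  }
  metadata = {
    block-project-ssh-keys = "true"
  }
}
```

The same pattern holds for the other rules in the list: each one keys on a single attribute (or its absence) that widens access or disables encryption, so the fix is usually a one-line change rather than a redesign.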