Listing config rules

[rvillane]

Hi, Is there a simple way to get a list of all validation rules to detect misconfigurations ? Here I'm referring to the rules typically implemented in Rego, used when running trivy config command. I understand they are available in https://github.com/aquasecurity/defsec repo, however, getting the list from that repo is a tedious, manual work.

I have reviewed the trivy CLI help, but couldn't find anything evident.

thanks for your help

[knqyf263]

I think AVD helps.
https://avd.aquasec.com/misconfig/

@liamg may have other information.

[liamg]

Depending on what exactly you need to know about each rule, you could use something like this:

package main

import (
	"fmt"

	_ "github.com/aquasecurity/defsec/pkg/rego"
	"github.com/aquasecurity/defsec/pkg/rules"
)

func main() {

	for _, rule := range rules.GetRegistered() {
		r := rule.Rule()
		fmt.Printf("[%s] %s: %s\n", r.AVDID, r.Provider, r.Summary)
	}
}

This yields the following:

[AVD-KSV-0001] kubernetes: Process can elevate its own privileges
[AVD-KSV-0024] kubernetes: Access to host ports
[AVD-DS-0011] dockerfile: COPY with more than two arguments not ending with slash
[AVD-DS-0017] dockerfile: 'RUN <package-manager> update' instruction alone
[AVD-DS-0005] dockerfile: ADD instead of COPY
[AVD-KSV-0010] kubernetes: Access to host PID
[AVD-KSV-0104] kubernetes: Seccomp profile unconfined
[AVD-DS-0024] dockerfile: 'apt-get dist-upgrade' used
[AVD-KSV-0018] kubernetes: Memory not limited
[AVD-KSV-0008] kubernetes: Access to host IPC namespace
[AVD-DS-0016] dockerfile: Multiple CMD instructions listed
[AVD-KSV-0102] kubernetes: Tiller Is Deployed
[AVD-KSV-0037] kubernetes: User Pods should not be placed in kube-system namespace
[AVD-KSV-0023] kubernetes: hostPath volumes mounted
[AVD-KSV-0025] kubernetes: SELinux custom options set
[AVD-DS-0022] dockerfile: Deprecated MAINTAINER used
[AVD-DS-0006] dockerfile: COPY '--from' referring to the current image
[AVD-DS-0012] dockerfile: Duplicate aliases defined in different FROMs
[AVD-KSV-0028] kubernetes: Non-ephemeral volume types used
[AVD-KSV-0022] kubernetes: Non-default capabilities added
[AVD-KSV-0105] kubernetes: Containers must not set runAsUser to 0
[AVD-DS-0002] dockerfile: Image user should not be 'root'
[AVD-DS-0001] dockerfile: ':latest' tag used
[AVD-KSV-0027] kubernetes: Non-default /proc masks set
[AVD-DS-0014] dockerfile: RUN using 'wget' and 'curl'
[AVD-DS-0019] dockerfile: 'dnf clean all' missing
[AVD-DS-0023] dockerfile: Multiple HEALTHCHECK defined
[AVD-KSV-0106] kubernetes: Container capabilities must only include NET_BIND_SERVICE
[AVD-KSV-0014] kubernetes: Root file system is not read-only
[AVD-KSV-0020] kubernetes: Runs with low user ID
[AVD-KSV-0002] kubernetes: Default AppArmor profile not set
[AVD-DS-0013] dockerfile: 'RUN cd ...' to change directory
[AVD-DS-0008] dockerfile: Exposed port out of range
[AVD-KSV-0009] kubernetes: Access to host network
[AVD-KSV-0017] kubernetes: Privileged container
[AVD-KSV-0038] kubernetes: Selector usage in network policies
[AVD-KSV-0005] kubernetes: SYS_ADMIN capability added
[AVD-KSV-0016] kubernetes: Memory requests not specified
[AVD-KSV-0006] kubernetes: hostPath volume mounted with docker.sock
[AVD-KSV-0021] kubernetes: Runs with low group ID
[AVD-KSV-0036] kubernetes: Protecting Pod service account tokens
[AVD-KSV-0013] kubernetes: Image tag ':latest' used
[AVD-KSV-0011] kubernetes: CPU not limited
[AVD-KSV-0026] kubernetes: Unsafe sysctl options set
[AVD-KSV-0103] kubernetes: HostProcess container defined
[AVD-DS-0009] dockerfile: WORKDIR path not absolute
[AVD-DS-0010] dockerfile: RUN using 'sudo'
[AVD-KSV-0030] kubernetes: Default Seccomp profile not set
[AVD-DS-0004] dockerfile: Port 22 exposed
[AVD-DS-0020] dockerfile: 'zypper clean' missing
[AVD-KSV-0015] kubernetes: CPU requests not specified
[AVD-DS-0015] dockerfile: 'yum clean all' missing
[AVD-DS-0007] dockerfile: Multiple ENTRYPOINT instructions listed
[AVD-DS-0021] dockerfile: 'apt-get' missing '-y' to avoid manual input
[AVD-KSV-0012] kubernetes: Runs as root user
[AVD-KSV-0003] kubernetes: Default capabilities not dropped
[AVD-AWS-0001] aws: API Gateway stages for V1 and V2 should have access logging enabled
[AVD-AWS-0002] aws: API Gateway must have cache enabled
[AVD-AWS-0003] aws: API Gateway must have X-Ray tracing enabled
[AVD-AWS-0004] aws: No unauthorized access to API Gateway methods
[AVD-AWS-0005] aws: API Gateway domain name uses outdated SSL/TLS protocols.
[AVD-AWS-0006] aws: Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted
[AVD-AWS-0007] aws: Athena workgroups should enforce configuration to prevent client disabling encryption
[AVD-AWS-0008] aws: Launch configuration with unencrypted block device.
[AVD-AWS-0130] aws: aws_instance should activate session tokens for Instance Metadata Service.
[AVD-AWS-0009] aws: Launch configuration should not have a public IP address.
[AVD-AWS-0129] aws: User data for EC2 instances must not contain sensitive AWS keys
[AVD-AWS-0122] aws: Ensure all data stored in the launch configuration EBS is securely encrypted
[AVD-AWS-0010] aws: Cloudfront distribution should have Access Logging configured
[AVD-AWS-0011] aws: CloudFront distribution does not have a WAF in front.
[AVD-AWS-0012] aws: CloudFront distribution allows unencrypted (HTTP) communications.
[AVD-AWS-0013] aws: CloudFront distribution uses outdated SSL/TLS protocols.
[AVD-AWS-0014] aws: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
[AVD-AWS-0015] aws: Cloudtrail should be encrypted at rest to secure access to sensitive trail data
[AVD-AWS-0016] aws: Cloudtrail log validation should be enabled to prevent tampering of log data
[AVD-AWS-0017] aws: CloudWatch log groups should be encrypted using CMK
[AVD-AWS-0018] aws: CodeBuild Project artifacts encryption should not be disabled
[AVD-AWS-0019] aws: Config configuration aggregator should be using all regions for source
[AVD-AWS-0020] aws: DocumentDB logs export should be enabled
[AVD-AWS-0021] aws: DocumentDB storage must be encrypted
[AVD-AWS-0022] aws: DocumentDB encryption should use Customer Managed Keys
[AVD-AWS-0023] aws: DAX Cluster and tables should always encrypt data at rest
[AVD-AWS-0024] aws: Point in time recovery should be enabled to protect DynamoDB table
[AVD-AWS-0025] aws: DynamoDB tables should use at rest encryption with a Customer Managed Key
[AVD-AWS-0026] aws: EBS volumes must be encrypted
[AVD-AWS-0027] aws: EBS volume encryption should use Customer Managed Keys
[AVD-AWS-0131] aws: Instance with unencrypted block device.
[AVD-AWS-0028] aws: aws_instance should activate session tokens for Instance Metadata Service.
[AVD-AWS-0029] aws: User data for EC2 instances must not contain sensitive AWS keys
[AVD-AWS-0030] aws: ECR repository has image scans disabled.
[AVD-AWS-0031] aws: ECR images tags shouldn't be mutable.
[AVD-AWS-0032] aws: ECR repository policy must block public access
[AVD-AWS-0033] aws: ECR Repository should use customer managed keys to allow more control
[AVD-AWS-0034] aws: ECS clusters should have container insights enabled
[AVD-AWS-0035] aws: ECS Task Definitions with EFS volumes should use in-transit encryption
[AVD-AWS-0036] aws: Task definition defines sensitive environment variable(s).
[AVD-AWS-0037] aws: EFS Encryption has not been enabled
[AVD-AWS-0038] aws: EKS Clusters should have cluster control plane logging turned on
[AVD-AWS-0039] aws: EKS should have the encryption of secrets enabled
[AVD-AWS-0040] aws: EKS Clusters should have the public access disabled
[AVD-AWS-0041] aws: EKS cluster should not have open CIDR range for public access
[AVD-AWS-0049] aws: Missing description for security group/security group rule.
[AVD-AWS-0045] aws: Elasticache Replication Group stores unencrypted data at-rest.
[AVD-AWS-0050] aws: Redis cluster should have backup retention turned on
[AVD-AWS-0051] aws: Elasticache Replication Group uses unencrypted traffic.
[AVD-AWS-0048] aws: Elasticsearch domain isn't encrypted at rest.
[AVD-AWS-0042] aws: Domain logging should be enabled for Elastic Search domains
[AVD-AWS-0043] aws: Elasticsearch domain uses plaintext traffic for node to node communication.
[AVD-AWS-0046] aws: Elasticsearch doesn't enforce HTTPS traffic.
[AVD-AWS-0126] aws: Elasticsearch domain endpoint is using outdated TLS policy.
[AVD-AWS-0053] aws: Load balancer is exposed to the internet.
[AVD-AWS-0052] aws: Load balancers should drop invalid headers
[AVD-AWS-0054] aws: Use of plain HTTP.
[AVD-AWS-0047] aws: An outdated SSL policy is in use by a load balancer.
[AVD-AWS-0137] aws: Enable at-rest encryption for EMR clusters.
[AVD-AWS-0138] aws: Enable in-transit encryption for EMR clusters.
[AVD-AWS-0139] aws: Enable local-disk encryption for EMR clusters.
[AVD-AWS-0123] aws: IAM Groups should have MFA enforcement activated.
[AVD-AWS-0056] aws: IAM Password policy should prevent password reuse.
[AVD-AWS-0057] aws: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
[AVD-AWS-0058] aws: IAM Password policy should have requirement for at least one lowercase character.
[AVD-AWS-0059] aws: IAM Password policy should have requirement for at least one number in the password.
[AVD-AWS-0060] aws: IAM Password policy should have requirement for at least one symbol in the password.
[AVD-AWS-0061] aws: IAM Password policy should have requirement for at least one uppercase character.
[AVD-AWS-0062] aws: IAM Password policy should have expiry less than or equal to 90 days.
[AVD-AWS-0063] aws: IAM Password policy should have minimum password length of 14 or more characters.
[AVD-AWS-0064] aws: Kinesis stream is unencrypted.
[AVD-AWS-0065] aws: A KMS key is not configured to auto-rotate.
[AVD-AWS-0066] aws: Lambda functions should have X-Ray tracing enabled
[AVD-AWS-0067] aws: Ensure that lambda function permission has a source arn specified
[AVD-AWS-0070] aws: MQ Broker should have audit logging enabled
[AVD-AWS-0071] aws: MQ Broker should have general logging enabled
[AVD-AWS-0072] aws: Ensure MQ Broker is not publicly exposed
[AVD-AWS-0073] aws: A MSK cluster allows unencrypted data in transit.
[AVD-AWS-0074] aws: Ensure MSK Cluster logging is enabled
[AVD-AWS-0075] aws: Neptune logs export should be enabled
[AVD-AWS-0076] aws: Neptune storage must be encrypted at rest
[AVD-AWS-0128] aws: Neptune encryption should use Customer Managed Keys
[AVD-AWS-0133] aws: Enable Performance Insights to detect potential problems
[AVD-AWS-0078] aws: Encryption for RDS Performance Insights should be enabled.
[AVD-AWS-0079] aws: There is no encryption specified or encryption is disabled on the RDS Cluster.
[AVD-AWS-0080] aws: RDS encryption has not been enabled at a DB Instance level.
[AVD-AWS-0081] aws: AWS Classic resource usage.
[AVD-AWS-0082] aws: A database resource is marked as publicly accessible.
[AVD-AWS-0077] aws: RDS Cluster and RDS instance should have backup retention longer than default 1 day
[AVD-AWS-0083] aws: Missing description for security group/security group rule.
[AVD-AWS-0084] aws: Redshift clusters should use at rest encryption
[AVD-AWS-0085] aws: AWS Classic resource usage.
[AVD-AWS-0127] aws: Redshift cluster should be deployed into a specific VPC
[AVD-AWS-0086] aws: S3 Access block should block public ACL
[AVD-AWS-0087] aws: S3 Access block should block public policy
[AVD-AWS-0088] aws: Unencrypted S3 bucket.
[AVD-AWS-0089] aws: S3 Bucket does not have logging enabled.
[AVD-AWS-0090] aws: S3 Data should be versioned
[AVD-AWS-0132] aws: S3 encryption should use Customer Managed Keys
[AVD-AWS-0091] aws: S3 Access Block should Ignore Public Acl
[AVD-AWS-0092] aws: S3 Buckets not publicly accessible through ACL.
[AVD-AWS-0093] aws: S3 Access block should restrict public bucket to limit access
[AVD-AWS-0094] aws: S3 buckets should each define an aws_s3_bucket_public_access_block
[AVD-AWS-0112] aws: SAM API domain name uses outdated SSL/TLS protocols.
[AVD-AWS-0113] aws: SAM API stages for V1 and V2 should have access logging enabled
[AVD-AWS-0110] aws: SAM API must have data cache enabled
[AVD-AWS-0111] aws: SAM API must have X-Ray tracing enabled
[AVD-AWS-0125] aws: SAM Function must have X-Ray tracing enabled
[AVD-AWS-0116] aws: SAM HTTP API stages for V1 and V2 should have access logging enabled
[AVD-AWS-0119] aws: SAM State machine must have logging enabled
[AVD-AWS-0117] aws: SAM State machine must have X-Ray tracing enabled
[AVD-AWS-0121] aws: SAM Simple table must have server side encryption enabled.
[AVD-AWS-0114] aws: Function policies should avoid use of wildcards and instead apply the principle of least privilege
[AVD-AWS-0120] aws: State machine policies should avoid use of wildcards and instead apply the principle of least privilege
[AVD-AWS-0095] aws: Unencrypted SNS topic.
[AVD-AWS-0136] aws: SNS topic not encrypted with CMK.
[AVD-AWS-0096] aws: Unencrypted SQS queue.
[AVD-AWS-0097] aws: AWS SQS policy document has wildcard action statement.
[AVD-AWS-0135] aws: SQS queue should be encrypted with a CMK.
[AVD-AWS-0134] aws: Secrets should not be exfiltrated using Terraform HTTP data blocks
[AVD-AWS-0098] aws: Secrets Manager should use customer managed keys
[AVD-AWS-0099] aws: Missing description for security group.
[AVD-AWS-0124] aws: Missing description for security group rule.
[AVD-AWS-0101] aws: AWS best practice to not use the default VPC for workflows
[AVD-AWS-0102] aws: An ingress Network ACL rule allows ALL ports.
[AVD-AWS-0104] aws: An egress security group rule allows traffic to /0.
[AVD-AWS-0105] aws: An ingress Network ACL rule allows specific ports from /0.
[AVD-AWS-0107] aws: An ingress security group rule allows traffic from /0.
[AVD-AWS-0109] aws: Root and user volumes on Workspaces should be encrypted
[AVD-AZU-0002] azure: Web App has registration with AD enabled
[AVD-AZU-0003] azure: App Service authentication is activated
[AVD-AZU-0005] azure: Web App uses the latest HTTP version
[AVD-AZU-0004] azure: Ensure the Function App can only be accessed via HTTPS. The default is false.
[AVD-AZU-0001] azure: Web App accepts incoming client certificate
[AVD-AZU-0006] azure: Web App uses latest TLS version
[AVD-AZU-0030] azure: Roles limited to the required actions
[AVD-AZU-0039] azure: Password authentication should be disabled on Azure virtual machines
[AVD-AZU-0038] azure: Enable disk encryption on managed disk
[AVD-AZU-0037] azure: Ensure that no sensitive credentials are exposed in VM custom_data
[AVD-AZU-0043] azure: Ensure AKS cluster has Network Policy configured
[AVD-AZU-0041] azure: Ensure AKS has an API Server Authorized IP Ranges enabled
[AVD-AZU-0040] azure: Ensure AKS logging to Azure Monitoring is Configured
[AVD-AZU-0042] azure: Ensure RBAC is enabled on AKS clusters
[AVD-AZU-0028] azure: No threat detections are set
[AVD-AZU-0027] azure: Auditing should be enabled on Azure SQL Databases
[AVD-AZU-0020] azure: SSL should be enforced on database connections where applicable
[AVD-AZU-0022] azure: Ensure databases are not publicly accessible
[AVD-AZU-0029] azure: Ensure database firewalls do not permit public access
[AVD-AZU-0021] azure: Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
[AVD-AZU-0024] azure: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
[AVD-AZU-0019] azure: Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
[AVD-AZU-0025] azure: Database auditing rentention period should be longer than 90 days
[AVD-AZU-0026] azure: Databases should have the minimum TLS set for connections
[AVD-AZU-0018] azure: At least one email address is set for threat alerts
[AVD-AZU-0023] azure: Security threat alerts go to subcription owners and co-administrators
[AVD-AZU-0035] azure: Data Factory should have public access disabled, the default is enabled.
[AVD-AZU-0036] azure: Unencrypted data lake storage.
[AVD-AZU-0015] azure: Key vault Secret should have a content type set
[AVD-AZU-0014] azure: Ensure that the expiration date is set on all keys
[AVD-AZU-0017] azure: Key Vault Secret should have an expiration date set
[AVD-AZU-0016] azure: Key vault should have purge protection enabled
[AVD-AZU-0013] azure: Key vault should have the network acl block specified
[AVD-AZU-0031] azure: Ensure the activity retention log is set to at least a year
[AVD-AZU-0033] azure: Ensure log profile captures all activities
[AVD-AZU-0032] azure: Ensure activitys are captured for all locations
[AVD-AZU-0048] azure: RDP access should not be accessible from the Internet, should be blocked on port 3389
[AVD-AZU-0051] azure: An outbound network security rule allows traffic to /0.
[AVD-AZU-0047] azure: An inbound network security rule allows traffic from /0.
[AVD-AZU-0049] azure: Retention policy for flow logs should be enabled and set to greater than 90 days
[AVD-AZU-0050] azure: SSH access should not be accessible from the Internet, should be blocked on port 22
[AVD-AZU-0044] azure: Send notification emails for high severity alerts
[AVD-AZU-0045] azure: Enable the standard security center subscription tier
[AVD-AZU-0046] azure: The required contact details should be set for security center
[AVD-AZU-0010] azure: Trusted Microsoft Services should have bypass access to Storage accounts
[AVD-AZU-0012] azure: The default action on Storage account network rules should be set to deny
[AVD-AZU-0008] azure: Storage accounts should be configured to only accept transfers that are over secure connections
[AVD-AZU-0007] azure: Storage containers in blob storage mode should not have public access
[AVD-AZU-0009] azure: When using Queue Services for a storage account, logging should be enabled.
[AVD-AZU-0011] azure: The minimum TLS version for Storage Accounts should be TLS1_2
[AVD-AZU-0034] azure: Synapse Workspace should have managed virtual network enabled, the default is disabled.
[AVD-CLDSTK-0001] cloudstack: No sensitive data stored in user_data
[AVD-DIG-0008] digitalocean: Kubernetes clusters should be auto-upgraded to ensure that they always contain the latest security patches.
[AVD-DIG-0002] digitalocean: The load balancer forwarding rule is using an insecure protocol as an entrypoint
[AVD-DIG-0005] digitalocean: The Kubernetes cluster does not enable surge upgrades
[AVD-DIG-0003] digitalocean: The firewall has an outbound rule with open access
[AVD-DIG-0001] digitalocean: The firewall has an inbound rule with open access
[AVD-DIG-0004] digitalocean: SSH Keys are the preferred way to connect to your droplet, no keys are supplied
[AVD-DIG-0006] digitalocean: Spaces bucket or bucket object has public read acl set
[AVD-DIG-0009] digitalocean: Force destroy is enabled on Spaces bucket which is dangerous
[AVD-DIG-0007] digitalocean: Spaces buckets should have versioning enabled
[AVD-GIT-0002] github: Ensure plaintext value is not used for GitHub Action Environment Secret.
[AVD-GIT-0003] github: GitHub repository has vulnerability alerts disabled.
[AVD-GIT-0001] github: Github repository shouldn't be public.
[AVD-GCP-0046] google: BigQuery datasets should only be accessible within the organisation
[AVD-GCP-0034] google: Disks should be encrypted with customer managed encryption keys
[AVD-GCP-0037] google: The encryption key used to encrypt a compute disk has been specified in plaintext.
[AVD-GCP-0045] google: Instances should have Shielded VM integrity monitoring enabled
[AVD-GCP-0041] google: Instances should have Shielded VM VTPM enabled
[AVD-GCP-0029] google: VPC flow logs should be enabled for all subnetworks
[AVD-GCP-0044] google: Instances should not use the default service account
[AVD-GCP-0043] google: Instances should not have IP forwarding enabled
[AVD-GCP-0036] google: Instances should not override the project setting for OS Login
[AVD-GCP-0030] google: Disable project-wide SSH keys for all instances
[AVD-GCP-0035] google: An outbound firewall rule allows traffic to /0.
[AVD-GCP-0027] google: An inbound firewall rule allows traffic from /0.
[AVD-GCP-0031] google: Instances should not have public IP addresses
[AVD-GCP-0032] google: Disable serial port connectivity for all instances
[AVD-GCP-0042] google: OS Login should be enabled at project level
[AVD-GCP-0039] google: SSL policies should enforce secure versions of TLS
[AVD-GCP-0033] google: VM disks should be encrypted with Customer Supplied Encryption Keys
[AVD-GCP-0013] google: Cloud DNS should use DNSSEC
[AVD-GCP-0012] google: Zone signing should not use RSA SHA1
[AVD-GCP-0063] google: Kubernetes should have 'Automatic repair' enabled
[AVD-GCP-0058] google: Kubernetes should have 'Automatic upgrade' enabled
[AVD-GCP-0049] google: Clusters should have IP aliasing enabled
[AVD-GCP-0061] google: Master authorized networks should be configured on GKE clusters
[AVD-GCP-0056] google: Network Policy should be enabled on GKE clusters
[AVD-GCP-0059] google: Clusters should be set to private
[AVD-GCP-0060] google: Stackdriver Logging should be enabled
[AVD-GCP-0052] google: Stackdriver Monitoring should be enabled
[AVD-GCP-0047] google: Pod security policy enforcement not defined.
[AVD-GCP-0048] google: Legacy metadata endpoints enabled.
[AVD-GCP-0064] google: Legacy client authentication methods utilized.
[AVD-GCP-0053] google: GKE Control Plane should not be publicly accessible
[AVD-GCP-0057] google: Node metadata value disables metadata concealment.
[AVD-GCP-0054] google: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
[AVD-GCP-0055] google: Shielded GKE nodes not enabled.
[AVD-GCP-0051] google: Clusters should be configured with Labels
[AVD-GCP-0062] google: Legacy ABAC permissions are enabled.
[AVD-GCP-0050] google: Checks for service account defined for GKE nodes
[AVD-GCP-0010] google: Default network should not be created at project level
[AVD-GCP-0004] google: Roles should not be assigned to default service accounts
[AVD-GCP-0005] google: Users should not be granted service account access at the folder level
[AVD-GCP-0008] google: Roles should not be assigned to default service accounts
[AVD-GCP-0009] google: Users should not be granted service account access at the organization level
[AVD-GCP-0007] google: Service accounts should not have roles assigned with excessive privileges
[AVD-GCP-0006] google: Roles should not be assigned to default service accounts
[AVD-GCP-0011] google: Users should not be granted service account access at the project level
[AVD-GCP-0003] google: IAM granted directly to user.
[AVD-GCP-0065] google: KMS keys should be rotated at least every 90 days
[AVD-GCP-0024] google: Enable automated backups to recover from data-loss
[AVD-GCP-0014] google: Temporary file logging should be enabled for all temporary files.
[AVD-GCP-0015] google: SSL connections to a SQL database instance should be enforced.
[AVD-GCP-0026] google: Disable local_infile setting in MySQL
[AVD-GCP-0023] google: Contained database authentication should be disabled
[AVD-GCP-0019] google: Cross-database ownership chaining should be disabled
[AVD-GCP-0017] google: Ensure that Cloud SQL Database Instances are not publicly exposed
[AVD-GCP-0025] google: Ensure that logging of checkpoints is enabled.
[AVD-GCP-0016] google: Ensure that logging of connections is enabled.
[AVD-GCP-0022] google: Ensure that logging of disconnections is enabled.
[AVD-GCP-0018] google: Ensure that Postgres errors are logged
[AVD-GCP-0020] google: Ensure that logging of lock waits is enabled.
[AVD-GCP-0021] google: Ensure that logging of long statements is disabled.
[AVD-GCP-0002] google: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
[AVD-GCP-0001] google: Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
[AVD-KUBE-0002] kubernetes: Public egress should not be allowed via network policies
[AVD-KUBE-0001] kubernetes: Public ingress should not be allowed via network policies
[AVD-OPNSTK-0001] openstack: No plaintext password for compute instance
[AVD-OPNSTK-0002] openstack: A firewall rule allows traffic from/to the public internet
[AVD-OPNSTK-0005] openstack: Missing description for security group.
[AVD-OPNSTK-0004] openstack: A security group rule allows egress traffic to multiple public addresses
[AVD-OPNSTK-0003] openstack: A security group rule allows ingress traffic from multiple public addresses
[AVD-OCI-0001] oracle: Compute instance requests an IP reservation from a public pool

[rvillane]

thanks a lot, that was exactly what I was looking for. Below is a modified version of the code that customizes the output for my specific needs in case it helps someone else.

package main

import (
	"fmt"

	_ "github.com/aquasecurity/defsec/pkg/rego"
	"github.com/aquasecurity/defsec/pkg/rules"
)

func main() {

	for _, rule := range rules.GetRegistered() {
		r := rule.Rule()
		if r.Provider == "kubernetes" {
			fmt.Printf("[%s] %s %s - %s: %s\n", r.AVDID,r.LegacyID, r.Severity, r.RegoPackage , r.Summary)			
		}
	}
}