rename to CMK

some rules use the term "unencrypted" but are actually encrypted with AWS provided keys and are therefore actually encrypted. This change renames several rules to be consistent with "encrypted-with-cmk" terminology.
semgrep · Aug 9, 2023 · 9d0f1f5 · 9d0f1f5
1 parent 4c49b7a
commit 9d0f1f5
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,5 @@ __pycache__/
 .DS_Store
 .vscode/
 .venv
+.idea/
+*.iml
diff --git a/...y/aws-cloudwatch-log-group-unencrypted.tf → ...loudwatch-log-group-encrypted-with-cmk.tf b/...y/aws-cloudwatch-log-group-unencrypted.tf → ...loudwatch-log-group-encrypted-with-cmk.tf
@@ -2,7 +2,7 @@ resource "aws_cloudwatch_log_group" "pass" {
   retention_in_days = 1
   kms_key_id        = "someKey"
 }
-# ruleid: aws-cloudwatch-log-group-unencrypted
+# ruleid: aws-cloudwatch-log-group-encrypted-with-cmk
 resource "aws_cloudwatch_log_group" "fail" {
   retention_in_days = 1
 }
diff --git a/...aws-cloudwatch-log-group-unencrypted.yaml → ...udwatch-log-group-encrypted-with-cmk.yaml b/...aws-cloudwatch-log-group-unencrypted.yaml → ...udwatch-log-group-encrypted-with-cmk.yaml
@@ -1,5 +1,5 @@
 rules:
-- id: aws-cloudwatch-log-group-unencrypted
+- id: aws-cloudwatch-log-group-encrypted-with-cmk
   patterns:
   - pattern: |
       resource "aws_cloudwatch_log_group" $ANYTHING {

diff --git a/...ity/aws-lambda-environment-unencrypted.tf → ...-lambda-environment-encrypted-with-cmk.tf b/...ity/aws-lambda-environment-unencrypted.tf → ...-lambda-environment-encrypted-with-cmk.tf
@@ -10,7 +10,7 @@ resource "aws_lambda_function" "fail" {
       mode = "PassThrough"
    }
 
-   # ruleid: aws-lambda-environment-unencrypted
+   # ruleid: aws-lambda-environment-encrypted-with-cmk
    environment {
       test="true"
    }
@@ -26,7 +26,7 @@ resource "aws_lambda_function" "failkmsnovars" {
    tracing_config {
        mode = "PassThrough"
     }
-   # ruleid: aws-lambda-environment-unencrypted
+   # ruleid: aws-lambda-environment-encrypted-with-cmk
    kms_key_arn = aws_kms_key.anyoldguff.arn
 }
 
@@ -70,6 +70,6 @@ resource "aws_lambda_function" "failasempty" {
    tracing_config {
        mode = "PassThrough"
     }
-   # ruleid: aws-lambda-environment-unencrypted
+   # ruleid: aws-lambda-environment-encrypted-with-cmk
    kms_key_arn = ""
 }
diff --git a/...y/aws-lambda-environment-unencrypted.yaml → ...ambda-environment-encrypted-with-cmk.yaml b/...y/aws-lambda-environment-unencrypted.yaml → ...ambda-environment-encrypted-with-cmk.yaml
@@ -1,5 +1,5 @@
 rules:
-- id: aws-lambda-environment-unencrypted
+- id: aws-lambda-environment-encrypted-with-cmk
   patterns:
   - pattern-inside: |
       resource "aws_lambda_function" $ANYTHING {

diff --git a/.../aws-secretsmanager-secret-unencrypted.tf → ...cretsmanager-secret-encrypted-with-cmk.tf b/.../aws-secretsmanager-secret-unencrypted.tf → ...cretsmanager-secret-encrypted-with-cmk.tf
@@ -13,7 +13,7 @@ resource "aws_secretsmanager_secret" "enabled2" {
 }
 
 # failure
-# ruleid: aws-secretsmanager-secret-unencrypted
+# ruleid: aws-secretsmanager-secret-with-cmk
 resource "aws_secretsmanager_secret" "default" {
   name = "secret"
 }

diff --git a/...ws-secretsmanager-secret-unencrypted.yaml → ...etsmanager-secret-encrypted-with-cmk.yaml b/...ws-secretsmanager-secret-unencrypted.yaml → ...etsmanager-secret-encrypted-with-cmk.yaml
@@ -1,5 +1,5 @@
 rules:
-- id: aws-secretsmanager-secret-unencrypted
+- id: aws-secretsmanager-secret-encrypted-with-cmk
   patterns:
   - pattern: |
       resource "aws_secretsmanager_secret" $ANYTHING {
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,3 +4,5 @@ __pycache__/ @@
     .DS_Store
     .vscode/
     .venv
+    .idea/
+    *.iml