SUMMARY.md

Table of contents

• Introduction to OpenRewrite

Getting Started

• Quickstart: Maven and Gradle
• Recipe Development Environment

Tutorials & Guides

• Common Static Analysis Issue Remediation
• Automatically Fix Checkstyle Violations
• Migrate to Java 11 from Java 8
• Migrate to JUnit 5 from JUnit 4
• Migrate to Spring Boot 2 from Spring Boot 1
• Migrate to Quarkus 2 from Quarkus 1
• Migrate to Micronaut 3 from Micronaut 2
• Migrate to SLF4J from Log4j
• Use SLF4J Parameterized Logging
• Writing a Java Refactoring Recipe
• Modifying Methods with JavaTemplate
• Refactoring with Declarative YAML Recipes
• Automating Maven Dependency Management
• Running Rewrite without build tool plugins
• Writing recipes over multiple source file types

Reference

• Latest versions of every OpenRewrite module
• Maven Plugin Configuration
• Gradle Plugin Configuration
• JsonPath and JsonPathMatcher Reference
• Declarative YAML Format
• Method Patterns
• Dependency Version Selectors
• Recipes
  • Gradle
    • Change Gradle dependency artifactId
    • Change Gradle dependency groupId
    • Change a Gradle dependency version
    • Remove repository
    • Update a Gradle plugin by id
    • Use Map notation for Gradle dependency declarations
    • Search
      • Find Gradle dependencies blocks
      • Find Gradle dependency
      • Find Gradle plugin
  • Hcl
    • Format
      • Format HCL code
      • Normalize format
      • Remove trailing whitespace
      • Spaces
      • Tabs and indents
  • Java
    • Add ASLv2 license header
    • Add license header
    • Add or update annotation attribute
    • Change method access level
    • Change method name
    • Change method target to static
    • Change method target to variable
    • Change static field access to static method access
    • Change type
    • Delete method argument
    • Generating an asciidoc report
    • Order imports
    • Remove annotation
    • Remove interface implementations
    • Remove static import
    • Remove unused imports
    • Rename package name
    • Reorder method arguments
    • Replace constant with literal value
    • Simplify a call chain
    • Update source positions
    • Use static import
    • Cleanup
      • Add missing @Override to overriding and implementing methods
      • Add serialVersionUID to a Serializable class when missing
      • Atomic Boolean, Integer, and Long equality checks compare their values
      • BigDecimal rounding constants to RoundingMode enums
      • Boolean checks should not be inverted
      • CaseInsensitive comparisons do not alter case
      • Catch clause should do more than just rethrow
      • Change StringBuilder and StringBuffer character constructor arg to String
      • Code cleanup
      • Common static analysis issues
      • Control flow statement indentation
      • Covariant equals
      • Default comes last
      • Equals avoids null
      • Explicit initialization
      • Externalizable classes have no-arguments constructor
      • Fall through
      • Fields in a Serializable class should either be transient or serializable
      • Finalize classes with private constructors
      • Finalize local variables
      • Fix missing braces
      • Hidden field
      • Hide utility class constructor
      • Jump statements should not be redundant
      • Method name casing
      • Method parameter padding
      • Modifier order
      • Multiple variable declarations
      • Nested enums are not static
      • No C-style array declarations
      • No double brace initialization
      • No primitive wrappers for #toString() or #compareTo(..)
      • No whitespace after
      • No whitespace before
      • Operator wrapping
      • Pad empty for loop components
      • Prefer while over for loops
      • Redundant file creation
      • Reformat local variable names to camelCase
      • Remove Nullable and CheckForNull annotations from primitives
      • Remove empty blocks
      • Remove extra semicolons
      • Remove finalize() method
      • Remove unnecessary parentheses
      • Remove unused local variables
      • Remove unused private methods
      • Rename methods named hashcode, equal, or tostring.
      • Replace duplicate String literals
      • Simplify boolean expression
      • Simplify boolean return
      • Simplify lambda blocks to expressions
      • Static methods not final
      • Typecast parenthesis padding
      • Unnecessary String#toString()
      • Unnecessary String#valueOf(..)
      • Unnecessary close in try-with-resources
      • Unnecessary explicit type arguments
      • Unnecessary throws
      • Use Collection interfaces
      • Use Collections#emptyList(), emptyMap(), and emptySet()
      • Use Collections#isEmpty() instead of comparing size()
      • Use String.equals() on String literals
      • Use comparison rather than equality checks in for conditions
      • Use diamond operator
      • Use explicit types on lambda arguments
      • Use indexOf(String, int)
      • Use lambdas where possible
      • Use primitive wrapper valueOf method
      • Write octal values as decimal
      • finalize() calls super
      • for loop counters incremented in update
      • for loop counters should use postfix operators
      • indexOf should not compare greater than zero
      • indexOf() replaceable by contains()
      • switch statements should have at least 3 case clauses
    • Format
      • Blank lines
      • End files with a single newline
      • Format Java code
      • Normalize format
      • Normalize the line breaks
      • Normalize to tabs or spaces
      • Remove trailing whitespace
      • Single line comments begin with a whitespace
      • Spaces
      • Tabs and indents
      • Wrapping and braces
    • JHipster
      • Fix CWE-338 with SecureRandom
    • Logging
      • Parameterize logging statements
      • Use logger instead of printStackTrace()
      • Use logger instead of system print statements
      • Use logger instead of system print statements
      • Use logger instead of system print statements
      • Log4j
        • Migrate Log4j 1.x to Log4j 2.x
        • Parameterize Log4j 2.x logging statements
        • Prepend a random name to each Log4J statement
      • Logback
        • Migrate Log4j 2.x Appender to logback-classic equivalents
        • Migrate Log4j 2.x Layout to logback-classic equivalents
        • Migrate Log4j 2.x to Logback
      • SLF4J
        • Convert Logger#error|warn(Throwable#message) to Logger#error|warn(, e)
        • Migrate Log4j 1.x to SLF4J 1.x
        • Migrate Log4j 2.x to SLF4J 1.x
        • Migrate Log4j to SLF4J
        • Parameterize SLF4J logging statements
        • SLF4J logging statements should begin with constants.
    • Micronaut
      • Add @Introspected to classes requiring a map representation
      • Change factory method return types to reflect their resolved return type
      • Convert OncePerRequestServerFilter extensions to HttpServerFilter
      • Copy non-inherited annotations from super class
      • De-capitalize BeanIntrospection getProperty(..) and getRequiredProperty(..) name arguments
      • Fix deprecated no-arg ExceptionHandler constructors
      • Migrate from Micronaut 2.x to 3.x
      • Provider implementation beans to Micronaut @Factory
      • Upgrade gradle.properties Micronaut version
      • Upgrade micronaut.version Maven property
    • Modernize
      • Add JDeprScan Maven Plug-in
      • Add Maven Jar Plugin to suppress Illegal Reflection Warnings
      • Migrate Java 8 to Java 11
      • Migrate deprecated javax packages to jakarta
      • Migrate deprecated javax.activation packages to jakarta.activation
      • Migrate deprecated javax.annotation packages to jakarta.annotation
      • Migrate deprecated javax.annotation packages to jakarta.annotation
      • Migrate deprecated javax.annotation packages to jakarta.annotation
      • Migrate deprecated javax.annotation.security packages to jakarta.annotation.security
      • Migrate deprecated javax.annotation.sql packages to jakarta.annotation.sql
      • Migrate deprecated javax.batch packages to jakarta.batch
      • Migrate deprecated javax.inject packages to jakarta.inject
      • Migrate deprecated javax.transaction packages to jakarta.transaction
      • Migrate deprecated javax.validation packages to jakarta.validation
      • Migrate deprecated javax.xml.bind packages to jakarta.xml.bind
      • Migrate deprecated javax.xml.ws packages to jakarta.xml.ws
      • Apache
        • Commons
          • Codec
            • Migrate apache.commons.codec.binary.Base64 to java.util.Base64
          • Io
            • Relocate org.apache.commons:commons-io to commons-io:commons-io
            • Use System.lineSeparator()
            • Use java.nio.charset.StandardCharsets
            • Use java.nio.file.Files
      • Guava
        • Construct a set from a new ConcurrentHashMap<>() instead of Guava
        • Prefer Char#compare
        • Prefer Integer#compare
        • Prefer Integer#compareUnsigned
        • Prefer Integer#divideUnsigned
        • Prefer Integer#parseUnsignedInt
        • Prefer Integer#remainderUnsigned
        • Prefer Long#compare
        • Prefer Long#compareUnsigned
        • Prefer Long#divideUnsigned
        • Prefer Long#parseUnsignedInt
        • Prefer Long#remainderUnsigned
        • Prefer Math#addExact
        • Prefer Math#multiplyExact
        • Prefer Math#subtractExact
        • Prefer Short#compare
        • Prefer java.util.Collections#synchronizedNavigableMap
        • Prefer java.util.Collections#unmodifiableNavigableMap
        • Prefer java.util.Objects#equals
        • Prefer java.util.Objects#hash
        • Prefer java.util.function.Function
        • Prefer java.util.function.Predicate
        • Prefer java.util.function.Supplier
        • Use Files#createTempDirectory() instead of Guava
        • Use Java SDK instead of MoreExecutors#directExecutor()
        • Use Java standard library instead of Guava
        • Use List.of(..) in Java 9 or higher
        • Use Map.of(..) in Java 9 or higher
        • Use Set.of(..) in Java 9 or higher
        • Use new ArrayList<>() instead of Guava
        • Use new AtomicReference<>() instead of Guava
        • Use new CopyOnWriteArrayList<>() instead of Guava
        • Use new HashSet<>() instead of Guava
        • Use new LinkedHashMap<>() instead of Guava
        • Use new LinkedHashSet<>() instead of Guava
        • Use new LinkedList<>() instead of Guava
      • Metrics
        • Micrometer
      • java.lang APIs
        • Migrate deprecated java.lang APIs
        • Use Character#isJavaIdentifierPart(char)
        • Use Character#isJavaIdentifierStart(char)
        • Use Character#isWhitespace(char)
        • Use Class#getDeclaredConstructor().newInstance()
        • Use ClassLoader#defineClass(String, byte[], int, int)
        • Use Map.of(..) where possible
        • Use Runtime.Version#feature()
        • Use Runtime.Version#interim()
        • Use Runtime.Version#update()
        • Use SecurityManager#checkMulticast(InetAddress)
      • java.net APIs
        • Migrate deprecated java.net APIs
        • Use java.net.HttpURLConnection.HTTP_INTERNAL_ERROR
        • Use java.net.MulticastSocket#getTimeToLive()
        • Use java.net.MulticastSocket#setTimeToLive(int)
        • Use java.net.URLDecoder#decode(String, StandardCharsets.UTF_8)
        • Use java.net.URLEncoder#encode(String, StandardCharsets.UTF_8)
      • java.sql APIs
        • Migrate deprecated java.sql APIs
        • Use DriverManager#setLogWriter(java.io.PrintWriter)
      • java.util.concurrent APIs
        • Migrate deprecated java.util.concurrent APIs
        • Use AtomicBoolean#weakCompareAndSetPlain(boolean, boolean)
        • Use AtomicInteger#weakCompareAndSetPlain(int, int)
        • Use AtomicIntegerArray#weakCompareAndSetPlain(int, int, int)
        • Use AtomicLong#weakCompareAndSetPlain(long, long)
        • Use AtomicLongArray#weakCompareAndSetPlain(int, long, long)
        • Use AtomicReference#weakCompareAndSetPlain(T, T)
        • Use AtomicReferenceArray#weakCompareAndSetPlain(int, T, T)
      • java.util.logging APIs
        • Migrate deprecated java.util.logging APIs
        • Use LogRecord#setInstant(Instant)
        • Use Logger#getGlobal()
        • Use Logger#logrb(.., ResourceBundle bundleName, ..)
        • Use ManagementFactory#getPlatformMXBean(PlatformLoggingMXBean.class)
        • Use PlatformLoggingMXBean
      • javax APIs
        • Add JAX-WS run-time dependency to a Maven project
        • Add JAXB run-time dependency to a Maven project
        • Add explicit Inject dependencies
        • Add explicit JAX-WS dependencies
        • Add explicit JAXB dependencies
        • Migrate deprecated javax.lang.model.util APIs in openjdk.
        • Migrate deprecated javax.management.monitor APIs
        • Migrate deprecated javax.xml.stream APIs
        • Replace javax.xml.bind:jaxb-api with jakarta.xml.bind:jakarta.xml.bind-api
        • Replace javax.xml.ws:jaxws-api with jakarta.xml.ws:jakarta.xml.ws-api
        • Use AbstractAnnotationValueVisitor9
        • Use AbstractElementVisitor9
        • Use AbstractTypeVisitor9
        • Use CounterMonitor#setInitThreshold(java.lang.Number)
        • Use ElementKindVisitor9
        • Use ElementScanner9
        • Use SimpleAnnotationValueVisitor9
        • Use SimpleElementVisitor9
        • Use SimpleTypeVisitor9
        • Use TypeKindVisitor9
        • Use javax.xml.stream.XMLEventFactory#newFactory(String, ClassLoader)
        • Use javax.xml.stream.XMLInputFactory#newFactory(String, ClassLoader)
        • Use javax.xml.stream.XMLOutputFactory#newFactory(String, ClassLoader)
    • Quarkus
      • Configure quarkus-maven-plugin with reasonable defaults
      • Quarkus 1.13 migration from Quarkus 1.11
      • Use @ConfigMapping
      • Use Mutiny multi.toHotStream()
      • Use native profile in quarkus-maven-plugin
      • Quarkus 2.x
        • Quarkus 2.x migration from Quarkus 1.x
        • Remove avro-maven-plugin
        • Use @GrpcClient
        • Use @Identifier("default-kafka-broker")
        • Use PanacheEntityBase static methods
        • Use Uni
        • Use Uni
    • Search
      • Find annotations
      • Find empty classes
      • Find fields
      • Find fields of type
      • Find method usages
      • Find missing type information on Java ASTs
      • Find plain text secrets
      • Find text
      • Find types
      • Find uses of deprecated classes
      • Find uses of deprecated classes
      • Find uses of deprecated fields
      • Find uses of deprecated methods
      • Result of method call ignored
    • Security
      • Find text-direction changes
      • Java security best practices
      • Secure random
      • SecureRandom seeds are not constant or predictable
      • Use Files#createTempDirectory
      • Use secure temporary file creation
      • XML parser XXE vulnerability
      • Marshalling
        • Secure the use of Jackson default typing
        • Secure the use of SnakeYAML's constructor
      • Search
        • Find Jackson default type mapping enablement
        • Find vulnerable uses of Jackson @JsonTypeInfo
      • Spring
        • Enable CSRF attack prevention
        • Prevent clickjacking
    • Spring
      • Expand Spring YAML properties
      • Normalize Spring YAML properties to kebab-case
      • Remove @RequestMapping annotations
      • Remove implicit web annotation names
      • Remove public from @Bean methods
      • Remove the @Autowired annotation on inferred constructor
      • Separate application YAML by profile
      • Update the API manifest
      • Spring Boot 2.x
        • Adds @DependsOnDatabaseInitialization to Spring Beans and Components depending on javax.sql.DataSour
        • JUnit Jupiter for Spring Boot 2.x projects
        • Merge Spring bootstrap.yml with application.yml
        • Migrate @OutputCaptureRule to @ExtendWith(OutputCaptureExtension.class)
        • Migrate RestTemplateBuilder
        • Migrate Spring Boot properties to 2.0
        • Migrate Spring Boot properties to 2.1
        • Migrate Spring Boot properties to 2.2
        • Migrate Spring Boot properties to 2.3
        • Migrate Spring Boot properties to 2.4
        • Migrate Spring Boot properties to 2.5
        • Migrate additional Spring Boot properties to 2.0
        • Migrate additional Spring Boot properties to 2.5
        • Migrate deprecated Spring-Boot EmbeddedDatabaseConnection.HSQL
        • Migrate flyway and liquibase credentials.
        • Migrate multi-condition @ConditionalOnBean annotations
        • Migrate to recommended constants in LogbackLoggingSystemProperties from deprecated values in Logging
        • Remove @SpringExtension
        • Remove obsolete Spring JUnit runners
        • Remove unnecessary Spring @RunWith
        • Replace EnvironmentTestUtils with TestPropertyValues
        • Spring Boot 2.x best practices
        • Spring Boot 2.x migration from Spring Boot 1.x
        • Upgrade to Spring Boot 2.0 from 1.x
        • Upgrade to Spring Boot 2.1
        • Upgrade to Spring Boot 2.2
        • Upgrade to Spring Boot 2.3
        • Upgrade to Spring Boot 2.4
        • Upgrade to Spring Boot 2.5
        • Use DiskSpaceHealthIndicator(File, DataSize)
        • Use EnableConfigurationProperties#VALIDATOR_BEAN_NAME
        • Use EntityManagerFactoryDependsOnPostProcessor
        • Use ErrorAttributes#getErrorAttributes(WebRequest, ErrorAttributeOptions)
        • Use ErrorController
        • Use ErrorProperties#IncludeStacktrace.ON_PARAM
        • Use HttpMessageConverters
        • Use MultipartConfigFactory with DataSize arguments
        • Use NotBlank
        • Use NotEmpty
        • Use PingHealthIndicator
        • Use RestClientBuilderCustomizer
        • Use RestTemplateBuilder#basicAuthentication
        • Use RestTemplateBuilder#setConnectTimeout(Duration) and RestTemplateBuilder#setReadTimeout(Duration)
        • Use SpringBootServletInitializer
        • Use WebTestClientBuilderCustomizer
        • Use isEagerFilterInit()
        • Use org.springframework.boot.web.server.LocalServerPort
        • Use setEagerFilterInit(boolean)
        • Use spring-boot.run.agents configuration key in spring-boot-maven-plugin
        • Search
          • Applications using logging shutdown hooks
          • Find projects affected by changes to the default error view message attribute
          • In Spring Boot 2.5 a DefaultConfigurationCustomizer can now be used in favour of defining one or mor
          • Integration Sceduler Pool Size
          • Spring Boot 2.5 upgrades plus any possible manual changes that need to be reviewed.
      • Spring Data
        • Upgrade to Spring Data 2.3
        • Upgrade to Spring Data 2.5
        • Use JpaRepository#deleteAllInBatch(Iterable entities)
        • Use JpaRepository#getById(ID id)
        • Use JpaSort.of(..)
        • Use QuerydslPredicateExecutor
      • Spring Framework
        • Convert InstantiationAwareBeanPostProcessorAdapter to SmartInstantiationAwareBeanPostProcessor
        • Migrate deprecated Spring-Web UTF8 MediaTypes
        • Upgrade to Spring Framework 5.1
        • Upgrade to Spring Framework 5.2
        • Upgrade to Spring Framework 5.3
        • Use Environment#acceptsProfiles(Profiles)
        • Use ObjectUtils#isEmpty(Object)
        • Use varargs equivalents for deprecated JdbcTemplate signatures
    • Testing
      • AssertJ
        • AssertJ best practices
        • JUnit AssertThrows to AssertJ exceptionType
        • JUnit assertArrayEquals To AssertJ
        • JUnit assertEquals to AssertJ
        • JUnit assertFalse to AssertJ
        • JUnit assertNotEquals to AssertJ
        • JUnit assertNotNull to AssertJ
        • JUnit assertNull to AssertJ
        • JUnit assertSame to AssertJ
        • JUnit assertTrue to AssertJ
        • JUnit fail to AssertJ
        • Migrate JUnit asserts to AssertJ
        • Statically import AssertJ's assertThat
      • Cleanup
        • Include an assertion in tests
        • Remove public visibility of JUnit5 tests
        • Testing best practices
      • Hamcrest
        • Add org.hamcrest:hamcrest if it is used.
      • JUnit Jupiter
        • Cleanup JUnit imports
        • JUnit 4 @RunWith to JUnit Jupiter @ExtendWith
        • JUnit 4 @RunWith(Parameterized.class) to JUnit Jupiter parameterized tests
        • JUnit 4 ExpectedException To JUnit Jupiter's assertThrows()
        • JUnit 4 MockitoJUnit to JUnit Jupiter MockitoExtension
        • JUnit Jupiter best practices
        • JUnit Jupiter migration from JUnit 4.x
        • JUnit TestName @Rule to JUnit Jupiter TestInfo
        • JUnit4 @Category to JUnit Jupiter @Tag
        • JUnit4 Assert To JUnit Jupiter Assertions
        • Migrate JUnit 4 @Test annotations to JUnit5
        • Migrate JUnit 4 TestCase to JUnit Jupiter
        • Migrate JUnit 4 lifecycle annotations to JUnit Jupiter
        • Migrate from JUnit4 @FixedMethodOrder to JUnit5 @TestMethodOrder
        • Pragmatists @RunWith(JUnitParamsRunner.class) to JUnit Jupiter Parameterized Tests
        • Remove JUnit 4 @RunWith annotations that do not require an @ExtendsWith replacement
        • Statically import JUnit Jupiter assertions
        • Use JUnit Jupiter @Disabled
        • Use JUnit Jupiter @TempDir
        • Use MatcherAssert#assertThat(..)
        • Use Mockito JUnit Jupiter extension
        • Use wiremock extension
        • okhttp3 3.x MockWebserver @Rule To 4.x MockWebServer
      • Mockito
        • Cleanup Mockito imports
        • Mockito 3.x migration from 1.x
        • Mockito 4.x migration from 3.x
        • Use static form of Mockito MockUtil
  • JSON
    • Change key
    • Change value
    • Delete key
    • Search
      • Find JSON object members
  • Maven
    • Add Maven dependency
    • Add Maven plugin
    • Add Maven plugin dependencies
    • Change Maven Parent Pom
    • Change Maven dependency groupId and artifactId
    • Change Maven dependency scope
    • Change Maven plugin configuration
    • Change Maven plugin dependencies
    • Change Maven plugin executions
    • Change Maven project property value
    • Exclude Maven dependency
    • Manage dependencies
    • Order POM elements
    • Remove Maven dependency
    • Remove Maven plugin
    • Remove Maven project property
    • Remove exclusion
    • Remove redundant explicit dependency versions
    • Set Maven project packaging
    • Upgrade Maven dependency version
    • Upgrade Maven parent project version
    • Upgrade Maven plugin version
    • Cleanup
      • Dependency management dependencies should have a version
    • Search
      • Find Maven dependency
      • Find Maven plugin
      • Find Maven project properties
      • Maven dependency insight
  • Properties
    • Add a new property
    • Change properties file property value
    • Change property key
    • Delete Property
    • Search
      • Find property
  • XML
    • Format XML
    • Search
      • Find XML tags
  • YAML
    • Change key
    • Change property key
    • Change value
    • Coalesce YAML properties
    • Copy YAML value
    • Delete key
    • Delete property
    • Merge YAML snippet
    • Cleanup
      • Remove unused YAML
    • Format
      • YAML indent
    • Search
      • Find YAML entries
      • Find YAML properties
  • CircleCI
    • Install an orb
    • Update CircleCI image
  • Concourse
    • Change Concourse value
    • Change resource version
    • Find resource
    • Update git resource source.uri references
    • Search
      • Find pinned resources by type
      • Find privileged resource_type definitions.
  • Github Actions
    • Add cron workflow trigger
    • Add manual workflow trigger
    • Cancel in-progress workflow when it is triggered again
    • Change dependabot schedule interval
    • Check for github-actions updates daily
    • Check for github-actions updates weekly
    • Setup Java dependency caching
    • Use actions/setup-java temurin distribution
  • Kubernetes
    • Add Kubernetes configuration
    • Ensure CPU limits are set
    • Ensure CPU request is set
    • Ensure image pull policy is Always
    • Ensure lifecycle rule on StorageBucket
    • Ensure liveness probe is configured
    • Ensure memory limits are set
    • Ensure memory request is set
    • Ensure readiness probe is configured
    • Kubernetes best practices
    • Limit root capabilities in a container
    • No host IPC sharing
    • No host network sharing
    • No host process ID sharing
    • No privilege escalation
    • No privileged containers
    • No root containers
    • Read-only root filesystem
    • Update image name
    • RBAC
      • Add RBAC rules
    • Resource
      • Cap exceeds resource value
      • Find exceeds resource limit
      • Find exceeds resource ratio
    • Search
      • Find annotation
      • Find annotation
      • Find disallowed image tags
      • Find image by name
      • Find label
      • Find missing configuration
      • Find missing image digest
      • Find non-TLS Ingresses
    • Services
      • Find uses of externalIP
      • Service type
      • Update Service externalIP
  • Terraform
    • Add Terraform configuration
    • Use a long enough byte length for random resources
    • AWS
      • Best practices for AWS
      • Disable Instance Metadata Service version 1
      • Enable API gateway caching
      • Enable point-in-time recovery for DynamoDB
      • Encrypt Aurora clusters
      • Encrypt CodeBuild projects
      • Encrypt DAX storage at rest
      • Encrypt DocumentDB storage
      • Encrypt EBS snapshots
      • Encrypt EBS volume launch configurations
      • Encrypt EBS volumes
      • Encrypt EFS Volumes in ECS Task Definitions in transit
      • Encrypt ElastiCache Redis at rest
      • Encrypt ElastiCache Redis in transit
      • Encrypt Neptune storage
      • Encrypt RDS clusters
      • Encrypt Redshift storage at rest
      • Ensure AWS CMK rotation is enabled
      • Ensure AWS EFS with encryption for data at rest is enabled
      • Ensure AWS EKS cluster endpoint access is publicly disabled
      • Ensure AWS Elasticsearch domain encryption for data at rest is enabled
      • Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
      • Ensure AWS Elasticsearch has node-to-node encryption enabled
      • Ensure AWS IAM password policy has a minimum of 14 characters
      • Ensure AWS Lambda function is configured for function-level concurrent execution limit
      • Ensure AWS Lambda functions have tracing enabled
      • Ensure AWS RDS database instance is not publicly accessible
      • Ensure AWS S3 object versioning is enabled
      • Ensure Amazon EKS control plane logging enabled for all log types
      • Ensure CloudTrail log file validation is enabled
      • Ensure EC2 is EBS optimized
      • Ensure ECR repositories are encrypted
      • Ensure IAM password policy expires passwords within 90 days or less
      • Ensure IAM password policy prevents password reuse
      • Ensure IAM password policy requires at least one lowercase letter
      • Ensure IAM password policy requires at least one number
      • Ensure IAM password policy requires at least one symbol
      • Ensure IAM password policy requires at least one uppercase letter
      • Ensure Kinesis Stream is securely encrypted
      • Ensure RDS database has IAM authentication enabled
      • Ensure RDS instances have Multi-AZ enabled
      • Ensure VPC subnets do not assign public IP by default
      • Ensure data stored in an S3 bucket is securely encrypted at rest
      • Ensure detailed monitoring for EC2 instances is enabled
      • Ensure enhanced monitoring for Amazon RDS instances is enabled
      • Ensure respective logs of Amazon RDS are enabled
      • Ensure the S3 bucket has access logging enabled
      • Make ECR tags immutable
      • Scan images pushed to ECR
      • Use HTTPS for Cloudfront distribution
    • Azure
      • Best practices for Azure
      • Disable Kubernetes dashboard
      • Enable Azure Storage Account Trusted Microsoft Services access
      • Enable Azure Storage secure transfer required
      • Enable geo-redundant backups on PostgreSQL server
      • Encrypt Azure VM data disk with ADE/CMK
      • Ensure AKS policies add-on
      • Ensure AKV secrets have an expiration date set
      • Ensure Azure App Service Web app redirects HTTP to HTTPS
      • Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
      • Ensure Azure PostgreSQL database server with SSL connection is enabled
      • Ensure Azure SQL Server threat detection alerts are enabled for all threat types
      • Ensure Azure SQL server audit log retention is greater than 90 days
      • Ensure Azure SQL server send alerts to field value is set
      • Ensure Azure application gateway has WAF enabled
      • Ensure Azure key vault is recoverable
      • Ensure FTP Deployments are disabled
      • Ensure MSSQL servers have email service and co-administrators enabled
      • Ensure MySQL is using the latest version of TLS encryption
      • Ensure MySQL server databases have Enforce SSL connection enabled
      • Ensure MySQL server disables public network access
      • Ensure MySQL server enables Threat Detection policy
      • Ensure MySQL server enables geo-redundant backups
      • Ensure PostgreSQL server disables public network access
      • Ensure PostgreSQL server enables Threat Detection policy
      • Ensure PostgreSQL server enables infrastructure encryption
      • Ensure Send email notification for high severity alerts is enabled
      • Ensure Send email notification for high severity alerts to admins is enabled
      • Ensure Web App has incoming client certificates enabled
      • Ensure Web App uses the latest version of HTTP
      • Ensure Web App uses the latest version of TLS encryption
      • Ensure a security contact phone number is present
      • Ensure activity log retention is set to 365 days or greater
      • Ensure all keys have an expiration date
      • Ensure app service enables HTTP logging
      • Ensure app service enables detailed error messages
      • Ensure app service enables failed request tracing
      • Ensure app services use Azure files
      • Ensure key vault allows firewall rules settings
      • Ensure key vault enables purge protection
      • Ensure key vault key is backed by HSM
      • Ensure key vault secrets have content_type set
      • Ensure log profile is configured to capture all activities
      • Ensure managed identity provider is enabled for app services
      • Ensure public network access enabled is set to False for mySQL servers
      • Ensure standard pricing tier is selected
      • Ensure storage account uses latest TLS version
      • Ensure the storage container storing activity logs is not publicly accessible
      • Set Azure Storage Account default network access to deny
    • GCP
      • Best practices for GCP
      • Enable PodSecurityPolicy controller on Google Kubernetes Engine (GKE) clusters
      • Enable VPC Flow Logs for subnetworks
      • Enable VPC flow logs and intranode visibility
      • Ensure GCP Kubernetes cluster node auto-repair configuration is enabled
      • Ensure GCP Kubernetes engine clusters have legacy compute engine metadata endpoints disabled
      • Ensure GCP VM instances have block project-wide SSH keys feature enabled
      • Ensure GCP cloud storage bucket with uniform bucket-level access are enabled
      • Ensure IP forwarding on instances is disabled
      • Ensure binary authorization is used
      • Ensure compute instances launch with shielded VM enabled
      • Ensure private cluster is enabled when creating Kubernetes clusters
      • Ensure secure boot for shielded GKE nodes is enabled
      • Ensure shielded GKE nodes are enabled
      • Ensure the GKE metadata server is enabled
    • Search
      • Find Terraform resource

Concepts & Explanations

• Abstract Syntax Trees
• Recipes
• Visitors
• Styles
• Environment
• Markers
• JavaTemplate
• Pointcut Expressions

Design Partners

• Design Partner 1