feat: Add tests

Author: GeekMasher

ql/test/queries-tests/security/AKS/AKSInsecureNetworkPolicy.expected

@@ -0,0 +1,4 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster is configured with an insecure or missing network policy, which may allow unwanted pod-to-pod communication. |
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster is configured with an insecure or missing network policy, which may allow unwanted pod-to-pod communication. |
+| app.bicep:287:1:307:1 | ManagedContainerResource | AKS cluster is configured with an insecure or missing network policy, which may allow unwanted pod-to-pod communication. |
+| app.bicep:310:1:330:1 | ManagedContainerResource | AKS cluster is configured with an insecure or missing network policy, which may allow unwanted pod-to-pod communication. |

ql/test/queries-tests/security/AKS/AKSInsecureNetworkPolicy.qlref

@@ -0,0 +1 @@
+security/CWE-668/AKSInsecureNetworkPolicy.ql

ql/test/queries-tests/security/AKS/AKSLocalAccountsEnabled.expected

@@ -0,0 +1,18 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:6:1:22:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:25:1:41:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:46:1:66:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:69:1:86:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:89:1:106:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:111:1:130:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:133:1:150:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:153:1:170:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:199:1:216:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:219:1:236:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:241:1:261:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:264:1:284:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:287:1:307:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:310:1:330:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:349:1:366:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |
+| app.bicep:369:1:386:1 | ManagedContainerResource | AKS cluster has local accounts enabled, which can lead to weaker authentication controls compared to Azure AD-backed authentication. |

ql/test/queries-tests/security/AKS/AKSLocalAccountsEnabled.qlref

@@ -0,0 +1 @@
+security/CWE-306/AKSLocalAccountsEnabled.ql

ql/test/queries-tests/security/AKS/AKSNodeAutoScalingDisabled.expected

@@ -0,0 +1,17 @@
+| aks-security-examples.bicep:9:7:16:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:14:7:19:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:33:7:38:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:58:7:63:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:78:7:83:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:98:7:103:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:141:7:147:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:161:7:167:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:188:7:193:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:208:7:213:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:228:7:233:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:253:7:258:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:276:7:281:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:299:7:304:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:322:7:327:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:358:7:363:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |
+| app.bicep:378:7:383:7 | AgentPoolProfile | AKS agent pool 'agentpool' has auto-scaling disabled, which may lead to resource constraints during high load. |

ql/test/queries-tests/security/AKS/AKSNodeAutoScalingDisabled.qlref

@@ -0,0 +1 @@
+security/CWE-400/AKSNodeAutoScalingDisabled.ql

ql/test/queries-tests/security/AKS/AKSPrivateApiEnabled.expected

@@ -1 +1,2 @@
 | aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster API server is private (private cluster enabled). |
+| app.bicep:46:1:66:1 | ManagedContainerResource | AKS cluster API server is private (private cluster enabled). |

ql/test/queries-tests/security/AKS/AKSPublicNetworkAccess.expected

@@ -0,0 +1,17 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:6:1:22:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:25:1:41:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:69:1:86:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:89:1:106:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:111:1:130:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:133:1:150:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:153:1:170:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:175:1:196:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:199:1:216:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:219:1:236:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:241:1:261:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:264:1:284:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:287:1:307:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:310:1:330:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:349:1:366:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |
+| app.bicep:369:1:386:1 | ManagedContainerResource | AKS cluster has public network access enabled, which can expose the cluster to unauthorized access. |

ql/test/queries-tests/security/AKS/AKSPublicNetworkAccess.qlref

@@ -0,0 +1 @@
+security/CWE-284/AKSPublicNetworkAccess.ql

ql/test/queries-tests/security/AKS/AKSRbacDisabled.expected

@@ -0,0 +1 @@
+| app.bicep:25:1:41:1 | ManagedContainerResource | AKS cluster has RBAC disabled, which can lead to unauthorized access to the cluster. |

ql/test/queries-tests/security/AKS/AKSRbacDisabled.qlref

@@ -0,0 +1 @@
+security/CWE-284/AKSRbacDisabled.ql

ql/test/queries-tests/security/AKS/AKSWithoutDiskEncryption.expected

@@ -0,0 +1,19 @@
+| aks-security-examples.bicep:2:1:30:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| aks-security-examples.bicep:32:1:62:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:6:1:22:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:25:1:41:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:46:1:66:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:69:1:86:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:89:1:106:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:111:1:130:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:133:1:150:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:153:1:170:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:175:1:196:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:199:1:216:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:219:1:236:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:241:1:261:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:264:1:284:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:287:1:307:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:310:1:330:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:349:1:366:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |
+| app.bicep:369:1:386:1 | ManagedContainerResource | AKS cluster is configured without disk encryption, which can expose sensitive data at rest. |

ql/test/queries-tests/security/AKS/AKSWithoutDiskEncryption.qlref

@@ -0,0 +1 @@
+security/CWE-311/AKSWithoutDiskEncryption.ql