2025-11-28T06:49:50.7691414Z ##[group]Run github/codeql-action/upload-sarif@v3
2025-11-28T06:49:50.7691741Z with:
2025-11-28T06:49:50.7691928Z   sarif_file: checkov-results.sarif
2025-11-28T06:49:50.7692297Z   checkout_path: /home/runner/work/archie-platform-v3/archie-platform-v3
2025-11-28T06:49:50.7692770Z   token: ***
2025-11-28T06:49:50.7692956Z   matrix: null
2025-11-28T06:49:50.7693149Z   wait-for-processing: true
2025-11-28T06:49:50.7693356Z env:
2025-11-28T06:49:50.7815483Z   CHECKOV_RESULTS: 

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.494 
Update available 3.2.494 -> 3.2.495
Run pip3 install -U checkov to update 

terraform scan results:

Passed checks: 44, Failed checks: 28, Skipped checks: 0

Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	PASSED for resource: google_artifact_registry_repository.main
	File: /modules/artifact-registry/main.tf:34-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.cloudbuild_writer
	File: /modules/artifact-registry/main.tf:139-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.cloudrun_reader
	File: /modules/artifact-registry/main.tf:150-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.custom_readers
	File: /modules/artifact-registry/main.tf:161-169
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.custom_writers
	File: /modules/artifact-registry/main.tf:172-180
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4
Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6
Check: CKV_GCP_56: "Ensure PostgreSQL database 'log_temp_files' flag is set to '0'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-7
Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1
Check: CKV_GCP_14: "Ensure all Cloud SQL database instance have backup configuration enabled"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-2
Check: CKV_GCP_57: "Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-8
Check: CKV_GCP_42: "Ensure that Service Account has no Admin privileges"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-4
Check: CKV_GCP_117: "Ensure basic roles are not used at project level."
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-google-cloud-117
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10
Check: CKV_GCP_46: "Ensure Default Service account is not used at a project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-7
Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.cost_management.google_storage_bucket_iam_member.log_writer[0]
	File: /modules/cost-management/main.tf:218-224
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
	PASSED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
	File: /modules/cost-management/main.tf:371-386
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	PASSED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_storage_bucket_iam_member.error_logs_writer
	File: /modules/logging/main.tf:144-150
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_storage_bucket_iam_member.audit_logs_writer
	File: /modules/logging/main.tf:172-178
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_bigquery_dataset.logs[0]
	File: /modules/logging/main.tf:181-197
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
Check: CKV_GCP_97: "Ensure Memorystore for Redis uses intransit encryption"
	PASSED for resource: google_redis_instance.main
	File: /modules/redis/main.tf:4-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-uses-intransit-encryption
Check: CKV_GCP_95: "Ensure Memorystore for Redis has AUTH enabled"
	PASSED for resource: google_redis_instance.main
	File: /modules/redis/main.tf:4-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-is-auth-enabled
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.cost_management.google_logging_project_sink.storage_export[0]
	File: /modules/cost-management/main.tf:168-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.all_logs
	File: /modules/logging/main.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.bigquery
	File: /modules/logging/main.tf:199-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.bigquery[0]
	File: /modules/logging/main.tf:199-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: google_artifact_registry_repository.replicas
	File: /modules/artifact-registry/main.tf:91-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		91  | resource "google_artifact_registry_repository" "replicas" {
		92  |   for_each = toset(var.replication_regions)
		93  | 
		94  |   location      = each.value
		95  |   repository_id = var.repository_id
		96  |   project       = var.project_id
		97  |   description   = "${var.description} (Replica in ${each.value})"
		98  |   format        = "DOCKER"
		99  | 
		100 |   # Match primary repository configuration
		101 |   docker_config {
		102 |     immutable_tags = var.immutable_tags
		103 |   }
		104 | 
		105 |   cleanup_policies {
		106 |     id     = "keep-last-n-versions"
		107 |     action = "DELETE"
		108 | 
		109 |     condition {
		110 |       tag_state  = "ANY"
		111 |       older_than = var.retention_days > 0 ? "${var.retention_days}d" : null
		112 |     }
		113 | 
		114 |     most_recent_versions {
		115 |       keep_count = var.keep_image_count
		116 |     }
		117 |   }
		118 | 
		119 |   cleanup_policies {
		120 |     id     = "delete-old-untagged"
		121 |     action = "DELETE"
		122 | 
		123 |     condition {
		124 |       tag_state  = "UNTAGGED"
		125 |       older_than = "${var.untagged_retention_days}d"
		126 |     }
		127 |   }
		128 | 
		129 |   labels = merge(var.labels, {
		130 |     replica_of = var.location
		131 |   })
		132 | 
		133 |   depends_on = [
		134 |     google_project_service.artifact_registry
		135 |   ]
		136 | }

Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: google_artifact_registry_repository.remote
	File: /modules/artifact-registry/main.tf:290-315
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		290 | resource "google_artifact_registry_repository" "remote" {
		291 |   for_each = var.remote_repositories
		292 | 
		293 |   location      = var.location
		294 |   repository_id = "${var.repository_id}-${each.key}"
		295 |   project       = var.project_id
		296 |   description   = "Remote repository for ${each.key}"
		297 |   format        = "DOCKER"
		298 |   mode          = "REMOTE_REPOSITORY"
		299 | 
		300 |   remote_repository_config {
		301 |     description = "Mirror of ${each.value.upstream_url}"
		302 | 
		303 |     docker_repository {
		304 |       public_repository = each.value.upstream_url
		305 |     }
		306 |   }
		307 | 
		308 |   labels = merge(var.labels, {
		309 |     remote_source = each.key
		310 |   })
		311 | 
		312 |   depends_on = [
		313 |     google_project_service.artifact_registry
		314 |   ]
		315 | }

Check: CKV_GCP_51: "Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_111: "Ensure GCP PostgreSQL logs SQL statements"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-111

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_108: "Ensure hostnames are logged for GCP PostgreSQL databases"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-108

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_52: "Ensure PostgreSQL database 'log_connections' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-3

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_54: "Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-5

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_53: "Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-4

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
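The eight Cloud SQL findings above (CKV_GCP_51, 52, 53, 54, 108, 109, 110, 111 and CKV_GCP_79) all come from the same resource and all but one are missing `settings.database_flags` entries. The block below is an added example, not the project's `modules/cloudsql/main.tf`: it shows a `google_sql_database_instance` carrying every flag those checks look for, next to the settings that keep the already-passing checks (private IP, TLS-only, PITR backups) green. Variable names, the tier and the `POSTGRES_17` version string are assumptions; which major version CKV_GCP_79 accepts depends on the Checkov release, so confirm it against the scanner before pinning.

```hcl
# Added example (not the project's own module). Variables are assumed for illustration.
variable "project_id"        { type = string }
variable "region"            { type = string }
variable "instance_name"     { type = string }
variable "network_self_link" { type = string }   # VPC used for the private IP

resource "google_sql_database_instance" "main" {
  name                = var.instance_name
  project             = var.project_id
  region              = var.region
  database_version    = "POSTGRES_17"   # assumption: newest major at scan time (CKV_GCP_79)
  deletion_protection = true

  settings {
    tier = "db-custom-2-7680"           # assumption; any tier works for the checks

    ip_configuration {
      ipv4_enabled    = false           # keeps CKV_GCP_11 / CKV_GCP_60 passing
      private_network = var.network_self_link
      ssl_mode        = "ENCRYPTED_ONLY" # keeps CKV_GCP_6 passing (newer name for require_ssl)
    }

    backup_configuration {
      enabled                        = true
      point_in_time_recovery_enabled = true   # keeps CKV_GCP_14 / CKV2_GCP_20 passing
    }

    # Connection lifecycle: who connected, from where, and when they left.
    database_flags {
      name  = "log_connections"        # CKV_GCP_52
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"     # CKV_GCP_53
      value = "on"
    }
    database_flags {
      name  = "log_hostname"           # CKV_GCP_108; costs a reverse DNS lookup per connection
      value = "on"
    }

    # Server-side events useful for forensics and performance triage.
    database_flags {
      name  = "log_checkpoints"        # CKV_GCP_51
      value = "on"
    }
    database_flags {
      name  = "log_lock_waits"         # CKV_GCP_54
      value = "on"
    }

    # Statement logging. "ddl" records schema changes only; "mod" adds writes,
    # "all" adds reads and will log parameter values, so treat the log as sensitive.
    database_flags {
      name  = "log_statement"          # CKV_GCP_111
      value = "ddl"
    }
    database_flags {
      name  = "log_min_error_statement" # CKV_GCP_109: ERROR or stricter
      value = "error"
    }

    # pgAudit gives per-session audit records in the standard PostgreSQL log.
    # Enabling it restarts the instance; the extension must then be created in
    # each database (CREATE EXTENSION pgaudit;) before records appear.
    database_flags {
      name  = "cloudsql.enable_pgaudit" # CKV_GCP_110
      value = "on"
    }
    database_flags {
      name  = "pgaudit.log"
      value = "all"                    # tighten to e.g. "ddl,role,write" if volume matters
    }
  }
}
```

Two things the scanner will not tell you: the read replica on lines 92-120 has its own `settings` block, so the same flags have to be declared there or the replica's log stays silent; and `log_statement = "all"` together with `pgaudit.log = "all"` pushes every query, including literals, into Cloud Logging, which then becomes a store of application data that needs the same access controls as the database.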
Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_artifact_registry_repository.images[0]
	File: /modules/cost-management/main.tf:227-271
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		227 | resource "google_artifact_registry_repository" "images" {
		228 |   count = var.configure_artifact_registry ? 1 : 0
		229 | 
		230 |   location      = var.region
		231 |   repository_id = "${var.project_name}-${var.environment}-images"
		232 |   description   = "Container images with lifecycle policies"
		233 |   format        = "DOCKER"
		234 | 
		235 |   cleanup_policies {
		236 |     id     = "delete-old-untagged"
		237 |     action = "DELETE"
		238 | 
		239 |     condition {
		240 |       tag_state  = "UNTAGGED"
		241 |       older_than = "${var.artifact_untagged_retention_days}d"
		242 |     }
		243 |   }
		244 | 
		245 |   cleanup_policies {
		246 |     id     = "keep-minimum-versions"
		247 |     action = "KEEP"
		248 | 
		249 |     most_recent_versions {
		250 |       keep_count = var.artifact_minimum_versions
		251 |     }
		252 |   }
		253 | 
		254 |   cleanup_policies {
		255 |     id     = "delete-old-tagged"
		256 |     action = "DELETE"
		257 | 
		258 |     condition {
		259 |       tag_state    = "TAGGED"
		260 |       tag_prefixes = var.artifact_delete_tag_prefixes
		261 |       older_than   = "${var.artifact_tagged_retention_days}d"
		262 |     }
		263 |   }
		264 | 
		265 |   labels = merge(
		266 |     var.cost_labels,
		267 |     {
		268 |       purpose = "container-images"
		269 |     }
		270 |   )
		271 | }

Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_pubsub_topic.budget_alerts[0]
	File: /modules/cost-management/main.tf:75-86
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek

		75 | resource "google_pubsub_topic" "budget_alerts" {
		76 |   count = var.create_pubsub_topic ? 1 : 0
		77 | 
		78 |   name = "${var.project_name}-${var.environment}-budget-alerts"
		79 | 
		80 |   labels = merge(
		81 |     var.cost_labels,
		82 |     {
		83 |       purpose = "budget-alerts"
		84 |     }
		85 |   )
		86 | }

Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
	File: /modules/cost-management/main.tf:371-386
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1

		371 | resource "google_bigquery_dataset" "cost_export" {
		372 |   count = var.enable_bigquery_cost_export ? 1 : 0
		373 | 
		374 |   dataset_id                  = "${replace(var.project_name, "-", "_")}_${var.environment}_cost_data"
		375 |   friendly_name               = "${var.project_name} ${var.environment} Cost Data"
		376 |   description                 = "Cost and usage data for analysis"
		377 |   location                    = var.bigquery_location
		378 |   default_table_expiration_ms = var.bigquery_table_expiration_ms
		379 | 
		380 |   labels = merge(
		381 |     var.cost_labels,
		382 |     {
		383 |       purpose = "cost-analysis"
		384 |     }
		385 |   )
		386 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		49 | resource "google_storage_bucket" "audit_logs" {
		50 |   name          = "${var.project_id}-audit-logs"
		51 |   location      = var.region
		52 |   project       = var.project_id
		53 |   force_destroy = false
		54 | 
		55 |   uniform_bucket_level_access = true
		56 | 
		57 |   lifecycle_rule {
		58 |     condition {
		59 |       age = 400
		60 |     }
		61 |     action {
		62 |       type = "Delete"
		63 |     }
		64 |   }
		65 | 
		66 |   versioning {
		67 |     enabled = true
		68 |   }
		69 | 
		70 |   labels = merge(var.labels, {
		71 |     purpose   = "audit-logs"
		72 |     retention = "400-days"
		73 |   })
		74 | 
		75 |   depends_on = [google_project_service.logging]
		76 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		49 | resource "google_storage_bucket" "audit_logs" {
		50 |   name          = "${var.project_id}-audit-logs"
		51 |   location      = var.region
		52 |   project       = var.project_id
		53 |   force_destroy = false
		54 | 
		55 |   uniform_bucket_level_access = true
		56 | 
		57 |   lifecycle_rule {
		58 |     condition {
		59 |       age = 400
		60 |     }
		61 |     action {
		62 |       type = "Delete"
		63 |     }
		64 |   }
		65 | 
		66 |   versioning {
		67 |     enabled = true
		68 |   }
		69 | 
		70 |   labels = merge(var.labels, {
		71 |     purpose   = "audit-logs"
		72 |     retention = "400-days"
		73 |   })
		74 | 
		75 |   depends_on = [google_project_service.logging]
		76 | }

Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }
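The three Cloud Storage findings above (CKV_GCP_114 public access prevention, CKV_GCP_62 access logging, CKV_GCP_78 versioning) are reported against `log_archive`, `audit_logs` and `error_logs_storage`, and all three are fixed on the bucket resource itself. The block below is an added example, not code from the archie-platform-v3 repository: it hardens `error_logs_storage` as printed in the finding, and the separate `access_logs` destination bucket, its IAM binding and the lifecycle rule for noncurrent versions are assumptions added for illustration. The same three attributes apply unchanged to the other two buckets.

```hcl
# Added example (not repository code): one log bucket that clears
# CKV_GCP_114, CKV_GCP_62 and CKV_GCP_78. Variable names follow the
# finding above; the access_logs bucket is an assumption.

# Dedicated destination for Cloud Storage usage logs. Pointing a bucket's
# logging block at itself is circular, so this bucket carries none and is
# the one place a documented Checkov skip is justified.
resource "google_storage_bucket" "access_logs" {
  #checkov:skip=CKV_GCP_62:Access-log destination; logging it to itself would be circular
  name     = "${var.project_id}-access-logs"
  location = var.region
  project  = var.project_id

  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }

  lifecycle_rule {
    condition {
      age = 400
    }
    action {
      type = "Delete"
    }
  }
}

# Usage logs are written by Google's log-delivery group. With uniform
# bucket-level access that grant must be an IAM binding, not an ACL.
resource "google_storage_bucket_iam_member" "access_log_writer" {
  bucket = google_storage_bucket.access_logs.name
  role   = "roles/storage.objectCreator"
  member = "group:cloud-storage-analytics@google.com"
}

resource "google_storage_bucket" "error_logs_storage" {
  name          = "${var.project_id}-error-logs"
  location      = var.region
  project       = var.project_id
  force_destroy = false

  uniform_bucket_level_access = true

  # CKV_GCP_114: rejects allUsers / allAuthenticatedUsers grants on the
  # bucket and its objects, whatever IAM changes come later.
  public_access_prevention = "enforced"

  # CKV_GCP_78: overwritten or deleted log objects survive as noncurrent versions.
  versioning {
    enabled = true
  }

  # CKV_GCP_62: a usage-log record for every request against this bucket.
  logging {
    log_bucket        = google_storage_bucket.access_logs.name
    log_object_prefix = "error-logs"
  }

  # With versioning on, the original age-based Delete only turns the live
  # object into a noncurrent version; the second rule purges those, so the
  # 30-day retention the label promises actually happens.
  lifecycle_rule {
    condition {
      age = 30
    }
    action {
      type = "Delete"
    }
  }

  lifecycle_rule {
    condition {
      days_since_noncurrent_time = 30
    }
    action {
      type = "Delete"
    }
  }

  labels = merge(var.labels, {
    purpose   = "error-logs"
    retention = "30-days"
  })

  depends_on = [google_project_service.logging]
}
```

Two caveats before copying this onto `audit_logs` and `log_archive`. The `logging` block is Cloud Storage usage logging, delivered as hourly CSV objects; Data Access audit logs in Cloud Logging are the other way to see who read a bucket, but CKV_GCP_62 only looks for the `logging` block. And Object Versioning is mutually exclusive with a bucket retention policy, so on a bucket that is also a log-sink destination (which CKV2_GCP_4 wants locked) only one of CKV_GCP_78 and CKV2_GCP_4 can be satisfied; pick the control that matches the threat and skip the other with a reason.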

Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.logging.google_bigquery_dataset.logs[0]
	File: /modules/logging/main.tf:181-197
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1

		181 | resource "google_bigquery_dataset" "logs" {
		182 |   count = var.enable_bigquery_export ? 1 : 0
		183 | 
		184 |   dataset_id    = "cloud_logs"
		185 |   project       = var.project_id
		186 |   location      = var.region
		187 |   friendly_name = "Cloud Logs Dataset"
		188 |   description   = "Dataset for exported Cloud Logs"
		189 | 
		190 |   default_table_expiration_ms = 2592000000 # 30 days
		191 | 
		192 |   labels = merge(var.labels, {
		193 |     purpose = "log-analysis"
		194 |   })
		195 | 
		196 |   depends_on = [google_project_service.logging]
		197 | }
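Both CKV_GCP_81 findings above (`cost_export` and `logs`) fail for the same reason: the dataset has no `default_encryption_configuration`. Despite the check title saying CSEK, what Checkov looks for is a `kms_key_name` in that block, i.e. a Cloud KMS customer-managed key (CMEK); BigQuery datasets have no customer-supplied-key option in Terraform. The block below is an added example, not repository code: the dataset is the `logs` resource from the finding, while the key ring, key, rotation period, service-agent data source and IAM binding are assumptions added to show the full dependency chain.

```hcl
# Added example (not repository code): CMEK for the exported-logs dataset,
# clearing CKV_GCP_81. Key ring, key and binding names are assumptions.

resource "google_kms_key_ring" "logs" {
  name     = "${var.project_id}-logs"
  location = var.region # must match the dataset location (a "US" dataset needs a "us" key ring)
  project  = var.project_id
}

resource "google_kms_crypto_key" "bigquery" {
  name            = "bigquery-logs"
  key_ring        = google_kms_key_ring.logs.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    # Destroying the key makes every table encrypted under it unreadable.
    prevent_destroy = true
  }
}

# BigQuery encrypts through a per-project service agent. That identity has
# to be allowed to use the key before the dataset exists; otherwise dataset
# creation fails with a permission error on the key.
data "google_bigquery_default_service_account" "bq" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "bq_uses_key" {
  crypto_key_id = google_kms_crypto_key.bigquery.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq.email}"
}

resource "google_bigquery_dataset" "logs" {
  count = var.enable_bigquery_export ? 1 : 0

  dataset_id    = "cloud_logs"
  project       = var.project_id
  location      = var.region
  friendly_name = "Cloud Logs Dataset"
  description   = "Dataset for exported Cloud Logs"

  default_table_expiration_ms = 2592000000 # 30 days

  # CKV_GCP_81: every table created in the dataset is encrypted with this
  # key unless the table overrides it. Tables that already exist are not
  # re-encrypted retroactively.
  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.bigquery.id
  }

  labels = merge(var.labels, {
    purpose = "log-analysis"
  })

  depends_on = [
    google_project_service.logging,
    google_kms_crypto_key_iam_member.bq_uses_key,
  ]
}
```

The explicit `depends_on` on the IAM binding matters: Terraform cannot infer that ordering from the `kms_key_name` reference alone, and a dataset created before the service agent can use the key fails to apply. Disabling or destroying the key later is an availability control as much as a confidentiality one, so the `prevent_destroy` guard is not optional in production.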

Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
	FAILED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13

		92  | resource "google_sql_database_instance" "read_replica" {
		93  |   count = var.create_read_replica ? 1 : 0
		94  | 
		95  |   name                 = "${var.instance_name}-read-replica"
		96  |   database_version     = var.database_version
		97  |   region               = var.replica_region != null ? var.replica_region : var.region
		98  |   master_instance_name = google_sql_database_instance.main.name
		99  |   project              = var.project_id
		100 | 
		101 |   replica_configuration {
		102 |     failover_target = false
		103 |   }
		104 | 
		105 |   settings {
		106 |     tier              = var.replica_tier != null ? var.replica_tier : var.tier
		107 |     availability_type = "ZONAL"
		108 |     disk_size         = var.disk_size
		109 |     disk_type         = var.disk_type
		110 |     disk_autoresize   = var.disk_autoresize
		111 | 
		112 |     ip_configuration {
		113 |       ipv4_enabled    = var.ipv4_enabled
		114 |       private_network = var.private_network
		115 |       require_ssl     = var.require_ssl
		116 |     }
		117 |   }
		118 | 
		119 |   deletion_protection = var.deletion_protection
		120 | }
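CKV2_GCP_13 fails for both `main` and `read_replica` because neither `settings` block declares the `log_duration` flag. Checkov inspects each `google_sql_database_instance` resource on its own, so the replica needs the flag in its own `settings` even though it copies data from `main`. The block below is an added example, not repository code: the replica is the resource printed in the finding, the `local.pg_logging_flags` map and the `dynamic` block are assumptions added so that both instances draw from one definition, and the `main` resource (not shown in the output above) gets the same `dynamic` block inside its `settings`.

```hcl
# Added example (not repository code): PostgreSQL statement-duration logging
# for CKV2_GCP_13, declared once and applied to every instance.

locals {
  # One map for primary and replica so the two cannot drift apart.
  pg_logging_flags = {
    # CKV2_GCP_13: one log line with the elapsed time for every completed
    # statement. The statement text itself is NOT included, which is why this
    # is safe to turn on broadly; only log_statement / log_min_duration_statement
    # put SQL (and whatever literals it carries) into the log.
    log_duration               = "on"
    log_min_duration_statement = "-1" # assumption: keep per-statement text off
  }
}

resource "google_sql_database_instance" "read_replica" {
  count = var.create_read_replica ? 1 : 0

  name                 = "${var.instance_name}-read-replica"
  database_version     = var.database_version
  region               = var.replica_region != null ? var.replica_region : var.region
  master_instance_name = google_sql_database_instance.main.name
  project              = var.project_id

  replica_configuration {
    failover_target = false
  }

  settings {
    tier              = var.replica_tier != null ? var.replica_tier : var.tier
    availability_type = "ZONAL"
    disk_size         = var.disk_size
    disk_type         = var.disk_type
    disk_autoresize   = var.disk_autoresize

    # Expands to one database_flags block per map entry. The identical block
    # belongs in google_sql_database_instance.main's settings as well.
    dynamic "database_flags" {
      for_each = local.pg_logging_flags
      content {
        name  = database_flags.key
        value = database_flags.value
      }
    }

    ip_configuration {
      ipv4_enabled    = var.ipv4_enabled
      private_network = var.private_network
      require_ssl     = var.require_ssl
    }
  }

  deletion_protection = var.deletion_protection
}
```

Budget for the volume: `log_duration` emits a line per statement into the instance's `postgres.log` stream in Cloud Logging at INFO severity. The `error_logs` sink above (severity >= ERROR) will not pick those lines up, but whether they also land in the archive bucket depends entirely on `var.log_export_filter` in the `storage_export` sink, so check that filter before enabling the flag on a busy instance.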

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.cost_management.google_logging_project_sink.storage_export
	File: /modules/cost-management/main.tf:168-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		168 | resource "google_logging_project_sink" "storage_export" {
		169 |   count = var.export_logs_to_storage ? 1 : 0
		170 | 
		171 |   name        = "${var.project_name}-${var.environment}-log-export"
		172 |   destination = "storage.googleapis.com/${google_storage_bucket.log_archive[0].name}"
		173 | 
		174 |   # Export only specific log types to reduce costs
		175 |   filter = var.log_export_filter
		176 | 
		177 |   unique_writer_identity = true
		178 | }

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.logging.google_logging_project_sink.error_logs
	File: /modules/logging/main.tf:125-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		125 | resource "google_logging_project_sink" "error_logs" {
		126 |   name        = "error-logs-sink"
		127 |   project     = var.project_id
		128 |   destination = "storage.googleapis.com/${google_storage_bucket.error_logs_storage.name}"
		129 | 
		130 |   filter = <<-EOT
		131 |     severity >= ERROR
		132 |     NOT (${join(" OR ", var.excluded_log_filters)})
		133 |   EOT
		134 | 
		135 |   unique_writer_identity = true
		136 | 
		137 |   depends_on = [
		138 |     google_project_service.logging,
		139 |     google_storage_bucket.error_logs_storage
		140 |   ]
		141 | }

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.logging.google_logging_project_sink.audit_logs
	File: /modules/logging/main.tf:153-169
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		153 | resource "google_logging_project_sink" "audit_logs" {
		154 |   name        = "audit-logs-sink"
		155 |   project     = var.project_id
		156 |   destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
		157 | 
		158 |   filter = <<-EOT
		159 |     logName =~ "projects/${var.project_id}/logs/cloudaudit.googleapis.com"
		160 |     OR protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"
		161 |   EOT
		162 | 
		163 |   unique_writer_identity = true
		164 | 
		165 |   depends_on = [
		166 |     google_project_service.logging,
		167 |     google_storage_bucket.audit_logs
		168 |   ]
		169 | }
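The three CKV2_GCP_4 findings are graph checks: Checkov follows each sink's `destination` to the bucket resource and expects a `retention_policy` with `is_locked = true` there, so the fix lives on the bucket, not on the sink. The block below is an added example, not repository code: the `audit_logs` bucket and sink are the resources printed in the findings, the retention period is chosen to match the bucket's existing 400-day Delete rule, and the `google_storage_bucket_iam_member` binding for the sink's writer identity is an assumption added because nothing in the output above grants it.

```hcl
# Added example (not repository code): Bucket Lock on a log-sink destination
# for CKV2_GCP_4, plus the writer grant a unique_writer_identity sink needs.

resource "google_storage_bucket" "audit_logs" {
  name          = "${var.project_id}-audit-logs"
  location      = var.region
  project       = var.project_id
  force_destroy = false # true would not help: objects under a locked retention are undeletable

  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # CKV2_GCP_4. Locking is one-way: once applied the policy cannot be removed
  # and retention_period can only be increased, so size it deliberately.
  # Nothing, including a project owner or a lifecycle rule, can delete or
  # overwrite an object before its retention expires.
  retention_policy {
    retention_period = 400 * 24 * 60 * 60 # seconds: 400 days, same as the Delete rule
    is_locked        = true
  }

  # Object Versioning and a retention policy are mutually exclusive, so the
  # versioning block from the original resource has to go; CKV_GCP_78 then
  # needs a documented skip on this bucket.
  #checkov:skip=CKV_GCP_78:Bucket Lock retention replaces versioning on this sink destination

  # An age below the retention period would buy nothing: deletion is refused
  # until retention expires. Keeping both at 400 days makes them agree.
  lifecycle_rule {
    condition {
      age = 400
    }
    action {
      type = "Delete"
    }
  }

  labels = merge(var.labels, {
    purpose   = "audit-logs"
    retention = "400-days"
  })

  depends_on = [google_project_service.logging]
}

resource "google_logging_project_sink" "audit_logs" {
  name        = "audit-logs-sink"
  project     = var.project_id
  destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"

  filter = <<-EOT
    logName =~ "projects/${var.project_id}/logs/cloudaudit.googleapis.com"
    OR protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"
  EOT

  unique_writer_identity = true
}

# With unique_writer_identity the sink writes as its own service account,
# which has no rights on the bucket until granted. Without this binding the
# sink drops every entry, visible only as sink errors in Cloud Logging.
resource "google_storage_bucket_iam_member" "audit_sink_writer" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit_logs.writer_identity # already carries the serviceAccount: prefix
}
```

The same pattern applies to `error_logs_storage` and `log_archive`, but think before locking either: a 30-day locked retention on error logs is cheap, while `log_archive` keeps objects for `var.log_archive_retention_days` and moves them to ARCHIVE class, and a locked policy on that bucket fixes its storage cost floor for the whole period. Bucket Lock defends the audit trail against deletion by a compromised or rogue administrator, which is exactly the threat versioning does not cover; that is the argument for preferring it on `audit_logs` specifically.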
2025-11-28T06:49:50.7940538Z ##[endgroup]
2025-11-28T06:49:50.9545912Z ##[warning]CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/
2025-11-28T06:49:51.5413719Z Post-processing sarif files: ["/home/runner/work/archie-platform-v3/archie-platform-v3/checkov-results.sarif/results_sarif.sarif"]
2025-11-28T06:49:51.5418934Z Validating /home/runner/work/archie-platform-v3/archie-platform-v3/checkov-results.sarif/results_sarif.sarif
2025-11-28T06:49:51.6632821Z Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
2025-11-28T06:49:51.7120551Z ##[group]Uploading code scanning results
2025-11-28T06:49:51.7400722Z Uploading results
2025-11-28T06:49:51.8626959Z ##[warning]Code Security must be enabled for this repository to use code scanning. - https://docs.github.com/rest
2025-11-28T06:49:51.8633804Z ##[error]Please verify that the necessary features are enabled: Code Security must be enabled for this repository to use code scanning. - https://docs.github.com/rest
