
feat(queries): add 78 custom Terraform queries for Azure, GCP, IBM Cloud, and OCI #8002

Open
cx-antero-silva wants to merge 903 commits into Checkmarx:master from cx-antero-silva:new_IBM-Cloud_queries

Conversation


@cx-antero-silva cx-antero-silva commented Mar 19, 2026

Summary

This PR adds 78 new Terraform queries covering four cloud providers, identified through a gap analysis of IaC scanner coverage:

  • 20 Azure queries — App Service (Application Insights not configured); Backup Vault (cross-region restore disabled, identity/CMK not configured); Bastion Host (missing or missing ip_configuration); Elastic SAN (volume group network rules not configured); IoT Hub (Defender for IoT disabled); Key Vault (key rotation disabled); Managed Lustre (CMK encryption disabled); PaaS (private endpoint missing); production workload on basic/consumption SKU; Recovery Services Vault (cross-region restore disabled, infrastructure encryption disabled); Storage Account (geo-redundancy disabled, infrastructure encryption disabled, immutability not locked, read-only lock missing, versioning disabled); Storage logging (blob, queue, table)
  • 13 GCP queries — Access Approval disabled; API key (restrictions, targets); App Engine HTTPS enforcement; Compute logging service disabled; GKE (default service account, metadata server, sandbox, secrets CMEK); HTTP load balancer logging disabled; IAP backend service disabled; Cloud SQL PostgreSQL (log error verbosity, log statement setting)
  • 18 IBM Cloud queries — Activity Tracker (global events, platform logs); Certificate Manager auto-renewal; CIS (DNS proxy, WAF); Cloudant CMK; Container (cluster entitlement, registry VA alerts); Database CMK; IAM (IP restrictions, MFA, session expiration); IKS (logging, monitoring); Instance OS disk encryption; KMS key rotation; LogDNA (archiving, view alerting)
  • 27 OCI queries — Cloud Guard (problem events, root compartment); Compute (legacy metadata, secure boot); Default tags; IAM (group/policy/user change events, password expiration, password policy length, password reuse, service admins); IDP (change events, group mapping events); Instance transit encryption; Local user authentication events; Network (gateway/NSG/route table/security list/VCN change events); Notification topic subscription; Object Storage (logging, versioning); Resource in root compartment; Storage admin delete policy; Subnet flow logging

New provider directories created: assets/queries/terraform/ibm/ and assets/queries/terraform/oci/

Each query follows the standard KICS structure:

<query_name>/
├── metadata.json
├── query.rego
├── README.md
└── test/
    ├── positive1.tf
    ├── negative1.tf
    └── positive_expected_result.json

Test plan

  • Verify metadata.json IDs are unique across the full query set
  • Run KICS e2e tests against each new query's test fixtures
  • Confirm no regressions on existing Azure and GCP queries
  • Validate IBM and OCI queries load correctly with the new provider directories
  • Review severity and category classifications per provider guidelines

I submit this contribution under the Apache-2.0 license.

@cx-antero-silva cx-antero-silva requested a review from a team as a code owner March 19, 2026 11:39
@github-actions github-actions Bot added community Community contribution feature request Community: new feature request query New query feature terraform Terraform query gcp PR related with GCP Cloud azure PR related with Azure Cloud labels Mar 19, 2026

cx-artur-ribeiro commented Apr 15, 2026

Hi @cx-antero-silva,

Great initiative to address coverage gaps in the KICS queries, it's good to see this area getting attention. Thanks for the effort.
I have reviewed some of the Azure queries specifically. The GCP, IBM Cloud, and OCI queries are yet to be reviewed and may share similar issues.

General notes across all queries

  • Broken RiskScore values - should be aligned with decision and documentation;
  • CWE field uses CWE-value format instead of the numeric value only;
  • Remediate field missing in most queries;
  • README.md files should be removed - this is not part of the standard KICS query structure per official or internal documentation. The PR description references this as standard, but no source is provided to support that claim;
  • Code comments written in Spanish;
  • search_line not defined in any query;
  • All queries missing the experimental metadata field and "BETA -" prefix in the query name;
  • Several query descriptions do not match the actual query code logic;
  • Several queries (azure_defender_easm_enabled_manual, azure_mysql_audit_log_enabled_manual, azure_mysql_audit_log_events_connection_manual) flag conditions that cannot be evaluated from IaC - KICS is an IaC scanner, not a runtime compliance tool. These should be removed or fundamentally reconsidered;
  • Insufficient or absent documentation supporting the security claim behind several queries;
  • Broken or incorrect documentation links in several queries;
  • Tests missing or not aligned with query logic in several queries;
  • CMK encryption queries follow inconsistent patterns - some check only property existence, others validate specific values. A common standard should be applied;
  • Existing KICS queries covering the same properties were not consulted before writing new ones - missed reuse and consistency opportunities;
  • azure_app_service_http_logs_disabled was already tackled in PR feat(queries): add 20 new Terraform AWS queries with auto-remediation support #7991 and could be removed from this PR;

I will share detailed per-query notes, covering each Azure query individually with specific guidance.
Thanks again for the significant effort on this!
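As an added example, not code from the PR or from the KICS project: a small Python lint that implements the first item of the PR's test plan (unique metadata.json IDs across the query set) together with the metadata conventions raised in the review above (numeric-only CWE value, the experimental flag, and the "BETA - " prefix on experimental query names). The required-key list, the severity vocabulary and the lowercase-UUID id format are assumptions about the KICS metadata schema; the two fixtures are constructed for the example, not files from the PR.

```python
import json
import re
from pathlib import Path

# Keys assumed to be required in a KICS metadata.json: the standard KICS fields
# plus the "experimental" flag the review asks for. Adjust if the project's schema differs.
REQUIRED_KEYS = (
    "id", "queryName", "severity", "category", "descriptionText",
    "descriptionUrl", "platform", "descriptionID", "cloudProvider",
    "cwe", "experimental",
)
# Assumed severity vocabulary.
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "TRACE"}
# Assumption: KICS query ids are lowercase UUIDs.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
BETA_PREFIX = "BETA - "


def load_metadata(root):
    """Collect every <query_dir>/metadata.json below root as {query_dir: metadata}."""
    entries = {}
    for path in sorted(Path(root).glob("**/metadata.json")):
        entries[str(path.parent)] = json.loads(path.read_text(encoding="utf-8"))
    return entries


def lint_metadata(entries):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    seen_ids = {}
    for qdir, meta in sorted(entries.items()):
        missing = [k for k in REQUIRED_KEYS if k not in meta]
        if missing:
            findings.append(f"{qdir}: missing keys {missing}")

        # IDs must be well-formed and unique across the whole query set.
        qid = meta.get("id")
        if qid is not None:
            if not UUID_RE.match(str(qid)):
                findings.append(f"{qdir}: id {qid!r} is not a lowercase UUID")
            if qid in seen_ids:
                findings.append(f"{qdir}: duplicate id {qid} (already used by {seen_ids[qid]})")
            else:
                seen_ids[qid] = qdir

        # The review asks for the numeric value only, e.g. "324", not "CWE-324".
        cwe = meta.get("cwe")
        if cwe is not None and not re.fullmatch(r"\d+", str(cwe)):
            findings.append(f"{qdir}: cwe must be the numeric value only, got {cwe!r}")

        severity = meta.get("severity")
        if severity is not None and severity not in SEVERITIES:
            findings.append(f"{qdir}: unknown severity {severity!r}")

        # Experimental queries carry a boolean flag and a "BETA - " name prefix.
        experimental = meta.get("experimental")
        if experimental is not None and not isinstance(experimental, bool):
            findings.append(f"{qdir}: experimental must be a JSON boolean")
        name = str(meta.get("queryName", ""))
        if experimental is True and not name.startswith(BETA_PREFIX):
            findings.append(f"{qdir}: experimental query name must start with {BETA_PREFIX!r}")
    return findings


# Constructed fixtures (not files from the PR): one entry written to the
# conventions above and one that reproduces several of the review findings.
SAMPLE = {
    "assets/queries/terraform/azure/example_key_rotation_disabled": {
        "id": "11111111-1111-4111-8111-111111111111",
        "queryName": "BETA - Key Vault Key Rotation Disabled",
        "severity": "MEDIUM",
        "category": "Encryption",
        "descriptionText": "Key Vault keys should have an automatic rotation policy",
        "descriptionUrl": "https://example.invalid/placeholder-doc-link",
        "platform": "Terraform",
        "descriptionID": "00000000",
        "cloudProvider": "azure",
        "cwe": "324",
        "experimental": True,
    },
    "assets/queries/terraform/ibm/example_kms_key_rotation_disabled": {
        "id": "11111111-1111-4111-8111-111111111111",  # duplicated on purpose
        "queryName": "KMS Key Rotation Disabled",
        "severity": "MEDIUM",
        "category": "Encryption",
        "descriptionText": "KMS keys should have rotation enabled",
        "descriptionUrl": "https://example.invalid/placeholder-doc-link",
        "platform": "Terraform",
        "descriptionID": "00000001",
        "cloudProvider": "ibm",  # assumed provider value
        "cwe": "CWE-324",  # wrong format on purpose
        # "experimental" key deliberately absent
    },
}

if __name__ == "__main__":
    import sys
    # Pass the assets/queries/terraform directory to lint a real checkout; otherwise use the fixtures.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in lint_metadata(load_metadata(root) if root else SAMPLE):
        print(finding)
```

Run with the path to the `assets/queries/terraform` directory to lint a checkout; without an argument it lints the constructed fixtures and reports the duplicate id, the `CWE-` prefixed value and the missing `experimental` key on the second entry.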

@cx-antero-silva cx-antero-silva changed the title feat(queries): add 97 custom Terraform queries for Azure, GCP, IBM Cloud, and OCI feat(queries): add 78 custom Terraform queries for Azure, GCP, IBM Cloud, and OCI Apr 15, 2026
