[ { "message": "Current secret version is readable", "metadata": { "event_code": "Current secret version is readable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.SecMgmt", "@CCC.SecMgmt.CN01", "@PerService", "@tlp-amber", "@tlp-red", "@Behavioural", "@secrets", "@SANITY", "@OPT_IN" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{config}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"secrets\"\n✓ I refer to \"{result}\" as \"svc\"\n✓ I call \"{svc}\" with \"RetrieveSecretVersion\" using arguments \"{uid}\" and \"latest\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"currentSecret\"\n✓ I attach \"{currentSecret}\" to the test output as \"Current Secret Version\"\n✓ \"{currentSecret.Denied}\" is \"false\"", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.SecMgmt.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1781624985, "created_time_dt": "2026-06-16T15:49:45Z", "desc": "Compliance test scenario: Current secret version is readable", "title": "Current secret version is readable", "types": [], "uid": "ccc-test-33-1781624985" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1781624985, "time_dt": "2026-06-16T15:49:45Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "finos-ccc-integration-secret-main", "status": "ACTIVE", "findings": [], "tags": [], "type": "secrets", "region": "eastus" } }, "group": { "name": "secrets" }, "name": "finos-ccc-integration-secret-main", "type": "secrets", "uid": "finos-ccc-integration-secret-main" } ] }, { "message": "Stale secret version retrieve is denied", "metadata": { "event_code": "Stale secret version retrieve is denied", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.SecMgmt", "@CCC.SecMgmt.CN01", "@PerService", "@tlp-amber", "@tlp-red", "@Behavioural", "@secrets", "@MAIN" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{config}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"secrets\"\n✓ I refer to \"{result}\" as \"svc\"\n✓ I call \"{svc}\" with \"RetrieveSecretVersion\" using arguments \"{uid}\" and \"{stale-version-id}\"\n✗ \"{result}\" is an error - Error: expected {result} to be an error, got *secrets.SecretValue", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.SecMgmt.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1781624986, "created_time_dt": "2026-06-16T15:49:46Z", "desc": "Compliance test scenario: Stale secret version retrieve is denied", "title": "Stale secret version retrieve is denied", "types": [], "uid": "ccc-test-39-1781624986" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1781624986, "time_dt": "2026-06-16T15:49:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "finos-ccc-integration-secret-main", "status": "ACTIVE", "findings": [], "tags": [], "type": "secrets", "region": "eastus" } }, "group": { "name": "secrets" }, "name": "finos-ccc-integration-secret-main", "type": "secrets", "uid": "finos-ccc-integration-secret-main" } ] }, { "message": "Authorized region read succeeds", "metadata": { "event_code": "Authorized region read succeeds", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.SecMgmt", "@CCC.SecMgmt.CN02", "@PerService", "@tlp-amber", "@tlp-red", "@Behavioural", "@secrets", "@SANITY", "@OPT_IN" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{config}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"secrets\"\n✓ I refer to \"{result}\" as \"svc\"\n✓ I call \"{svc}\" with \"RetrieveSecretInRegion\" using arguments \"{uid}\" and \"{authorized-region}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: access denied: Get \"https://finos-ccc-integration-missing-westus2.vault.azure.net/secrets/finos-ccc-integration-secret-main/?api-version=2025-07-01\": dial tcp: lookup finos-ccc-integration-missing-westus2.vault.azure.net on 127.0.0.53:53: no such host\n⊘ I refer to \"{result}\" as \"authorizedRead\" (skipped)\n⊘ I attach \"{authorizedRead}\" to the test output as \"Authorized Region Read\" (skipped)\n⊘ \"{authorizedRead.Denied}\" is \"false\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.SecMgmt.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1781624986, "created_time_dt": "2026-06-16T15:49:46Z", "desc": "Compliance test scenario: Authorized region read succeeds", "title": "Authorized region read succeeds", "types": [], "uid": "ccc-test-73-1781624986" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1781624986, "time_dt": "2026-06-16T15:49:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "finos-ccc-integration-secret-main", "status": "ACTIVE", "findings": [], "tags": [], "type": "secrets", "region": "eastus" } }, "group": { "name": "secrets" }, "name": "finos-ccc-integration-secret-main", "type": "secrets", "uid": "finos-ccc-integration-secret-main" } ] }, { "message": "Unauthorized region read is denied", "metadata": { "event_code": "Unauthorized region read is denied", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.SecMgmt", "@CCC.SecMgmt.CN02", "@PerService", "@tlp-amber", "@tlp-red", "@Behavioural", "@secrets", "@MAIN" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{config}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"secrets\"\n✓ I refer to \"{result}\" as \"svc\"\n✓ I call \"{svc}\" with \"RetrieveSecretInRegion\" using arguments \"{uid}\" and \"{unauthorized-region}\"\n✓ \"{result}\" is an error", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.SecMgmt.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1781624997, "created_time_dt": "2026-06-16T15:49:57Z", "desc": "Compliance test scenario: Unauthorized region read is denied", "title": "Unauthorized region read is denied", "types": [], "uid": "ccc-test-79-1781624997" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1781624997, "time_dt": "2026-06-16T15:49:57Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "finos-ccc-integration-secret-main", "status": "ACTIVE", "findings": [], "tags": [], "type": "secrets", "region": "eastus" } }, "group": { "name": "secrets" }, "name": "finos-ccc-integration-secret-main", "type": "secrets", "uid": "finos-ccc-integration-secret-main" } ] } ]