From b77b85c0254bba6789e787844f0585cde1e56320 Mon Sep 17 00:00:00 2001 From: Brandon Helms <5178129+Cr0n1c@users.noreply.github.com> Date: Wed, 25 Oct 2023 12:39:02 -0500 Subject: [PATCH 01/16] Update Dockerfile to 0.46.0 (#274) * Update Dockerfile to 0.46.0 This will address bugs before 0.46.0 * updating tests
---
 Dockerfile | 2 +-
 test/data/image-trivyignores.test | 20 ++++++++++++++++----
 test/data/image.test | 32 ++++++++++++++++++++++++++++----
 3 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1032d3e7..81ec36e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.45.0
+FROM ghcr.io/aquasecurity/trivy:0.46.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
diff --git a/test/data/image-trivyignores.test b/test/data/image-trivyignores.test
index f2a567c8..aa3d4aee 100644
--- a/test/data/image-trivyignores.test
+++ b/test/data/image-trivyignores.test
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,18 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 1 (CRITICAL: 1) + +┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2021-25900 │ CRITICAL │ fixed │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ diff --git a/test/data/image.test b/test/data/image.test index f2a567c8..d954ed1b 100644 --- a/test/data/image.test +++ b/test/data/image.test 
@@ -27,10 +27,10 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │ +│ git │ CVE-2018-17456 │ │ │ 2.15.2-r0 │ 2.15.3-r0 │ arbitrary code execution via .gitmodules │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │ │ ├────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1353 │ │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │ @@ -58,7 +58,7 @@ Total: 19 (CRITICAL: 19) │ │ CVE-2019-5481 │ │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5481 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ -│ │ CVE-2019-5482 │ │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │ +│ │ CVE-2019-5482 │ │ │ │ │ heap buffer overflow in function tftp_receive_packet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ musl │ CVE-2019-14697 │ │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │ 
@@ -69,6 +69,30 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ +│ sqlite-libs │ CVE-2019-8457 │ │ │ 3.21.0-r1 │ 3.25.3-r1 │ heap out-of-bound read in function rtreenode() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ + +rust-app/Cargo.lock (cargo) +=========================== +Total: 4 (CRITICAL: 4) + +┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ rand_core │ CVE-2020-25576 │ CRITICAL │ fixed │ 0.4.0 │ 0.4.2, 0.3.1 │ An issue was discovered in the rand_core crate before 0.4.2 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │ +├───────────┼────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤ +│ smallvec │ CVE-2019-15551 │ │ │ 0.6.9 │ 0.6.10 │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15551 │ +│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤ +│ │ CVE-2019-15554 │ │ │ │ │ An issue was discovered in the smallvec crate before 0.6.10 │ +│ │ │ │ │ │ │ for Rust.... 
│ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │ +│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤ +│ │ CVE-2021-25900 │ │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │ +│ │ │ │ │ │ │ and 1.x... │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │ +└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘ From f78e9ecf42a1271402d4f484518b9313235990e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Witold=20=C5=9Al=C4=99czkowski?= Date: Tue, 31 Oct 2023 01:28:16 +0100 Subject: [PATCH 02/16] Update Dockerfile to 0.46.1 (#277) This update fixes https://github.com/aquasecurity/trivy/issues/5441 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 81ec36e5..b50ba87a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.46.0 +FROM ghcr.io/aquasecurity/trivy:0.46.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh From 7b07fa7d6a864cd3631a0a6f3273c6f7cd91522b Mon Sep 17 00:00:00 2001 From: Liam MacPherson <11508628+LiamMacP@users.noreply.github.com> Date: Tue, 7 Nov 2023 01:32:48 +0000 Subject: [PATCH 03/16] fix: set return code after each Trivy call (#247) This change moves the return code to outside the trivy call. This fixes #228 as the return code was not being propagated. --- entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 26a9dae0..b7be8b39 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -181,13 +181,12 @@ if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; the
 elif [ $trivyConfig ]; then
 echo "Running Trivy with trivy.yaml config from: " $trivyConfig
 trivy --config $trivyConfig ${scanType} ${artifactRef}
- returnCode=$?
 else
 echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
 echo "Global options: " "${GLOBAL_ARGS}"
 trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
- returnCode=$?
 fi
+returnCode=$?
 set -e
 if [[ "${format}" == "github" ]]; then
From 47e481a3883f5619fb508efe5c5c7f4f2ba2073d Mon Sep 17 00:00:00 2001 From: Victor Sollerhed Date: Tue, 7 Nov 2023 02:35:08 +0100 Subject: [PATCH 04/16] Update to `trivy` version `0.47.0` in Dockerfile (#280) See: - https://github.com/aquasecurity/trivy/releases/tag/v0.47.0
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b50ba87a..05cd4a6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.46.1
+FROM ghcr.io/aquasecurity/trivy:0.47.0
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
From 2b6a709cf9c4025c5438138008beaddbb02086f0 Mon Sep 17 00:00:00 2001 From: Kyle Davies <98526301+kderck@users.noreply.github.com> Date: Tue, 7 Nov 2023 01:35:42 +0000 Subject: [PATCH 05/16] Add filesystem alias (#269)
---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index b7be8b39..22befadf 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
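Review bot: `returnCode=$?` after `fi` records the exit status of whatever command ran last in the branch that was taken; in both branches visible here that is `trivy`, but any command appended after the `trivy` call later (a trailing `echo`, say) would silently replace the scan status with its own. A comment at the new line makes that dependency explicit, e.g. `# $? is the status of the last command in the branch taken above; keep trivy the final command in every branch`. The enclosing `if` (the `sarif` branch) starts above the hunk, so the same constraint applies there. Separately, `$trivyConfig`, `${scanType}` and `${artifactRef}` are expanded unquoted in the `trivy --config` call, so a config path containing whitespace is split into several arguments; `trivy --config "$trivyConfig" "${scanType}" "${artifactRef}"` avoids that.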
@@ -77,7 +77,7 @@ done
 scanType=$(echo $scanType | tr -d '\r')
 export artifactRef="${imageRef}"
-if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
+if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
 artifactRef=$(echo $scanRef | tr -d '\r')
 fi
 input=$(echo $input | tr -d '\r')
From 22d2755f774d925b191a185b74e782a4b0638a41 Mon Sep 17 00:00:00 2001 From: Kyle Davies <98526301+kderck@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:27:47 +0000 Subject: [PATCH 06/16] feature(config): add terraform variable files (#285) * Action now takes an input for terraform variable filess * added tf-vars * updated README.md * Updated yamlconfig test to latest version of trivy output for that container * updated for correct cpu type * test trivy version change to 0.45.0 * run scan with correct parameters * Added test for terraform tfvars * Updated output for other tests * use test data as path and updated tf vars to be relative * removed quiet
---
 README.md | 1 +
 action.yaml | 5 +
 entrypoint.sh | 9 +-
 test/data/config-sarif.test | 486 ++++++++++++++++++++++++++++++
 test/data/config.test | 581 ++++++++++++++++++++++++++++++++++++
 test/data/dev.tfvars | 2 +
 test/data/fs-scheck.test | 581 ++++++++++++++++++++++++++++++++++++
 test/data/main.tf | 18 ++
 test/data/tfvars.test | 39 +++
 test/data/yamlconfig.test | 10 +-
 test/test.bats | 8 +
 11 files changed, 1734 insertions(+), 6 deletions(-)
 create mode 100644 test/data/dev.tfvars
 create mode 100644 test/data/main.tf
 create mode 100644 test/data/tfvars.test
diff --git a/README.md b/README.md
index eba39ff0..69cc0c00 100644
--- a/README.md
+++ b/README.md
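Review bot: The new `filesystem` alias extends a five-way `[ ... ] || [ ... ]` chain that is really a `case`, and each further alias will lengthen the line again; `case "${scanType}" in repo|fs|filesystem|config|rootfs) artifactRef=$(echo "$scanRef" | tr -d '\r') ;; esac` expresses the same test and makes the next alias a one-token change. It is also worth confirming that nothing else in the script keys on the literal `fs` (nothing in this hunk does), otherwise `filesystem` would select the artifact reference here but behave differently elsewhere.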
@@ -491,6 +491,7 @@ Following inputs can be used as `step.with` keys:
 | `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
 | `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
 | `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
+| `tf-vars` | String | | path to Terraform variables file |
 | `output` | String | | Save results to a file |
 | `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
 | `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
diff --git a/action.yaml b/action.yaml
index 3e37c9ba..c6f457a5 100644
--- a/action.yaml
+++ b/action.yaml
@@ -88,6 +88,9 @@ inputs:
 trivy-config:
 description: 'path to trivy.yaml config'
 required: false
+ tf-vars:
+ description: "path to terraform tfvars file"
+ required: false
 limit-severities-for-sarif:
 description: 'limit severities for SARIF format'
 required: false
@@ -118,4 +121,6 @@ runs:
 - '-t ${{ inputs.trivyignores }}'
 - '-u ${{ inputs.github-pat }}'
 - '-v ${{ inputs.trivy-config }}'
+ - '-x ${{ inputs.tf-vars }}'
 - '-z ${{ inputs.limit-severities-for-sarif }}'
+
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 22befadf..8d3563db 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
 case "${o}" in
 a)
 export scanType=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
 v)
 export trivyConfig=${OPTARG}
 ;;
+ x)
+ export tfVars=${OPTARG}
+ ;;
 z)
 export limitSeveritiesForSARIF=${OPTARG}
 ;;
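Review bot: The second action.yaml hunk ends with an added line that holds only whitespace, followed by `\ No newline at end of file`, so the file now ends in a stray partial line after the `args` list. Dropping that added line leaves `- '-z ${{ inputs.limit-severities-for-sarif }}'` as the last entry with a proper terminating newline, and keeps editors and linters from flagging the file on every later change.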
@@ -132,6 +135,10 @@ if [ $skipDirs ];then
 SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
 done
 fi
+if [ $tfVars ] && [ "$scanType" == "config" ];then
+ ARGS="$ARGS --tf-vars $tfVars"
+fi
+
 if [ $trivyIgnores ];then
 for f in $(echo $trivyIgnores | tr "," "\n")
 do
diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test
index 79500ae4..a3ce2473 100644
--- a/test/data/config-sarif.test
+++ b/test/data/config-sarif.test
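Review bot: `[ $tfVars ]` expands the new `tf-vars` input unquoted, so a path containing whitespace becomes several `[` operands (a test error, and the branch is skipped), and the value is then appended to the space-separated `ARGS` string that is later expanded unquoted into the trivy command line, where the same whitespace turns into additional trivy arguments. `if [ -n "$tfVars" ] && [ "$scanType" == "config" ];then` fixes the test; the `ARGS` string itself follows the existing `if [ $skipDirs ]` pattern above the hunk, so the word-splitting of every appended option is a pre-existing design issue rather than something this hunk introduces. A `tf-vars` value supplied with any scan type other than `config` is discarded without a message; an `else` branch with `printf '%s\n' "tf-vars is only applied when scan-type is config; ignoring" >&2` would tell the user why their variables had no effect.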
@@ -62,6 +62,249 @@ "LOW" ] } + }, + { + "id": "AVD-AWS-0086", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public ACL" + }, + "fullDescription": { + "text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "help": { + "text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. 
By blocking, PUTs with fail if the object has any public ACL a.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0087", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should block public policy" + }, + "fullDescription": { + "text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "help": { + "text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0088", + "name": "Misconfiguration", + "shortDescription": { + "text": "Unencrypted S3 bucket." + }, + "fullDescription": { + "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "help": { + "text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0089", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Bucket Logging" + }, + "fullDescription": { + "text": "Ensures S3 bucket logging is enabled for S3 buckets" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "help": { + "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets", + "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets" + }, + "properties": { + "precision": 
"very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0090", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Data should be versioned" + }, + "fullDescription": { + "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "help": { + "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "misconfiguration", + "security", + "MEDIUM" + ] + } + }, + { + "id": "AVD-AWS-0091", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access Block should Ignore Public Acl" + }, + "fullDescription": { + "text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "help": { + "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0093", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 Access block should restrict public bucket to limit access" + }, + "fullDescription": { + "text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "help": { + "text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." 
+ }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } + }, + { + "id": "AVD-AWS-0094", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 buckets should each define an aws_s3_bucket_public_access_block" + }, + "fullDescription": { + "text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "help": { + "text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "misconfiguration", + "security", + "LOW" + ] + } + }, + { + "id": "AVD-AWS-0132", + "name": "Misconfiguration", + "shortDescription": { + "text": "S3 encryption should use Customer Managed Keys" + }, + "fullDescription": { + "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "help": { + "text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.0", + "tags": [ + "misconfiguration", + "security", + "HIGH" + ] + } } ], "version": "0.45.0" 
@@ -121,6 +364,249 @@ } } ] + }, + { + "ruleId": "AVD-AWS-0086", + "ruleIndex": 2, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0087", + "ruleIndex": 3, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0088", + "ruleIndex": 4, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0089", + "ruleIndex": 5, + "level": "note", + "message": { + "text": "Artifact: test/data/main.tf\nType: 
terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0090", + "ruleIndex": 6, + "level": "warning", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 16, + "startColumn": 1, + "endLine": 16, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0091", + "ruleIndex": 7, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0093", + "ruleIndex": 8, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" + }, + 
"locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0094", + "ruleIndex": 9, + "level": "note", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] + }, + { + "ruleId": "AVD-AWS-0132", + "ruleIndex": 10, + "level": "error", + "message": { + "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "test/data/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 8, + "startColumn": 1, + "endLine": 10, + "endColumn": 1 + } + }, + "message": { + "text": "test/data/main.tf" + } + } + ] } ], "columnKind": "utf16CodeUnits", diff --git a/test/data/config.test b/test/data/config.test index bc7c3578..33de38a4 100644 --- a/test/data/config.test +++ b/test/data/config.test 
@@ -78,6 +78,587 @@ } } ] + }, + { + "Target": "test/data", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "test/data/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 9, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0086", + "AVDID": "AVD-AWS-0086", + "Title": "S3 Access block should block public ACL", + "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "Message": "No public access block so not blocking public acls", + "Query": "data..", + "Resolution": "Enable blocking any PUT calls with a public ACL specified", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0086" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0087", + "AVDID": "AVD-AWS-0087", + "Title": "S3 Access block should block public policy", + "Description": 
"\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "Message": "No public access block so not blocking public policies", + "Query": "data..", + "Resolution": "Prevent policies that allow public access being PUT", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0087" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0088", + "AVDID": "AVD-AWS-0088", + "Title": "Unencrypted S3 bucket.", + "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "Message": "Bucket does not have encryption enabled", + "Query": "data..", + "Resolution": "Configure bucket encryption", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0088" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": 
"AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0089", + "AVDID": "AVD-AWS-0089", + "Title": "S3 Bucket Logging", + "Description": "Ensures S3 bucket logging is enabled for S3 buckets", + "Message": "Bucket has logging disabled", + "Namespace": "builtin.aws.s3.aws0089", + "Query": "data.builtin.aws.s3.aws0089.deny", + "Resolution": "Add a logging block to the resource to enable access logging", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", + "https://avd.aquasec.com/misconfig/avd-aws-0089" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Terraform Security Check", + "ID": "AVD-AWS-0090", + "AVDID": "AVD-AWS-0090", + "Title": "S3 Data should be versioned", + "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "Message": "Bucket does not have versioning enabled", + "Query": "data..", + "Resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", + "https://avd.aquasec.com/misconfig/avd-aws-0090" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Provider": "AWS", + "Service": "s3", + "StartLine": 16, + "EndLine": 16, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " bucket = aws_s3_bucket.bucket.id", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " versioning_configuration {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " status = var.bucket_versioning_enabled", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": 
true + }, + { + "Number": 17, + "Content": " }", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "}", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Occurrences": [ + { + "Resource": "versioning_configuration", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 15, + "EndLine": 17 + } + }, + { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 12, + "EndLine": 18 + } + } + ] + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0091", + "AVDID": "AVD-AWS-0091", + "Title": "S3 Access Block should Ignore Public Acl", + "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "Message": "No public access block so not ignoring public acls", + "Query": "data..", + "Resolution": "Enable ignoring the application of public ACLs in PUT calls", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0091" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0093", + "AVDID": "AVD-AWS-0093", + "Title": "S3 Access block should restrict public bucket to limit access", + "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "Message": "No public access block so not restricting public buckets", + "Query": "data..", + "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0093" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0094", + "AVDID": "AVD-AWS-0094", + "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block", + "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given 
bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "Message": "Bucket does not have a corresponding public access block.", + "Query": "data..", + "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0094" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0132", + "AVDID": "AVD-AWS-0132", + "Title": "S3 encryption should use Customer Managed Keys", + "Description": "Encryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "Message": "Bucket does not encrypt data with a customer managed key.", + "Query": "data..", + "Resolution": "Enable encryption using customer managed keys", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0132" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] } ] } diff --git a/test/data/dev.tfvars b/test/data/dev.tfvars new file mode 100644 index 00000000..6fc5f84b --- /dev/null +++ b/test/data/dev.tfvars @@ -0,0 +1,2 @@ +# test data for trivy config with terraform variables +bucket_versioning_enabled="Enabled" \ No newline at end of file diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index bc7c3578..33de38a4 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test 
@@ -78,6 +78,587 @@ } } ] + }, + { + "Target": "test/data", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "test/data/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 9, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0086", + "AVDID": "AVD-AWS-0086", + "Title": "S3 Access block should block public ACL", + "Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "Message": "No public access block so not blocking public acls", + "Query": "data..", + "Resolution": "Enable blocking any PUT calls with a public ACL specified", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0086" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0087", + "AVDID": "AVD-AWS-0087", + "Title": "S3 Access block should block public policy", + "Description": 
"\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "Message": "No public access block so not blocking public policies", + "Query": "data..", + "Resolution": "Prevent policies that allow public access being PUT", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0087" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0088", + "AVDID": "AVD-AWS-0088", + "Title": "Unencrypted S3 bucket.", + "Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "Message": "Bucket does not have encryption enabled", + "Query": "data..", + "Resolution": "Configure bucket encryption", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0088" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": 
"AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0089", + "AVDID": "AVD-AWS-0089", + "Title": "S3 Bucket Logging", + "Description": "Ensures S3 bucket logging is enabled for S3 buckets", + "Message": "Bucket has logging disabled", + "Namespace": "builtin.aws.s3.aws0089", + "Query": "data.builtin.aws.s3.aws0089.deny", + "Resolution": "Add a logging block to the resource to enable access logging", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html", + "https://avd.aquasec.com/misconfig/avd-aws-0089" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Terraform Security Check", + "ID": "AVD-AWS-0090", + "AVDID": "AVD-AWS-0090", + "Title": "S3 Data should be versioned", + "Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "Message": "Bucket does not have versioning enabled", + "Query": "data..", + "Resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", + "https://avd.aquasec.com/misconfig/avd-aws-0090" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Provider": "AWS", + "Service": "s3", + "StartLine": 16, + "EndLine": 16, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " bucket = aws_s3_bucket.bucket.id", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " versioning_configuration {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " status = var.bucket_versioning_enabled", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": 
true + }, + { + "Number": 17, + "Content": " }", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": "}", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Occurrences": [ + { + "Resource": "versioning_configuration", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 15, + "EndLine": 17 + } + }, + { + "Resource": "aws_s3_bucket_versioning.bucket_versioning", + "Filename": "test/data/main.tf", + "Location": { + "StartLine": 12, + "EndLine": 18 + } + } + ] + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0091", + "AVDID": "AVD-AWS-0091", + "Title": "S3 Access Block should Ignore Public Acl", + "Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "Message": "No public access block so not ignoring public acls", + "Query": "data..", + "Resolution": "Enable ignoring the application of public ACLs in PUT calls", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0091" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0093", + "AVDID": "AVD-AWS-0093", + "Title": "S3 Access block should restrict public bucket to limit access", + "Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "Message": "No public access block so not restricting public buckets", + "Query": "data..", + "Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0093" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0094", + "AVDID": "AVD-AWS-0094", + "Title": "S3 buckets should each define an aws_s3_bucket_public_access_block", + "Description": "The \"block public access\" settings in S3 override individual policies that apply to a given 
bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "Message": "Bucket does not have a corresponding public access block.", + "Query": "data..", + "Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html", + "https://avd.aquasec.com/misconfig/avd-aws-0094" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0132", + "AVDID": "AVD-AWS-0132", + "Title": "S3 encryption should use Customer Managed Keys", + "Description": "Encryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys.", + "Message": "Bucket does not encrypt data with a customer managed key.", + "Query": "data..", + "Resolution": "Enable encryption using customer managed keys", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132", + "References": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", + "https://avd.aquasec.com/misconfig/avd-aws-0132" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Resource": "aws_s3_bucket.bucket", + "Provider": "AWS", + "Service": "s3", + "StartLine": 8, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "resource \"aws_s3_bucket\" \"bucket\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " bucket = \"trivy-action-bucket\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] } ] } diff --git a/test/data/main.tf b/test/data/main.tf new file mode 100644 index 00000000..85208bb2 --- /dev/null +++ b/test/data/main.tf @@ -0,0 +1,18 @@ +# test data for trivy config with terraform variables + +variable "bucket_versioning_enabled" { + type = string + default = "Disabled" +} + +resource "aws_s3_bucket" "bucket" { + bucket = "trivy-action-bucket" +} + +resource "aws_s3_bucket_versioning" "bucket_versioning" { + bucket = aws_s3_bucket.bucket.id + + versioning_configuration { + status = var.bucket_versioning_enabled + } +} \ No newline at end of file diff --git a/test/data/tfvars.test b/test/data/tfvars.test new file mode 100644 index 00000000..428b11b3 --- /dev/null +++ b/test/data/tfvars.test 
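Review bot: The header comment of the new main.tf does not say that the bucket is intentionally left without encryption, logging or a public access block, even though the config.test expectations in this same patch list nine FAIL misconfigurations for it, and anyone copying the file as a starting point would inherit them. I would extend the header with `# Deliberately minimal bucket (no encryption, logging or public access block) so the config scan has findings;` and `# versioning defaults to "Disabled" and is switched to "Enabled" by dev.tfvars to exercise --tf-vars.`. Both main.tf and dev.tfvars are also written without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs clean.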
@@ -0,0 +1,39 @@ +{ + "SchemaVersion": 2, + "ArtifactName": "test/data", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": ".", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 2, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 1, + "Failures": 0, + "Exceptions": 0 + } + } + ] +} diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index b34ab8ab..d04683cf 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test 
@@ -98,15 +98,15 @@ "https://access.redhat.com/security/cve/CVE-2021-36159", "https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch", "https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", + "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", "https://www.cve.org/CVERecord?id=CVE-2021-36159" ], "PublishedDate": "2021-08-03T14:15:00Z", - "LastModifiedDate": "2021-10-18T12:19:00Z" + "LastModifiedDate": "2023-11-07T03:36:00Z" } ] } diff --git a/test/test.bats b/test/test.bats index 13a69ced..5301eab1 100644 --- a/test/test.bats +++ b/test/test.bats 
@@ -81,3 +81,11 @@ bats_load_library bats-file echo "$output" assert_files_equal yamlconfig.test ./test/data/yamlconfig.test } + +@test "trivy config with terraform variables" { + # trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data + run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json" + run diff tfvars.test ./test/data/tfvars.test + echo "$output" + assert_files_equal tfvars.test ./test/data/tfvars.test +} \ No newline at end of file From 91713af97dc80187565512baba96e4364e983601 Mon Sep 17 00:00:00 2001 From: Ivan Santos <301291+pragmaticivan@users.noreply.github.com> Date: Fri, 8 Dec 2023 12:08:35 -0600 Subject: [PATCH 07/16] Update to trivy version 0.48.0 (#289) * Update to trivy version 0.48.0 --------- Signed-off-by: Simar Co-authored-by: Simar --- .github/workflows/build.yaml | 4 +- Dockerfile | 2 +- test/data/config-sarif.test | 72 ++++++++++++++++++------------------ test/data/config.test | 31 ++++++++++++++++ test/data/fs-scheck.test | 31 ++++++++++++++++ test/data/image-sarif.test | 2 +- test/data/repo.test | 1 + test/data/tfvars.test | 1 + test/data/yamlconfig.test | 3 +- 9 files changed, 106 insertions(+), 41 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f4d2a52f..46e63a86 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.45.0 + TRIVY_VERSION: 0.48.0 BATS_LIB_PATH: '/usr/lib/' jobs: build: @@ -25,4 +25,4 @@ jobs: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }} - name: Test - run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing . \ No newline at end of file + run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing . 
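Review bot: The new bats test never asserts that the `./entrypoint.sh` invocation itself succeeded — the following `run diff` overwrites `$status` and `$output`, so a scan that exits non-zero (bad flag, missing tfvars, DB download failure) only surfaces indirectly through the file comparison, and the diagnostic that gets echoed is diff's output rather than trivy's. Adding `assert_success` immediately after the `run ./entrypoint.sh ...` line (before `run diff`) pins the exit code and keeps the scanner's stderr in the failure report. The sibling tests visible in the context lines follow the same shape, so this may be a file-wide gap rather than specific to this hunk. Separately, the comment documents `--tf-vars ./test/data/dev.tfvars` while the call passes `-x dev.tfvars`; if the entrypoint does not resolve that relative to the scan directory the comment and the command disagree, so it is worth confirming which path is actually used. The file is also left without a trailing newline (`\ No newline at end of file`).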
diff --git a/Dockerfile b/Dockerfile index 05cd4a6a..ebbe6bd8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.47.0 +FROM ghcr.io/aquasecurity/trivy:0.48.0 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test index a3ce2473..5269f310 100644 --- a/test/data/config-sarif.test +++ b/test/data/config-sarif.test @@ -1,6 +1,6 @@ { "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", "runs": [ { "tool": { 
@@ -23,8 +23,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/ds002", "help": { - "text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile." + "text": "Misconfiguration DS002\\nType: Dockerfile Security Check\\nSeverity: HIGH\\nCheck: Image user should not be 'root'\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "markdown": "**Misconfiguration DS002**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\\n\\nRunning containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile." }, "properties": { "precision": "very-high", @@ -50,8 +50,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/ds026", "help": { - "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." + "text": "Misconfiguration DS026\\nType: Dockerfile Security Check\\nSeverity: LOW\\nCheck: No HEALTHCHECK defined\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "markdown": "**Misconfiguration DS026**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\\n\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers." }, "properties": { "precision": "very-high", 
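Review bot: The updated expected `help.text`/`help.markdown` values replace real newlines (`\n` in JSON) with `\\n`, which after JSON decoding is a literal backslash followed by `n`, so SARIF consumers (e.g. code-scanning UIs) would render the separator characters verbatim instead of line breaks. Later hunks in the same fixture even mix both forms (`...\\n\nS3 buckets should...`), which suggests this is an escaping regression in the trivy 0.48.0 SARIF template being codified as expected output rather than intended behaviour. Before pinning it, it seems worth confirming against upstream and, if it is a bug, tracking it so the fixture is reverted when a fixed trivy is picked up; a one-line comment in the commit message or test noting `expected output reflects 0.48.0 SARIF newline escaping; revisit on next bump` would keep the intent visible.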
@@ -77,8 +77,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086", "help": { - "text": "Misconfiguration AVD-AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", - "markdown": "**Misconfiguration AVD-AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\n\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" + "text": "Misconfiguration AVD-AWS-0086\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public ACL\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n", + "markdown": "**Misconfiguration AVD-AWS-0086**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\\n\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n" }, "properties": { "precision": "very-high", 
@@ -104,8 +104,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087", "help": { - "text": "Misconfiguration AVD-AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", - "markdown": "**Misconfiguration AVD-AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\n\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" + "text": "Misconfiguration AVD-AWS-0087\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public policy\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n", + "markdown": "**Misconfiguration AVD-AWS-0087**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\\n\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n" }, "properties": { "precision": "very-high", 
@@ -131,8 +131,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088", "help": { - "text": "Misconfiguration AVD-AWS-0088\nType: Terraform Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", - "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." + "text": "Misconfiguration AVD-AWS-0088\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: Unencrypted S3 bucket.\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.", + "markdown": "**Misconfiguration AVD-AWS-0088**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\\n\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised." }, "properties": { "precision": "very-high", 
@@ -158,8 +158,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089", "help": { - "text": "Misconfiguration AVD-AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets", - "markdown": "**Misconfiguration AVD-AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets" + "text": "Misconfiguration AVD-AWS-0089\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 Bucket Logging\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\\nEnsures S3 bucket logging is enabled for S3 buckets", + "markdown": "**Misconfiguration AVD-AWS-0089**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\\n\\nEnsures S3 bucket logging is enabled for S3 buckets" }, "properties": { "precision": "very-high", 
@@ -185,8 +185,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090", "help": { - "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n", - "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" + "text": "Misconfiguration AVD-AWS-0090\\nType: Terraform Security Check\\nSeverity: MEDIUM\\nCheck: S3 Data should be versioned\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
\nWith versioning you can recover more easily from both unintended user actions and application failures.\n", + "markdown": "**Misconfiguration AVD-AWS-0090**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\\n\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n" }, "properties": { "precision": "very-high", 
@@ -212,8 +212,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091", "help": { - "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", - "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" + "text": "Misconfiguration AVD-AWS-0091\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access Block should Ignore Public Acl\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", + "markdown": "**Misconfiguration AVD-AWS-0091**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\\n\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" }, "properties": { "precision": "very-high", 
@@ -239,8 +239,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093", "help": { - "text": "Misconfiguration AVD-AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", - "markdown": "**Misconfiguration AVD-AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." + "text": "Misconfiguration AVD-AWS-0093\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should restrict public bucket to limit access\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.", + "markdown": "**Misconfiguration AVD-AWS-0093**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\\n\\nS3 buckets should restrict public policies for the bucket. 
By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy." }, "properties": { "precision": "very-high", 
@@ -266,8 +266,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094", "help": { - "text": "Misconfiguration AVD-AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", - "markdown": "**Misconfiguration AVD-AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." + "text": "Misconfiguration AVD-AWS-0094\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. 
It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.", + "markdown": "**Misconfiguration AVD-AWS-0094**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\\n\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it." }, "properties": { "precision": "very-high", 
@@ -293,8 +293,8 @@ }, "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132", "help": { - "text": "Misconfiguration AVD-AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.", - "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys." + "text": "Misconfiguration AVD-AWS-0132\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 encryption should use Customer Managed Keys\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.", + "markdown": "**Misconfiguration AVD-AWS-0132**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\\n\\nEncryption using AWS keys provides protection for your S3 buckets. 
To increase control of the encryption and manage factors like rotation use customer managed keys." }, "properties": { "precision": "very-high", @@ -307,7 +307,7 @@ } } ], - "version": "0.45.0" + "version": "0.48.0" } }, "results": [ @@ -316,7 +316,7 @@ "ruleIndex": 0, "level": "error", "message": { - "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)" + "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)" }, "locations": [ { @@ -343,7 +343,7 @@ "ruleIndex": 1, "level": "note", "message": { - "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" + "text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS026\\nSeverity: LOW\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)" }, "locations": [ { @@ -370,7 +370,7 @@ "ruleIndex": 2, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0086\\nSeverity: HIGH\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)" }, "locations": [ { 
@@ -397,7 +397,7 @@ "ruleIndex": 3, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0087\\nSeverity: HIGH\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)" }, "locations": [ { @@ -424,7 +424,7 @@ "ruleIndex": 4, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0088\\nSeverity: HIGH\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)" }, "locations": [ { @@ -451,7 +451,7 @@ "ruleIndex": 5, "level": "note", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0089\\nSeverity: LOW\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)" }, "locations": [ { 
@@ -478,7 +478,7 @@ "ruleIndex": 6, "level": "warning", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0090\\nSeverity: MEDIUM\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)" }, "locations": [ { @@ -505,7 +505,7 @@ "ruleIndex": 7, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0091\nSeverity: HIGH\nMessage: No public access block so not ignoring public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0091\\nSeverity: HIGH\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)" }, "locations": [ { @@ -532,7 +532,7 @@ "ruleIndex": 8, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0093\\nSeverity: HIGH\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)" }, "locations": [ { 
@@ -559,7 +559,7 @@ "ruleIndex": 9, "level": "note", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0094\\nSeverity: LOW\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)" }, "locations": [ { @@ -586,7 +586,7 @@ "ruleIndex": 10, "level": "error", "message": { - "text": "Artifact: test/data/main.tf\nType: terraform\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" + "text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0132\\nSeverity: HIGH\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)" }, "locations": [ { @@ -612,7 +612,7 @@ "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { - "uri": "file:///" + "uri": "file:///Users/simarpreetsingh/repos/trivy-action/" } } } diff --git a/test/data/config.test b/test/data/config.test index 33de38a4..df498d2a 100644 --- a/test/data/config.test +++ b/test/data/config.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:54.295987-07:00", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { @@ -130,6 +131,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, 
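Review bot: The `originalUriBaseIds.ROOTPATH.uri` in the expected SARIF now hardcodes `file:///Users/simarpreetsingh/repos/trivy-action/`, a path from the author's workstation, where the previous fixture had the neutral `file:///`. Unless the bats test normalizes this field before `assert_files_equal` (not visible here), the comparison will only pass on that one machine, and the fixture also leaks a local username into the repository. Regenerating the fixture from a neutral root, or stripping `originalUriBaseIds` on both sides before comparing, would make the test portable to CI.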
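Review bot: The added `"CreatedAt": "2023-12-08T11:02:54.295987-07:00"` in the config.test fixture is a wall-clock timestamp, so every subsequent run of the corresponding test will produce a different value and the byte-for-byte comparison will fail unless the test strips it first (nothing in this hunk shows that). Either filter the field out of both files before comparing (for example `jq 'del(.CreatedAt)'` or an equivalent `sed` line in the test) or ask trivy to omit it; the diffstat shows repo.test and tfvars.test each gaining one line as well, which may be the same field.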
@@ -139,6 +141,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -148,6 +151,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -186,6 +190,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -195,6 +200,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -204,6 +210,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -242,6 +249,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -251,6 +259,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -260,6 +269,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -299,6 +309,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, 
@@ -308,6 +319,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -317,6 +329,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -355,6 +368,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {", "FirstCause": false, "LastCause": false }, @@ -364,6 +378,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id", "FirstCause": false, "LastCause": false }, @@ -382,6 +397,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " versioning_configuration {", "FirstCause": false, "LastCause": false }, @@ -391,6 +407,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled", "FirstCause": true, "LastCause": true }, @@ -400,6 +417,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " }", "FirstCause": false, "LastCause": false }, @@ -409,6 +427,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "}", "FirstCause": false, "LastCause": false } @@ -465,6 +484,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -474,6 +494,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, 
@@ -483,6 +504,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -521,6 +543,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -530,6 +553,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -539,6 +563,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -577,6 +602,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -586,6 +612,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -595,6 +622,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -633,6 +661,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -642,6 +671,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -651,6 +681,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } 
diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index 33de38a4..30474a40 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:56.571535-07:00", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { @@ -130,6 +131,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -139,6 +141,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -148,6 +151,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -186,6 +190,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -195,6 +200,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -204,6 +210,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -242,6 +249,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -251,6 +259,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, 
@@ -260,6 +269,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -299,6 +309,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -308,6 +319,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -317,6 +329,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -355,6 +368,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {", "FirstCause": false, "LastCause": false }, @@ -364,6 +378,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id", "FirstCause": false, "LastCause": false }, @@ -382,6 +397,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " versioning_configuration {", "FirstCause": false, "LastCause": false }, @@ -391,6 +407,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled", "FirstCause": true, "LastCause": true }, @@ -400,6 +417,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": " }", "FirstCause": false, "LastCause": false }, @@ -409,6 +427,7 @@ "IsCause": false, "Annotation": "", "Truncated": false, + "Highlighted": "}", "FirstCause": false, "LastCause": false } 
@@ -465,6 +484,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -474,6 +494,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -483,6 +504,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -521,6 +543,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -530,6 +553,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -539,6 +563,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } @@ -577,6 +602,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -586,6 +612,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -595,6 +622,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } 
@@ -633,6 +661,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {", "FirstCause": true, "LastCause": false }, @@ -642,6 +671,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"", "FirstCause": false, "LastCause": false }, @@ -651,6 +681,7 @@ "IsCause": true, "Annotation": "", "Truncated": false, + "Highlighted": "\u001b[0m}", "FirstCause": false, "LastCause": true } diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test index 932ff7bc..c6295c9d 100644 --- a/test/data/image-sarif.test +++ b/test/data/image-sarif.test @@ -74,4 +74,4 @@ } } ] -} \ No newline at end of file +} diff --git a/test/data/repo.test b/test/data/repo.test index b7bc4dca..f39a664b 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:02:50.045151-07:00", "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", "Metadata": { diff --git a/test/data/tfvars.test b/test/data/tfvars.test index 428b11b3..1eaecaa3 100644 --- a/test/data/tfvars.test +++ b/test/data/tfvars.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:03:02.76948-07:00", "ArtifactName": "test/data", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index d04683cf..498bb77e 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2023-12-08T11:03:01.877209-07:00", "ArtifactName": "alpine:3.10", "ArtifactType": "container_image", "Metadata": { 
@@ -76,7 +77,7 @@ "Name": "Alpine Secdb", "URL": "https://secdb.alpinelinux.org/" }, - "Title": "an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", + "Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", "Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", "Severity": "CRITICAL", "CweIDs": [ From 5f1841df8d34621a80bd1c6224be425990b2a8f6 Mon Sep 17 00:00:00 2001 From: Martin Kemp Date: Wed, 3 Jan 2024 00:51:04 +0000 Subject: [PATCH 08/16] Update Trivy to 0.48.1 (#291) * Update Trivy to 0.48.1 Signed-off-by: Martin Kemp * update tests --------- Signed-off-by: Martin Kemp Co-authored-by: Simar --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- test/data/config-sarif.test | 4 ++-- test/data/config.test | 2 +- test/data/fs-scheck.test | 2 +- test/data/repo.test | 2 +- test/data/tfvars.test | 2 +- test/data/yamlconfig.test | 6 +++--- 8 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 46e63a86..817eb41e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.48.0 + TRIVY_VERSION: 0.48.1 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index ebbe6bd8..f9fae013 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.48.0 +FROM ghcr.io/aquasecurity/trivy:0.48.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test index 5269f310..3189a576 100644 --- a/test/data/config-sarif.test +++ b/test/data/config-sarif.test @@ -307,7 +307,7 @@ } } ], - "version": "0.48.0" + "version": "0.48.1" } }, "results": [ @@ -612,7 +612,7 @@ "columnKind": "utf16CodeUnits", "originalUriBaseIds": { "ROOTPATH": { - "uri": "file:///Users/simarpreetsingh/repos/trivy-action/" + "uri": "file:///home/runner/work/trivy-action/trivy-action/" } } } diff --git a/test/data/config.test b/test/data/config.test index df498d2a..5a3b830e 100644 --- a/test/data/config.test +++ b/test/data/config.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:54.295987-07:00", + "CreatedAt": "2024-01-02T23:40:12.036390742Z", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test index 30474a40..da0a280f 100644 --- a/test/data/fs-scheck.test +++ b/test/data/fs-scheck.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:56.571535-07:00", + "CreatedAt": "2024-01-02T23:40:15.166517221Z", "ArtifactName": ".", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/repo.test b/test/data/repo.test index f39a664b..2c483fdf 100644 --- a/test/data/repo.test +++ b/test/data/repo.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:02:50.045151-07:00", + "CreatedAt": "2024-01-02T23:40:04.647712097Z", "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", "Metadata": { diff --git a/test/data/tfvars.test b/test/data/tfvars.test index 1eaecaa3..c2d09b88 100644 --- a/test/data/tfvars.test +++ b/test/data/tfvars.test 
@@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:03:02.76948-07:00", + "CreatedAt": "2024-01-02T16:27:32.841193-07:00", "ArtifactName": "test/data", "ArtifactType": "filesystem", "Metadata": { diff --git a/test/data/yamlconfig.test b/test/data/yamlconfig.test index 498bb77e..0edc4774 100644 --- a/test/data/yamlconfig.test +++ b/test/data/yamlconfig.test @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "CreatedAt": "2023-12-08T11:03:01.877209-07:00", + "CreatedAt": "2024-01-02T23:40:21.039454971Z", "ArtifactName": "alpine:3.10", "ArtifactType": "container_image", "Metadata": { @@ -106,8 +106,8 @@ "https://nvd.nist.gov/vuln/detail/CVE-2021-36159", "https://www.cve.org/CVERecord?id=CVE-2021-36159" ], - "PublishedDate": "2021-08-03T14:15:00Z", - "LastModifiedDate": "2023-11-07T03:36:00Z" + "PublishedDate": "2021-08-03T14:15:08.233Z", + "LastModifiedDate": "2023-11-07T03:36:43.337Z" } ] } From d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca Mon Sep 17 00:00:00 2001 From: Lucas Bickel <116588+hairmare@users.noreply.github.com> Date: Wed, 3 Jan 2024 10:53:48 +1000 Subject: [PATCH 09/16] docs: fix typo in README.md (#293) Signed-off-by: Lucas Bickel --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 69cc0c00..4ec967f1 100644 --- a/README.md +++ b/README.md @@ -86,7 +86,7 @@ It is possible to define all options in the `trivy.yaml` file. Specifying indivi - `image-ref`: If using `image` scan. - `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc. -#### Order of prerference for options +#### Order of preference for options Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows: - GitHub Action flag - Environment variable From 0b9d17b6b5fdec04f3d5b5b9c4cd20058c7e4cbf Mon Sep 17 00:00:00 2001 
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Fri, 12 Jan 2024 04:13:21 +0600 Subject: [PATCH 10/16] docs: add configuration info for flags not supported by inputs (#296) * docs: add information about configuration flags not supported by inputs * docs: add env and config file to Customizing --- README.md | 69 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 4ec967f1..284d520b 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of format: json exit-code: 1 severity: CRITICAL +secret: + config: config/trivy/secret.yaml ``` It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file: 
@@ -479,36 +481,49 @@ jobs: ## Customizing +Configuration priority: +- [Inputs](#inputs) +- [Environment variables](#environment-variables) +- [Trivy config file](#trivy-config-file) +- Default values + + ### inputs Following inputs can be used as `step.with` keys: -| Name | Type | Default | Description | -|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------| -| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` | -| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | -| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | -| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` | -| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) | -| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | -| `tf-vars` | String | | path to Terraform variables file | -| `output` | String | | Save results to a file | -| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | -| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | -| `vuln-type` | String | `os,library` | Vulnerability types (os,library) | -| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed | -| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped | -| `skip-files` | String | | Comma separated list of files where traversal is skipped | -| `cache-dir` | String | | Cache directory | -| `timeout` | String | `5m0s` | Scan timeout duration | -| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `true` | Suppress progress bar | -| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | -| `scanners` | String | `vuln,secret` | 
comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | -| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | -| `trivy-config` | String | | Path to trivy.yaml config | -| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | -| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | +| Name | Type | Default | Description | +|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` | +| `input` | String | | Tar reference, e.g. `alpine-latest.tar` | +| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` | +| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. 
`/github/workspace/` or `.` | +| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) | +| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) | +| `tf-vars` | String | | path to Terraform variables file | +| `output` | String | | Save results to a file | +| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found | +| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities | +| `vuln-type` | String | `os,library` | Vulnerability types (os,library) | +| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed | +| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped | +| `skip-files` | String | | Comma separated list of files where traversal is skipped | +| `cache-dir` | String | | Cache directory | +| `timeout` | String | `5m0s` | Scan timeout duration | +| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | +| `hide-progress` | String | `true` | Suppress progress bar | +| `list-all-pkgs` | String | | Output all packages regardless of vulnerability | +| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | +| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | +| `trivy-config` | String | | Path to trivy.yaml config | +| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | +| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. 
To override this behavior set this parameter to **true** | + +### Environment variables +You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). + +### Trivy config file +When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`). [release]: https://github.com/aquasecurity/trivy-action/releases/latest [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github @@ -516,3 +531,5 @@ Following inputs can be used as `step.with` keys: [marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action +[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables +[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ \ No newline at end of file From f3d98514b056d8c71a3552e8328c225bc7f6f353 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sim=C3=A3o=20Silva?= <37107350+simao-silva@users.noreply.github.com> Date: Sun, 14 Jan 2024 21:28:49 +0000 Subject: [PATCH 11/16] fix: Fix `skip-files` and `hide-progress` options not being applied when using Sarif report format (#297) * Update entrypoint.sh * Update entrypoint.sh * Update entrypoint.sh --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 8d3563db..38832fe1 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -163,6 +163,7 @@ if [ $ignorePolicy ];then fi if [ "$hideProgress" == "true" ];then ARGS="$ARGS --no-progress" + SARIF_ARGS="$SARIF_ARGS --no-progress" fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r') 
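Review bot: Mirroring each option into SARIF_ARGS one `if` block at a time lets the two argument sets drift: the `--tf-vars` branch shown in the #323 patch further down this page (`ARGS="$ARGS --tf-vars $tfVars"`) still appends to ARGS only, and the README pairs `scan-type: 'config'` with `format: 'sarif'`, so a config scan in SARIF format would presumably run without its tf-vars if SARIF_ARGS is a separate invocation's argument set, as this fix implies. Consider collecting the options that apply to both invocations in one variable and deriving ARGS and SARIF_ARGS from it, so a new option cannot be added to one and forgotten in the other. The hideProgress `if` block is complete within the hunk; the rest of the option parsing is not shown.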
@@ -173,6 +174,7 @@ if [ "$skipFiles" ];then for i in $(echo $skipFiles | tr "," "\n") do ARGS="$ARGS --skip-files $i" + SARIF_ARGS="$SARIF_ARGS --skip-files $i" done fi From 84384bd6e777ef152729993b8145ea352e9dd3ef Mon Sep 17 00:00:00 2001 From: Kyle Davies <98526301+kderck@users.noreply.github.com> Date: Tue, 6 Feb 2024 01:54:03 +0000 Subject: [PATCH 12/16] Upgraded Trivy from 0.48.1 to v0.49.0 (#304) --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 817eb41e..16915c2a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.48.1 + TRIVY_VERSION: 0.49.0 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index f9fae013..81d2f323 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.48.1 +FROM ghcr.io/aquasecurity/trivy:0.49.0 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh From 1f6384b6ceecbbc6673526f865b818a2a06b07c9 Mon Sep 17 00:00:00 2001 From: Maxime Durand <72691393+Maxim-Durand@users.noreply.github.com> Date: Tue, 13 Feb 2024 23:20:36 +0100 Subject: [PATCH 13/16] docs(report): improve documentation around `Using Trivy to generate SBOM` and sending it to Github (#307) * Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan * formatting * better name for job --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/README.md b/README.md index 284d520b..0d971f68 100644 --- a/README.md +++ b/README.md 
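Review bot: The value the new `SARIF_ARGS="$SARIF_ARGS --skip-files $i"` line receives has already been altered upstream of it: `for i in $(echo $skipFiles | tr "," "\n")` expands `$skipFiles` unquoted, so an entry such as `*.md` is glob-expanded against the working directory and an entry containing whitespace is split into several `--skip-files` flags before either ARGS or SARIF_ARGS sees it. Reading the list into an array keeps each comma-separated entry intact: `IFS=',' read -r -a skip_files <<<"$skipFiles"` followed by `for i in "${skip_files[@]}"; do`. The `if [ "$skipFiles" ]` line that opens this block is outside the hunk.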
@@ -337,6 +337,49 @@ jobs: github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT ``` +When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance. + +You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact): + +```yaml +--- +name: Pull Request +on: + push: + branches: + - main + +## GITHUB_TOKEN authentication, add only if you're not going to use a PAT +permissions: + contents: write + +jobs: + build: + name: Checks + runs-on: ubuntu-20.04 + steps: + - name: Scan image in a private registry + uses: aquasecurity/trivy-action@master + with: + image-ref: "private_image_registry/image_name:image_tag" + scan-type: image + format: 'github' + output: 'dependency-results.sbom.json' + github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT + severity: "MEDIUM,HIGH,CRITICAL" + scanners: "vuln" + env: + TRIVY_USERNAME: "image_registry_admin_username" + TRIVY_PASSWORD: "image_registry_admin_password" + + - name: Upload trivy report as a Github artifact + uses: actions/upload-artifact@v4 + with: + name: trivy-sbom-report + path: '${{ github.workspace }}/dependency-results.sbom.json' + retention-days: 20 # 90 is the default +``` + ### Using Trivy to scan your private registry It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars. From 062f2592684a31eb3aa050cc61e7ca1451cecd3d Mon Sep 17 00:00:00 2001 From: cococig <84442548+cococig@users.noreply.github.com> Date: Fri, 23 Feb 2024 06:28:04 +0900 Subject: [PATCH 14/16] fix: Refer to scan-ref when scan-type is "sbom" (#314) --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 38832fe1..e6306f18 100755 --- a/entrypoint.sh 
+++ b/entrypoint.sh @@ -80,7 +80,7 @@ done scanType=$(echo $scanType | tr -d '\r') export artifactRef="${imageRef}" -if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then +if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then artifactRef=$(echo $scanRef | tr -d '\r') fi input=$(echo $input | tr -d '\r') From d710430a6722f083d3b36b8339ff66b32f22ee55 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:22:09 -0600 Subject: [PATCH 15/16] bump trivy version to v0.50.1 (#324) --- .github/workflows/build.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 16915c2a..e5bb34f9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,7 +1,7 @@ name: "build" on: [push, pull_request] env: - TRIVY_VERSION: 0.49.0 + TRIVY_VERSION: 0.50.1 BATS_LIB_PATH: '/usr/lib/' jobs: build: diff --git a/Dockerfile b/Dockerfile index 81d2f323..5df7c410 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/aquasecurity/trivy:0.49.0 +FROM ghcr.io/aquasecurity/trivy:0.50.1 COPY entrypoint.sh / RUN apk --no-cache add bash curl npm RUN chmod +x /entrypoint.sh From f72b7e8127f2e443feedad3c314e6fe75e5a8b84 Mon Sep 17 00:00:00 2001 From: uridium Date: Fri, 29 Mar 2024 02:06:30 +0100 Subject: [PATCH 16/16] Make 'hide-progress' input working again (#323) * Make hide-progress input working again * Unify 'hide-progress' default value --- README.md | 10 +++++----- action.yaml | 3 +-- entrypoint.sh | 6 +++--- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 0d971f68..648d08c6 100644 --- a/README.md +++ b/README.md 
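Review bot: The chain of `[ "${scanType}" = ... ] || …` tests has grown to six alternatives on one line, and every new scan type means editing that whole line; a `case` on `${scanType}` lists the scan types that resolve to `scan-ref` in one place and reads the way the next reviewer expects. While touching it, `artifactRef=$(echo $scanRef | tr -d '\r')` expands `$scanRef` unquoted, so a reference containing whitespace or glob characters is changed before it is stored; quoting it avoids that. The `export artifactRef="${imageRef}"` default above the block stays as it is.
```shell
export artifactRef="${imageRef}"
case "${scanType}" in
  repo|fs|filesystem|config|rootfs|sbom)
    artifactRef=$(printf '%s' "$scanRef" | tr -d '\r')
    ;;
esac
# … unchanged: input=$(echo $input | tr -d '\r') …
```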
@@ -115,7 +115,7 @@ jobs: run: | docker pull docker save -o vuln-image.tar - + - name: Run Trivy vulnerability scanner in tarball mode uses: aquasecurity/trivy-action@master with: @@ -287,7 +287,7 @@ jobs: uses: aquasecurity/trivy-action@master with: scan-type: 'config' - hide-progress: false + hide-progress: true format: 'sarif' output: 'trivy-results.sarif' exit-code: '1' 
@@ -303,7 +303,7 @@ jobs: ### Using Trivy to generate SBOM It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph). -The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). +The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`): 
@@ -554,7 +554,7 @@ Following inputs can be used as `step.with` keys: | `cache-dir` | String | | Cache directory | | `timeout` | String | `5m0s` | Scan timeout duration | | `ignore-policy` | String | | Filter vulnerabilities with OPA rego language | -| `hide-progress` | String | `true` | Suppress progress bar | +| `hide-progress` | String | `false` | Suppress progress bar and log output | | `list-all-pkgs` | String | | Output all packages regardless of vulnerability | | `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) | | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files | @@ -575,4 +575,4 @@ When using the `trivy-config` [Input](#inputs), you can set options using the [T [license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE [license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action [trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables -[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ \ No newline at end of file +[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ diff --git a/action.yaml b/action.yaml index c6f457a5..02bcd34d 100644 --- a/action.yaml +++ b/action.yaml @@ -65,7 +65,7 @@ inputs: required: false default: '' hide-progress: - description: 'hide progress output' + description: 'suppress progress bar and log output' required: false list-all-pkgs: description: 'output all packages regardless of vulnerability' @@ -123,4 +123,3 @@ runs: - '-v ${{ inputs.trivy-config }}' - '-x ${{ inputs.tf-vars }}' - '-z ${{ inputs.limit-severities-for-sarif }}' - \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index e6306f18..0b6f46ce 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
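Review bot: The README inputs table changed in this same commit now documents `false` as the default for `hide-progress`, but the input here carries only `description` and `required: false` with no `default:` line, so an omitted input reaches the entrypoint as an empty string rather than the string `false`. The runtime check in entrypoint.sh compares against the literal `true`, so the effective behaviour matches the table, but the metadata does not say so on its own; adding `default: 'false'` directly under `required: false` keeps action.yaml and the README consistent and self-describing. The `hide-progress:` mapping is shown in full in the hunk.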
@@ -137,7 +137,7 @@ if [ $skipDirs ];then fi if [ $tfVars ] && [ "$scanType" == "config" ];then ARGS="$ARGS --tf-vars $tfVars" -fi +fi if [ $trivyIgnores ];then for f in $(echo $trivyIgnores | tr "," "\n") @@ -162,8 +162,8 @@ if [ $ignorePolicy ];then SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy" fi if [ "$hideProgress" == "true" ];then - ARGS="$ARGS --no-progress" - SARIF_ARGS="$SARIF_ARGS --no-progress" + ARGS="$ARGS --quiet" + SARIF_ARGS="$SARIF_ARGS --quiet" fi listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
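Review bot: The switch to `--quiet` on both added lines suppresses Trivy's log output as well as the progress bar (the action.yaml description in this commit says as much), so when a scan fails the warnings and error detail Trivy would otherwise have logged may no longer appear in the Actions log, which makes CI failures harder to diagnose. Nothing in the hunk records that tradeoff; a comment above the assignments, `# hide-progress maps to trivy --quiet: drops the progress bar AND log output, not only the bar`, would make it explicit for the next maintainer. If silencing logs was not the intent for the SARIF pass, that line can keep the narrower flag, `SARIF_ARGS="$SARIF_ARGS --no-progress"`. The guard `[ "$hideProgress" == "true" ]` at the top of the block only matches the literal lowercase string, so any other spelling of the input silently leaves logging on.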
