fix examples
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Sep 24, 2024
1 parent 5631ba6 commit 02a0323
Showing 24 changed files with 296 additions and 161 deletions.
4 changes: 2 additions & 2 deletions checks/cloud/aws/apigateway/no_public_access.rego
Expand Up @@ -35,11 +35,11 @@ deny contains res if {
isManaged(api)
some method in api.resources[_].methods
not method_is_option(method)
not is_apikey_required(api)
not is_apikey_required(method)
method.authorizationtype.value == authorization_none
res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
}

method_is_option(method) := method.httpmethod.value == "OPTION"

is_apikey_required(api) := api.apikeyrequired.value
is_apikey_required(method) := method.apikeyrequired.value
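Review bot: Nothing in the rule records why a method with `apikeyrequired` set is exempt from the public-access finding, so the next reader has to reconstruct that intent from the test name alone. A one-line comment above the `deny` body, such as `# a method that requires an API key is not treated as publicly accessible`, would make the exemption explicit; the rule head itself starts above the hunk.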
2 changes: 1 addition & 1 deletion checks/cloud/aws/apigateway/no_public_access_test.rego
Expand Up @@ -19,7 +19,7 @@ test_allow_get_method_with_auth if {
}

test_allow_if_api_required if {
test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}})
test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}, "apikeyrequired": {"value": true}})
}

input_with_method(method) = {"aws": {"apigateway": {"v1": {"apis": [{"resources": [{"methods": [method]}]}]}}}}
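Review bot: The updated `test_allow_if_api_required` sets both `"authorizationtype": {"value": "AWS_IAM"}` and `"apikeyrequired": {"value": true}`, so it would still pass if the new `is_apikey_required(method)` branch were broken, because the IAM authorizer alone already prevents a finding. To exercise the API-key exemption on its own, the method in this test should use the authorization value the check treats as none (the `authorization_none` constant, defined outside this hunk), e.g. `"authorizationtype": {"value": "NONE"}` together with `"apikeyrequired": {"value": true}`. A companion case with `"apikeyrequired": {"value": false}` and the same authorization would pin the negative side.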
11 changes: 10 additions & 1 deletion checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go
Expand Up @@ -2,10 +2,19 @@ package cloudtrail

var terraformEncryptionCustomerManagedKeyGoodExamples = []string{
`
resource "aws_kms_key" "trail" {
enable_key_rotation = true
}
resource "aws_kms_alias" "trail" {
name = "alias/trail"
target_key_id = aws_kms_key.trail.key_id
}
resource "aws_cloudtrail" "good_example" {
is_multi_region_trail = true
enable_log_file_validation = true
kms_key_id = var.kms_id
kms_key_id = aws_kms_alias.trail.arn
event_selector {
read_write_type = "All"
11 changes: 10 additions & 1 deletion checks/cloud/aws/cloudwatch/log_group_customer_key.tf.go
Expand Up @@ -2,10 +2,19 @@ package cloudwatch

var terraformLogGroupCustomerKeyGoodExamples = []string{
`
resource "aws_kms_key" "cloudwatch" {
enable_key_rotation = true
}
resource "aws_kms_alias" "cloudwatch" {
name = "alias/cloudwatch"
target_key_id = aws_kms_key.cloudwatch.key_id
}
resource "aws_cloudwatch_log_group" "good_example" {
name = "good_example"
kms_key_id = aws_kms_key.log_key.arn
kms_key_id = aws_kms_alias.cloudwatch.arn
}
`,
}
8 changes: 7 additions & 1 deletion checks/cloud/aws/ec2/encryption_customer_key.cf.go
Expand Up @@ -13,12 +13,18 @@ Resources:
`,
`---
Resources:
MyKey:
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
GoodExample:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
KmsKeyId: !ImportValue "MyStack:Key"
KmsKeyId: !Ref MyKey
DeletionPolicy: Snapshot
`,
}
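Review bot: The new `MyKey` resource's `KeyPolicy` carries only `Version` and `Id` and stops before `GoodExample`, so it has no `Statement` element, and a policy document without one is not a valid KMS key policy. If these good examples are meant to be deployable snippets rather than only scanner fixtures, the policy needs at least one statement granting the account root key administration; if they are fixtures only, a short comment in the example saying the key policy is intentionally abbreviated would stop readers from copying it. The surrounding string literal continues below the hunk.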
3 changes: 3 additions & 0 deletions checks/cloud/aws/ec2/no_default_vpc.tf.go
Expand Up @@ -3,6 +3,9 @@ package ec2
var terraformNoDefaultVpcGoodExamples = []string{
`
# no aws default vpc present
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
`,
}

2 changes: 1 addition & 1 deletion checks/cloud/aws/ec2/no_excessive_port_access.cf.go
Expand Up @@ -9,7 +9,7 @@ Resources:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: "something"
RuleAction: "allow"
RuleAction: "allow"
Rule:
Type: AWS::EC2::NetworkAclEntry
Properties:
4 changes: 2 additions & 2 deletions checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go
Expand Up @@ -8,9 +8,9 @@ var terraformNoPublicIngressSgrGoodExamples = []string{
}
`,
`
resource "aws_security_group_rule" "allow_partner_rsync" {
resource "aws_security_group_rule" "example" {
type = "ingress"
security_group_id = aws_security_group.….id
security_group_id = "sg-123456"
from_port = 22
to_port = 22
protocol = "tcp"
8 changes: 4 additions & 4 deletions checks/cloud/aws/eks/encrypt_secrets.cf.go
Expand Up @@ -11,10 +11,10 @@ Resources:
RoleArn: >-
arn:aws:iam::012345678910:role/eks-service-role-good-example
EncryptionConfig:
Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
- Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
ResourcesVpcConfig:
SecurityGroupIds:
- sg-6979fe18
19 changes: 14 additions & 5 deletions checks/cloud/aws/eks/encrypt_secrets.rego
Expand Up @@ -35,13 +35,22 @@ import rego.v1

deny contains res if {
some cluster in input.aws.eks.clusters
cluster.encryption.secrets.value == false
res := result.new("Cluster does not have secret encryption enabled.", cluster.encryption.secrets)
not has_secrets(cluster)
res := result.new(
"Cluster does not have secret encryption enabled.",
object.get(cluster, ["encryption", "secrets"], cluster),
)
}

deny contains res if {
some cluster in input.aws.eks.clusters
cluster.encryption.secrets.value == true
cluster.encryption.kmskeyid.value == ""
res := result.new("Cluster encryption requires a KMS key ID, which is missing", cluster.encryption.kmskeyid)
has_secrets(cluster)
not has_key(cluster)
res := result.new(
"Cluster encryption requires a KMS key ID, which is missing",
object.get(cluster, ["encryption", "kmskeyid"], cluster),
)
}

has_secrets(cluster) if cluster.encryption.secrets.value
has_key(cluster) if cluster.encryption.kmskeyid.value != ""
6 changes: 5 additions & 1 deletion checks/cloud/aws/eks/encrypt_secrets.tf.go
Expand Up @@ -2,11 +2,15 @@ package eks

var terraformEncryptSecretsGoodExamples = []string{
`
resource "aws_kms_key" "eks" {
enable_key_rotation = true
}
resource "aws_eks_cluster" "good_example" {
encryption_config {
resources = [ "secrets" ]
provider {
key_arn = var.kms_arn
key_arn = aws_kms_key.eks.arn
}
}
19 changes: 14 additions & 5 deletions checks/cloud/aws/kinesis/enable_in_transit_encryption.rego
Expand Up @@ -35,13 +35,22 @@ import rego.v1

deny contains res if {
some stream in input.aws.kinesis.streams
stream.encryption.type.value != "KMS"
res := result.new("Stream does not use KMS encryption.", stream.encryption.type)
not is_kms_encryption(stream)
res := result.new(
"Stream does not use KMS encryption.",
object.get(stream, ["encryption", "type"], stream),
)
}

deny contains res if {
some stream in input.aws.kinesis.streams
stream.encryption.type.value == "KMS"
stream.encryption.kmskeyid.value == ""
res := result.new("Stream does not use a custom-managed KMS key.", stream.encryption.kmskeyid)
is_kms_encryption(stream)
not has_kms_key(stream)
res := result.new(
"Stream does not use a custom-managed KMS key.",
object.get(stream, ["encryption", "kmskeyid"], stream),
)
}

is_kms_encryption(stream) if stream.encryption.type.value == "KMS"
has_kms_key(stream) if stream.encryption.kmskeyid.value != ""
9 changes: 7 additions & 2 deletions checks/cloud/aws/lambda/enable_tracing.rego
Expand Up @@ -35,6 +35,11 @@ import rego.v1

deny contains res if {
some func in input.aws.lambda.functions
func.tracing.mode.value != "Active"
res := result.new("Function does not have tracing enabled.", func.tracing.mode)
not is_active_mode(func)
res := result.new(
"Function does not have tracing enabled.",
object.get(func, ["tracing", "mode"], func),
)
}

is_active_mode(func) if func.tracing.mode.value == "Active"
7 changes: 5 additions & 2 deletions checks/cloud/aws/redshift/no_classic_resources.cf.go
Expand Up @@ -5,7 +5,10 @@ var cloudFormationNoClassicResourcesGoodExamples = []string{
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of redshift sgr
Resources:
myCluster:
Type: "AWS::Redshift::Cluster"
Properties:
DBName: "mydb"
`,
}

Expand All @@ -14,7 +17,7 @@ var cloudFormationNoClassicResourcesBadExamples = []string{
AWSTemplateFormatVersion: 2010-09-09
Description: Bad example of redshift sgr
Resources:
Queue:
SecGroup:
Type: AWS::Redshift::ClusterSecurityGroup
Properties:
Description: ""
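Review bot: The new `myCluster` good example declares an `AWS::Redshift::Cluster` with only `DBName: "mydb"`, but that resource type also requires `ClusterType`, `NodeType`, `MasterUsername` and `MasterUserPassword`, so the snippet would be rejected by CloudFormation as written. If the examples are only scanner fixtures that is harmless, but since they are published as "good" templates it is worth either filling in the required properties (with a `!Ref` to a parameter or secret for the password, not a literal) or marking the example as abbreviated in a comment. The bad example's rename from `Queue` to `SecGroup` reads correctly.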
2 changes: 2 additions & 0 deletions checks/cloud/aws/redshift/no_classic_resources.rego
Expand Up @@ -29,6 +29,8 @@ package builtin.aws.redshift.aws0085

import rego.v1

# TODO: detection of classic resources needs to be improved. Most likely this check is not relevant for Rego
# https://github.com/aws-samples/ec2-classic-resource-finder/tree/main
deny contains res if {
some group in input.aws.redshift.securitygroups
res := result.new(
7 changes: 0 additions & 7 deletions checks/cloud/aws/s3/enable_bucket_encryption.cf.go
Expand Up @@ -19,13 +19,6 @@ var cloudFormationEnableBucketEncryptionBadExamples = []string{
Resources:
BadExample:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- BucketKeyEnabled: false
ServerSideEncryptionByDefault:
KMSMasterKeyID: alias/alias-name
SSEAlgorithm: aws:kms
`,
}

2 changes: 1 addition & 1 deletion checks/cloud/aws/s3/no_public_buckets.cf.go
Expand Up @@ -17,8 +17,8 @@ Resources:
var cloudFormationNoPublicBucketsBadExamples = []string{
`---
Resources:
Type: AWS::S3::Bucket
BadExample:
Type: AWS::S3::Bucket
Properties:
AccessControl: AuthenticatedRead
`,
2 changes: 1 addition & 1 deletion checks/cloud/aws/s3/no_public_buckets.rego
Expand Up @@ -54,4 +54,4 @@ deny contains res if {
bucket.publicaccessblock,
),
)
}
}
2 changes: 1 addition & 1 deletion checks/cloud/aws/sns/enable_topic_encryption.cf.go
Expand Up @@ -4,7 +4,7 @@ var cloudFormationEnableTopicEncryptionGoodExamples = []string{
`---
Resources:
GoodTopic:
Type: AWS::SQS::Topic
Type: AWS::SNS::Topic
Properties:
TopicName: blah
KmsMasterKeyId: some-key
9 changes: 7 additions & 2 deletions checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go
Expand Up @@ -8,9 +8,14 @@ var terraformNoPublicIngressSgrGoodExamples = []string{
}
`,
`
resource "nifcloud_security_group_rule" "allow_partner_rsync" {
resource "nifcloud_security_group" "example" {
group_name = "allowtcp"
availability_zone = "east-11"
}
resource "nifcloud_security_group_rule" "example" {
type = "IN"
security_group_names = [nifcloud_security_group..group_name]
security_group_names = [nifcloud_security_group.example.group_name]
from_port = 22
to_port = 22
protocol = "TCP"
Expand Up @@ -32,6 +32,11 @@ import rego.v1

deny contains res if {
some router in input.nifcloud.network.routers
router.securitygroup.value == ""
res := result.new("Router does not have a securiy group.", router.securitygroup)
not has_security_group(router)
res := result.new(
"Router does not have a securiy group.",
object.get(router, "securitygroup", router),
)
}

has_security_group(router) if router.securitygroup.value != ""
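Review bot: The rewritten result message still reads `"Router does not have a securiy group."` — the typo in "security" is carried over from the removed line, and since this commit already touches that line it is the cheapest place to fix it: `"Router does not have a security group.",`. Note that the message text may be asserted in the check's tests, so those would need the same correction. The file header for this section is not shown on the page, so I cannot name the check file here.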
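--- a/internal/checks/checks.go
+++ b/internal/checks/checks.go
@@ -0,0 +1,30 @@
+package checks
+
+import (
+"sort"
+
+"github.com/aquasecurity/trivy/pkg/iac/framework"
+"github.com/aquasecurity/trivy/pkg/iac/rego"
+"github.com/aquasecurity/trivy/pkg/iac/rules"
+"github.com/aquasecurity/trivy/pkg/iac/scan"
+)
+
+func LoadRegoChecks() []scan.Rule {
+// Clean up all Go checks
+rules.Reset()
+
+// Load Rego checks
+rego.LoadAndRegister()
+
+var res []scan.Rule
+
+for _, metadata := range rules.GetRegistered(framework.ALL) {
+res = append(res, metadata.Rule)
+}
+
+sort.Slice(res, func(i, j int) bool {
+return res[i].AVDID < res[j].AVDID
+})
+
+return res
+}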
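Review bot: `LoadRegoChecks` is exported but has no doc comment, and its most surprising behavior — `rules.Reset()` wiping the process-wide registry before `rego.LoadAndRegister()` repopulates it — is only hinted at by the inline "Clean up all Go checks" remark, so a caller cannot tell that invoking it discards every previously registered Go check for the rest of the process. A doc comment such as `// LoadRegoChecks resets the global rule registry, registers the embedded Rego checks in its place, and returns them sorted by AVDID. It is not safe to call concurrently with other users of the registry.` would record that contract. I cannot see whether `rego.LoadAndRegister` reports load failures; if it does return an error or a count, it is being dropped here and a broken Rego bundle would surface only as an empty slice.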