Merge remote-tracking branch 'origin' into bump-trivy

aquasecurity · Aug 21, 2024 · 6439cfc · 6439cfc
2 parents b29c5fd + 58709ff
commit 6439cfc
Show file tree

Hide file tree

Showing 263 changed files with 6,679 additions and 4,465 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,23 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    ignore:
+      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
+    groups:
+      docker:
+        patterns:
+          - "github.com/docker/*"
+      common:
+        exclude-patterns:
+          - "github.com/aquasecurity/trivy-*"
+        patterns:
+          - "*"
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: "monthly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
diff --git a/Makefile b/Makefile
@@ -45,5 +45,5 @@ create-bundle:
 .PHONY: verify-bundle
 verify-bundle:
 	cp bundle.tar.gz scripts/bundle.tar.gz
-	go run ./scripts/verify-bundle.go
+	cd scripts && go run verify-bundle.go
 	rm scripts/bundle.tar.gz
diff --git a/avd_docs/aws/s3/AVD-AWS-0086/docs.md b/avd_docs/aws/s3/AVD-AWS-0086/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
 
 
 ### Impact
-PUT calls with public ACLs specified can make objects public
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0087/docs.md b/avd_docs/aws/s3/AVD-AWS-0087/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
 
 
 ### Impact
-Users could put a policy that allows public access
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0088/docs.md b/avd_docs/aws/s3/AVD-AWS-0088/docs.md
@@ -1,8 +1,9 @@
 
 S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
 
+
 ### Impact
-The bucket objects could be read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0090/docs.md b/avd_docs/aws/s3/AVD-AWS-0090/docs.md
@@ -1,12 +1,13 @@
 
+Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
+
+You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
 
-Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
-You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
 With versioning you can recover more easily from both unintended user actions and application failures.
 
 
 ### Impact
-Deleted or modified data would not be recoverable
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0091/docs.md b/avd_docs/aws/s3/AVD-AWS-0091/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
 
 
 ### Impact
-PUT calls with public ACLs specified can make objects public
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0092/docs.md b/avd_docs/aws/s3/AVD-AWS-0092/docs.md
@@ -1,10 +1,9 @@
 
-
 Buckets should not have ACLs that allow public access
 
 
 ### Impact
-Public access to the bucket can lead to data leakage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0093/docs.md b/avd_docs/aws/s3/AVD-AWS-0093/docs.md
@@ -1,8 +1,9 @@
 
 S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
 
+
 ### Impact
-Public buckets can be accessed by anyone
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0094/docs.md b/avd_docs/aws/s3/AVD-AWS-0094/docs.md
@@ -1,8 +1,9 @@
 
 The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.
 
+
 ### Impact
-Public access policies may be applied to sensitive data buckets
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0132/docs.md b/avd_docs/aws/s3/AVD-AWS-0132/docs.md
@@ -1,8 +1,9 @@
 
 Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0170/docs.md b/avd_docs/aws/s3/AVD-AWS-0170/docs.md
@@ -1,10 +1,9 @@
 
-
 Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is obtained.
 
 
 ### Impact
-Lessened protection against accidental/malicious deletion of data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0171/docs.md b/avd_docs/aws/s3/AVD-AWS-0171/docs.md
@@ -1,10 +1,9 @@
 
-
 Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
 
 
 ### Impact
-Difficult/impossible to audit bucket object/data changes.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0172/docs.md b/avd_docs/aws/s3/AVD-AWS-0172/docs.md
@@ -1,10 +1,9 @@
 
-
 Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
 
 
 ### Impact
-Difficult/impossible to audit bucket object/data changes.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0001/docs.md b/avd_docs/azure/appservice/AVD-AZU-0001/docs.md
@@ -1,8 +1,9 @@
 
 The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.
 
+
 ### Impact
-Mutual TLS is not being used
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0002/docs.md b/avd_docs/azure/appservice/AVD-AZU-0002/docs.md
@@ -1,8 +1,9 @@
 
 Registering the identity used by an App with AD allows it to interact with other services without using username and password
 
+
 ### Impact
-Interaction between services can't easily be achieved without username/password
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0003/docs.md b/avd_docs/azure/appservice/AVD-AZU-0003/docs.md
@@ -1,8 +1,9 @@
 
 Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings
 
+
 ### Impact
-Anonymous HTTP requests will be accepted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0004/docs.md b/avd_docs/azure/appservice/AVD-AZU-0004/docs.md
@@ -1,8 +1,9 @@
 
 By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
 
+
 ### Impact
-Anyone can access the Function App using HTTP.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0005/docs.md b/avd_docs/azure/appservice/AVD-AZU-0005/docs.md
@@ -1,8 +1,9 @@
 
 Use the latest version of HTTP to ensure you are benefiting from security fixes
 
+
 ### Impact
-Outdated versions of HTTP has security vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/appservice/AVD-AZU-0006/docs.md b/avd_docs/azure/appservice/AVD-AZU-0006/docs.md
@@ -1,8 +1,9 @@
 
 Use a more recent TLS/SSL policy for the App Service
 
+
 ### Impact
-The minimum TLS version for apps should be TLS1_2
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/authorization/AVD-AZU-0030/docs.md b/avd_docs/azure/authorization/AVD-AZU-0030/docs.md
@@ -1,8 +1,9 @@
 
 The permissions granted to a role should be kept to the minimum required to be able to do the task. Wildcard permissions must not be used.
 
+
 ### Impact
-Open permissions for subscriptions could result in an easily compromisable account
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/container/AVD-AZU-0040/docs.md b/avd_docs/azure/container/AVD-AZU-0040/docs.md
@@ -1,8 +1,9 @@
 
 Ensure AKS logging to Azure Monitoring is configured for containers to monitor the performance of workloads.
 
+
 ### Impact
-Logging provides valuable information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/container/AVD-AZU-0041/docs.md b/avd_docs/azure/container/AVD-AZU-0041/docs.md
@@ -1,8 +1,9 @@
 
 The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
 
+
 ### Impact
-Any IP can interact with the API server
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/container/AVD-AZU-0042/docs.md b/avd_docs/azure/container/AVD-AZU-0042/docs.md
@@ -1,8 +1,9 @@
 
 Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.
 
+
 ### Impact
-No role based access control is in place for the AKS cluster
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/container/AVD-AZU-0043/docs.md b/avd_docs/azure/container/AVD-AZU-0043/docs.md
@@ -1,8 +1,9 @@
 
 The Kubernetes object type NetworkPolicy should be defined to have opportunity allow or block traffic to pods, as in a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions.
 
+
 ### Impact
-No network policy is protecting the AKS cluster
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md b/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md
@@ -3,8 +3,9 @@ Data Factory has public access set to true by default.
 
 Disabling public network access is applicable only to the self-hosted integration runtime, not to Azure Integration Runtime and SQL Server Integration Services (SSIS) Integration Runtime.
 
+
 ### Impact
-Data factory is publicly accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/datalake/AVD-AZU-0036/docs.md b/avd_docs/azure/datalake/AVD-AZU-0036/docs.md
@@ -1,8 +1,9 @@
 
 Datalake storage encryption defaults to Enabled, it shouldn't be overridden to Disabled.
 
+
 ### Impact
-Data could be read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md
@@ -1,10 +1,11 @@
 
-Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. 
+Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault.
 
 The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.
 
+
 ### Impact
-Without a network ACL the key vault is freely accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md
@@ -3,8 +3,9 @@ Expiration Date is an optional Key Vault Key behavior and is not set by default.
 
 Set when the resource will be become inactive.
 
+
 ### Impact
-Long life keys increase the attack surface when compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md
@@ -3,8 +3,9 @@ Content Type is an optional Key Vault Secret behavior and is not enabled by defa
 
 Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data.
 
+
 ### Impact
-The secret's type is unclear without a content type
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md
@@ -3,8 +3,9 @@ Purge protection is an optional Key Vault behavior and is not enabled by default
 
 Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.
 
+
 ### Impact
-Keys could be purged from the vault without protection
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md
@@ -3,8 +3,9 @@ Expiration Date is an optional Key Vault Secret behavior and is not set by defau
 
 Set when the resource will be become inactive.
 
+
 ### Impact
-Long life secrets increase the opportunity for compromise
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/github/branchprotections/AVD-GIT-0004/Terraform.md b/avd_docs/github/branchprotections/AVD-GIT-0004/Terraform.md
@@ -0,0 +1,16 @@
+
+Require signed commits
+
+```hcl
+ resource "github_branch_protection" "good_example" {
+   repository_id = "example"
+   pattern       = "main"
+
+   require_signed_commits = true
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
+