aws_instance
resource sets IMDS session auth tokens to be optional.
-To fully protect IMDS you need to enable session tokens by using metadata_options
block and its http_tokens
variable set to required
.
-`,
-
- Links: []string{
- "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service",
- },
-
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformASEnforceHttpTokenImdsGoodExamples,
- BadExamples: terraformASEnforceHttpTokenImdsBadExamples,
- Links: terraformASEnforceHttpTokenImdsLinks,
- RemediationMarkdown: terraformASEnforceHttpTokenImdsRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudformationASEnforceHttpTokenImdsGoodExamples,
- BadExamples: cloudformationASEnforceHttpTokenImdsBadExamples,
- Links: cloudformationASEnforceHttpTokenImdsLinks,
- RemediationMarkdown: cloudformationASEnforceHttpTokenImdsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, configuration := range s.AWS.EC2.LaunchConfigurations {
- if !configuration.RequiresIMDSToken() && !configuration.HasHTTPEndpointDisabled() {
- results.Add(
- "Launch configuration does not require IMDS access to require a token",
- configuration.MetadataOptions.HttpTokens,
- )
- } else {
- results.AddPassed(&configuration)
- }
- }
- for _, instance := range s.AWS.EC2.LaunchTemplates {
- if !instance.RequiresIMDSToken() && !instance.HasHTTPEndpointDisabled() {
- results.Add(
- "Launch template does not require IMDS access to require a token",
- instance.MetadataOptions.HttpTokens,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return results
- },
-)
diff --git a/checks/cloud/aws/ec2/as_enforce_http_token_imds.tf.go b/checks/cloud/aws/ec2/as_enforce_http_token_imds.tf.go
deleted file mode 100644
index 3f505134..00000000
--- a/checks/cloud/aws/ec2/as_enforce_http_token_imds.tf.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package ec2
-
-var terraformASEnforceHttpTokenImdsGoodExamples = []string{
- `
- resource "aws_launch_template" "good_example" {
- image_id = "ami-005e54dee72cc1d00"
- instance_type = "t2.micro"
- metadata_options {
- http_tokens = "required"
- }
- }
- `,
-}
-
-var terraformASEnforceHttpTokenImdsBadExamples = []string{
- `
- resource "aws_launch_template" "bad_example" {
- image_id = "ami-005e54dee72cc1d00"
- instance_type = "t2.micro"
- }
- `,
-}
-
-var terraformASEnforceHttpTokenImdsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options`,
-}
-
-var terraformASEnforceHttpTokenImdsRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.cf.go b/checks/cloud/aws/ec2/as_no_secrets_in_user_data.cf.go
deleted file mode 100644
index 4accf01a..00000000
--- a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.cf.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package ec2
-
-var cloudFormationASNoSecretsInUserDataGoodExamples = []string{
- `---
-Resources:
- InstanceProfile:
- Type: AWS::IAM::InstanceProfile
- Properties:
- InstanceProfileName: MyIamInstanceProfile
- Path: "/"
- Roles:
- - MyAdminRole
- GoodExample:
- Type: AWS::EC2::LaunchTemplate
- Properties:
- LaunchTemplateName: MyLaunchTemplate
- LaunchTemplateData:
- IamInstanceProfile:
- Arn: !GetAtt
- - MyIamInstanceProfile
- - Arn
- DisableApiTermination: true
- ImageId: ami-04d5cc9b88example
- UserData: export SSM_PATH=/database/creds
- InstanceType: t2.micro
- KeyName: MyKeyPair
- MetadataOptions:
- - HttpTokens: required
- SecurityGroupIds:
- - sg-083cd3bfb8example
-`,
-}
-
-var cloudFormationASNoSecretsInUserDataBadExamples = []string{
- `---
-Resources:
- InstanceProfile:
- Type: AWS::IAM::InstanceProfile
- Properties:
- InstanceProfileName: MyIamInstanceProfile
- Path: "/"
- Roles:
- - MyAdminRole
- BadExample:
- Type: AWS::EC2::LaunchTemplate
- Properties:
- LaunchTemplateName: MyLaunchTemplate
- LaunchTemplateData:
- IamInstanceProfile:
- Arn: !GetAtt
- - MyIamInstanceProfile
- - Arn
- DisableApiTermination: true
- ImageId: ami-04d5cc9b88example
- UserData: export DATABASE_PASSWORD=password1234
- InstanceType: t2.micro
- KeyName: MyKeyPair
- SecurityGroupIds:
- - sg-083cd3bfb8example
-`,
-}
-
-var cloudFormationASNoSecretsInUserDataLinks = []string{}
-
-var cloudFormationASNoSecretsInUserDataRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.go b/checks/cloud/aws/ec2/as_no_secrets_in_user_data.go
deleted file mode 100755
index 549f587b..00000000
--- a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package ec2
-
-import (
- "fmt"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-
- "github.com/owenrumney/squealer/pkg/squealer"
-)
-
-var scanner = squealer.NewStringScanner()
-
-var CheckASNoSecretsInUserData = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0129",
- Aliases: []string{"aws-autoscaling-no-secrets-in-user-data"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-secrets-in-launch-template-user-data",
- Summary: "User data for EC2 instances must not contain sensitive AWS keys",
- Impact: "User data is visible through the AWS Management console",
- Resolution: "Remove sensitive data from the EC2 instance user-data generated by launch templates",
- Explanation: `EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.`,
- Links: []string{
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformASNoSecretsInUserDataGoodExamples,
- BadExamples: terraformASNoSecretsInUserDataBadExamples,
- Links: terraformASNoSecretsInUserDataLinks,
- RemediationMarkdown: terraformASNoSecretsInUserDataRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationASNoSecretsInUserDataGoodExamples,
- BadExamples: cloudFormationASNoSecretsInUserDataBadExamples,
- Links: cloudFormationASNoSecretsInUserDataLinks,
- RemediationMarkdown: cloudFormationASNoSecretsInUserDataRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.AWS.EC2.LaunchTemplates {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if result := scanner.Scan(instance.UserData.Value()); result.TransgressionFound {
- results.Add(
- fmt.Sprintf("Sensitive data found in launch template user data: %s", result.Description),
- instance.UserData,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.tf.go b/checks/cloud/aws/ec2/as_no_secrets_in_user_data.tf.go
deleted file mode 100644
index 65770ed2..00000000
--- a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.tf.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package ec2
-
-var terraformASNoSecretsInUserDataGoodExamples = []string{
- `
- resource "aws_iam_instance_profile" "good_example" {
- // ...
- }
-
- resource "aws_launch_template" "good_example" {
- image_id = "ami-12345667"
- instance_type = "t2.small"
-
- iam_instance_profile {
- name = aws_iam_instance_profile.good_profile.arn
- }
- user_data = <metadata_options
block and its http_tokens
variable set to required
.
-`,
-
- Links: []string{
- "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service",
- },
-
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnforceHttpTokenImdsGoodExamples,
- BadExamples: terraformEnforceHttpTokenImdsBadExamples,
- Links: terraformEnforceHttpTokenImdsLinks,
- RemediationMarkdown: terraformEnforceHttpTokenImdsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.AWS.EC2.Instances {
- if !instance.RequiresIMDSToken() && !instance.HasHTTPEndpointDisabled() {
- results.Add(
- "Instance does not require IMDS access to require a token",
- instance.MetadataOptions.HttpTokens,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return results
- },
-)
diff --git a/checks/cloud/aws/ec2/enforce_http_token_imds.tf.go b/checks/cloud/aws/ec2/enforce_http_token_imds.tf.go
deleted file mode 100644
index 836e2811..00000000
--- a/checks/cloud/aws/ec2/enforce_http_token_imds.tf.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package ec2
-
-var terraformEnforceHttpTokenImdsGoodExamples = []string{
- `
- resource "aws_instance" "good_example" {
- ami = "ami-005e54dee72cc1d00"
- instance_type = "t2.micro"
- metadata_options {
- http_tokens = "required"
- }
- }
- `,
-}
-
-var terraformEnforceHttpTokenImdsBadExamples = []string{
- `
- resource "aws_instance" "bad_example" {
- ami = "ami-005e54dee72cc1d00"
- instance_type = "t2.micro"
- }
- `,
-}
-
-var terraformEnforceHttpTokenImdsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options`,
-}
-
-var terraformEnforceHttpTokenImdsRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_default_vpc.go b/checks/cloud/aws/ec2/no_default_vpc.go
deleted file mode 100755
index bf513faa..00000000
--- a/checks/cloud/aws/ec2/no_default_vpc.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoDefaultVpc = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0101",
- Aliases: []string{"aws-vpc-no-default-vpc"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-default-vpc",
- Summary: "AWS best practice to not use the default VPC for workflows",
- Impact: "The default VPC does not have critical security features applied",
- Resolution: "Create a non-default vpc for resources to be created in",
- Explanation: `Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.`,
- Links: []string{
- "https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoDefaultVpcGoodExamples,
- BadExamples: terraformNoDefaultVpcBadExamples,
- Links: terraformNoDefaultVpcLinks,
- RemediationMarkdown: terraformNoDefaultVpcRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, def := range s.AWS.EC2.VPCs {
- if def.IsDefault.IsTrue() {
- results.Add(
- "Default VPC is used.",
- &def,
- )
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_default_vpc.tf.go b/checks/cloud/aws/ec2/no_default_vpc.tf.go
deleted file mode 100644
index 39ea5152..00000000
--- a/checks/cloud/aws/ec2/no_default_vpc.tf.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package ec2
-
-var terraformNoDefaultVpcGoodExamples = []string{
- `
- # no aws default vpc present
- `,
-}
-
-var terraformNoDefaultVpcBadExamples = []string{
- `
- resource "aws_default_vpc" "default" {
- tags = {
- Name = "Default VPC"
- }
- }
- `,
-}
-
-var terraformNoDefaultVpcLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc`,
-}
-
-var terraformNoDefaultVpcRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_excessive_port_access.cf.go b/checks/cloud/aws/ec2/no_excessive_port_access.cf.go
deleted file mode 100644
index 50a889ec..00000000
--- a/checks/cloud/aws/ec2/no_excessive_port_access.cf.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package ec2
-
-var cloudFormationNoExcessivePortAccessGoodExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Good example of excessive ports
-Resources:
- NetworkACL:
- Type: AWS::EC2::NetworkAcl
- Properties:
- VpcId: "something"
- RuleAction: "allow"
- Rule:
- Type: AWS::EC2::NetworkAclEntry
- Properties:
- RuleAction: "allow"
- NetworkAclId:
- Ref: NetworkACL
- Protocol: 6
-`,
-}
-
-var cloudFormationNoExcessivePortAccessBadExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Bad example of excessive ports
-Resources:
- NetworkACL:
- Type: AWS::EC2::NetworkAcl
- Properties:
- VpcId: "something"
- RuleAction: "allow"
- Rule:
- Type: AWS::EC2::NetworkAclEntry
- Properties:
- NetworkAclId:
- Ref: NetworkACL
- Protocol: -1
- RuleAction: "allow"
-`,
-}
-
-var cloudFormationNoExcessivePortAccessLinks = []string{}
-
-var cloudFormationNoExcessivePortAccessRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_excessive_port_access.go b/checks/cloud/aws/ec2/no_excessive_port_access.go
deleted file mode 100755
index 84bfff35..00000000
--- a/checks/cloud/aws/ec2/no_excessive_port_access.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoExcessivePortAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0102",
- Aliases: []string{"aws-vpc-no-excessive-port-access"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-excessive-port-access",
- Summary: "An Network ACL rule allows ALL ports.",
- Impact: "All ports exposed for ingressing/egressing data",
- Resolution: "Set specific allowed ports",
- Explanation: `Ensure access to specific required ports is allowed, and nothing else.`,
- Links: []string{
- "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoExcessivePortAccessGoodExamples,
- BadExamples: terraformNoExcessivePortAccessBadExamples,
- Links: terraformNoExcessivePortAccessLinks,
- RemediationMarkdown: terraformNoExcessivePortAccessRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoExcessivePortAccessGoodExamples,
- BadExamples: cloudFormationNoExcessivePortAccessBadExamples,
- Links: cloudFormationNoExcessivePortAccessLinks,
- RemediationMarkdown: cloudFormationNoExcessivePortAccessRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, acl := range s.AWS.EC2.NetworkACLs {
- for _, rule := range acl.Rules {
- if rule.Action.EqualTo("allow") && rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all") {
- results.Add(
- "Network ACL rule allows access using ALL ports.",
- rule.Protocol,
- )
- } else {
- results.AddPassed(&rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_excessive_port_access.tf.go b/checks/cloud/aws/ec2/no_excessive_port_access.tf.go
deleted file mode 100644
index c0cc585d..00000000
--- a/checks/cloud/aws/ec2/no_excessive_port_access.tf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package ec2
-
-var terraformNoExcessivePortAccessGoodExamples = []string{
- `
- resource "aws_network_acl_rule" "good_example" {
- egress = false
- protocol = "tcp"
- from_port = 22
- to_port = 22
- rule_action = "allow"
- cidr_block = "0.0.0.0/0"
- }
- `,
-}
-
-var terraformNoExcessivePortAccessBadExamples = []string{
- `
- resource "aws_network_acl_rule" "bad_example" {
- egress = false
- protocol = "all"
- rule_action = "allow"
- cidr_block = "0.0.0.0/0"
- }
- `,
-}
-
-var terraformNoExcessivePortAccessLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port`,
-}
-
-var terraformNoExcessivePortAccessRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.cf.go b/checks/cloud/aws/ec2/no_public_egress_sgr.cf.go
deleted file mode 100644
index d0f4cd4e..00000000
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.cf.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package ec2
-
-var cloudFormationNoPublicEgressSgrGoodExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Good example of egress rule
-Resources:
- BadSecurityGroup:
- Type: AWS::EC2::SecurityGroup
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupEgress:
- - CidrIp: 127.0.0.1/32
- IpProtocol: "6"
-`,
-}
-
-var cloudFormationNoPublicEgressSgrBadExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Bad example of egress rule
-Resources:
- BadSecurityGroup:
- Type: AWS::EC2::SecurityGroup
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupEgress:
- - CidrIp: 0.0.0.0/0
- IpProtocol: "6"
-`,
-}
-
-var cloudFormationNoPublicEgressSgrLinks = []string{}
-
-var cloudFormationNoPublicEgressSgrRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.go b/checks/cloud/aws/ec2/no_public_egress_sgr.go
deleted file mode 100755
index ef1a1334..00000000
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicEgressSgr = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0104",
- Aliases: []string{"aws-vpc-no-public-egress-sgr"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-public-egress-sgr",
- Summary: "An egress security group rule allows traffic to /0.",
- Impact: "Your port is egressing data to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
- Links: []string{
- "https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicEgressSgrGoodExamples,
- BadExamples: terraformNoPublicEgressSgrBadExamples,
- Links: terraformNoPublicEgressSgrLinks,
- RemediationMarkdown: terraformNoPublicEgressSgrRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicEgressSgrGoodExamples,
- BadExamples: cloudFormationNoPublicEgressSgrBadExamples,
- Links: cloudFormationNoPublicEgressSgrLinks,
- RemediationMarkdown: cloudFormationNoPublicEgressSgrRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.AWS.EC2.SecurityGroups {
- for _, rule := range group.EgressRules {
- var fail bool
- for _, block := range rule.CIDRs {
- if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) > 1 {
- fail = true
- results.Add(
- "Security group rule allows egress to multiple public internet addresses.",
- block,
- )
- }
- }
- if !fail {
- results.AddPassed(&rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.tf.go b/checks/cloud/aws/ec2/no_public_egress_sgr.tf.go
deleted file mode 100644
index ef34c231..00000000
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.tf.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package ec2
-
-var terraformNoPublicEgressSgrGoodExamples = []string{
- `
- resource "aws_security_group" "good_example" {
- egress {
- cidr_blocks = ["1.2.3.4/32"]
- }
- }
- `,
-}
-
-var terraformNoPublicEgressSgrBadExamples = []string{
- `
- resource "aws_security_group" "bad_example" {
- egress {
- cidr_blocks = ["0.0.0.0/0"]
- }
- }
- `,
-}
-
-var terraformNoPublicEgressSgrLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group`,
-}
-
-var terraformNoPublicEgressSgrRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr_test.go b/checks/cloud/aws/ec2/no_public_egress_sgr_test.go
deleted file mode 100644
index 33dcf709..00000000
--- a/checks/cloud/aws/ec2/no_public_egress_sgr_test.go
+++ /dev/null
@@ -1,80 +0,0 @@
-package ec2
-
-import (
- "testing"
-
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws/ec2"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicEgressSgr(t *testing.T) {
- tests := []struct {
- name string
- input ec2.EC2
- expected bool
- }{
- {
- name: "AWS VPC security group rule with wildcard address",
- input: ec2.EC2{
- SecurityGroups: []ec2.SecurityGroup{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- EgressRules: []ec2.SecurityGroupRule{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- CIDRs: []trivyTypes.StringValue{
- trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
- },
- },
- },
- },
- },
- },
- expected: true,
- },
- {
- name: "AWS VPC security group rule with private address",
- input: ec2.EC2{
- SecurityGroups: []ec2.SecurityGroup{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- EgressRules: []ec2.SecurityGroupRule{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- CIDRs: []trivyTypes.StringValue{
- trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
- },
- },
- },
- },
- },
- },
- expected: false,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- var testState state.State
- testState.AWS.EC2 = test.input
- results := CheckNoPublicEgressSgr.Evaluate(&testState)
- var found bool
- for _, result := range results {
- if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicEgressSgr.LongID() {
- found = true
- }
- }
- if test.expected {
- assert.True(t, found, "Rule should have been found")
- } else {
- assert.False(t, found, "Rule should not have been found")
- }
- })
- }
-}
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl.cf.go b/checks/cloud/aws/ec2/no_public_ingress_acl.cf.go
deleted file mode 100644
index dd3f4882..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_acl.cf.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package ec2
-
-var cloudFormationNoPublicIngressAclGoodExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Godd example of excessive ports
-Resources:
- NetworkACL:
- Type: AWS::EC2::NetworkAcl
- Properties:
- VpcId: "something"
- Rule:
- Type: AWS::EC2::NetworkAclEntry
- Properties:
- NetworkAclId:
- Ref: NetworkACL
- Protocol: 6
- CidrBlock: 10.0.0.0/8
- RuleAction: allow
-`,
-}
-
-var cloudFormationNoPublicIngressAclBadExamples = []string{
- `---
-AWSTemplateFormatVersion: 2010-09-09
-Description: Bad example of excessive ports
-Resources:
- NetworkACL:
- Type: AWS::EC2::NetworkAcl
- Properties:
- VpcId: "something"
- Rule:
- Type: AWS::EC2::NetworkAclEntry
- Properties:
- NetworkAclId:
- Ref: NetworkACL
- Protocol: 6
- CidrBlock: 0.0.0.0/0
- RuleAction: allow
-`,
-}
-
-var cloudFormationNoPublicIngressAclLinks = []string{}
-
-var cloudFormationNoPublicIngressAclRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl.go b/checks/cloud/aws/ec2/no_public_ingress_acl.go
deleted file mode 100755
index b576d684..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_acl.go
+++ /dev/null
@@ -1,68 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws/ec2"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngress = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0105",
- Aliases: []string{"aws-vpc-no-public-ingress-acl"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-public-ingress-acl",
- Summary: "An ingress Network ACL rule allows specific ports from /0.",
- Impact: "The ports are exposed for ingressing data to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{
- "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressAclGoodExamples,
- BadExamples: terraformNoPublicIngressAclBadExamples,
- Links: terraformNoPublicIngressAclLinks,
- RemediationMarkdown: terraformNoPublicIngressAclRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicIngressAclGoodExamples,
- BadExamples: cloudFormationNoPublicIngressAclBadExamples,
- Links: cloudFormationNoPublicIngressAclLinks,
- RemediationMarkdown: cloudFormationNoPublicIngressAclRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, acl := range s.AWS.EC2.NetworkACLs {
- for _, rule := range acl.Rules {
- if !rule.Type.EqualTo(ec2.TypeIngress) {
- continue
- }
- if !rule.Action.EqualTo(ec2.ActionAllow) {
- continue
- }
- var fail bool
- for _, block := range rule.CIDRs {
- if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) > 1 {
- fail = true
- results.Add(
- "Network ACL rule allows ingress from public internet.",
- block,
- )
- }
- }
- if !fail {
- results.AddPassed(&rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl.tf.go b/checks/cloud/aws/ec2/no_public_ingress_acl.tf.go
deleted file mode 100644
index b6ef11c9..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_acl.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package ec2
-
-var terraformNoPublicIngressAclGoodExamples = []string{
- `
- resource "aws_network_acl_rule" "good_example" {
- egress = false
- protocol = "tcp"
- from_port = 22
- to_port = 22
- rule_action = "allow"
- cidr_block = "10.0.0.0/16"
- }
- `,
-}
-
-var terraformNoPublicIngressAclBadExamples = []string{
- `
- resource "aws_network_acl_rule" "bad_example" {
- egress = false
- protocol = "tcp"
- from_port = 22
- to_port = 22
- rule_action = "allow"
- cidr_block = "0.0.0.0/0"
- }
- `,
-}
-
-var terraformNoPublicIngressAclLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block`,
-}
-
-var terraformNoPublicIngressAclRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl_test.go b/checks/cloud/aws/ec2/no_public_ingress_acl_test.go
deleted file mode 100644
index dd5b7d95..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_acl_test.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package ec2
-
-import (
- "testing"
-
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws/ec2"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestCheckNoPublicIngress(t *testing.T) {
- tests := []struct {
- name string
- input ec2.EC2
- expected bool
- }{
- {
- name: "AWS VPC network ACL rule with wildcard address",
- input: ec2.EC2{
- NetworkACLs: []ec2.NetworkACL{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Rules: []ec2.NetworkACLRule{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Type: trivyTypes.String(ec2.TypeIngress, trivyTypes.NewTestMetadata()),
- Action: trivyTypes.String(ec2.ActionAllow, trivyTypes.NewTestMetadata()),
- CIDRs: []trivyTypes.StringValue{
- trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata()),
- },
- },
- },
- },
- },
- },
- expected: true,
- },
- {
- name: "AWS VPC network ACL rule with private address",
- input: ec2.EC2{
- NetworkACLs: []ec2.NetworkACL{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Rules: []ec2.NetworkACLRule{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- Type: trivyTypes.String(ec2.TypeIngress, trivyTypes.NewTestMetadata()),
- Action: trivyTypes.String(ec2.ActionAllow, trivyTypes.NewTestMetadata()),
- CIDRs: []trivyTypes.StringValue{
- trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
- },
- },
- },
- },
- },
- },
- expected: false,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- var testState state.State
- testState.AWS.EC2 = test.input
- results := CheckNoPublicIngress.Evaluate(&testState)
- var found bool
- for _, result := range results {
- if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicIngress.LongID() {
- found = true
- }
- }
- if test.expected {
- assert.True(t, found, "Rule should have been found")
- } else {
- assert.False(t, found, "Rule should not have been found")
- }
- })
- }
-}
diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go
deleted file mode 100644
index 03118337..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package ec2
-
-var cloudFormationNoPublicIngressSgrGoodExamples = []string{
- `---
-Resources:
- GoodSecurityGroup:
- Type: AWS::EC2::SecurityGroup
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupIngress:
- - CidrIp: 127.0.0.1/32
- IpProtocol: "6"
-`,
-}
-
-var cloudFormationNoPublicIngressSgrBadExamples = []string{
- `---
-Resources:
- BadSecurityGroup:
- Type: AWS::EC2::SecurityGroup
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupIngress:
- - CidrIp: 0.0.0.0/0
- IpProtocol: "6"
-`,
-}
-
-var cloudFormationNoPublicIngressSgrLinks = []string{}
-
-var cloudFormationNoPublicIngressSgrRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.go
deleted file mode 100755
index fa2fb6c1..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_sgr.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/framework"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngressSgr = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0107",
- Aliases: []string{"aws-vpc-no-public-ingress-sgr"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-public-ingress-sgr",
- Frameworks: map[framework.Framework][]string{
- framework.Default: nil,
- framework.CIS_AWS_1_2: {"4.1", "4.2"},
- },
- Summary: "An ingress security group rule allows traffic from /0.",
- Impact: "Your port exposed to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressSgrGoodExamples,
- BadExamples: terraformNoPublicIngressSgrBadExamples,
- Links: terraformNoPublicIngressSgrLinks,
- RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicIngressSgrGoodExamples,
- BadExamples: cloudFormationNoPublicIngressSgrBadExamples,
- Links: cloudFormationNoPublicIngressSgrLinks,
- RemediationMarkdown: cloudFormationNoPublicIngressSgrRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.AWS.EC2.SecurityGroups {
- for _, rule := range group.IngressRules {
- var failed bool
- for _, block := range rule.CIDRs {
- if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) > 1 {
- failed = true
- results.Add(
- "Security group rule allows ingress from public internet.",
- block,
- )
- }
- }
- if !failed {
- results.AddPassed(&rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go
deleted file mode 100644
index e5d68d5d..00000000
--- a/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package ec2
-
-var terraformNoPublicIngressSgrGoodExamples = []string{
- `
- resource "aws_security_group_rule" "good_example" {
- type = "ingress"
- cidr_blocks = ["10.0.0.0/16"]
- }
- `,
- `
-resource "aws_security_group_rule" "allow_partner_rsync" {
- type = "ingress"
- security_group_id = aws_security_group.….id
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = [
- "1.2.3.4/32",
- "4.5.6.7/32",
- ]
-}
-`,
-}
-
-var terraformNoPublicIngressSgrBadExamples = []string{
- `
- resource "aws_security_group_rule" "bad_example" {
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- }
- `,
-}
-
-var terraformNoPublicIngressSgrLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks`,
-}
-
-var terraformNoPublicIngressSgrRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ip.cf.go b/checks/cloud/aws/ec2/no_public_ip.cf.go
deleted file mode 100644
index 8f5a0908..00000000
--- a/checks/cloud/aws/ec2/no_public_ip.cf.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package ec2
-
-var cloudFormationNoPublicIpGoodExamples = []string{
- `---
-Resources:
- GoodExample:
- Properties:
- ImageId: ami-123456
- InstanceType: t2.small
- Type: AWS::AutoScaling::LaunchConfiguration
-`,
-}
-
-var cloudFormationNoPublicIpBadExamples = []string{
- `---
-Resources:
- BadExample:
- Properties:
- AssociatePublicIpAddress: true
- ImageId: ami-123456
- InstanceType: t2.small
- Type: AWS::AutoScaling::LaunchConfiguration
-`,
-}
-
-var cloudFormationNoPublicIpLinks = []string{}
-
-var cloudFormationNoPublicIpRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ip.go b/checks/cloud/aws/ec2/no_public_ip.go
deleted file mode 100755
index 66b771fe..00000000
--- a/checks/cloud/aws/ec2/no_public_ip.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIp = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0009",
- Aliases: []string{"aws-autoscaling-no-public-ip"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-public-ip",
- Summary: "Launch configuration should not have a public IP address.",
- Impact: "The instance or configuration is publicly accessible",
- Resolution: "Set the instance to not be publicly accessible",
- Explanation: `You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.`,
- Links: []string{
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIpGoodExamples,
- BadExamples: terraformNoPublicIpBadExamples,
- Links: terraformNoPublicIpLinks,
- RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicIpGoodExamples,
- BadExamples: cloudFormationNoPublicIpBadExamples,
- Links: cloudFormationNoPublicIpLinks,
- RemediationMarkdown: cloudFormationNoPublicIpRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, launchConfig := range s.AWS.EC2.LaunchConfigurations {
- if launchConfig.AssociatePublicIP.IsTrue() {
- results.Add(
- "Launch configuration associates public IP address.",
- launchConfig.AssociatePublicIP,
- )
- } else {
- results.AddPassed(&launchConfig)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_public_ip.tf.go b/checks/cloud/aws/ec2/no_public_ip.tf.go
deleted file mode 100644
index 712ac6d3..00000000
--- a/checks/cloud/aws/ec2/no_public_ip.tf.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package ec2
-
-var terraformNoPublicIpGoodExamples = []string{
- `
- resource "aws_launch_configuration" "good_example" {
- associate_public_ip_address = false
- }
- `,
-}
-
-var terraformNoPublicIpBadExamples = []string{
- `
- resource "aws_launch_configuration" "bad_example" {
- associate_public_ip_address = true
- }
- `,
-}
-
-var terraformNoPublicIpLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#associate_public_ip_address`, `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address`,
-}
-
-var terraformNoPublicIpRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ip_subnet.cf.go b/checks/cloud/aws/ec2/no_public_ip_subnet.cf.go
deleted file mode 100644
index bef77573..00000000
--- a/checks/cloud/aws/ec2/no_public_ip_subnet.cf.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package ec2
-
-var cloudFormationNoPublicIpSubnetGoodExamples = []string{
- `---
-Resources:
- GoodExample:
- Properties:
- VpcId: vpc-123456
- Type: AWS::EC2::Subnet
-`,
-}
-
-var cloudFormationNoPublicIpSubnetBadExamples = []string{
- `---
-Resources:
- BadExample:
- Properties:
- MapPublicIpOnLaunch: true
- VpcId: vpc-123456
- Type: AWS::EC2::Subnet
-`,
-}
-
-var cloudFormationNoPublicIpSubnetLinks = []string{}
-
-var cloudFormationNoPublicIpSubnetRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_public_ip_subnet.go b/checks/cloud/aws/ec2/no_public_ip_subnet.go
deleted file mode 100755
index 3663ce5c..00000000
--- a/checks/cloud/aws/ec2/no_public_ip_subnet.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package ec2
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIpSubnet = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0164",
- Aliases: []string{"aws-subnet-no-public-ip"},
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-public-ip-subnet",
- Summary: "Instances in a subnet should not receive a public IP address by default.",
- Impact: "The instance is publicly accessible",
- Resolution: "Set the instance to not be publicly accessible",
- Explanation: `You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.`,
- Links: []string{
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIpSubnetGoodExamples,
- BadExamples: terraformNoPublicIpSubnetBadExamples,
- Links: terraformNoPublicIpSubnetLinks,
- RemediationMarkdown: terraformNoPublicIpSubnetRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicIpSubnetGoodExamples,
- BadExamples: cloudFormationNoPublicIpSubnetBadExamples,
- Links: cloudFormationNoPublicIpSubnetLinks,
- RemediationMarkdown: cloudFormationNoPublicIpSubnetRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, subnet := range s.AWS.EC2.Subnets {
- if subnet.MapPublicIpOnLaunch.IsTrue() {
- results.Add(
- "Subnet associates public IP address.",
- subnet.MapPublicIpOnLaunch,
- )
- } else {
- results.AddPassed(&subnet)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_public_ip_subnet.tf.go b/checks/cloud/aws/ec2/no_public_ip_subnet.tf.go
deleted file mode 100644
index 3e3bb8a2..00000000
--- a/checks/cloud/aws/ec2/no_public_ip_subnet.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package ec2
-
-var terraformNoPublicIpSubnetGoodExamples = []string{
- `
- resource "aws_subnet" "good_example" {
- vpc_id = "vpc-123456"
- map_public_ip_on_launch = false
- }
- `,
-}
-
-var terraformNoPublicIpSubnetBadExamples = []string{
- `
- resource "aws_subnet" "bad_example" {
- vpc_id = "vpc-123456"
- map_public_ip_on_launch = true
- }
- `,
-}
-
-var terraformNoPublicIpSubnetLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch`,
-}
-
-var terraformNoPublicIpSubnetRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_secrets_in_user_data.cf.go b/checks/cloud/aws/ec2/no_secrets_in_user_data.cf.go
deleted file mode 100644
index 6daf1ffd..00000000
--- a/checks/cloud/aws/ec2/no_secrets_in_user_data.cf.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package ec2
-
-var cloudFormationNoSecretsInUserDataGoodExamples = []string{
- `---
-Resources:
- GoodExample:
- Type: AWS::EC2::Instance
- Properties:
- ImageId: "ami-79fd7eee"
- KeyName: "testkey"
- UserData: export SSM_PATH=/database/creds
- BlockDeviceMappings:
- - DeviceName: "/dev/sdm"
- Ebs:
- VolumeType: "io1"
- Iops: "200"
- DeleteOnTermination: "false"
- VolumeSize: "20"
- - DeviceName: "/dev/sdk"
-
-`,
-}
-
-var cloudFormationNoSecretsInUserDataBadExamples = []string{
- `---
-Resources:
- BadExample:
- Type: AWS::EC2::Instance
- Properties:
- ImageId: "ami-79fd7eee"
- KeyName: "testkey"
- UserData: export DATABASE_PASSWORD=password1234
- BlockDeviceMappings:
- - DeviceName: "/dev/sdm"
- Ebs:
- VolumeType: "io1"
- Iops: "200"
- DeleteOnTermination: "false"
- VolumeSize: "20"
- - DeviceName: "/dev/sdk"
-
-`,
-}
-
-var cloudFormationNoSecretsInUserDataLinks = []string{}
-
-var cloudFormationNoSecretsInUserDataRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ec2/no_secrets_in_user_data.go b/checks/cloud/aws/ec2/no_secrets_in_user_data.go
deleted file mode 100755
index c43d15c0..00000000
--- a/checks/cloud/aws/ec2/no_secrets_in_user_data.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package ec2
-
-import (
- "fmt"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckNoSecretsInUserData = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0029",
- Provider: providers.AWSProvider,
- Service: "ec2",
- ShortCode: "no-secrets-in-user-data",
- Summary: "User data for EC2 instances must not contain sensitive AWS keys",
- Impact: "User data is visible through the AWS Management console",
- Resolution: "Remove sensitive data from the EC2 instance user-data",
- Explanation: `EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.`,
- Links: []string{
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoSecretsInUserDataGoodExamples,
- BadExamples: terraformNoSecretsInUserDataBadExamples,
- Links: terraformNoSecretsInUserDataLinks,
- RemediationMarkdown: terraformNoSecretsInUserDataRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoSecretsInUserDataGoodExamples,
- BadExamples: cloudFormationNoSecretsInUserDataBadExamples,
- Links: cloudFormationNoSecretsInUserDataLinks,
- RemediationMarkdown: cloudFormationNoSecretsInUserDataRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.AWS.EC2.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if result := scanner.Scan(instance.UserData.Value()); result.TransgressionFound {
- results.Add(
- fmt.Sprintf("Sensitive data found in instance user data: %s", result.Description),
- instance.UserData,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ec2/no_secrets_in_user_data.tf.go b/checks/cloud/aws/ec2/no_secrets_in_user_data.tf.go
deleted file mode 100644
index befb61c9..00000000
--- a/checks/cloud/aws/ec2/no_secrets_in_user_data.tf.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package ec2
-
-var terraformNoSecretsInUserDataGoodExamples = []string{
- `
- resource "aws_iam_instance_profile" "good_example" {
- // ...
- }
-
- resource "aws_instance" "good_example" {
- ami = "ami-12345667"
- instance_type = "t2.small"
-
- iam_instance_profile = aws_iam_instance_profile.good_profile.arn
-
- user_data = <image_tag_mutability
to IMMUTABLE
`,
- Links: []string{
- "https://sysdig.com/blog/toctou-tag-mutability/",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnforceImmutableRepositoryGoodExamples,
- BadExamples: terraformEnforceImmutableRepositoryBadExamples,
- Links: terraformEnforceImmutableRepositoryLinks,
- RemediationMarkdown: terraformEnforceImmutableRepositoryRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationEnforceImmutableRepositoryGoodExamples,
- BadExamples: cloudFormationEnforceImmutableRepositoryBadExamples,
- Links: cloudFormationEnforceImmutableRepositoryLinks,
- RemediationMarkdown: cloudFormationEnforceImmutableRepositoryRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, repo := range s.AWS.ECR.Repositories {
- if repo.ImageTagsImmutable.IsFalse() {
- results.Add(
- "Repository tags are mutable.",
- repo.ImageTagsImmutable,
- )
- } else {
- results.AddPassed(&repo)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ecr/enforce_immutable_repository.tf.go b/checks/cloud/aws/ecr/enforce_immutable_repository.tf.go
deleted file mode 100644
index 8ef2935e..00000000
--- a/checks/cloud/aws/ecr/enforce_immutable_repository.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package ecr
-
-var terraformEnforceImmutableRepositoryGoodExamples = []string{
- `
- resource "aws_ecr_repository" "good_example" {
- name = "bar"
- image_tag_mutability = "IMMUTABLE"
-
- image_scanning_configuration {
- scan_on_push = true
- }
- }
- `,
-}
-
-var terraformEnforceImmutableRepositoryBadExamples = []string{
- `
- resource "aws_ecr_repository" "bad_example" {
- name = "bar"
- image_tag_mutability = "MUTABLE"
-
- image_scanning_configuration {
- scan_on_push = true
- }
- }
- `,
-}
-
-var terraformEnforceImmutableRepositoryLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository`,
-}
-
-var terraformEnforceImmutableRepositoryRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ecr/no_public_access.cf.go b/checks/cloud/aws/ecr/no_public_access.cf.go
deleted file mode 100644
index ac3f6ec8..00000000
--- a/checks/cloud/aws/ecr/no_public_access.cf.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package ecr
-
-var cloudFormationNoPublicAccessGoodExamples = []string{
- `---
-Resources:
- GoodExample:
- Type: AWS::ECR::Repository
- Properties:
- RepositoryName: "test-repository"
- ImageTagImmutability: IMMUTABLE
- ImageScanningConfiguration:
- ScanOnPush: false
- EncryptionConfiguration:
- EncryptionType: KMS
- KmsKey: "alias/ecr-key"
- RepositoryPolicyText:
- Version: "2012-10-17"
- Statement:
- -
- Sid: AllowPushPull
- Effect: Allow
- Principal:
- AWS:
- - "arn:aws:iam::123456789012:user/Alice"
- Action:
- - "ecr:GetDownloadUrlForLayer"
- - "ecr:BatchGetImage"
- - "ecr:BatchCheckLayerAvailability"
- - "ecr:PutImage"
- - "ecr:InitiateLayerUpload"
- - "ecr:UploadLayerPart"
- - "ecr:CompleteLayerUpload"
-`,
-}
-
-var cloudFormationNoPublicAccessBadExamples = []string{
- `---
-Resources:
- BadExample:
- Type: AWS::ECR::Repository
- Properties:
- RepositoryName: "test-repository"
- ImageScanningConfiguration:
- ScanOnPush: false
- RepositoryPolicyText:
- Version: "2012-10-17"
- Statement:
- -
- Sid: AllowPushPull
- Effect: Allow
- Principal:
- AWS:
- - "*"
- Action:
- - "ecr:GetDownloadUrlForLayer"
- - "ecr:BatchGetImage"
- - "ecr:BatchCheckLayerAvailability"
- - "ecr:PutImage"
- - "ecr:InitiateLayerUpload"
- - "ecr:UploadLayerPart"
- - "ecr:CompleteLayerUpload"
-`,
-}
-
-var cloudFormationNoPublicAccessLinks = []string{}
-
-var cloudFormationNoPublicAccessRemediationMarkdown = ``
diff --git a/checks/cloud/aws/ecr/no_public_access.go b/checks/cloud/aws/ecr/no_public_access.go
deleted file mode 100755
index 06139428..00000000
--- a/checks/cloud/aws/ecr/no_public_access.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package ecr
-
-import (
- "strings"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckNoPublicAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-AWS-0032",
- Provider: providers.AWSProvider,
- Service: "ecr",
- ShortCode: "no-public-access",
- Summary: "ECR repository policy must block public access",
- Impact: "Risk of potential data leakage of sensitive artifacts",
- Resolution: "Do not allow public access in the policy",
- Explanation: `Allowing public access to the ECR repository risks leaking sensitive of abusable information`,
- Links: []string{
- "https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicAccessGoodExamples,
- BadExamples: terraformNoPublicAccessBadExamples,
- Links: terraformNoPublicAccessLinks,
- RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
- },
- CloudFormation: &scan.EngineMetadata{
- GoodExamples: cloudFormationNoPublicAccessGoodExamples,
- BadExamples: cloudFormationNoPublicAccessBadExamples,
- Links: cloudFormationNoPublicAccessLinks,
- RemediationMarkdown: cloudFormationNoPublicAccessRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, repo := range s.AWS.ECR.Repositories {
- if repo.Metadata.IsUnmanaged() {
- continue
- }
- for _, policyDocument := range repo.Policies {
- policy := policyDocument.Document.Parsed
- statements, _ := policy.Statements()
- for _, statement := range statements {
- var hasECRAction bool
- actions, _ := statement.Actions()
- for _, action := range actions {
- if strings.HasPrefix(action, "ecr:") {
- hasECRAction = true
- break
- }
- }
- if !hasECRAction {
- continue
- }
- var foundIssue bool
- principals, _ := statement.Principals()
- if all, r := principals.All(); all {
- foundIssue = true
- results.Add(
- "Policy provides public access to the ECR repository.",
- policyDocument.Document.MetadataFromIamGo(statement.Range(), r),
- )
- } else {
- accounts, r := principals.AWS()
- for _, account := range accounts {
- if account == "*" {
- foundIssue = true
- results.Add(
- "Policy provides public access to the ECR repository.",
- policyDocument.Document.MetadataFromIamGo(statement.Range(), r),
- )
- }
- continue
- }
- }
- if foundIssue {
- results.AddPassed(&repo)
- }
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/aws/ecr/no_public_access.tf.go b/checks/cloud/aws/ecr/no_public_access.tf.go
deleted file mode 100644
index 27ddea04..00000000
--- a/checks/cloud/aws/ecr/no_public_access.tf.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package ecr
-
-var terraformNoPublicAccessGoodExamples = []string{
- `
- resource "aws_ecr_repository" "foo" {
- name = "bar"
- }
-
- resource "aws_ecr_repository_policy" "foopolicy" {
- repository = aws_ecr_repository.foo.name
-
- policy = <true
.`,
- Links: []string{
- "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableDiskEncryptionGoodExamples,
- BadExamples: terraformEnableDiskEncryptionBadExamples,
- Links: terraformEnableDiskEncryptionLinks,
- RemediationMarkdown: terraformEnableDiskEncryptionRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, disk := range s.Azure.Compute.ManagedDisks {
- if disk.Metadata.IsUnmanaged() {
- continue
- }
- if disk.Encryption.Enabled.IsFalse() {
- results.Add(
- "Managed disk is not encrypted.",
- disk.Encryption.Enabled,
- )
- } else {
- results.AddPassed(&disk)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/azure/compute/enable_disk_encryption.tf.go b/checks/cloud/azure/compute/enable_disk_encryption.tf.go
deleted file mode 100644
index d727db7c..00000000
--- a/checks/cloud/azure/compute/enable_disk_encryption.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package compute
-
-var terraformEnableDiskEncryptionGoodExamples = []string{
- `
- resource "azurerm_managed_disk" "good_example" {
- encryption_settings {
- enabled = true
- }
- }`,
-}
-
-var terraformEnableDiskEncryptionBadExamples = []string{
- `
- resource "azurerm_managed_disk" "bad_example" {
- encryption_settings {
- enabled = false
- }
- }`,
-}
-
-var terraformEnableDiskEncryptionLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk`,
-}
-
-var terraformEnableDiskEncryptionRemediationMarkdown = ``
diff --git a/checks/cloud/azure/compute/no_secrets_in_custom_data.go b/checks/cloud/azure/compute/no_secrets_in_custom_data.go
deleted file mode 100755
index f0580ffc..00000000
--- a/checks/cloud/azure/compute/no_secrets_in_custom_data.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- "github.com/owenrumney/squealer/pkg/squealer"
-)
-
-var scanner = squealer.NewStringScanner()
-
-var CheckNoSecretsInCustomData = rules.Register(
- scan.Rule{
- AVDID: "AVD-AZU-0037",
- Provider: providers.AzureProvider,
- Service: "compute",
- ShortCode: "no-secrets-in-custom-data",
- Summary: "Ensure that no sensitive credentials are exposed in VM custom_data",
- Impact: "Sensitive credentials in custom_data can be leaked",
- Resolution: "Don't use sensitive credentials in the VM custom_data",
- Explanation: `When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoSecretsInCustomDataGoodExamples,
- BadExamples: terraformNoSecretsInCustomDataBadExamples,
- Links: terraformNoSecretsInCustomDataLinks,
- RemediationMarkdown: terraformNoSecretsInCustomDataRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, vm := range s.Azure.Compute.LinuxVirtualMachines {
- if vm.Metadata.IsUnmanaged() {
- continue
- }
- if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound {
- results.Add(
- "Virtual machine includes secret(s) in custom data.",
- vm.CustomData,
- )
- } else {
- results.AddPassed(&vm)
- }
- }
- for _, vm := range s.Azure.Compute.WindowsVirtualMachines {
- if vm.Metadata.IsUnmanaged() {
- continue
- }
- if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound {
- results.Add(
- "Virtual machine includes secret(s) in custom data.",
- vm.CustomData,
- )
- } else {
- results.AddPassed(&vm)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/azure/compute/no_secrets_in_custom_data.tf.go b/checks/cloud/azure/compute/no_secrets_in_custom_data.tf.go
deleted file mode 100644
index b4558068..00000000
--- a/checks/cloud/azure/compute/no_secrets_in_custom_data.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package compute
-
-var terraformNoSecretsInCustomDataGoodExamples = []string{
- `
- resource "azurerm_virtual_machine" "good_example" {
- name = "good_example"
- os_profile_linux_config {
- disable_password_authentication = false
- }
- os_profile {
- custom_data =<This page is empty.
" - content_type = "text/html" - } - `, -} - -var terraformAclNoPublicReadBadExamples = []string{ - ` - resource "digitalocean_spaces_bucket" "bad_example" { - name = "public_space" - region = "nyc3" - acl = "public-read" - } - - resource "digitalocean_spaces_bucket_object" "index" { - region = digitalocean_spaces_bucket.bad_example.region - bucket = digitalocean_spaces_bucket.bad_example.name - key = "index.html" - content = "This page is empty.
" - content_type = "text/html" - acl = "public-read" - } - `, -} - -var terraformAclNoPublicReadLinks = []string{ - `https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#acl`, `https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket_object#acl`, -} - -var terraformAclNoPublicReadRemediationMarkdown = `` diff --git a/checks/cloud/digitalocean/spaces/disable_force_destroy.go b/checks/cloud/digitalocean/spaces/disable_force_destroy.go deleted file mode 100755 index c948c113..00000000 --- a/checks/cloud/digitalocean/spaces/disable_force_destroy.go +++ /dev/null 
@@ -1,47 +0,0 @@
-package spaces
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckDisableForceDestroy = rules.Register(
- scan.Rule{
- AVDID: "AVD-DIG-0009",
- Provider: providers.DigitalOceanProvider,
- Service: "spaces",
- ShortCode: "disable-force-destroy",
- Summary: "Force destroy is enabled on Spaces bucket which is dangerous",
- Impact: "Accidental deletion of bucket objects",
- Resolution: "Don't use force destroy on bucket configuration",
- Explanation: `Enabling force destroy on a Spaces bucket means that the bucket can be deleted without the additional check that it is empty. This risks important data being accidentally deleted by a bucket removal process.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformDisableForceDestroyGoodExamples,
- BadExamples: terraformDisableForceDestroyBadExamples,
- Links: terraformDisableForceDestroyLinks,
- RemediationMarkdown: terraformDisableForceDestroyRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, bucket := range s.DigitalOcean.Spaces.Buckets {
- if bucket.Metadata.IsUnmanaged() {
- continue
- }
- if bucket.ForceDestroy.IsTrue() {
- results.Add(
- "Bucket has force-destroy enabled.",
- bucket.ForceDestroy,
- )
- } else {
- results.AddPassed(&bucket)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/digitalocean/spaces/disable_force_destroy.tf.go b/checks/cloud/digitalocean/spaces/disable_force_destroy.tf.go
deleted file mode 100644
index 253db7b2..00000000
--- a/checks/cloud/digitalocean/spaces/disable_force_destroy.tf.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package spaces
-
-var terraformDisableForceDestroyGoodExamples = []string{
- `
- resource "digitalocean_spaces_bucket" "good_example" {
- name = "foobar"
- region = "nyc3"
- }
- `,
-}
-
-var terraformDisableForceDestroyBadExamples = []string{
- `
- resource "digitalocean_spaces_bucket" "bad_example" {
- name = "foobar"
- region = "nyc3"
- force_destroy = true
- }
- `,
-}
-
-var terraformDisableForceDestroyLinks = []string{
- `https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#force_destroy`,
-}
-
-var terraformDisableForceDestroyRemediationMarkdown = ``
diff --git a/checks/cloud/digitalocean/spaces/versioning_enabled.go b/checks/cloud/digitalocean/spaces/versioning_enabled.go
deleted file mode 100755
index 63d4e14e..00000000
--- a/checks/cloud/digitalocean/spaces/versioning_enabled.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package spaces
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckVersioningEnabled = rules.Register(
- scan.Rule{
- AVDID: "AVD-DIG-0007",
- Provider: providers.DigitalOceanProvider,
- Service: "spaces",
- ShortCode: "versioning-enabled",
- Summary: "Spaces buckets should have versioning enabled",
- Impact: "Deleted or modified data would not be recoverable",
- Resolution: "Enable versioning to protect against accidental or malicious removal or modification",
- Explanation: `Versioning is a means of keeping multiple variants of an object in the same bucket. You can use the Spaces (S3) Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures.`,
- Links: []string{
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformVersioningEnabledGoodExamples,
- BadExamples: terraformVersioningEnabledBadExamples,
- Links: terraformVersioningEnabledLinks,
- RemediationMarkdown: terraformVersioningEnabledRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, bucket := range s.DigitalOcean.Spaces.Buckets {
- if bucket.Metadata.IsUnmanaged() {
- continue
- }
- if bucket.Versioning.Enabled.IsFalse() {
- results.Add(
- "Bucket does not have versioning enabled.",
- bucket.Versioning.Enabled,
- )
- } else {
- results.AddPassed(&bucket)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/digitalocean/spaces/versioning_enabled.tf.go b/checks/cloud/digitalocean/spaces/versioning_enabled.tf.go
deleted file mode 100644
index 53a8716f..00000000
--- a/checks/cloud/digitalocean/spaces/versioning_enabled.tf.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package spaces
-
-var terraformVersioningEnabledGoodExamples = []string{
- `
- resource "digitalocean_spaces_bucket" "good_example" {
- name = "foobar"
- region = "nyc3"
-
- versioning {
- enabled = true
- }
- }
- `,
-}
-
-var terraformVersioningEnabledBadExamples = []string{
- `
- resource "digitalocean_spaces_bucket" "bad_example" {
- name = "foobar"
- region = "nyc3"
- }
-
- resource "digitalocean_spaces_bucket" "bad_example" {
- name = "foobar"
- region = "nyc3"
-
- versioning {
- enabled = false
- }
- }
- `,
-}
-
-var terraformVersioningEnabledLinks = []string{
- `https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#versioning`,
-}
-
-var terraformVersioningEnabledRemediationMarkdown = ``
diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets.go b/checks/cloud/github/actions/no_plain_text_action_secrets.go
deleted file mode 100644
index 7ae8871c..00000000
--- a/checks/cloud/github/actions/no_plain_text_action_secrets.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package actions
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPlainTextActionEnvironmentSecrets = rules.Register(
- scan.Rule{
- AVDID: "AVD-GIT-0002",
- Provider: providers.GitHubProvider,
- Service: "actions",
- ShortCode: "no-plain-text-action-secrets",
- Summary: "Ensure plaintext value is not used for GitHub Action Environment Secret.",
- Impact: "Unencrypted sensitive plaintext value can be easily accessible in code.",
- Resolution: "Do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable.", Explanation: `For the purposes of security, the contents of the plaintext_value field have been marked as sensitive to Terraform, but this does not hide it from state files.
State should be treated as sensitive always.`,
-
- Links: []string{
- "https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret",
- "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPlainTextActionSecretsGoodExamples,
- BadExamples: terraformNoPlainTextActionSecretsBadExamples,
- Links: terraformNoPlainTextActionSecretsLinks,
- RemediationMarkdown: terraformNoPlainTextActionSecretsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, environmentSecret := range s.GitHub.EnvironmentSecrets {
- if environmentSecret.Metadata.IsUnmanaged() {
- continue
- }
- if environmentSecret.PlainTextValue.IsNotEmpty() {
- results.Add("Secret has plain text value",
- environmentSecret.PlainTextValue)
- } else {
- results.AddPassed(&environmentSecret)
- }
- }
- return results
- },
-)
diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets.tf.go b/checks/cloud/github/actions/no_plain_text_action_secrets.tf.go
deleted file mode 100644
index 27e4685d..00000000
--- a/checks/cloud/github/actions/no_plain_text_action_secrets.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package actions
-
-var terraformNoPlainTextActionSecretsGoodExamples = []string{
- `
-resource "github_actions_environment_secret" "good_example" {
- repository = "my repository name"
- environment = "my environment"
- secret_name = "my secret name"
- encrypted_value = var.some_encrypted_secret_string
-}
-`,
-}
-
-var terraformNoPlainTextActionSecretsBadExamples = []string{
- `
-resource "github_actions_environment_secret" "bad_example" {
- repository = "my repository name"
- environment = "my environment"
- secret_name = "my secret name"
- plaintext_value = "sensitive secret string"
-}
-`,
-}
-
-var terraformNoPlainTextActionSecretsLinks = []string{
- `https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret`, `https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions`,
-}
-
-var terraformNoPlainTextActionSecretsRemediationMarkdown = ``
diff --git a/checks/cloud/github/branch_protections/require_signed_commits.go b/checks/cloud/github/branch_protections/require_signed_commits.go
deleted file mode 100755
index ee3771fb..00000000
--- a/checks/cloud/github/branch_protections/require_signed_commits.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package branch_protections
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckRequireSignedCommits = rules.Register(
- scan.Rule{
- AVDID: "AVD-GIT-0004",
- Provider: providers.GitHubProvider,
- Service: "branch_protections",
- ShortCode: "require_signed_commits",
- Summary: "GitHub branch protection does not require signed commits.",
- Impact: "Commits may not be verified and signed as coming from a trusted developer",
- Resolution: "Require signed commits",
- Explanation: `GitHub branch protection should be set to require signed commits.
-
-You can do this by setting therequire_signed_commits
attribute to 'true'.`,
- Links: []string{
- "https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection#require_signed_commits",
- "https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification",
- "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformRequireSignedCommitsGoodExamples,
- BadExamples: terraformRequireSignedCommitsBadExamples,
- Links: terraformRequireSignedCommitsLinks,
- RemediationMarkdown: terraformRequireSignedCommitsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, branchProtection := range s.GitHub.BranchProtections {
- if branchProtection.RequireSignedCommits.IsFalse() {
- results.Add(
- "Branch protection does not require signed commits,",
- branchProtection.RequireSignedCommits,
- )
- } else {
- results.AddPassed(branchProtection)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/github/branch_protections/require_signed_commits.tf.go b/checks/cloud/github/branch_protections/require_signed_commits.tf.go
deleted file mode 100644
index 51aa2736..00000000
--- a/checks/cloud/github/branch_protections/require_signed_commits.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package branch_protections
-
-var terraformRequireSignedCommitsGoodExamples = []string{
- `
- resource "github_branch_protection" "good_example" {
- repository_id = "example"
- pattern = "main"
-
- require_signed_commits = true
- }
- `,
-}
-
-var terraformRequireSignedCommitsBadExamples = []string{
- `
- resource "github_branch_protection" "good_example" {
- repository_id = "example"
- pattern = "main"
-
- require_signed_commits = false
- }
- `,
-}
-
-var terraformRequireSignedCommitsLinks = []string{
- `https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection`,
-}
-
-var terraformRequireSignedCommitsRemediationMarkdown = ``
diff --git a/checks/cloud/github/repositories/enable_vulnerability_alerts.go b/checks/cloud/github/repositories/enable_vulnerability_alerts.go
deleted file mode 100755
index c2039d8e..00000000
--- a/checks/cloud/github/repositories/enable_vulnerability_alerts.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package repositories
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableVulnerabilityAlerts = rules.Register(
- scan.Rule{
- AVDID: "AVD-GIT-0003",
- Provider: providers.GitHubProvider,
- Service: "repositories",
- ShortCode: "enable_vulnerability_alerts",
- Summary: "GitHub repository has vulnerability alerts disabled.",
- Impact: "Known vulnerabilities may not be discovered",
- Resolution: "Enable vulnerability alerts",
- Explanation: `GitHub repository should be set to use vulnerability alerts.
-
-You can do this by setting the vulnerability_alerts
attribute to 'true'.`,
- Links: []string{
- "https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableVulnerabilityAlertsGoodExamples,
- BadExamples: terraformEnableVulnerabilityAlertsBadExamples,
- Links: terraformEnableVulnerabilityAlertsLinks,
- RemediationMarkdown: terraformEnableVulnerabilityAlertsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, repo := range s.GitHub.Repositories {
- if repo.Metadata.IsUnmanaged() {
- continue
- }
- if repo.IsArchived() {
- continue
- }
- if repo.VulnerabilityAlerts.IsFalse() {
- results.Add(
- "Repository does not have vulnerability alerts enabled,",
- repo.VulnerabilityAlerts,
- )
- } else {
- results.AddPassed(repo)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/github/repositories/enable_vulnerability_alerts.tf.go b/checks/cloud/github/repositories/enable_vulnerability_alerts.tf.go
deleted file mode 100644
index 7e8808d7..00000000
--- a/checks/cloud/github/repositories/enable_vulnerability_alerts.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package repositories
-
-var terraformEnableVulnerabilityAlertsGoodExamples = []string{
- `
- resource "github_repository" "good_example" {
- name = "example"
- description = "My awesome codebase"
-
- vulnerability_alerts = true
-
- template {
- owner = "github"
- repository = "terraform-module-template"
- }
- }
- `,
-}
-
-var terraformEnableVulnerabilityAlertsBadExamples = []string{
- `
- resource "github_repository" "bad_example" {
- name = "example"
- description = "My awesome codebase"
-
- vulnerability_alerts = false
-
- template {
- owner = "github"
- repository = "terraform-module-template"
- }
- }
- `,
-}
-
-var terraformEnableVulnerabilityAlertsLinks = []string{
- `https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository`,
-}
-
-var terraformEnableVulnerabilityAlertsRemediationMarkdown = ``
diff --git a/checks/cloud/github/repositories/private.tf.go b/checks/cloud/github/repositories/private.tf.go
deleted file mode 100644
index a5c650a7..00000000
--- a/checks/cloud/github/repositories/private.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package repositories
-
-var terraformPrivateGoodExamples = []string{
- `
- resource "github_repository" "good_example" {
- name = "example"
- description = "My awesome codebase"
-
- visibility = "private"
-
- template {
- owner = "github"
- repository = "terraform-module-template"
- }
- }
- `,
-}
-
-var terraformPrivateBadExamples = []string{
- `
- resource "github_repository" "bad_example" {
- name = "example"
- description = "My awesome codebase"
-
- visibility = "public"
-
- template {
- owner = "github"
- repository = "terraform-module-template"
- }
- }
- `,
-}
-
-var terraformPrivateLinks = []string{
- `https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository`,
-}
-
-var terraformPrivateRemediationMarkdown = ``
diff --git a/checks/cloud/github/repositories/private_repository.go b/checks/cloud/github/repositories/private_repository.go
deleted file mode 100755
index dd9a0a95..00000000
--- a/checks/cloud/github/repositories/private_repository.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package repositories
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPrivate = rules.Register(
- scan.Rule{
- AVDID: "AVD-GIT-0001",
- Provider: providers.GitHubProvider,
- Service: "repositories",
- ShortCode: "private",
- Summary: "GitHub repository shouldn't be public.",
- Impact: "Anyone can read the contents of the GitHub repository and leak IP",
- Resolution: "Make sensitive or commercially important repositories private",
- Explanation: `GitHub repository should be set to be private.
-
-You can do this by either setting private
attribute to 'true' or visibility
attribute to 'internal' or 'private'.`,
- Links: []string{
- "https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility",
- "https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility#about-internal-repositories",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPrivateGoodExamples,
- BadExamples: terraformPrivateBadExamples,
- Links: terraformPrivateLinks,
- RemediationMarkdown: terraformPrivateRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, repo := range s.GitHub.Repositories {
- if repo.Metadata.IsUnmanaged() {
- continue
- }
- if repo.Public.IsTrue() {
- results.Add(
- "Repository is public,",
- repo.Public,
- )
- } else {
- results.AddPassed(repo)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/bigquery/no_public_access.go b/checks/cloud/google/bigquery/no_public_access.go
deleted file mode 100755
index 5af6e854..00000000
--- a/checks/cloud/google/bigquery/no_public_access.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package bigquery
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/bigquery"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0046",
- Provider: providers.GoogleProvider,
- Service: "bigquery",
- ShortCode: "no-public-access",
- Summary: "BigQuery datasets should only be accessible within the organisation",
- Impact: "Exposure of sensitive data to the public iniernet",
- Resolution: "Configure access permissions with higher granularity",
- Explanation: `Using 'allAuthenticatedUsers' provides any GCP user - even those outside of your organisation - access to your BigQuery dataset.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicAccessGoodExamples,
- BadExamples: terraformNoPublicAccessBadExamples,
- Links: terraformNoPublicAccessLinks,
- RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, dataset := range s.Google.BigQuery.Datasets {
- for _, grant := range dataset.AccessGrants {
- if grant.SpecialGroup.EqualTo(bigquery.SpecialGroupAllAuthenticatedUsers) {
- results.Add(
- "Dataset grants access to all authenticated GCP users.",
- grant.SpecialGroup,
- )
- } else {
- results.AddPassed(&grant)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/bigquery/no_public_access.tf.go b/checks/cloud/google/bigquery/no_public_access.tf.go
deleted file mode 100644
index c83db651..00000000
--- a/checks/cloud/google/bigquery/no_public_access.tf.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package bigquery
-
-var terraformNoPublicAccessGoodExamples = []string{
- `
- resource "google_bigquery_dataset" "good_example" {
- dataset_id = "example_dataset"
- friendly_name = "test"
- description = "This is a test description"
- location = "EU"
- default_table_expiration_ms = 3600000
-
- labels = {
- env = "default"
- }
-
- access {
- role = "OWNER"
- user_by_email = google_service_account.bqowner.email
- }
-
- access {
- role = "READER"
- domain = "hashicorp.com"
- }
- }
-
- resource "google_service_account" "bqowner" {
- account_id = "bqowner"
- }
- `,
-}
-
-var terraformNoPublicAccessBadExamples = []string{
- `
- resource "google_bigquery_dataset" "bad_example" {
- dataset_id = "example_dataset"
- friendly_name = "test"
- description = "This is a test description"
- location = "EU"
- default_table_expiration_ms = 3600000
-
- labels = {
- env = "default"
- }
-
- access {
- role = "OWNER"
- special_group = "allAuthenticatedUsers"
- }
-
- access {
- role = "READER"
- domain = "hashicorp.com"
- }
- }
-
- `,
-}
-
-var terraformNoPublicAccessLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset#special_group`,
-}
-
-var terraformNoPublicAccessRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/disk_encryption_customer_key.go b/checks/cloud/google/compute/disk_encryption_customer_key.go
deleted file mode 100755
index cd84f570..00000000
--- a/checks/cloud/google/compute/disk_encryption_customer_key.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckDiskEncryptionCustomerKey = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0034",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "disk-encryption-customer-key",
- Summary: "Disks should be encrypted with customer managed encryption keys",
- Impact: "Using unmanaged keys does not allow for proper key management.",
- Resolution: "Use managed keys to encrypt disks.",
- Explanation: `Using unmanaged keys makes rotation and general management difficult.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformDiskEncryptionCustomerKeyGoodExamples,
- BadExamples: terraformDiskEncryptionCustomerKeyBadExamples,
- Links: terraformDiskEncryptionCustomerKeyLinks,
- RemediationMarkdown: terraformDiskEncryptionCustomerKeyRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, disk := range s.Google.Compute.Disks {
- if disk.Metadata.IsUnmanaged() {
- continue
- }
- if disk.Encryption.KMSKeyLink.IsEmpty() {
- results.Add(
- "Disk is not encrypted with a customer managed key.",
- disk.Encryption.KMSKeyLink,
- )
- } else {
- results.AddPassed(&disk)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/disk_encryption_customer_key.tf.go b/checks/cloud/google/compute/disk_encryption_customer_key.tf.go
deleted file mode 100644
index 17a5f99f..00000000
--- a/checks/cloud/google/compute/disk_encryption_customer_key.tf.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package compute
-
-var terraformDiskEncryptionCustomerKeyGoodExamples = []string{
- `
- resource "google_compute_disk" "good_example" {
- name = "test-disk"
- type = "pd-ssd"
- zone = "us-central1-a"
- image = "debian-9-stretch-v20200805"
- labels = {
- environment = "dev"
- }
- physical_block_size_bytes = 4096
- disk_encryption_key {
- kms_key_self_link = "something"
- }
- }
- `,
-}
-
-var terraformDiskEncryptionCustomerKeyBadExamples = []string{
- `
- resource "google_compute_disk" "bad_example" {
- name = "test-disk"
- type = "pd-ssd"
- zone = "us-central1-a"
- image = "debian-9-stretch-v20200805"
- labels = {
- environment = "dev"
- }
- physical_block_size_bytes = 4096
- }
- `,
-}
-
-var terraformDiskEncryptionCustomerKeyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link`,
-}
-
-var terraformDiskEncryptionCustomerKeyRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/disk_encryption_no_plaintext_key.go b/checks/cloud/google/compute/disk_encryption_no_plaintext_key.go
deleted file mode 100755
index 695656d6..00000000
--- a/checks/cloud/google/compute/disk_encryption_no_plaintext_key.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckDiskEncryptionRequired = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0037",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "disk-encryption-no-plaintext-key",
- Summary: "The encryption key used to encrypt a compute disk has been specified in plaintext.",
- Impact: "The encryption key should be considered compromised as it is not stored securely.",
- Resolution: "Reference a managed key rather than include the key in raw format.",
- Explanation: `Sensitive values such as raw encryption keys should not be included in your Terraform code, and should be stored securely by a secrets manager.`,
- Links: []string{
- "https://cloud.google.com/compute/docs/disks/customer-supplied-encryption",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformDiskEncryptionNoPlaintextKeyGoodExamples,
- BadExamples: terraformDiskEncryptionNoPlaintextKeyBadExamples,
- Links: terraformDiskEncryptionNoPlaintextKeyLinks,
- RemediationMarkdown: terraformDiskEncryptionNoPlaintextKeyRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- for _, disk := range append(instance.BootDisks, instance.AttachedDisks...) {
- if disk.Encryption.RawKey.Len() > 0 {
- results.Add(
- "Instance disk has encryption key provided in plaintext.",
- disk.Encryption.RawKey,
- )
- } else {
- results.AddPassed(&disk)
- }
- }
- }
- for _, disk := range s.Google.Compute.Disks {
- if disk.Encryption.RawKey.Len() > 0 {
- results.Add(
- "Disk encryption key is supplied in plaintext.",
- disk.Encryption.RawKey,
- )
- } else {
- results.AddPassed(&disk)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/disk_encryption_no_plaintext_key.tf.go b/checks/cloud/google/compute/disk_encryption_no_plaintext_key.tf.go
deleted file mode 100644
index 633d50ce..00000000
--- a/checks/cloud/google/compute/disk_encryption_no_plaintext_key.tf.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package compute
-
-var terraformDiskEncryptionNoPlaintextKeyGoodExamples = []string{
- `
- resource "google_compute_disk" "good_example" {
- disk_encryption_key {
- kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
- }
- }
- `,
-}
-
-var terraformDiskEncryptionNoPlaintextKeyBadExamples = []string{
- `
- resource "google_compute_disk" "bad_example" {
- disk_encryption_key {
- raw_key="b2ggbm8gdGhpcyBpcyBiYWQ="
- }
- }
- `,
-}
-
-var terraformDiskEncryptionNoPlaintextKeyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link`,
-}
-
-var terraformDiskEncryptionNoPlaintextKeyRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/enable_shielded_vm_im.go b/checks/cloud/google/compute/enable_shielded_vm_im.go
deleted file mode 100755
index cf0ff0b1..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_im.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableShieldedVMIntegrityMonitoring = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0045",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "enable-shielded-vm-im",
- Summary: "Instances should have Shielded VM integrity monitoring enabled",
- Impact: "No visibility of VM instance boot state.",
- Resolution: "Enable Shielded VM Integrity Monitoring",
- Explanation: `Integrity monitoring helps you understand and make decisions about the state of your VM instances.`,
- Links: []string{
- "https://cloud.google.com/security/shielded-cloud/shielded-vm#integrity-monitoring",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableShieldedVmImGoodExamples,
- BadExamples: terraformEnableShieldedVmImBadExamples,
- Links: terraformEnableShieldedVmImLinks,
- RemediationMarkdown: terraformEnableShieldedVmImRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.ShieldedVM.IntegrityMonitoringEnabled.IsFalse() {
- results.Add(
- "Instance does not have shielded VM integrity monitoring enabled.",
- instance.ShieldedVM.IntegrityMonitoringEnabled,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/enable_shielded_vm_im.tf.go b/checks/cloud/google/compute/enable_shielded_vm_im.tf.go
deleted file mode 100644
index e91d7e9d..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_im.tf.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package compute
-
-var terraformEnableShieldedVmImGoodExamples = []string{
- `
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_integrity_monitoring = true
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmImBadExamples = []string{
- `
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_integrity_monitoring = false
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmImLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_vtpm`,
-}
-
-var terraformEnableShieldedVmImRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/enable_shielded_vm_sb.go b/checks/cloud/google/compute/enable_shielded_vm_sb.go
deleted file mode 100644
index 16f7747b..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_sb.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableShieldedVMSecureBoot = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0067",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "enable-shielded-vm-sb",
- Summary: "Instances should have Shielded VM secure boot enabled",
- Impact: "Unable to verify digital signature of boot components, and unable to stop the boot process if verification fails.",
- Resolution: "Enable Shielded VM secure boot",
- Explanation: `Secure boot helps ensure that the system only runs authentic software.`,
- Links: []string{
- "https://cloud.google.com/security/shielded-cloud/shielded-vm#secure-boot",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableShieldedVmSbGoodExamples,
- BadExamples: terraformEnableShieldedVmSbBadExamples,
- Links: terraformEnableShieldedVmSbLinks,
- RemediationMarkdown: terraformEnableShieldedVmSbRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.ShieldedVM.SecureBootEnabled.IsFalse() {
- results.Add(
- "Instance does not have shielded VM secure boot enabled.",
- instance.ShieldedVM.SecureBootEnabled,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/enable_shielded_vm_sb.tf.go b/checks/cloud/google/compute/enable_shielded_vm_sb.tf.go
deleted file mode 100644
index 47dce3dd..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_sb.tf.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package compute
-
-var terraformEnableShieldedVmSbGoodExamples = []string{
- `
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_secure_boot = true
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmSbBadExamples = []string{
- `
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_secure_boot = false
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmSbLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_secure_boot`,
-}
-
-var terraformEnableShieldedVmSbRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/enable_shielded_vm_vtpm.go b/checks/cloud/google/compute/enable_shielded_vm_vtpm.go
deleted file mode 100755
index 650a7fe5..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_vtpm.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableShieldedVMVTPM = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0041",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "enable-shielded-vm-vtpm",
- Summary: "Instances should have Shielded VM VTPM enabled",
- Impact: "Unable to prevent unwanted system state modification",
- Resolution: "Enable Shielded VM VTPM",
- Explanation: `The virtual TPM provides numerous security measures to your VM.`,
- Links: []string{
- "https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableShieldedVmVtpmGoodExamples,
- BadExamples: terraformEnableShieldedVmVtpmBadExamples,
- Links: terraformEnableShieldedVmVtpmLinks,
- RemediationMarkdown: terraformEnableShieldedVmVtpmRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.ShieldedVM.VTPMEnabled.IsFalse() {
- results.Add(
- "Instance does not have VTPM for shielded VMs enabled.",
- instance.ShieldedVM.VTPMEnabled,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/enable_shielded_vm_vtpm.tf.go b/checks/cloud/google/compute/enable_shielded_vm_vtpm.tf.go
deleted file mode 100644
index 3e2efa98..00000000
--- a/checks/cloud/google/compute/enable_shielded_vm_vtpm.tf.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package compute
-
-var terraformEnableShieldedVmVtpmGoodExamples = []string{
- `
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_vtpm = true
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmVtpmBadExamples = []string{
- `
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- shielded_instance_config {
- enable_vtpm = false
- }
- }
- `,
-}
-
-var terraformEnableShieldedVmVtpmLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_vtpm`,
-}
-
-var terraformEnableShieldedVmVtpmRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/enable_vpc_flow_logs.go b/checks/cloud/google/compute/enable_vpc_flow_logs.go
deleted file mode 100755
index ef88b095..00000000
--- a/checks/cloud/google/compute/enable_vpc_flow_logs.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableVPCFlowLogs = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0029",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "enable-vpc-flow-logs",
- Summary: "VPC flow logs should be enabled for all subnetworks",
- Impact: "Limited auditing capability and awareness",
- Resolution: "Enable VPC flow logs",
- Explanation: `VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableVpcFlowLogsGoodExamples,
- BadExamples: terraformEnableVpcFlowLogsBadExamples,
- Links: terraformEnableVpcFlowLogsLinks,
- RemediationMarkdown: terraformEnableVpcFlowLogsRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, network := range s.Google.Compute.Networks {
- for _, subnetwork := range network.Subnetworks {
- if subnetwork.EnableFlowLogs.IsFalse() &&
- // Proxy-only subnets don't support VPC Flow Logs.
- // https://cloud.google.com/vpc/docs/using-flow-logs#flow_logs_appear_to_be_disabled_even_though_you_enabled_them
- !subnetwork.Purpose.IsOneOf("REGIONAL_MANAGED_PROXY", "GLOBAL_MANAGED_PROXY") {
- results.Add(
- "Subnetwork does not have VPC flow logs enabled.",
- subnetwork.EnableFlowLogs,
- )
- } else {
- results.AddPassed(&subnetwork)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/enable_vpc_flow_logs.tf.go b/checks/cloud/google/compute/enable_vpc_flow_logs.tf.go
deleted file mode 100644
index fe22e0fc..00000000
--- a/checks/cloud/google/compute/enable_vpc_flow_logs.tf.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package compute
-
-var terraformEnableVpcFlowLogsGoodExamples = []string{
- `
-resource "google_compute_subnetwork" "good_example" {
- name = "test-subnetwork"
- ip_cidr_range = "10.2.0.0/16"
- region = "us-central1"
- network = google_compute_network.custom-test.id
- secondary_ip_range {
- range_name = "tf-test-secondary-range-update1"
- ip_cidr_range = "192.168.10.0/24"
- }
- log_config {
- aggregation_interval = "INTERVAL_10_MIN"
- flow_sampling = 0.5
- metadata = "INCLUDE_ALL_METADATA"
- }
-}
-resource "google_compute_network" "custom-test" {
- name = "test-network"
- auto_create_subnetworks = false
-}
-`,
-}
-
-var terraformEnableVpcFlowLogsBadExamples = []string{
- `
-resource "google_compute_subnetwork" "bad_example" {
- name = "test-subnetwork"
- ip_cidr_range = "10.2.0.0/16"
- region = "us-central1"
- network = google_compute_network.custom-test.id
- secondary_ip_range {
- range_name = "tf-test-secondary-range-update1"
- ip_cidr_range = "192.168.10.0/24"
- }
-}
-resource "google_compute_network" "custom-test" {
- name = "test-network"
- auto_create_subnetworks = false
-}
-`,
-}
-
-var terraformEnableVpcFlowLogsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#enable_flow_logs`,
-}
-
-var terraformEnableVpcFlowLogsRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_default_service_account.go b/checks/cloud/google/compute/no_default_service_account.go
deleted file mode 100755
index 9d7b3752..00000000
--- a/checks/cloud/google/compute/no_default_service_account.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoDefaultServiceAccount = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0044",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-default-service-account",
- Summary: "Instances should not use the default service account",
- Impact: "Instance has full access to the project",
- Resolution: "Remove use of default service account",
- Explanation: `The default service account has full project access. Instances should instead be assigned the minimal access they need.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoDefaultServiceAccountGoodExamples,
- BadExamples: terraformNoDefaultServiceAccountBadExamples,
- Links: terraformNoDefaultServiceAccountLinks,
- RemediationMarkdown: terraformNoDefaultServiceAccountRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.ServiceAccount.IsDefault.IsTrue() {
- results.Add(
- "Instance uses the default service account.",
- instance.ServiceAccount.Email,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_default_service_account.tf.go b/checks/cloud/google/compute/no_default_service_account.tf.go
deleted file mode 100644
index 41594fed..00000000
--- a/checks/cloud/google/compute/no_default_service_account.tf.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package compute
-
-var terraformNoDefaultServiceAccountGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- foo = "bar"
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoDefaultServiceAccountBadExamples = []string{
- `
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = "1234567890-compute@developer.gserviceaccount.com"
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoDefaultServiceAccountLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`,
-}
-
-var terraformNoDefaultServiceAccountRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_ip_forwarding.go b/checks/cloud/google/compute/no_ip_forwarding.go
deleted file mode 100755
index 2f61be03..00000000
--- a/checks/cloud/google/compute/no_ip_forwarding.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoIpForwarding = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0043",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-ip-forwarding",
- Summary: "Instances should not have IP forwarding enabled",
- Impact: "Instance can send/receive packets without the explicit instance address",
- Resolution: "Disable IP forwarding",
- Explanation: `Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoIpForwardingGoodExamples,
- BadExamples: terraformNoIpForwardingBadExamples,
- Links: terraformNoIpForwardingLinks,
- RemediationMarkdown: terraformNoIpForwardingRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.CanIPForward.IsTrue() {
- results.Add(
- "Instance has IP forwarding allowed.",
- instance.CanIPForward,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_ip_forwarding.tf.go b/checks/cloud/google/compute/no_ip_forwarding.tf.go
deleted file mode 100644
index 620cf42f..00000000
--- a/checks/cloud/google/compute/no_ip_forwarding.tf.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package compute
-
-var terraformNoIpForwardingGoodExamples = []string{
- `
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- can_ip_forward = false
- }
- `,
-}
-
-var terraformNoIpForwardingBadExamples = []string{
- `
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- can_ip_forward = true
- }
- `,
-}
-
-var terraformNoIpForwardingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#can_ip_forward`,
-}
-
-var terraformNoIpForwardingRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_oslogin_override.go b/checks/cloud/google/compute/no_oslogin_override.go
deleted file mode 100755
index 73520307..00000000
--- a/checks/cloud/google/compute/no_oslogin_override.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoOsloginOverride = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0036",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-oslogin-override",
- Summary: "Instances should not override the project setting for OS Login",
- Impact: "Access via SSH key cannot be revoked automatically when an IAM user is removed.",
- Resolution: "Enable OS Login at project level and remove instance-level overrides",
- Explanation: `OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoOsloginOverrideGoodExamples,
- BadExamples: terraformNoOsloginOverrideBadExamples,
- Links: terraformNoOsloginOverrideLinks,
- RemediationMarkdown: terraformNoOsloginOverrideRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.OSLoginEnabled.IsFalse() {
- results.Add(
- "Instance has OS Login disabled.",
- instance.OSLoginEnabled,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_oslogin_override.tf.go b/checks/cloud/google/compute/no_oslogin_override.tf.go
deleted file mode 100644
index e6343882..00000000
--- a/checks/cloud/google/compute/no_oslogin_override.tf.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package compute
-
-var terraformNoOsloginOverrideGoodExamples = []string{
- `
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- metadata = {
- }
- }
- `,
-}
-
-var terraformNoOsloginOverrideBadExamples = []string{
- `
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- metadata = {
- enable-oslogin = false
- }
- }
- `,
-}
-
-var terraformNoOsloginOverrideLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`,
-}
-
-var terraformNoOsloginOverrideRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_project_wide_ssh_keys.go b/checks/cloud/google/compute/no_project_wide_ssh_keys.go
deleted file mode 100755
index b9d43557..00000000
--- a/checks/cloud/google/compute/no_project_wide_ssh_keys.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoProjectWideSshKeys = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0030",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-project-wide-ssh-keys",
- Summary: "Disable project-wide SSH keys for all instances",
- Impact: "Compromise of a single key pair compromises all instances",
- Resolution: "Disable project-wide SSH keys",
- Explanation: `Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoProjectWideSshKeysGoodExamples,
- BadExamples: terraformNoProjectWideSshKeysBadExamples,
- Links: terraformNoProjectWideSshKeysLinks,
- RemediationMarkdown: terraformNoProjectWideSshKeysRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.EnableProjectSSHKeyBlocking.IsFalse() {
- results.Add(
- "Instance allows use of project-level SSH keys.",
- instance.EnableProjectSSHKeyBlocking,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_project_wide_ssh_keys.tf.go b/checks/cloud/google/compute/no_project_wide_ssh_keys.tf.go
deleted file mode 100644
index e23a7816..00000000
--- a/checks/cloud/google/compute/no_project_wide_ssh_keys.tf.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package compute
-
-var terraformNoProjectWideSshKeysGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- block-project-ssh-keys = true
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoProjectWideSshKeysBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- block-project-ssh-keys = false
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoProjectWideSshKeysLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`,
-}
-
-var terraformNoProjectWideSshKeysRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_public_egress.go b/checks/cloud/google/compute/no_public_egress.go
deleted file mode 100755
index c05858fb..00000000
--- a/checks/cloud/google/compute/no_public_egress.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicEgress = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0035",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-public-egress",
- Summary: "An outbound firewall rule allows traffic to /0.",
- Impact: "The port is exposed for egress to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Network security rules should not use very broad subnets.
-
-Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.`,
- Links: []string{
- "https://cloud.google.com/vpc/docs/using-firewalls",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicEgressGoodExamples,
- BadExamples: terraformNoPublicEgressBadExamples,
- Links: terraformNoPublicEgressLinks,
- RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, network := range s.Google.Compute.Networks {
- if network.Firewall == nil {
- continue
- }
- for _, rule := range network.Firewall.EgressRules {
- if !rule.IsAllow.IsTrue() {
- continue
- }
- if rule.Enforced.IsFalse() {
- continue
- }
- for _, destination := range rule.DestinationRanges {
- if cidr.IsPublic(destination.Value()) && cidr.CountAddresses(destination.Value()) > 1 {
- results.Add(
- "Firewall rule allows egress traffic to multiple addresses on the public internet.",
- destination,
- )
- } else {
- results.AddPassed(destination)
- }
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_public_egress.tf.go b/checks/cloud/google/compute/no_public_egress.tf.go
deleted file mode 100644
index fa5b14ce..00000000
--- a/checks/cloud/google/compute/no_public_egress.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package compute
-
-var terraformNoPublicEgressGoodExamples = []string{
- `
- resource "google_compute_firewall" "good_example" {
- direction = "EGRESS"
- allow {
- protocol = "icmp"
- }
- destination_ranges = ["1.2.3.4/32"]
-}`,
-}
-
-var terraformNoPublicEgressBadExamples = []string{
- `
-resource "google_compute_firewall" "bad_example" {
- direction = "EGRESS"
- allow {
- protocol = "icmp"
- }
- destination_ranges = ["0.0.0.0/0"]
-}`,
-}
-
-var terraformNoPublicEgressLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall`,
-}
-
-var terraformNoPublicEgressRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_public_ingress.go b/checks/cloud/google/compute/no_public_ingress.go
deleted file mode 100755
index 835e0d68..00000000
--- a/checks/cloud/google/compute/no_public_ingress.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngress = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0027",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-public-ingress",
- Summary: "An inbound firewall rule allows traffic from /0.",
- Impact: "The port is exposed for ingress from the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Network security rules should not use very broad subnets.
-
-Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.`,
- Links: []string{
- "https://cloud.google.com/vpc/docs/using-firewalls",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressGoodExamples,
- BadExamples: terraformNoPublicIngressBadExamples,
- Links: terraformNoPublicIngressLinks,
- RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, network := range s.Google.Compute.Networks {
- if network.Firewall == nil {
- continue
- }
-
- if len(network.Firewall.SourceTags) > 0 && len(network.Firewall.TargetTags) > 0 {
- continue
- }
-
- for _, rule := range network.Firewall.IngressRules {
- if !rule.IsAllow.IsTrue() {
- continue
- }
- if rule.Enforced.IsFalse() {
- continue
- }
- for _, source := range rule.SourceRanges {
- if cidr.IsPublic(source.Value()) && cidr.CountAddresses(source.Value()) > 1 {
- results.Add(
- "Firewall rule allows ingress traffic from multiple addresses on the public internet.",
- source,
- )
- } else {
- results.AddPassed(source)
- }
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_public_ingress.tf.go b/checks/cloud/google/compute/no_public_ingress.tf.go
deleted file mode 100644
index a2dd2f0b..00000000
--- a/checks/cloud/google/compute/no_public_ingress.tf.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package compute
-
-var terraformNoPublicIngressGoodExamples = []string{
- `
-resource "google_compute_firewall" "good_example" {
- source_ranges = ["1.2.3.4/32"]
- allow {
- protocol = "icmp"
- }
-}`,
- `
-resource "google_compute_firewall" "allow-vms-to-some-machine" {
- name = "allow-vms-to-some-machine"
- network = local.network
- priority = 1300
- direction = "INGRESS"
- allow {
- protocol = "tcp"
- ports = ["8081"]
- }
- source_tags = ["vms"]
- target_tags = ["some-machine"]
-}`,
- `
-resource "google_compute_firewall" "test" {
- name = "gmp-validating-webhook-fw"
- network = google_compute_network.my_vpc_name.self_link
-
- allow {
- protocol = "tcp"
- ports = ["8443"]
- }
-
- target_tags = [ "k8s-node-pool" ]
- source_ranges = [google_container_cluster.my_cluster_name.private_cluster_config[0].master_ipv4_cidr_block]
-}
-`,
-}
-
-var terraformNoPublicIngressBadExamples = []string{
- `
-resource "google_compute_firewall" "bad_example" {
- source_ranges = ["0.0.0.0/0"]
- allow {
- protocol = "icmp"
- }
-}`,
-}
-
-var terraformNoPublicIngressLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#source_ranges`,
- `https://www.terraform.io/docs/providers/google/r/compute_firewall.html`,
-}
-
-var terraformNoPublicIngressRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_public_ip.go b/checks/cloud/google/compute/no_public_ip.go
deleted file mode 100755
index 469323f8..00000000
--- a/checks/cloud/google/compute/no_public_ip.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckInstancesDoNotHavePublicIPs = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0031",
- Provider: providers.GoogleProvider,
- Service: service,
- ShortCode: "no-public-ip",
- Summary: "Instances should not have public IP addresses",
- Impact: "Direct exposure of an instance to the public internet",
- Resolution: "Remove public IP",
- Explanation: `Instances should not be publicly exposed to the internet`,
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIpGoodExamples,
- BadExamples: terraformNoPublicIpBadExamples,
- Links: terraformNoPublicIpLinks,
- RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
- },
- Severity: severity.High,
- Links: []string{
- "https://cloud.google.com/compute/docs/ip-addresses#externaladdresses",
- },
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- for _, networkInterface := range instance.NetworkInterfaces {
- if networkInterface.HasPublicIP.IsTrue() {
- results.Add(
- "Instance has a public IP allocated.",
- networkInterface.HasPublicIP,
- )
- } else {
- results.AddPassed(&networkInterface)
- }
- }
-
- }
- return results
- },
-)
diff --git a/checks/cloud/google/compute/no_public_ip.tf.go b/checks/cloud/google/compute/no_public_ip.tf.go
deleted file mode 100644
index fe2de7bd..00000000
--- a/checks/cloud/google/compute/no_public_ip.tf.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package compute
-
-var terraformNoPublicIpGoodExamples = []string{
- `
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
- }
- }
- `,
-}
-
-var terraformNoPublicIpBadExamples = []string{
- `
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
- }
- `,
-}
-
-var terraformNoPublicIpLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#access_config`,
-}
-
-var terraformNoPublicIpRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/no_serial_port.go b/checks/cloud/google/compute/no_serial_port.go
deleted file mode 100755
index ebdb1049..00000000
--- a/checks/cloud/google/compute/no_serial_port.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoSerialPort = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0032",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "no-serial-port",
- Summary: "Disable serial port connectivity for all instances",
- Impact: "Unrestricted network access to the serial console of the instance",
- Resolution: "Disable serial port access",
- Explanation: `When serial port access is enabled, the access is not governed by network security rules meaning the port can be exposed publicly.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoSerialPortGoodExamples,
- BadExamples: terraformNoSerialPortBadExamples,
- Links: terraformNoSerialPortLinks,
- RemediationMarkdown: terraformNoSerialPortRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.EnableSerialPort.IsTrue() {
- results.Add(
- "Instance has serial port enabled.",
- instance.EnableSerialPort,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/no_serial_port.tf.go b/checks/cloud/google/compute/no_serial_port.tf.go
deleted file mode 100644
index 5e107934..00000000
--- a/checks/cloud/google/compute/no_serial_port.tf.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package compute
-
-var terraformNoSerialPortGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- serial-port-enable = false
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoSerialPortBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "default" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- serial-port-enable = true
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformNoSerialPortLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`,
-}
-
-var terraformNoSerialPortRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/project_level_oslogin.go b/checks/cloud/google/compute/project_level_oslogin.go
deleted file mode 100755
index 87f65e10..00000000
--- a/checks/cloud/google/compute/project_level_oslogin.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckProjectLevelOslogin = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0042",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "project-level-oslogin",
- Summary: "OS Login should be enabled at project level",
- Impact: "Access via SSH key cannot be revoked automatically when an IAM user is removed.",
- Resolution: "Enable OS Login at project level",
- Explanation: `OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformProjectLevelOsloginGoodExamples,
- BadExamples: terraformProjectLevelOsloginBadExamples,
- Links: terraformProjectLevelOsloginLinks,
- RemediationMarkdown: terraformProjectLevelOsloginRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- if s.Google.Compute.ProjectMetadata.Metadata.IsManaged() {
- if s.Google.Compute.ProjectMetadata.EnableOSLogin.IsFalse() {
- results.Add(
- "OS Login is disabled at project level.",
- s.Google.Compute.ProjectMetadata.EnableOSLogin,
- )
- } else {
- results.AddPassed(&s.Google.Compute.ProjectMetadata)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/project_level_oslogin.tf.go b/checks/cloud/google/compute/project_level_oslogin.tf.go
deleted file mode 100644
index 5484d919..00000000
--- a/checks/cloud/google/compute/project_level_oslogin.tf.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package compute
-
-var terraformProjectLevelOsloginGoodExamples = []string{
- `
- resource "google_compute_project_metadata" "default" {
- metadata = {
- enable-oslogin = true
- }
- }
- `,
-}
-
-var terraformProjectLevelOsloginBadExamples = []string{
- `
- resource "google_compute_project_metadata" "default" {
- metadata = {
- enable-oslogin = false
- }
- }
- `,
-}
-
-var terraformProjectLevelOsloginLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#`,
-}
-
-var terraformProjectLevelOsloginRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/service.go b/checks/cloud/google/compute/service.go
deleted file mode 100755
index af136198..00000000
--- a/checks/cloud/google/compute/service.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package compute
-
-const service = "compute"
diff --git a/checks/cloud/google/compute/use_secure_tls_policy.go b/checks/cloud/google/compute/use_secure_tls_policy.go
deleted file mode 100755
index 71592f6f..00000000
--- a/checks/cloud/google/compute/use_secure_tls_policy.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckUseSecureTlsPolicy = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0039",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "use-secure-tls-policy",
- Summary: "SSL policies should enforce secure versions of TLS",
- Impact: "Data in transit is not sufficiently secured",
- Resolution: "Enforce a minimum TLS version of 1.2",
- Explanation: `TLS versions prior to 1.2 are outdated and insecure. You should use 1.2 as aminimum version.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformUseSecureTlsPolicyGoodExamples,
- BadExamples: terraformUseSecureTlsPolicyBadExamples,
- Links: terraformUseSecureTlsPolicyLinks,
- RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, policy := range s.Google.Compute.SSLPolicies {
- if policy.Metadata.IsUnmanaged() {
- continue
- }
- if policy.MinimumTLSVersion.NotEqualTo("TLS_1_2") {
- results.Add(
- "TLS policy does not specify a minimum of TLS 1.2",
- policy.MinimumTLSVersion,
- )
- } else {
- results.AddPassed(&policy)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/use_secure_tls_policy.tf.go b/checks/cloud/google/compute/use_secure_tls_policy.tf.go
deleted file mode 100644
index fdedb0ab..00000000
--- a/checks/cloud/google/compute/use_secure_tls_policy.tf.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package compute
-
-var terraformUseSecureTlsPolicyGoodExamples = []string{
- `
- resource "google_compute_ssl_policy" "good_example" {
- name = "production-ssl-policy"
- profile = "MODERN"
- min_tls_version = "TLS_1_2"
- }
- `,
-}
-
-var terraformUseSecureTlsPolicyBadExamples = []string{
- `
- resource "google_compute_ssl_policy" "bad_example" {
- name = "production-ssl-policy"
- profile = "MODERN"
- min_tls_version = "TLS_1_1"
- }
-
- `,
-}
-
-var terraformUseSecureTlsPolicyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy#min_tls_version`,
-}
-
-var terraformUseSecureTlsPolicyRemediationMarkdown = ``
diff --git a/checks/cloud/google/compute/vm_disk_encryption_customer_key.go b/checks/cloud/google/compute/vm_disk_encryption_customer_key.go
deleted file mode 100755
index 63ba66ad..00000000
--- a/checks/cloud/google/compute/vm_disk_encryption_customer_key.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckVmDiskEncryptionCustomerKey = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0033",
- Provider: providers.GoogleProvider,
- Service: "compute",
- ShortCode: "vm-disk-encryption-customer-key",
- Summary: "VM disks should be encrypted with Customer Supplied Encryption Keys",
- Impact: "Using unmanaged keys does not allow for proper management",
- Resolution: "Use managed keys ",
- Explanation: `Using unmanaged keys makes rotation and general management difficult.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformVmDiskEncryptionCustomerKeyGoodExamples,
- BadExamples: terraformVmDiskEncryptionCustomerKeyBadExamples,
- Links: terraformVmDiskEncryptionCustomerKeyLinks,
- RemediationMarkdown: terraformVmDiskEncryptionCustomerKeyRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.Compute.Instances {
- for _, disk := range append(instance.BootDisks, instance.AttachedDisks...) {
- if disk.Encryption.KMSKeyLink.IsEmpty() {
- results.Add(
- "Instance disk encryption does not use a customer managed key.",
- disk.Encryption.KMSKeyLink,
- )
- } else {
- results.AddPassed(&disk)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/compute/vm_disk_encryption_customer_key.tf.go b/checks/cloud/google/compute/vm_disk_encryption_customer_key.tf.go
deleted file mode 100644
index eb2cfb81..00000000
--- a/checks/cloud/google/compute/vm_disk_encryption_customer_key.tf.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package compute
-
-var terraformVmDiskEncryptionCustomerKeyGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "good_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- kms_key_self_link = "something"
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- foo = "bar"
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformVmDiskEncryptionCustomerKeyBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service_account_id"
- display_name = "Service Account"
- }
-
- resource "google_compute_instance" "bad_example" {
- name = "test"
- machine_type = "e2-medium"
- zone = "us-central1-a"
-
- tags = ["foo", "bar"]
-
- boot_disk {
- initialize_params {
- image = "debian-cloud/debian-9"
- }
- }
-
- // Local SSD disk
- scratch_disk {
- interface = "SCSI"
- }
-
- network_interface {
- network = "default"
-
- access_config {
- // Ephemeral IP
- }
- }
-
- metadata = {
- foo = "bar"
- }
-
- metadata_startup_script = "echo hi > /test.txt"
-
- service_account {
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- email = google_service_account.default.email
- scopes = ["cloud-platform"]
- }
- }
- `,
-}
-
-var terraformVmDiskEncryptionCustomerKeyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#kms_key_self_link`,
-}
-
-var terraformVmDiskEncryptionCustomerKeyRemediationMarkdown = ``
diff --git a/checks/cloud/google/dns/enable_dnssec.go b/checks/cloud/google/dns/enable_dnssec.go
deleted file mode 100755
index 92766d25..00000000
--- a/checks/cloud/google/dns/enable_dnssec.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package dns
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableDnssec = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0013",
- Provider: providers.GoogleProvider,
- Service: "dns",
- ShortCode: "enable-dnssec",
- Summary: "Cloud DNS should use DNSSEC",
- Impact: "Unverified DNS responses could lead to man-in-the-middle attacks",
- Resolution: "Enable DNSSEC",
- Explanation: `DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableDnssecGoodExamples,
- BadExamples: terraformEnableDnssecBadExamples,
- Links: terraformEnableDnssecLinks,
- RemediationMarkdown: terraformEnableDnssecRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, zone := range s.Google.DNS.ManagedZones {
- if zone.Metadata.IsUnmanaged() || zone.IsPrivate() {
- continue
- }
- if zone.DNSSec.Enabled.IsFalse() {
- results.Add(
- "Managed zone does not have DNSSEC enabled.",
- zone.DNSSec.Enabled,
- )
- } else {
- results.AddPassed(&zone)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/dns/enable_dnssec.tf.go b/checks/cloud/google/dns/enable_dnssec.tf.go
deleted file mode 100644
index 19fe0b41..00000000
--- a/checks/cloud/google/dns/enable_dnssec.tf.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package dns
-
-var terraformEnableDnssecGoodExamples = []string{
- `
- resource "google_dns_managed_zone" "good_example" {
- name = "example-zone"
- dns_name = "example-${random_id.rnd.hex}.com."
- description = "Example DNS zone"
- labels = {
- foo = "bar"
- }
- dnssec_config {
- state = "on"
- }
- }
-
- resource "random_id" "rnd" {
- byte_length = 4
- }
- `,
-}
-
-var terraformEnableDnssecBadExamples = []string{
- `
- resource "google_dns_managed_zone" "bad_example" {
- name = "example-zone"
- dns_name = "example-${random_id.rnd.hex}.com."
- description = "Example DNS zone"
- labels = {
- foo = "bar"
- }
- dnssec_config {
- state = "off"
- }
- }
-
- resource "random_id" "rnd" {
- byte_length = 4
- }
- `,
-}
-
-var terraformEnableDnssecLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#state`,
-}
-
-var terraformEnableDnssecRemediationMarkdown = ``
diff --git a/checks/cloud/google/dns/no_rsa_sha1.go b/checks/cloud/google/dns/no_rsa_sha1.go
deleted file mode 100755
index 813124e8..00000000
--- a/checks/cloud/google/dns/no_rsa_sha1.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package dns
-
-import (
- "fmt"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoRsaSha1 = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0012",
- Provider: providers.GoogleProvider,
- Service: "dns",
- ShortCode: "no-rsa-sha1",
- Summary: "Zone signing should not use RSA SHA1",
- Impact: "Less secure encryption algorithm than others available",
- Resolution: "Use RSA SHA512",
- Explanation: `RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoRsaSha1GoodExamples,
- BadExamples: terraformNoRsaSha1BadExamples,
- Links: terraformNoRsaSha1Links,
- RemediationMarkdown: terraformNoRsaSha1RemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, zone := range s.Google.DNS.ManagedZones {
- if zone.Metadata.IsUnmanaged() {
- continue
- }
- for _, keySpec := range zone.DNSSec.DefaultKeySpecs {
-
- if keySpec.Algorithm.EqualTo("rsasha1") {
- results.Add(
- fmt.Sprintf("Zone uses %q key type with RSA SHA1 algorithm for signing.", keySpec.KeyType.Value()),
- keySpec.Algorithm,
- )
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/dns/no_rsa_sha1.tf.go b/checks/cloud/google/dns/no_rsa_sha1.tf.go
deleted file mode 100644
index 4a2fc4db..00000000
--- a/checks/cloud/google/dns/no_rsa_sha1.tf.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package dns
-
-var terraformNoRsaSha1GoodExamples = []string{
- `
-resource "google_dns_managed_zone" "example-zone" {
- name = "example-zone"
- dns_name = "example-${random_id.rnd.hex}.com."
-
- dnssec_config {
- state = "on"
- default_key_specs {
- algorithm = "rsasha512"
- key_type = "keySigning"
- }
- default_key_specs {
- algorithm = "rsasha512"
- key_type = "zoneSigning"
- }
- }
-}
- `,
-}
-
-var terraformNoRsaSha1BadExamples = []string{
- `
-resource "google_dns_managed_zone" "example-zone" {
- name = "example-zone"
- dns_name = "example-${random_id.rnd.hex}.com."
-
- dnssec_config {
- state = "on"
- default_key_specs {
- algorithm = "rsasha1"
- key_type = "keySigning"
- }
- default_key_specs {
- algorithm = "rsasha1"
- key_type = "zoneSigning"
- }
- }
-}
- `,
-}
-
-var terraformNoRsaSha1Links = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm`,
-}
-
-var terraformNoRsaSha1RemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_auto_repair.go b/checks/cloud/google/gke/enable_auto_repair.go
deleted file mode 100755
index 8d0710f3..00000000
--- a/checks/cloud/google/gke/enable_auto_repair.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableAutoRepair = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0063",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-auto-repair",
- Summary: "Kubernetes should have 'Automatic repair' enabled",
- Impact: "Failing nodes will require manual repair.",
- Resolution: "Enable automatic repair",
- Explanation: `Automatic repair will monitor nodes and attempt repair when a node fails multiple subsequent health checks`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableAutoRepairGoodExamples,
- BadExamples: terraformEnableAutoRepairBadExamples,
- Links: terraformEnableAutoRepairLinks,
- RemediationMarkdown: terraformEnableAutoRepairRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- for _, nodePool := range cluster.NodePools {
- if nodePool.Management.EnableAutoRepair.IsFalse() {
- results.Add(
- "Node pool does not have auto-repair enabled.",
- nodePool.Management.EnableAutoRepair,
- )
- } else {
- results.AddPassed(&nodePool)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_auto_repair.tf.go b/checks/cloud/google/gke/enable_auto_repair.tf.go
deleted file mode 100644
index 47eeb661..00000000
--- a/checks/cloud/google/gke/enable_auto_repair.tf.go
+++ /dev/null
@@ -1,87 +0,0 @@
-package gke
-
-var terraformEnableAutoRepairGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "good_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- management {
- auto_repair = true
- }
- }
- `,
-}
-
-var terraformEnableAutoRepairBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "bad_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- management {
- auto_repair = false
- }
- }
- `,
-}
-
-var terraformEnableAutoRepairLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_repair`,
-}
-
-var terraformEnableAutoRepairRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_auto_upgrade.go b/checks/cloud/google/gke/enable_auto_upgrade.go
deleted file mode 100755
index 89ff1fd6..00000000
--- a/checks/cloud/google/gke/enable_auto_upgrade.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableAutoUpgrade = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0058",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-auto-upgrade",
- Summary: "Kubernetes should have 'Automatic upgrade' enabled",
- Impact: "Nodes will need the cluster master version manually updating",
- Resolution: "Enable automatic upgrades",
- Explanation: `Automatic updates keep nodes updated with the latest cluster master version.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableAutoUpgradeGoodExamples,
- BadExamples: terraformEnableAutoUpgradeBadExamples,
- Links: terraformEnableAutoUpgradeLinks,
- RemediationMarkdown: terraformEnableAutoUpgradeRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- for _, nodePool := range cluster.NodePools {
- if nodePool.Management.EnableAutoUpgrade.IsFalse() {
- results.Add(
- "Node pool does not have auto-upgraade enabled.",
- nodePool.Management.EnableAutoUpgrade,
- )
- } else {
- results.AddPassed(&nodePool)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_auto_upgrade.tf.go b/checks/cloud/google/gke/enable_auto_upgrade.tf.go
deleted file mode 100644
index d2a61d7a..00000000
--- a/checks/cloud/google/gke/enable_auto_upgrade.tf.go
+++ /dev/null
@@ -1,87 +0,0 @@
-package gke
-
-var terraformEnableAutoUpgradeGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "good_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- management {
- auto_upgrade = true
- }
- }
- `,
-}
-
-var terraformEnableAutoUpgradeBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "bad_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- management {
- auto_upgrade = false
- }
- }
- `,
-}
-
-var terraformEnableAutoUpgradeLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade`,
-}
-
-var terraformEnableAutoUpgradeRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_ip_aliasing.go b/checks/cloud/google/gke/enable_ip_aliasing.go
deleted file mode 100755
index 3f6b0441..00000000
--- a/checks/cloud/google/gke/enable_ip_aliasing.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableIpAliasing = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0049",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-ip-aliasing",
- Summary: "Clusters should have IP aliasing enabled",
- Impact: "Nodes need a NAT gateway to access local services",
- Resolution: "Enable IP aliasing",
- Explanation: `IP aliasing allows the reuse of public IPs internally, removing the need for a NAT gateway.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableIpAliasingGoodExamples,
- BadExamples: terraformEnableIpAliasingBadExamples,
- Links: terraformEnableIpAliasingLinks,
- RemediationMarkdown: terraformEnableIpAliasingRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.IPAllocationPolicy.Enabled.IsFalse() {
- results.Add(
- "Cluster has IP aliasing disabled.",
- cluster.IPAllocationPolicy.Enabled,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_ip_aliasing.tf.go b/checks/cloud/google/gke/enable_ip_aliasing.tf.go
deleted file mode 100644
index fbdc2e47..00000000
--- a/checks/cloud/google/gke/enable_ip_aliasing.tf.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package gke
-
-var terraformEnableIpAliasingGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- ip_allocation_policy {}
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableIpAliasingBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableIpAliasingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#ip_allocation_policy`,
-}
-
-var terraformEnableIpAliasingRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_master_networks.go b/checks/cloud/google/gke/enable_master_networks.go
deleted file mode 100755
index 80ae2958..00000000
--- a/checks/cloud/google/gke/enable_master_networks.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableMasterNetworks = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0061",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-master-networks",
- Summary: "Master authorized networks should be configured on GKE clusters",
- Impact: "Unrestricted network access to the master",
- Resolution: "Enable master authorized networks",
- Explanation: `Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableMasterNetworksGoodExamples,
- BadExamples: terraformEnableMasterNetworksBadExamples,
- Links: terraformEnableMasterNetworksLinks,
- RemediationMarkdown: terraformEnableMasterNetworksRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.MasterAuthorizedNetworks.Enabled.IsFalse() {
- results.Add(
- "Cluster does not have master authorized networks enabled.",
- cluster.MasterAuthorizedNetworks.Enabled,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_master_networks.tf.go b/checks/cloud/google/gke/enable_master_networks.tf.go
deleted file mode 100644
index 34760b4c..00000000
--- a/checks/cloud/google/gke/enable_master_networks.tf.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package gke
-
-var terraformEnableMasterNetworksGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- master_authorized_networks_config {
- cidr_blocks {
- cidr_block = "10.10.128.0/24"
- display_name = "internal"
- }
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableMasterNetworksBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableMasterNetworksLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#`,
-}
-
-var terraformEnableMasterNetworksRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_network_policy.go b/checks/cloud/google/gke/enable_network_policy.go
deleted file mode 100755
index 04400315..00000000
--- a/checks/cloud/google/gke/enable_network_policy.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableNetworkPolicy = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0056",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-network-policy",
- Summary: "Network Policy should be enabled on GKE clusters",
- Impact: "Unrestricted inter-cluster communication",
- Resolution: "Enable network policy",
- Explanation: `Enabling a network policy allows the segregation of network traffic by namespace`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableNetworkPolicyGoodExamples,
- BadExamples: terraformEnableNetworkPolicyBadExamples,
- Links: terraformEnableNetworkPolicyLinks,
- RemediationMarkdown: terraformEnableNetworkPolicyRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.NetworkPolicy.Enabled.IsFalse() &&
- !cluster.EnableAutpilot.IsTrue() &&
- !cluster.DatapathProvider.EqualTo("ADVANCED_DATAPATH") {
- results.Add(
- "Cluster does not have a network policy enabled.",
- cluster.NetworkPolicy.Enabled,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_network_policy.tf.go b/checks/cloud/google/gke/enable_network_policy.tf.go
deleted file mode 100644
index d49c8d59..00000000
--- a/checks/cloud/google/gke/enable_network_policy.tf.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package gke
-
-var terraformEnableNetworkPolicyGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- network_policy {
- enabled = true
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableNetworkPolicyBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- network_policy {
- enabled = false
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableNetworkPolicyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled`,
-}
-
-var terraformEnableNetworkPolicyRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_private_cluster.go b/checks/cloud/google/gke/enable_private_cluster.go
deleted file mode 100755
index f5c3f0d2..00000000
--- a/checks/cloud/google/gke/enable_private_cluster.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnablePrivateCluster = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0059",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-private-cluster",
- Summary: "Clusters should be set to private",
- Impact: "Nodes may be exposed to the public internet",
- Resolution: "Enable private cluster",
- Explanation: `Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnablePrivateClusterGoodExamples,
- BadExamples: terraformEnablePrivateClusterBadExamples,
- Links: terraformEnablePrivateClusterLinks,
- RemediationMarkdown: terraformEnablePrivateClusterRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.PrivateCluster.EnablePrivateNodes.IsFalse() {
- results.Add(
- "Cluster does not have private nodes.",
- cluster.PrivateCluster.EnablePrivateNodes,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_private_cluster.tf.go b/checks/cloud/google/gke/enable_private_cluster.tf.go
deleted file mode 100644
index 270cc0a5..00000000
--- a/checks/cloud/google/gke/enable_private_cluster.tf.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package gke
-
-var terraformEnablePrivateClusterGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- private_cluster_config {
- enable_private_nodes = true
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnablePrivateClusterBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- private_cluster_config {
- enable_private_nodes = false
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnablePrivateClusterLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes`,
-}
-
-var terraformEnablePrivateClusterRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_stackdriver_logging.go b/checks/cloud/google/gke/enable_stackdriver_logging.go
deleted file mode 100755
index 8ac7e0ba..00000000
--- a/checks/cloud/google/gke/enable_stackdriver_logging.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableStackdriverLogging = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0060",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-stackdriver-logging",
- Summary: "Stackdriver Logging should be enabled",
- Impact: "Visibility will be reduced",
- Resolution: "Enable StackDriver logging",
- Explanation: `StackDriver logging provides a useful interface to all of stdout/stderr for each container and should be enabled for moitoring, debugging, etc.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableStackdriverLoggingGoodExamples,
- BadExamples: terraformEnableStackdriverLoggingBadExamples,
- Links: terraformEnableStackdriverLoggingLinks,
- RemediationMarkdown: terraformEnableStackdriverLoggingRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.LoggingService.NotEqualTo("logging.googleapis.com/kubernetes") {
- results.Add(
- "Cluster does not use the logging.googleapis.com/kubernetes StackDriver logging service.",
- cluster.LoggingService,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_stackdriver_logging.tf.go b/checks/cloud/google/gke/enable_stackdriver_logging.tf.go
deleted file mode 100644
index c7fad3ea..00000000
--- a/checks/cloud/google/gke/enable_stackdriver_logging.tf.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package gke
-
-var terraformEnableStackdriverLoggingGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- logging_service = "logging.googleapis.com/kubernetes"
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableStackdriverLoggingBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- logging_service = "logging.googleapis.com"
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableStackdriverLoggingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service`,
-}
-
-var terraformEnableStackdriverLoggingRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/enable_stackdriver_monitoring.go b/checks/cloud/google/gke/enable_stackdriver_monitoring.go
deleted file mode 100755
index 5eda3b10..00000000
--- a/checks/cloud/google/gke/enable_stackdriver_monitoring.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableStackdriverMonitoring = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0052",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "enable-stackdriver-monitoring",
- Summary: "Stackdriver Monitoring should be enabled",
- Impact: "Visibility will be reduced",
- Resolution: "Enable StackDriver monitoring",
- Explanation: `StackDriver monitoring aggregates logs, events, and metrics from your Kubernetes environment on GKE to help you understand your application's behavior in production.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableStackdriverMonitoringGoodExamples,
- BadExamples: terraformEnableStackdriverMonitoringBadExamples,
- Links: terraformEnableStackdriverMonitoringLinks,
- RemediationMarkdown: terraformEnableStackdriverMonitoringRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.MonitoringService.NotEqualTo("monitoring.googleapis.com/kubernetes") {
- results.Add(
- "Cluster does not use the monitoring.googleapis.com/kubernetes StackDriver monitoring service.",
- cluster.MonitoringService,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/enable_stackdriver_monitoring.tf.go b/checks/cloud/google/gke/enable_stackdriver_monitoring.tf.go
deleted file mode 100644
index c7541d30..00000000
--- a/checks/cloud/google/gke/enable_stackdriver_monitoring.tf.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package gke
-
-var terraformEnableStackdriverMonitoringGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- monitoring_service = "monitoring.googleapis.com/kubernetes"
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableStackdriverMonitoringBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- monitoring_service = "monitoring.googleapis.com"
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformEnableStackdriverMonitoringLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service`,
-}
-
-var terraformEnableStackdriverMonitoringRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/metadata_endpoints_disabled.go b/checks/cloud/google/gke/metadata_endpoints_disabled.go
deleted file mode 100755
index b3490d96..00000000
--- a/checks/cloud/google/gke/metadata_endpoints_disabled.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckMetadataEndpointsDisabled = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0048",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "metadata-endpoints-disabled",
- Summary: "Legacy metadata endpoints enabled.",
- Impact: "Legacy metadata endpoints don't require metadata headers",
- Resolution: "Disable legacy metadata endpoints",
- Explanation: `The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.
-
-This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.
-
-Unless specifically required, we recommend you disable these legacy APIs.
-
-When setting the metadata
block, the default value for disable-legacy-endpoints
is set to true, they should not be explicitly enabled.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformMetadataEndpointsDisabledGoodExamples,
- BadExamples: terraformMetadataEndpointsDisabledBadExamples,
- Links: terraformMetadataEndpointsDisabledLinks,
- RemediationMarkdown: terraformMetadataEndpointsDisabledRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.RemoveDefaultNodePool.IsTrue() {
- for _, pool := range cluster.NodePools {
- if pool.NodeConfig.EnableLegacyEndpoints.IsTrue() {
- results.Add(
- "Cluster has legacy metadata endpoints enabled.",
- pool.NodeConfig.EnableLegacyEndpoints,
- )
- }
- }
- } else if cluster.NodeConfig.EnableLegacyEndpoints.IsTrue() {
- results.Add(
- "Cluster has legacy metadata endpoints enabled.",
- cluster.NodeConfig.EnableLegacyEndpoints,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/metadata_endpoints_disabled.tf.go b/checks/cloud/google/gke/metadata_endpoints_disabled.tf.go
deleted file mode 100644
index 0ec8185c..00000000
--- a/checks/cloud/google/gke/metadata_endpoints_disabled.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package gke
-
-var terraformMetadataEndpointsDisabledGoodExamples = []string{
- `
- resource "google_container_cluster" "good_example" {
- node_config {
- metadata = {
- disable-legacy-endpoints = true
- }
- }
- }`,
-}
-
-var terraformMetadataEndpointsDisabledBadExamples = []string{
- `
- resource "google_container_cluster" "bad_example" {
- node_config {
- metadata = {
- disable-legacy-endpoints = false
- }
- }
- }`,
-}
-
-var terraformMetadataEndpointsDisabledLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata`,
-}
-
-var terraformMetadataEndpointsDisabledRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/no_legacy_authentication.go b/checks/cloud/google/gke/no_legacy_authentication.go
deleted file mode 100755
index b04b7c4d..00000000
--- a/checks/cloud/google/gke/no_legacy_authentication.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoLegacyAuthentication = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0064",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "no-legacy-authentication",
- Summary: "Legacy client authentication methods utilized.",
- Impact: "Username/password or certificate authentication methods are less secure",
- Resolution: "Use service account or OAuth for authentication",
- Explanation: `It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster.
-
-Basic authentication should be disabled by explicitly unsetting the username
and password
on the master_auth
block.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoLegacyAuthenticationGoodExamples,
- BadExamples: terraformNoLegacyAuthenticationBadExamples,
- Links: terraformNoLegacyAuthenticationLinks,
- RemediationMarkdown: terraformNoLegacyAuthenticationRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.MasterAuth.ClientCertificate.IssueCertificate.IsTrue() {
- results.Add(
- "Cluster allows the use of certificates for master authentication.",
- cluster.MasterAuth.ClientCertificate.IssueCertificate,
- )
- } else if cluster.MasterAuth.Username.NotEqualTo("") {
- results.Add(
- "Cluster allows the use of basic auth for master authentication.",
- cluster.MasterAuth.Username,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/no_legacy_authentication.tf.go b/checks/cloud/google/gke/no_legacy_authentication.tf.go
deleted file mode 100644
index 953d6ab3..00000000
--- a/checks/cloud/google/gke/no_legacy_authentication.tf.go
+++ /dev/null
@@ -1,88 +0,0 @@
-package gke
-
-var terraformNoLegacyAuthenticationGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformNoLegacyAuthenticationBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- master_auth {
- client_certificate_config {
- issue_client_certificate = true
- }
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformNoLegacyAuthenticationLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_auth`,
-}
-
-var terraformNoLegacyAuthenticationRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/no_public_control_plane.go b/checks/cloud/google/gke/no_public_control_plane.go
deleted file mode 100755
index fc45d54f..00000000
--- a/checks/cloud/google/gke/no_public_control_plane.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicControlPlane = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0053",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "no-public-control-plane",
- Summary: "GKE Control Plane should not be publicly accessible",
- Impact: "GKE control plane exposed to public internet",
- Resolution: "Use private nodes and master authorised networks to prevent exposure",
- Explanation: `The GKE control plane is exposed to the public internet by default.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicControlPlaneGoodExamples,
- BadExamples: terraformNoPublicControlPlaneBadExamples,
- Links: terraformNoPublicControlPlaneLinks,
- RemediationMarkdown: terraformNoPublicControlPlaneRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- for _, block := range cluster.MasterAuthorizedNetworks.CIDRs {
- if cidr.IsPublic(block.Value()) {
- results.Add(
- "Cluster exposes control plane to the public internet.",
- block,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/no_public_control_plane.tf.go b/checks/cloud/google/gke/no_public_control_plane.tf.go
deleted file mode 100644
index d7f075d7..00000000
--- a/checks/cloud/google/gke/no_public_control_plane.tf.go
+++ /dev/null
@@ -1,95 +0,0 @@
-package gke
-
-var terraformNoPublicControlPlaneGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- master_authorized_networks_config {
- cidr_blocks {
- cidr_block = "10.10.128.0/24"
- display_name = "internal"
- }
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformNoPublicControlPlaneBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- master_authorized_networks_config {
- cidr_blocks {
- cidr_block = "0.0.0.0/0"
- display_name = "external"
- }
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformNoPublicControlPlaneLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#`,
-}
-
-var terraformNoPublicControlPlaneRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/node_metadata_security.go b/checks/cloud/google/gke/node_metadata_security.go
deleted file mode 100755
index 8c4523bb..00000000
--- a/checks/cloud/google/gke/node_metadata_security.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNodeMetadataSecurity = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0057",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "node-metadata-security",
- Summary: "Node metadata value disables metadata concealment.",
- Impact: "Metadata that isn't concealed potentially risks leakage of sensitive data",
- Resolution: "Set node metadata to SECURE or GKE_METADATA_SERVER",
- Explanation: `If the workload_metadata_config
block within node_config
is included, the node_metadata
attribute should be configured securely.
-
-The attribute should be set to SECURE
to use metadata concealment, or GKE_METADATA_SERVER
if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#create-concealed",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNodeMetadataSecurityGoodExamples,
- BadExamples: terraformNodeMetadataSecurityBadExamples,
- Links: terraformNodeMetadataSecurityLinks,
- RemediationMarkdown: terraformNodeMetadataSecurityRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsManaged() {
- metadata := cluster.NodeConfig.WorkloadMetadataConfig.NodeMetadata
- if metadata.EqualTo("UNSPECIFIED") || metadata.EqualTo("EXPOSE") {
- results.Add(
- "Cluster exposes node metadata of pools by default.",
- metadata,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- for _, pool := range cluster.NodePools {
- metadata := pool.NodeConfig.WorkloadMetadataConfig.NodeMetadata
- if metadata.EqualTo("UNSPECIFIED") || metadata.EqualTo("EXPOSE") {
- results.Add(
- "Node pool exposes node metadata.",
- metadata,
- )
- } else {
- results.AddPassed(&pool)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/node_metadata_security.tf.go b/checks/cloud/google/gke/node_metadata_security.tf.go
deleted file mode 100644
index 2f21b2b4..00000000
--- a/checks/cloud/google/gke/node_metadata_security.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package gke
-
-var terraformNodeMetadataSecurityGoodExamples = []string{
- `
- resource "google_container_node_pool" "good_example" {
- node_config {
- workload_metadata_config {
- node_metadata = "SECURE"
- }
- }
- }`,
-}
-
-var terraformNodeMetadataSecurityBadExamples = []string{
- `
- resource "google_container_node_pool" "bad_example" {
- node_config {
- workload_metadata_config {
- node_metadata = "EXPOSE"
- }
- }
- }`,
-}
-
-var terraformNodeMetadataSecurityLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_metadata`,
-}
-
-var terraformNodeMetadataSecurityRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/node_pool_uses_cos.go b/checks/cloud/google/gke/node_pool_uses_cos.go
deleted file mode 100755
index 5a9db079..00000000
--- a/checks/cloud/google/gke/node_pool_uses_cos.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- "github.com/aquasecurity/trivy/pkg/iac/types"
-)
-
-var CheckNodePoolUsesCos = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0054",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "node-pool-uses-cos",
- Summary: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image",
- Impact: "COS is the recommended OS image to use on cluster nodes",
- Resolution: "Use the COS image type",
- Explanation: `GKE supports several OS image types but COS is the recommended OS image to use on cluster nodes for enhanced security`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNodePoolUsesCosGoodExamples,
- BadExamples: terraformNodePoolUsesCosBadExamples,
- Links: terraformNodePoolUsesCosLinks,
- RemediationMarkdown: terraformNodePoolUsesCosRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsManaged() {
- if cluster.NodeConfig.ImageType.NotEqualTo("") && cluster.NodeConfig.ImageType.NotEqualTo("COS_CONTAINERD", types.IgnoreCase) && cluster.NodeConfig.ImageType.NotEqualTo("COS", types.IgnoreCase) {
- results.Add(
- "Cluster is not configuring node pools to use the COS containerd image type by default.",
- cluster.NodeConfig.ImageType,
- )
- } else {
- results.AddPassed(&cluster)
- }
- }
- for _, pool := range cluster.NodePools {
- if pool.NodeConfig.ImageType.NotEqualTo("COS_CONTAINERD", types.IgnoreCase) && pool.NodeConfig.ImageType.NotEqualTo("COS", types.IgnoreCase) {
- results.Add(
- "Node pool is not using the COS containerd image type.",
- pool.NodeConfig.ImageType,
- )
- } else {
- results.AddPassed(&pool)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/node_pool_uses_cos.tf.go b/checks/cloud/google/gke/node_pool_uses_cos.tf.go
deleted file mode 100644
index f4e41a50..00000000
--- a/checks/cloud/google/gke/node_pool_uses_cos.tf.go
+++ /dev/null
@@ -1,83 +0,0 @@
-package gke
-
-var terraformNodePoolUsesCosGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "good_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- image_type = "COS"
- }
- }
- `,
-}
-
-var terraformNodePoolUsesCosBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "primary" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "bad_example" {
- name = "my-node-pool"
- cluster = google_container_cluster.primary.id
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- image_type = "something"
- }
- }
- `,
-}
-
-var terraformNodePoolUsesCosLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#image_type`,
-}
-
-var terraformNodePoolUsesCosRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/node_shielding_enabled.go b/checks/cloud/google/gke/node_shielding_enabled.go
deleted file mode 100755
index 33600b86..00000000
--- a/checks/cloud/google/gke/node_shielding_enabled.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNodeShieldingEnabled = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0055",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "node-shielding-enabled",
- Summary: "Shielded GKE nodes not enabled.",
- Impact: "Node identity and integrity can't be verified without shielded GKE nodes",
- Resolution: "Enable node shielding",
- Explanation: `CIS GKE Benchmark Recommendation: 6.5.5. Ensure Shielded GKE Nodes are Enabled
-
-Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes and should be enabled on all GKE clusters.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#shielded_nodes",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNodeShieldingEnabledGoodExamples,
- BadExamples: terraformNodeShieldingEnabledBadExamples,
- Links: terraformNodeShieldingEnabledLinks,
- RemediationMarkdown: terraformNodeShieldingEnabledRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.EnableShieldedNodes.IsFalse() {
- results.Add(
- "Cluster has shielded nodes disabled.",
- cluster.EnableShieldedNodes,
- )
- } else {
- results.AddPassed(&cluster)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/node_shielding_enabled.tf.go b/checks/cloud/google/gke/node_shielding_enabled.tf.go
deleted file mode 100644
index bb41fd12..00000000
--- a/checks/cloud/google/gke/node_shielding_enabled.tf.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package gke
-
-var terraformNodeShieldingEnabledGoodExamples = []string{
- `
- resource "google_container_cluster" "good_example" {
- enable_shielded_nodes = "true"
- }`,
-}
-
-var terraformNodeShieldingEnabledBadExamples = []string{
- `
- resource "google_container_cluster" "bad_example" {
- enable_shielded_nodes = "false"
- }`,
-}
-
-var terraformNodeShieldingEnabledLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes`,
-}
-
-var terraformNodeShieldingEnabledRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/use_cluster_labels.go b/checks/cloud/google/gke/use_cluster_labels.go
deleted file mode 100755
index d4274a6f..00000000
--- a/checks/cloud/google/gke/use_cluster_labels.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckUseClusterLabels = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0051",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "use-cluster-labels",
- Summary: "Clusters should be configured with Labels",
- Impact: "Asset management can be limited/more difficult",
- Resolution: "Set cluster resource labels",
- Explanation: `Labels make it easier to manage assets and differentiate between clusters and environments, allowing the mapping of computational resources to the wider organisational structure.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformUseClusterLabelsGoodExamples,
- BadExamples: terraformUseClusterLabelsBadExamples,
- Links: terraformUseClusterLabelsLinks,
- RemediationMarkdown: terraformUseClusterLabelsRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.ResourceLabels.Len() == 0 {
- results.Add(
- "Cluster does not use GCE resource labels.",
- cluster.ResourceLabels,
- )
- } else {
- results.AddPassed(&cluster)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/use_cluster_labels.tf.go b/checks/cloud/google/gke/use_cluster_labels.tf.go
deleted file mode 100644
index 8bd1d6d0..00000000
--- a/checks/cloud/google/gke/use_cluster_labels.tf.go
+++ /dev/null
@@ -1,86 +0,0 @@
-package gke
-
-var terraformUseClusterLabelsGoodExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "good_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- resource_labels = {
- "env" = "staging"
- }
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformUseClusterLabelsBadExamples = []string{
- `
- resource "google_service_account" "default" {
- account_id = "service-account-id"
- display_name = "Service Account"
- }
-
- resource "google_container_cluster" "bad_example" {
- name = "my-gke-cluster"
- location = "us-central1"
-
- # We can't create a cluster with no node pool defined, but we want to only use
- # separately managed node pools. So we create the smallest possible default
- # node pool and immediately delete it.
- remove_default_node_pool = true
- initial_node_count = 1
- }
-
- resource "google_container_node_pool" "primary_preemptible_nodes" {
- name = "my-node-pool"
- location = "us-central1"
- cluster = google_container_cluster.primary.name
- node_count = 1
-
- node_config {
- preemptible = true
- machine_type = "e2-medium"
-
- # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
- service_account = google_service_account.default.email
- oauth_scopes = [
- "https://www.googleapis.com/auth/cloud-platform"
- ]
- }
- }
- `,
-}
-
-var terraformUseClusterLabelsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels`,
-}
-
-var terraformUseClusterLabelsRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/use_rbac_permissions.go b/checks/cloud/google/gke/use_rbac_permissions.go
deleted file mode 100755
index 39f22887..00000000
--- a/checks/cloud/google/gke/use_rbac_permissions.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckUseRbacPermissions = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0062",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "use-rbac-permissions",
- Summary: "Legacy ABAC permissions are enabled.",
- Impact: "ABAC permissions are less secure than RBAC permissions",
- Resolution: "Switch to using RBAC permissions",
- Explanation: `You should disable Attribute-Based Access Control (ABAC), and instead use Role-Based Access Control (RBAC) in GKE.
-
-RBAC has significant security advantages and is now stable in Kubernetes, so it’s time to disable ABAC.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformUseRbacPermissionsGoodExamples,
- BadExamples: terraformUseRbacPermissionsBadExamples,
- Links: terraformUseRbacPermissionsLinks,
- RemediationMarkdown: terraformUseRbacPermissionsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsUnmanaged() {
- continue
- }
- if cluster.EnableLegacyABAC.IsTrue() {
- results.Add(
- "Cluster has legacy ABAC enabled.",
- cluster.EnableLegacyABAC,
- )
- } else {
- results.AddPassed(&cluster)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/use_rbac_permissions.tf.go b/checks/cloud/google/gke/use_rbac_permissions.tf.go
deleted file mode 100644
index a4dae05d..00000000
--- a/checks/cloud/google/gke/use_rbac_permissions.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package gke
-
-var terraformUseRbacPermissionsGoodExamples = []string{
- `
- resource "google_container_cluster" "good_example" {
- # ...
- # enable_legacy_abac not set
- # ...
- }
- `,
-}
-
-var terraformUseRbacPermissionsBadExamples = []string{
- `
- resource "google_container_cluster" "bad_example" {
- enable_legacy_abac = "true"
- }
- `,
-}
-
-var terraformUseRbacPermissionsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_legacy_abac`,
-}
-
-var terraformUseRbacPermissionsRemediationMarkdown = ``
diff --git a/checks/cloud/google/gke/use_service_account.go b/checks/cloud/google/gke/use_service_account.go
deleted file mode 100755
index bfd0532a..00000000
--- a/checks/cloud/google/gke/use_service_account.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package gke
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckUseServiceAccount = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0050",
- Provider: providers.GoogleProvider,
- Service: "gke",
- ShortCode: "use-service-account",
- Summary: "Checks for service account defined for GKE nodes",
- Impact: "Service accounts with wide permissions can increase the risk of compromise",
- Resolution: "Use limited permissions for service accounts to be effective",
- Explanation: `You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.`,
- Links: []string{
- "https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformUseServiceAccountGoodExamples,
- BadExamples: terraformUseServiceAccountBadExamples,
- Links: terraformUseServiceAccountLinks,
- RemediationMarkdown: terraformUseServiceAccountRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, cluster := range s.Google.GKE.Clusters {
- if cluster.Metadata.IsManaged() {
- if cluster.RemoveDefaultNodePool.IsFalse() {
- if cluster.NodeConfig.ServiceAccount.IsEmpty() {
- results.Add(
- "Cluster does not override the default service account.",
- cluster.NodeConfig.ServiceAccount,
- )
- }
- } else {
- results.AddPassed(&cluster)
- }
- }
- for _, pool := range cluster.NodePools {
- if pool.NodeConfig.ServiceAccount.IsEmpty() {
- results.Add(
- "Node pool does not override the default service account.",
- pool.NodeConfig.ServiceAccount,
- )
- } else {
- results.AddPassed(&pool)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/gke/use_service_account.tf.go b/checks/cloud/google/gke/use_service_account.tf.go
deleted file mode 100644
index 10a0d939..00000000
--- a/checks/cloud/google/gke/use_service_account.tf.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package gke
-
-var terraformUseServiceAccountGoodExamples = []string{
- `
- resource "google_container_cluster" "good_example" {
- node_config {
- service_account = "cool-service-account@example.com"
- }
- }
- `,
-}
-
-var terraformUseServiceAccountBadExamples = []string{
- `
- resource "google_container_cluster" "bad_example" {
- node_config {
- }
- }
- `,
-}
-
-var terraformUseServiceAccountLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#service_account`,
-}
-
-var terraformUseServiceAccountRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.go b/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.go
deleted file mode 100644
index 9cba887b..00000000
--- a/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoConditionOnWorkloadIdentityPoolProvider = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0068",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-conditions-workload-identity-pool-provider",
- Summary: "A configuration for an external workload identity pool provider should have conditions set",
- Impact: "Allows an external attacker to authenticate as the attached service account and act with its permissions",
- Resolution: "Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization",
- Explanation: `In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.`,
- Links: []string{
- "https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoConditionOnWorkloadIdentityPoolProviderGoodExamples,
- BadExamples: terraformNoConditionOnWorkloadIdentityPoolProviderBadExamples,
- Links: terraformNoConditionOnWorkloadIdentityPoolProviderLinks,
- RemediationMarkdown: terraformNoConditionOnWorkloadIdentityPoolProviderMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, provider := range s.Google.IAM.WorkloadIdentityPoolProviders {
- if provider.AttributeCondition.IsEmpty() {
- results.Add(
- "This workload identity pool provider configuration has no conditions set.",
- provider.AttributeCondition,
- )
- } else {
- results.AddPassed(provider)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go b/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go
deleted file mode 100644
index 4eb8dbfd..00000000
--- a/checks/cloud/google/iam/no_conditions_on_workload_identity_pool_provider.tf.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package iam
-
-var terraformNoConditionOnWorkloadIdentityPoolProviderGoodExamples = []string{
- `
- resource "google_iam_workload_identity_pool" "github" {
- provider = google
- project = data.google_project.project.project_id
- workload_identity_pool_id = "github"
- }
-
- resource "google_iam_workload_identity_pool_provider" "github" {
- provider = google
- project = data.google_project.project.project_id
- workload_identity_pool_id = google_iam_workload_identity_pool.github-actions[0].workload_identity_pool_id
- workload_identity_pool_provider_id = "github"
-
- attribute_condition = "assertion.repository_owner=='your-github-organization'"
-
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.actor" = "assertion.actor"
- "attribute.aud" = "assertion.aud"
- "attribute.repository" = "assertion.repository"
- }
-
- oidc {
- issuer_uri = "https://token.actions.githubusercontent.com"
- }
- }
- `,
-}
-
-var terraformNoConditionOnWorkloadIdentityPoolProviderBadExamples = []string{
- `
- resource "google_iam_workload_identity_pool" "github" {
- provider = google
- project = data.google_project.project.project_id
- workload_identity_pool_id = "github"
- }
-
- resource "google_iam_workload_identity_pool_provider" "github" {
- provider = google
- project = data.google_project.project.project_id
- workload_identity_pool_id = google_iam_workload_identity_pool.github-actions[0].workload_identity_pool_id
- workload_identity_pool_provider_id = "github"
-
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.actor" = "assertion.actor"
- "attribute.aud" = "assertion.aud"
- "attribute.repository" = "assertion.repository"
- }
-
- oidc {
- issuer_uri = "https://token.actions.githubusercontent.com"
- }
- }
- `,
-}
-
-var terraformNoConditionOnWorkloadIdentityPoolProviderLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition`,
-}
-
-var terraformNoConditionOnWorkloadIdentityPoolProviderMarkdown = ``
diff --git a/checks/cloud/google/iam/no_default_network.go b/checks/cloud/google/iam/no_default_network.go
deleted file mode 100755
index e4765325..00000000
--- a/checks/cloud/google/iam/no_default_network.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoDefaultNetwork = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0010",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-default-network",
- Summary: "Default network should not be created at project level",
- Impact: "Exposure of internal infrastructure/services to public internet",
- Resolution: "Disable automatic default network creation",
- Explanation: `The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoDefaultNetworkGoodExamples,
- BadExamples: terraformNoDefaultNetworkBadExamples,
- Links: terraformNoDefaultNetworkLinks,
- RemediationMarkdown: terraformNoDefaultNetworkRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- // TODO: check constraints before auto_create_network
- for _, project := range s.Google.IAM.AllProjects() {
- if project.Metadata.IsUnmanaged() {
- continue
- }
- if project.AutoCreateNetwork.IsTrue() {
- results.Add(
- "Project has automatic network creation enabled.",
- project.AutoCreateNetwork,
- )
- } else {
- results.AddPassed(project)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_default_network.tf.go b/checks/cloud/google/iam/no_default_network.tf.go
deleted file mode 100644
index a7e48269..00000000
--- a/checks/cloud/google/iam/no_default_network.tf.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package iam
-
-var terraformNoDefaultNetworkGoodExamples = []string{
- `
- resource "google_project" "good_example" {
- name = "My Project"
- project_id = "your-project-id"
- org_id = "1234567"
- auto_create_network = false
- }
- `,
-}
-
-var terraformNoDefaultNetworkBadExamples = []string{
- `
- resource "google_project" "bad_example" {
- name = "My Project"
- project_id = "your-project-id"
- org_id = "1234567"
- auto_create_network = true
- }
- `,
-}
-
-var terraformNoDefaultNetworkLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project#auto_create_network`,
-}
-
-var terraformNoDefaultNetworkRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.go b/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.go
deleted file mode 100755
index 4316cb4e..00000000
--- a/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.go
+++ /dev/null
@@ -1,90 +0,0 @@
-package iam
-
-import (
- "strings"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckNoFolderLevelDefaultServiceAccountAssignment = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0004",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-folder-level-default-service-account-assignment",
- Summary: "Roles should not be assigned to default service accounts",
- Impact: "Violation of principal of least privilege",
- Resolution: "Use specialised service accounts for specific purposes.",
- Explanation: `Default service accounts should not be used - consider creating specialised service accounts for individual purposes.`,
- Links: []string{
- "",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoFolderLevelDefaultServiceAccountAssignmentGoodExamples,
- BadExamples: terraformNoFolderLevelDefaultServiceAccountAssignmentBadExamples,
- Links: terraformNoFolderLevelDefaultServiceAccountAssignmentLinks,
- RemediationMarkdown: terraformNoFolderLevelDefaultServiceAccountAssignmentRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, folder := range s.Google.IAM.AllFolders() {
- for _, member := range folder.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.DefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at folder level.",
- member.DefaultServiceAccount,
- )
- } else if isMemberDefaultServiceAccount(member.Member.Value()) {
- results.Add(
- "Role is assigned to a default service account at folder level.",
- member.Member,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range folder.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.IncludesDefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at folder level.",
- binding.IncludesDefaultServiceAccount,
- )
- continue
- }
- for _, member := range binding.Members {
- if isMemberDefaultServiceAccount(member.Value()) {
- results.Add(
- "Role is assigned to a default service account at folder level.",
- member,
- )
- } else {
- results.AddPassed(member)
- }
- }
- }
-
- }
- return
- },
-)
-
-func isMemberDefaultServiceAccount(member string) bool {
- return strings.HasSuffix(member, "-compute@developer.gserviceaccount.com") || strings.HasSuffix(member, "@appspot.gserviceaccount.com")
-}
diff --git a/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.tf.go b/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.tf.go
deleted file mode 100644
index cea419dc..00000000
--- a/checks/cloud/google/iam/no_folder_level_default_service_account_assignment.tf.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package iam
-
-var terraformNoFolderLevelDefaultServiceAccountAssignmentGoodExamples = []string{
- `
- resource "google_service_account" "test" {
- account_id = "account123"
- display_name = "account123"
- }
-
- resource "google_folder_iam_member" "folder-123" {
- folder = "folder-123"
- role = "roles/whatever"
- member = "serviceAccount:${google_service_account.test.email}"
- }
- `,
-}
-
-var terraformNoFolderLevelDefaultServiceAccountAssignmentBadExamples = []string{
- `
- resource "google_folder_iam_member" "folder-123" {
- folder = "folder-123"
- role = "roles/whatever"
- member = "123-compute@developer.gserviceaccount.com"
- }
- `, `
- resource "google_folder_iam_member" "folder-123" {
- folder = "folder-123"
- role = "roles/whatever"
- member = "123@appspot.gserviceaccount.com"
- }
- `, `
- data "google_compute_default_service_account" "default" {
- }
-
- resource "google_folder_iam_member" "folder-123" {
- folder = "folder-123"
- role = "roles/whatever"
- member = data.google_compute_default_service_account.default.id
- }
- `,
-}
-
-var terraformNoFolderLevelDefaultServiceAccountAssignmentLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam`, ``,
-}
-
-var terraformNoFolderLevelDefaultServiceAccountAssignmentRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_folder_level_service_account_impersonation.go b/checks/cloud/google/iam/no_folder_level_service_account_impersonation.go
deleted file mode 100755
index a104e4a2..00000000
--- a/checks/cloud/google/iam/no_folder_level_service_account_impersonation.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoFolderLevelServiceAccountImpersonation = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0005",
- Provider: providers.GoogleProvider,
- Service: "IAM",
- ShortCode: "no-folder-level-service-account-impersonation",
- Summary: "Users should not be granted service account access at the folder level",
- Impact: "Privilege escalation, impersonation of any/all services",
- Resolution: "Provide access at the service-level instead of folder-level, if required",
- Explanation: `Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.`,
- Links: []string{
- "https://cloud.google.com/iam/docs/impersonating-service-accounts",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoFolderLevelServiceAccountImpersonationGoodExamples,
- BadExamples: terraformNoFolderLevelServiceAccountImpersonationBadExamples,
- Links: terraformNoFolderLevelServiceAccountImpersonationLinks,
- RemediationMarkdown: terraformNoFolderLevelServiceAccountImpersonationRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, folder := range s.Google.IAM.AllFolders() {
- for _, member := range folder.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at folder level.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range folder.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at folder level.",
- binding.Role,
- )
- } else {
- results.AddPassed(&binding)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_folder_level_service_account_impersonation.tf.go b/checks/cloud/google/iam/no_folder_level_service_account_impersonation.tf.go
deleted file mode 100644
index dd7eecb5..00000000
--- a/checks/cloud/google/iam/no_folder_level_service_account_impersonation.tf.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package iam
-
-var terraformNoFolderLevelServiceAccountImpersonationGoodExamples = []string{
- `
- resource "google_folder_iam_binding" "folder-123" {
- folder = "folder-123"
- role = "roles/nothingInParticular"
- }
- `,
-}
-
-var terraformNoFolderLevelServiceAccountImpersonationBadExamples = []string{
- `
- resource "google_folder_iam_binding" "folder-123" {
- folder = "folder-123"
- role = "roles/iam.serviceAccountUser"
- }
- `, `
- resource "google_folder_iam_binding" "folder-123" {
- folder = "folder-123"
- role = "roles/iam.serviceAccountTokenCreator"
- }
- `,
-}
-
-var terraformNoFolderLevelServiceAccountImpersonationLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam`,
-}
-
-var terraformNoFolderLevelServiceAccountImpersonationRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_org_level_default_service_account_assignment.go b/checks/cloud/google/iam/no_org_level_default_service_account_assignment.go
deleted file mode 100755
index afc9a506..00000000
--- a/checks/cloud/google/iam/no_org_level_default_service_account_assignment.go
+++ /dev/null
@@ -1,77 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoOrgLevelDefaultServiceAccountAssignment = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0008",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-org-level-default-service-account-assignment",
- Summary: "Roles should not be assigned to default service accounts",
- Impact: "Violation of principal of least privilege",
- Resolution: "Use specialised service accounts for specific purposes.",
- Explanation: `Default service accounts should not be used - consider creating specialised service accounts for individual purposes.`,
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoOrgLevelDefaultServiceAccountAssignmentGoodExamples,
- BadExamples: terraformNoOrgLevelDefaultServiceAccountAssignmentBadExamples,
- Links: terraformNoOrgLevelDefaultServiceAccountAssignmentLinks,
- RemediationMarkdown: terraformNoOrgLevelDefaultServiceAccountAssignmentRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, org := range s.Google.IAM.Organizations {
- for _, binding := range org.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.IncludesDefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at organisation level.",
- binding.IncludesDefaultServiceAccount,
- )
- } else {
- for _, member := range binding.Members {
- if isMemberDefaultServiceAccount(member.Value()) {
- results.Add(
- "Role is assigned to a default service account at organisation level.",
- member,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
- for _, member := range org.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if isMemberDefaultServiceAccount(member.Member.Value()) {
- results.Add(
- "Role is assigned to a default service account at organisation level.",
- member.Member,
- )
- } else if member.DefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at organisation level.",
- member.DefaultServiceAccount,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_org_level_default_service_account_assignment.tf.go b/checks/cloud/google/iam/no_org_level_default_service_account_assignment.tf.go
deleted file mode 100644
index 7b562722..00000000
--- a/checks/cloud/google/iam/no_org_level_default_service_account_assignment.tf.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package iam
-
-var terraformNoOrgLevelDefaultServiceAccountAssignmentGoodExamples = []string{
- `
- resource "google_service_account" "test" {
- account_id = "account123"
- display_name = "account123"
- }
-
- resource "google_organization_iam_member" "org-123" {
- org_id = "org-123"
- role = "roles/whatever"
- member = "serviceAccount:${google_service_account.test.email}"
- }
- `,
-}
-
-var terraformNoOrgLevelDefaultServiceAccountAssignmentBadExamples = []string{
- `
- resource "google_organization_iam_member" "org-123" {
- org_id = "organization-123"
- role = "roles/whatever"
- member = "123-compute@developer.gserviceaccount.com"
- }
- `, `
- resource "google_organization_iam_member" "org-123" {
- org_id = "org-123"
- role = "roles/whatever"
- member = "123@appspot.gserviceaccount.com"
- }
- `, `
- data "google_compute_default_service_account" "default" {
- }
-
- resource "google_organization_iam_member" "org-123" {
- org_id = "org-123"
- role = "roles/whatever"
- member = data.google_compute_default_service_account.default.id
- }
- `,
-}
-
-var terraformNoOrgLevelDefaultServiceAccountAssignmentLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam`, ``,
-}
-
-var terraformNoOrgLevelDefaultServiceAccountAssignmentRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_org_level_service_account_impersonation.go b/checks/cloud/google/iam/no_org_level_service_account_impersonation.go
deleted file mode 100755
index 57599266..00000000
--- a/checks/cloud/google/iam/no_org_level_service_account_impersonation.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoOrgLevelServiceAccountImpersonation = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0009",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-org-level-service-account-impersonation",
- Summary: "Users should not be granted service account access at the organization level",
- Impact: "Privilege escalation, impersonation of any/all services",
- Resolution: "Provide access at the service-level instead of organization-level, if required",
- Explanation: `Users with service account access at organization level can impersonate any service account. Instead, they should be given access to particular service accounts as required.`,
- Links: []string{
- "https://cloud.google.com/iam/docs/impersonating-service-accounts",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoOrgLevelServiceAccountImpersonationGoodExamples,
- BadExamples: terraformNoOrgLevelServiceAccountImpersonationBadExamples,
- Links: terraformNoOrgLevelServiceAccountImpersonationLinks,
- RemediationMarkdown: terraformNoOrgLevelServiceAccountImpersonationRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, org := range s.Google.IAM.Organizations {
- for _, member := range org.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at organization level.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range org.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at organization level.",
- binding.Role,
- )
- } else {
- results.AddPassed(&binding)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_org_level_service_account_impersonation.tf.go b/checks/cloud/google/iam/no_org_level_service_account_impersonation.tf.go
deleted file mode 100644
index 602cb773..00000000
--- a/checks/cloud/google/iam/no_org_level_service_account_impersonation.tf.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package iam
-
-var terraformNoOrgLevelServiceAccountImpersonationGoodExamples = []string{
- `
- resource "google_organization_iam_binding" "organization-123" {
- org_id = "org-123"
- role = "roles/nothingInParticular"
- }
- `,
-}
-
-var terraformNoOrgLevelServiceAccountImpersonationBadExamples = []string{
- `
- resource "google_organization_iam_binding" "organization-123" {
- org_id = "org-123"
- role = "roles/iam.serviceAccountUser"
- }
- `, `
- resource "google_organization_iam_binding" "organization-123" {
- org_id = "org-123"
- role = "roles/iam.serviceAccountTokenCreator"
- }
- `,
-}
-
-var terraformNoOrgLevelServiceAccountImpersonationLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam`,
-}
-
-var terraformNoOrgLevelServiceAccountImpersonationRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_privileged_service_accounts.go b/checks/cloud/google/iam/no_privileged_service_accounts.go
deleted file mode 100755
index a591d156..00000000
--- a/checks/cloud/google/iam/no_privileged_service_accounts.go
+++ /dev/null
@@ -1,166 +0,0 @@
-package iam
-
-import (
- "strings"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckNoPrivilegedServiceAccounts = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0007",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-privileged-service-accounts",
- Summary: "Service accounts should not have roles assigned with excessive privileges",
- Impact: "Cloud account takeover if a resource using a service account is compromised",
- Resolution: "Limit service account access to minimal required set",
- Explanation: `Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account.`,
- Links: []string{
- "https://cloud.google.com/iam/docs/understanding-roles",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPrivilegedServiceAccountsGoodExamples,
- BadExamples: terraformNoPrivilegedServiceAccountsBadExamples,
- Links: terraformNoPrivilegedServiceAccountsLinks,
- RemediationMarkdown: terraformNoPrivilegedServiceAccountsRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, project := range s.Google.IAM.AllProjects() {
- for _, member := range project.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("serviceAccount:") {
- if isRolePrivileged(member.Role.Value()) {
- results.Add(
- "Service account is granted a privileged role.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- }
- for _, binding := range project.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if isRolePrivileged(binding.Role.Value()) {
- for _, member := range binding.Members {
- if member.StartsWith("serviceAccount:") {
- results.Add(
- "Service account is granted a privileged role.",
- binding.Role,
- )
- } else {
- results.AddPassed(&binding)
- }
-
- }
- }
- }
- }
- for _, folder := range s.Google.IAM.AllFolders() {
- for _, member := range folder.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("serviceAccount:") {
- if isRolePrivileged(member.Role.Value()) {
- results.Add(
- "Service account is granted a privileged role.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- }
- for _, binding := range folder.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if isRolePrivileged(binding.Role.Value()) {
- for _, member := range binding.Members {
- if member.StartsWith("serviceAccount:") {
- results.Add(
- "Service account is granted a privileged role.",
- binding.Role,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
-
- }
-
- for _, org := range s.Google.IAM.Organizations {
- for _, member := range org.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("serviceAccount:") {
- if isRolePrivileged(member.Role.Value()) {
- results.Add(
- "Service account is granted a privileged role.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- }
- for _, binding := range org.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if isRolePrivileged(binding.Role.Value()) {
- for _, member := range binding.Members {
- if member.StartsWith("serviceAccount:") {
- results.Add(
- "Service account is granted a privileged role.",
- binding.Role,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
-
- }
-
- return
- },
-)
-
-func isRolePrivileged(role string) bool {
- switch {
- case role == "roles/owner":
- return true
- case role == "roles/editor":
- return true
- case strings.HasSuffix(strings.ToLower(role), "admin"):
- return true
- }
- return false
-}
diff --git a/checks/cloud/google/iam/no_privileged_service_accounts.tf.go b/checks/cloud/google/iam/no_privileged_service_accounts.tf.go
deleted file mode 100644
index f7912d66..00000000
--- a/checks/cloud/google/iam/no_privileged_service_accounts.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package iam
-
-var terraformNoPrivilegedServiceAccountsGoodExamples = []string{
- `
- resource "google_service_account" "test" {
- account_id = "account123"
- display_name = "account123"
- email = "jim@tfsec.dev"
- }
-
- resource "google_project_iam_member" "project" {
- project = "your-project-id"
- role = "roles/logging.logWriter"
- member = "serviceAccount:${google_service_account.test.email}"
- }
- `,
-}
-
-var terraformNoPrivilegedServiceAccountsBadExamples = []string{
- `
- resource "google_service_account" "test" {
- account_id = "account123"
- display_name = "account123"
- email = "jim@tfsec.dev"
- }
-
- resource "google_project_iam_member" "project" {
- project = "your-project-id"
- role = "roles/owner"
- member = "serviceAccount:${google_service_account.test.email}"
- }
- `,
-}
-
-var terraformNoPrivilegedServiceAccountsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam`,
-}
-
-var terraformNoPrivilegedServiceAccountsRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_project_level_default_service_account_assignment.go b/checks/cloud/google/iam/no_project_level_default_service_account_assignment.go
deleted file mode 100755
index d95b8857..00000000
--- a/checks/cloud/google/iam/no_project_level_default_service_account_assignment.go
+++ /dev/null
@@ -1,80 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoProjectLevelDefaultServiceAccountAssignment = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0006",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-project-level-default-service-account-assignment",
- Summary: "Roles should not be assigned to default service accounts",
- Impact: "Violation of principal of least privilege",
- Resolution: "Use specialised service accounts for specific purposes.",
- Explanation: `Default service accounts should not be used - consider creating specialised service accounts for individual purposes.`,
- Links: []string{
- "",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoProjectLevelDefaultServiceAccountAssignmentGoodExamples,
- BadExamples: terraformNoProjectLevelDefaultServiceAccountAssignmentBadExamples,
- Links: terraformNoProjectLevelDefaultServiceAccountAssignmentLinks,
- RemediationMarkdown: terraformNoProjectLevelDefaultServiceAccountAssignmentRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, project := range s.Google.IAM.AllProjects() {
- for _, binding := range project.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.IncludesDefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at project level.",
- binding.IncludesDefaultServiceAccount,
- )
- } else {
- for _, member := range binding.Members {
- if isMemberDefaultServiceAccount(member.Value()) {
- results.Add(
- "Role is assigned to a default service account at project level.",
- member,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
- for _, member := range project.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.DefaultServiceAccount.IsTrue() {
- results.Add(
- "Role is assigned to a default service account at project level.",
- member.DefaultServiceAccount,
- )
- } else if isMemberDefaultServiceAccount(member.Member.Value()) {
- results.Add(
- "Role is assigned to a default service account at project level.",
- member.Member,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_project_level_default_service_account_assignment.tf.go b/checks/cloud/google/iam/no_project_level_default_service_account_assignment.tf.go
deleted file mode 100644
index 6e98dd6e..00000000
--- a/checks/cloud/google/iam/no_project_level_default_service_account_assignment.tf.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package iam
-
-var terraformNoProjectLevelDefaultServiceAccountAssignmentGoodExamples = []string{
- `
- resource "google_service_account" "test" {
- account_id = "account123"
- display_name = "account123"
- }
-
- resource "google_project_iam_member" "project-123" {
- project = "project-123"
- role = "roles/whatever"
- member = "serviceAccount:${google_service_account.test.email}"
- }
- `,
-}
-
-var terraformNoProjectLevelDefaultServiceAccountAssignmentBadExamples = []string{
- `
- resource "google_project_iam_member" "project-123" {
- project = "project-123"
- role = "roles/whatever"
- member = "123-compute@developer.gserviceaccount.com"
- }
- `, `
- resource "google_project_iam_member" "project-123" {
- project = "project-123"
- role = "roles/whatever"
- member = "123@appspot.gserviceaccount.com"
- }
- `, `
- data "google_compute_default_service_account" "default" {
- }
-
- resource "google_project_iam_member" "project-123" {
- project = "project-123"
- role = "roles/whatever"
- member = data.google_compute_default_service_account.default.id
- }
- `,
-}
-
-var terraformNoProjectLevelDefaultServiceAccountAssignmentLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam`, ``,
-}
-
-var terraformNoProjectLevelDefaultServiceAccountAssignmentRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_project_level_service_account_impersonation.go b/checks/cloud/google/iam/no_project_level_service_account_impersonation.go
deleted file mode 100755
index 919b5d7a..00000000
--- a/checks/cloud/google/iam/no_project_level_service_account_impersonation.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoProjectLevelServiceAccountImpersonation = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0011",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-project-level-service-account-impersonation",
- Summary: "Users should not be granted service account access at the project level",
- Impact: "Privilege escalation, impersonation of any/all services",
- Resolution: "Provide access at the service-level instead of project-level, if required",
- Explanation: `Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.`,
- Links: []string{
- "https://cloud.google.com/iam/docs/impersonating-service-accounts",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoProjectLevelServiceAccountImpersonationGoodExamples,
- BadExamples: terraformNoProjectLevelServiceAccountImpersonationBadExamples,
- Links: terraformNoProjectLevelServiceAccountImpersonationLinks,
- RemediationMarkdown: terraformNoProjectLevelServiceAccountImpersonationRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, project := range s.Google.IAM.AllProjects() {
- for _, member := range project.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at project level.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
- }
- for _, binding := range project.Bindings {
- if binding.Metadata.IsUnmanaged() {
- continue
- }
- if binding.Role.IsOneOf("roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator") {
- results.Add(
- "Service account access is granted to a user at project level.",
- binding.Role,
- )
- } else {
- results.AddPassed(&binding)
- }
-
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_project_level_service_account_impersonation.tf.go b/checks/cloud/google/iam/no_project_level_service_account_impersonation.tf.go
deleted file mode 100644
index 8ecccb69..00000000
--- a/checks/cloud/google/iam/no_project_level_service_account_impersonation.tf.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package iam
-
-var terraformNoProjectLevelServiceAccountImpersonationGoodExamples = []string{
- `
- resource "google_project_iam_binding" "project-123" {
- project = "project-123"
- role = "roles/nothingInParticular"
- }
- `,
-}
-
-var terraformNoProjectLevelServiceAccountImpersonationBadExamples = []string{
- `
- resource "google_project_iam_binding" "project-123" {
- project = "project-123"
- role = "roles/iam.serviceAccountUser"
- }
- `, `
- resource "google_project_iam_binding" "project-123" {
- project = "project-123"
- role = "roles/iam.serviceAccountTokenCreator"
- }
- `,
-}
-
-var terraformNoProjectLevelServiceAccountImpersonationLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam`,
-}
-
-var terraformNoProjectLevelServiceAccountImpersonationRemediationMarkdown = ``
diff --git a/checks/cloud/google/iam/no_user_granted_permissions.go b/checks/cloud/google/iam/no_user_granted_permissions.go
deleted file mode 100755
index dbe69357..00000000
--- a/checks/cloud/google/iam/no_user_granted_permissions.go
+++ /dev/null
@@ -1,131 +0,0 @@
-package iam
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoUserGrantedPermissions = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0003",
- Provider: providers.GoogleProvider,
- Service: "iam",
- ShortCode: "no-user-granted-permissions",
- Summary: "IAM granted directly to user.",
- Impact: "Users shouldn't have permissions granted to them directly",
- Resolution: "Roles should be granted permissions and assigned to users",
- Explanation: `Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.
-
-Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.
-
-Permissions should be granted on roles, groups, services accounts instead.`,
- Links: []string{
- "https://cloud.google.com/iam/docs/overview#permissions",
- "https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoUserGrantedPermissionsGoodExamples,
- BadExamples: terraformNoUserGrantedPermissionsBadExamples,
- Links: terraformNoUserGrantedPermissionsLinks,
- RemediationMarkdown: terraformNoUserGrantedPermissionsRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, project := range s.Google.IAM.AllProjects() {
- for _, member := range project.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range project.Bindings {
- for _, member := range binding.Members {
- if member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- binding.Role,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
-
- for _, folder := range s.Google.IAM.AllFolders() {
- for _, member := range folder.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range folder.Bindings {
- for _, member := range binding.Members {
- if member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- binding.Role,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
-
- for _, org := range s.Google.IAM.Organizations {
- for _, member := range org.Members {
- if member.Metadata.IsUnmanaged() {
- continue
- }
- if member.Member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- member.Role,
- )
- } else {
- results.AddPassed(&member)
- }
-
- }
- for _, binding := range org.Bindings {
- for _, member := range binding.Members {
- if member.StartsWith("user:") {
- results.Add(
- "Permissions are granted directly to a user.",
- binding.Role,
- )
- } else {
- results.AddPassed(member)
- }
-
- }
- }
- }
-
- return
- },
-)
diff --git a/checks/cloud/google/iam/no_user_granted_permissions.tf.go b/checks/cloud/google/iam/no_user_granted_permissions.tf.go
deleted file mode 100644
index c0a0194f..00000000
--- a/checks/cloud/google/iam/no_user_granted_permissions.tf.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package iam
-
-var terraformNoUserGrantedPermissionsGoodExamples = []string{
- `
- resource "google_project_iam_binding" "good_example" {
- members = [
- "group:test@example.com",
- ]
- }
-
- resource "google_storage_bucket_iam_member" "good_example" {
- member = "serviceAccount:test@example.com"
- }`,
-}
-
-var terraformNoUserGrantedPermissionsBadExamples = []string{
- `
- resource "google_project_iam_binding" "bad_example" {
- members = [
- "user:test@example.com",
- ]
- }
-
- resource "google_project_iam_member" "bad_example" {
- member = "user:test@example.com"
- }
- `,
-}
-
-var terraformNoUserGrantedPermissionsLinks = []string{
- `https://www.terraform.io/docs/providers/google/d/iam_policy.html#members`,
-}
-
-var terraformNoUserGrantedPermissionsRemediationMarkdown = ``
diff --git a/checks/cloud/google/kms/rotate_kms_keys.go b/checks/cloud/google/kms/rotate_kms_keys.go
deleted file mode 100755
index 71c51b93..00000000
--- a/checks/cloud/google/kms/rotate_kms_keys.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package kms
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckRotateKmsKeys = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0065",
- Provider: providers.GoogleProvider,
- Service: "kms",
- ShortCode: "rotate-kms-keys",
- Summary: "KMS keys should be rotated at least every 90 days",
- Impact: "Exposure is greater if the same keys are used over a long period",
- Resolution: "Set key rotation period to 90 days",
- Explanation: `Keys should be rotated on a regular basis to limit exposure if a given key should become compromised.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformRotateKmsKeysGoodExamples,
- BadExamples: terraformRotateKmsKeysBadExamples,
- Links: terraformRotateKmsKeysLinks,
- RemediationMarkdown: terraformRotateKmsKeysRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, keyring := range s.Google.KMS.KeyRings {
- for _, key := range keyring.Keys {
- if key.RotationPeriodSeconds.GreaterThan(7776000) {
- results.Add(
- "Key has a rotation period of more than 90 days.",
- key.RotationPeriodSeconds,
- )
- } else {
- results.AddPassed(&key)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/kms/rotate_kms_keys.tf.go b/checks/cloud/google/kms/rotate_kms_keys.tf.go
deleted file mode 100644
index fb3cff01..00000000
--- a/checks/cloud/google/kms/rotate_kms_keys.tf.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package kms
-
-var terraformRotateKmsKeysGoodExamples = []string{
- `
- resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
- }
-
- resource "google_kms_crypto_key" "example-key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "7776000s"
-
- lifecycle {
- prevent_destroy = true
- }
- }
- `,
-}
-
-var terraformRotateKmsKeysBadExamples = []string{
- `
- resource "google_kms_key_ring" "keyring" {
- name = "keyring-example"
- location = "global"
- }
-
- resource "google_kms_crypto_key" "example-key" {
- name = "crypto-key-example"
- key_ring = google_kms_key_ring.keyring.id
- rotation_period = "15552000s"
-
- lifecycle {
- prevent_destroy = true
- }
- }
- `,
-}
-
-var terraformRotateKmsKeysLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key#rotation_period`,
-}
-
-var terraformRotateKmsKeysRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/enable_backup.go b/checks/cloud/google/sql/enable_backup.go
deleted file mode 100755
index 663fca00..00000000
--- a/checks/cloud/google/sql/enable_backup.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableBackup = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0024",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "enable-backup",
- Summary: "Enable automated backups to recover from data-loss",
- Impact: "No recovery of lost or corrupted data",
- Resolution: "Enable automated backups",
- Explanation: `Automated backups are not enabled by default. Backups are an easy way to restore data in a corruption or data-loss scenario.`,
- Links: []string{
- "https://cloud.google.com/sql/docs/mysql/backup-recovery/backups",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableBackupGoodExamples,
- BadExamples: terraformEnableBackupBadExamples,
- Links: terraformEnableBackupLinks,
- RemediationMarkdown: terraformEnableBackupRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() || instance.IsReplica.IsTrue() {
- continue
- }
- if instance.Settings.Backups.Enabled.IsFalse() {
- results.Add(
- "Database instance does not have backups enabled.",
- instance.Settings.Backups.Enabled,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/enable_backup.tf.go b/checks/cloud/google/sql/enable_backup.tf.go
deleted file mode 100644
index 867648a1..00000000
--- a/checks/cloud/google/sql/enable_backup.tf.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package sql
-
-var terraformEnableBackupGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- backup_configuration {
- enabled = true
- }
- }
- }
- `,
- `
-resource "google_sql_database_instance" "new_instance_sql_replica" {
- name = "replica"
- region = "europe-west3"
- database_version = "POSTGRES_14"
- master_instance_name = google_sql_database_instance.instance[0].name
- deletion_protection = terraform.workspace == "prod" ? true : false
-
- replica_configuration {
- connect_retry_interval = 0
- failover_target = false
- master_heartbeat_period = 0
- }
-}
-`,
-}
-
-var terraformEnableBackupBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- backup_configuration {
- enabled = false
- }
- }
- }
- `,
-}
-
-var terraformEnableBackupLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#settings.backup_configuration.enabled=true`,
-}
-
-var terraformEnableBackupRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/enable_pg_temp_file_logging.go b/checks/cloud/google/sql/enable_pg_temp_file_logging.go
deleted file mode 100755
index a8bafa4d..00000000
--- a/checks/cloud/google/sql/enable_pg_temp_file_logging.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnablePgTempFileLogging = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0014",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "enable-pg-temp-file-logging",
- Summary: "Temporary file logging should be enabled for all temporary files.",
- Impact: "Use of temporary files will not be logged",
- Resolution: "Enable temporary file logging for all files",
- Explanation: `Temporary files are not logged by default. To log all temporary files, a value of ` + "`" + `0` + "`" + ` should set in the ` + "`" + `log_temp_files` + "`" + ` flag - as all files greater in size than the number of bytes set in this flag will be logged.`,
- Links: []string{
- "https://postgresqlco.nf/doc/en/param/log_temp_files/",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnablePgTempFileLoggingGoodExamples,
- BadExamples: terraformEnablePgTempFileLoggingBadExamples,
- Links: terraformEnablePgTempFileLoggingLinks,
- RemediationMarkdown: terraformEnablePgTempFileLoggingRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogTempFileSize.LessThan(0) {
- results.Add(
- "Database instance has temporary file logging disabled.",
- instance.Settings.Flags.LogTempFileSize,
- )
- } else if instance.Settings.Flags.LogTempFileSize.GreaterThan(0) {
- results.Add(
- "Database instance has temporary file logging disabled for files of certain sizes.",
- instance.Settings.Flags.LogTempFileSize,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/enable_pg_temp_file_logging.tf.go b/checks/cloud/google/sql/enable_pg_temp_file_logging.tf.go
deleted file mode 100644
index dc17b1bf..00000000
--- a/checks/cloud/google/sql/enable_pg_temp_file_logging.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package sql
-
-var terraformEnablePgTempFileLoggingGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_temp_files"
- value = "0"
- }
- }
- }
- `,
-}
-
-var terraformEnablePgTempFileLoggingBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- }
- `,
-}
-
-var terraformEnablePgTempFileLoggingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformEnablePgTempFileLoggingRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/encrypt_in_transit_data.go b/checks/cloud/google/sql/encrypt_in_transit_data.go
deleted file mode 100755
index 690554cc..00000000
--- a/checks/cloud/google/sql/encrypt_in_transit_data.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEncryptInTransitData = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0015",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "encrypt-in-transit-data",
- Summary: "SSL connections to a SQL database instance should be enforced.",
- Impact: "Intercepted data can be read in transit",
- Resolution: "Enforce SSL for all connections",
- Explanation: `In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.`,
- Links: []string{
- "https://cloud.google.com/sql/docs/mysql/configure-ssl-instance",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEncryptInTransitDataGoodExamples,
- BadExamples: terraformEncryptInTransitDataBadExamples,
- Links: terraformEncryptInTransitDataLinks,
- RemediationMarkdown: terraformEncryptInTransitDataRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.Settings.IPConfiguration.RequireTLS.IsFalse() {
- results.Add(
- "Database instance does not require TLS for all connections.",
- instance.Settings.IPConfiguration.RequireTLS,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/encrypt_in_transit_data.tf.go b/checks/cloud/google/sql/encrypt_in_transit_data.tf.go
deleted file mode 100644
index 63878789..00000000
--- a/checks/cloud/google/sql/encrypt_in_transit_data.tf.go
+++ /dev/null
@@ -1,91 +0,0 @@
-package sql
-
-var terraformEncryptInTransitDataGoodExamples = []string{
- `
- # For terraform-provider-google < 6.0.1
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "108.12.12.0/24"
- name = "internal"
- }
- require_ssl = true
- }
- }
- }
- `,
- `
- # For terraform-provider-google >= 6.0.1
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "108.12.12.0/24"
- name = "internal"
- }
- ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
- }
- }
- }
- `,
-}
-
-var terraformEncryptInTransitDataBadExamples = []string{
- `
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "108.12.12.0/24"
- name = "internal"
- }
- require_ssl = false
- }
- }
- }
- `,
- `
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "108.12.12.0/24"
- name = "internal"
- }
- ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
- }
- }
- }
-`,
-}
-
-var terraformEncryptInTransitDataLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformEncryptInTransitDataRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/mysql_no_local_infile.go b/checks/cloud/google/sql/mysql_no_local_infile.go
deleted file mode 100755
index 0a308214..00000000
--- a/checks/cloud/google/sql/mysql_no_local_infile.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckMysqlNoLocalInfile = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0026",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "mysql-no-local-infile",
- Summary: "Disable local_infile setting in MySQL",
- Impact: "Arbitrary files read by attackers when combined with a SQL injection vulnerability.",
- Resolution: "Disable the local infile setting",
- Explanation: `Arbitrary files can be read from the system using LOAD_DATA unless this setting is disabled.`,
- Links: []string{
- "https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformMysqlNoLocalInfileGoodExamples,
- BadExamples: terraformMysqlNoLocalInfileBadExamples,
- Links: terraformMysqlNoLocalInfileLinks,
- RemediationMarkdown: terraformMysqlNoLocalInfileRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyMySQL {
- continue
- }
- if instance.Settings.Flags.LocalInFile.IsTrue() {
- results.Add(
- "Database instance has local file read access enabled.",
- instance.Settings.Flags.LocalInFile,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/mysql_no_local_infile.tf.go b/checks/cloud/google/sql/mysql_no_local_infile.tf.go
deleted file mode 100644
index a460e9b4..00000000
--- a/checks/cloud/google/sql/mysql_no_local_infile.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformMysqlNoLocalInfileGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "MYSQL_5_6"
- region = "us-central1"
- settings {
- database_flags {
- name = "local_infile"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformMysqlNoLocalInfileBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "MYSQL_5_6"
- region = "us-central1"
- settings {
- database_flags {
- name = "local_infile"
- value = "on"
- }
- }
- }
- `,
-}
-
-var terraformMysqlNoLocalInfileLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`, `https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html`,
-}
-
-var terraformMysqlNoLocalInfileRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/no_contained_db_auth.go b/checks/cloud/google/sql/no_contained_db_auth.go
deleted file mode 100755
index d2fe9015..00000000
--- a/checks/cloud/google/sql/no_contained_db_auth.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoContainedDbAuth = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0023",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "no-contained-db-auth",
- Summary: "Contained database authentication should be disabled",
- Impact: "Access can be granted without knowledge of the database administrator",
- Resolution: "Disable contained database authentication",
- Explanation: `Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator`,
- Links: []string{
- "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoContainedDbAuthGoodExamples,
- BadExamples: terraformNoContainedDbAuthBadExamples,
- Links: terraformNoContainedDbAuthLinks,
- RemediationMarkdown: terraformNoContainedDbAuthRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilySQLServer {
- continue
- }
- if instance.Settings.Flags.ContainedDatabaseAuthentication.IsTrue() {
- results.Add(
- "Database instance has contained database authentication enabled.",
- instance.Settings.Flags.ContainedDatabaseAuthentication,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/no_contained_db_auth.tf.go b/checks/cloud/google/sql/no_contained_db_auth.tf.go
deleted file mode 100644
index 440191aa..00000000
--- a/checks/cloud/google/sql/no_contained_db_auth.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package sql
-
-var terraformNoContainedDbAuthGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "SQLSERVER_2017_STANDARD"
- region = "us-central1"
- settings {
- database_flags {
- name = "contained database authentication"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformNoContainedDbAuthBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "SQLSERVER_2017_STANDARD"
- region = "us-central1"
- }
- `,
-}
-
-var terraformNoContainedDbAuthLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformNoContainedDbAuthRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/no_cross_db_ownership_chaining.go b/checks/cloud/google/sql/no_cross_db_ownership_chaining.go
deleted file mode 100755
index 1f77cfb8..00000000
--- a/checks/cloud/google/sql/no_cross_db_ownership_chaining.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCrossDbOwnershipChaining = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0019",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "no-cross-db-ownership-chaining",
- Summary: "Cross-database ownership chaining should be disabled",
- Impact: "Unintended access to sensitive data",
- Resolution: "Disable cross database ownership chaining",
- Explanation: `Cross-database ownership chaining, also known as cross-database chaining, is a security feature of SQL Server that allows users of databases access to other databases besides the one they are currently using.`,
- Links: []string{
- "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCrossDbOwnershipChainingGoodExamples,
- BadExamples: terraformNoCrossDbOwnershipChainingBadExamples,
- Links: terraformNoCrossDbOwnershipChainingLinks,
- RemediationMarkdown: terraformNoCrossDbOwnershipChainingRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilySQLServer {
- continue
- }
- if instance.Settings.Flags.CrossDBOwnershipChaining.IsTrue() {
- results.Add(
- "Database instance has cross database ownership chaining enabled.",
- instance.Settings.Flags.CrossDBOwnershipChaining,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/no_cross_db_ownership_chaining.tf.go b/checks/cloud/google/sql/no_cross_db_ownership_chaining.tf.go
deleted file mode 100644
index 01238201..00000000
--- a/checks/cloud/google/sql/no_cross_db_ownership_chaining.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package sql
-
-var terraformNoCrossDbOwnershipChainingGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "SQLSERVER_2017_STANDARD"
- region = "us-central1"
- settings {
- database_flags {
- name = "cross db ownership chaining"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformNoCrossDbOwnershipChainingBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "SQLSERVER_2017_STANDARD"
- region = "us-central1"
- }
- `,
-}
-
-var terraformNoCrossDbOwnershipChainingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformNoCrossDbOwnershipChainingRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/no_public_access.go b/checks/cloud/google/sql/no_public_access.go
deleted file mode 100755
index 3c1ebe25..00000000
--- a/checks/cloud/google/sql/no_public_access.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0017",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "no-public-access",
- Summary: "Ensure that Cloud SQL Database Instances are not publicly exposed",
- Impact: "Public exposure of sensitive data",
- Resolution: "Remove public access from database instances",
- Explanation: `Database instances should be configured so that they are not available over the public internet, but to internal compute resources which access them.`,
- Links: []string{
- "https://www.cloudconformity.com/knowledge-base/gcp/CloudSQL/publicly-accessible-cloud-sql-instances.html",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicAccessGoodExamples,
- BadExamples: terraformNoPublicAccessBadExamples,
- Links: terraformNoPublicAccessLinks,
- RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.Settings.IPConfiguration.EnableIPv4.IsTrue() {
- results.Add(
- "Database instance is granted a public internet address.",
- instance.Settings.IPConfiguration.EnableIPv4,
- )
- }
- for _, network := range instance.Settings.IPConfiguration.AuthorizedNetworks {
- if cidr.IsPublic(network.CIDR.Value()) {
- results.Add(
- "Database instance allows access from the public internet.",
- network.CIDR,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/no_public_access.tf.go b/checks/cloud/google/sql/no_public_access.tf.go
deleted file mode 100644
index 258e31ab..00000000
--- a/checks/cloud/google/sql/no_public_access.tf.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-var terraformNoPublicAccessGoodExamples = []string{
- `
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "10.0.0.1/24"
- name = "internal"
- }
- }
- }
- }
- `,
-}
-
-var terraformNoPublicAccessBadExamples = []string{
- `
- resource "google_sql_database_instance" "postgres" {
- name = "postgres-instance-a"
- database_version = "POSTGRES_11"
-
- settings {
- tier = "db-f1-micro"
-
- ip_configuration {
- ipv4_enabled = false
- authorized_networks {
- value = "108.12.12.0/24"
- name = "internal"
- }
-
- authorized_networks {
- value = "0.0.0.0/0"
- name = "internet"
- }
- }
- }
- }
- `,
-}
-
-var terraformNoPublicAccessLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformNoPublicAccessRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_log_checkpoints.go b/checks/cloud/google/sql/pg_log_checkpoints.go
deleted file mode 100755
index 6d0fc9bb..00000000
--- a/checks/cloud/google/sql/pg_log_checkpoints.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgLogCheckpoints = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0025",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-log-checkpoints",
- Summary: "Ensure that logging of checkpoints is enabled.",
- Impact: "Insufficient diagnostic data.",
- Resolution: "Enable checkpoints logging.",
- Explanation: `Logging checkpoints provides useful diagnostic data, which can identify performance issues in an application and potential DoS vectors.`,
- Links: []string{
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CHECKPOINTS",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgLogCheckpointsGoodExamples,
- BadExamples: terraformPgLogCheckpointsBadExamples,
- Links: terraformPgLogCheckpointsLinks,
- RemediationMarkdown: terraformPgLogCheckpointsRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogCheckpoints.IsFalse() {
- results.Add(
- "Database instance is not configured to log checkpoints.",
- instance.Settings.Flags.LogCheckpoints,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_log_checkpoints.tf.go b/checks/cloud/google/sql/pg_log_checkpoints.tf.go
deleted file mode 100644
index ee9c0afd..00000000
--- a/checks/cloud/google/sql/pg_log_checkpoints.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgLogCheckpointsGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_checkpoints"
- value = "on"
- }
- }
- }
- `,
-}
-
-var terraformPgLogCheckpointsBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_checkpoints"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformPgLogCheckpointsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgLogCheckpointsRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_log_connections.go b/checks/cloud/google/sql/pg_log_connections.go
deleted file mode 100755
index cf958759..00000000
--- a/checks/cloud/google/sql/pg_log_connections.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgLogConnections = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0016",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-log-connections",
- Summary: "Ensure that logging of connections is enabled.",
- Impact: "Insufficient diagnostic data.",
- Resolution: "Enable connection logging.",
- Explanation: `Logging connections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.`,
- Links: []string{
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CONNECTIONS",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgLogConnectionsGoodExamples,
- BadExamples: terraformPgLogConnectionsBadExamples,
- Links: terraformPgLogConnectionsLinks,
- RemediationMarkdown: terraformPgLogConnectionsRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogConnections.IsFalse() {
- results.Add(
- "Database instance is not configured to log connections.",
- instance.Settings.Flags.LogConnections,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_log_connections.tf.go b/checks/cloud/google/sql/pg_log_connections.tf.go
deleted file mode 100644
index 538068c0..00000000
--- a/checks/cloud/google/sql/pg_log_connections.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgLogConnectionsGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_connections"
- value = "on"
- }
- }
- }
- `,
-}
-
-var terraformPgLogConnectionsBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_connections"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformPgLogConnectionsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgLogConnectionsRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_log_disconnections.go b/checks/cloud/google/sql/pg_log_disconnections.go
deleted file mode 100755
index be777691..00000000
--- a/checks/cloud/google/sql/pg_log_disconnections.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgLogDisconnections = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0022",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-log-disconnections",
- Summary: "Ensure that logging of disconnections is enabled.",
- Impact: "Insufficient diagnostic data.",
- Resolution: "Enable disconnection logging.",
- Explanation: `Logging disconnections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.`,
- Links: []string{
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-DISCONNECTIONS",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgLogDisconnectionsGoodExamples,
- BadExamples: terraformPgLogDisconnectionsBadExamples,
- Links: terraformPgLogDisconnectionsLinks,
- RemediationMarkdown: terraformPgLogDisconnectionsRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogDisconnections.IsFalse() {
- results.Add(
- "Database instance is not configured to log disconnections.",
- instance.Settings.Flags.LogDisconnections,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_log_disconnections.tf.go b/checks/cloud/google/sql/pg_log_disconnections.tf.go
deleted file mode 100644
index 63843e76..00000000
--- a/checks/cloud/google/sql/pg_log_disconnections.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgLogDisconnectionsGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_disconnections"
- value = "on"
- }
- }
- }
- `,
-}
-
-var terraformPgLogDisconnectionsBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_disconnections"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformPgLogDisconnectionsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgLogDisconnectionsRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_log_errors.go b/checks/cloud/google/sql/pg_log_errors.go
deleted file mode 100755
index 80c77488..00000000
--- a/checks/cloud/google/sql/pg_log_errors.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgLogErrors = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0018",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-log-errors",
- Summary: "Ensure that Postgres errors are logged",
- Impact: "Loss of error logging",
- Resolution: "Set the minimum log severity to at least ERROR",
- Explanation: `Setting the minimum log severity too high will cause errors not to be logged`,
- Links: []string{
- "https://postgresqlco.nf/doc/en/param/log_min_messages/",
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-MESSAGES",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgLogErrorsGoodExamples,
- BadExamples: terraformPgLogErrorsBadExamples,
- Links: terraformPgLogErrorsLinks,
- RemediationMarkdown: terraformPgLogErrorsRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogMinMessages.IsOneOf("FATAL", "PANIC", "LOG") {
- results.Add(
- "Database instance is not configured to log errors.",
- instance.Settings.Flags.LogMinMessages,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_log_errors.tf.go b/checks/cloud/google/sql/pg_log_errors.tf.go
deleted file mode 100644
index 482ef089..00000000
--- a/checks/cloud/google/sql/pg_log_errors.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgLogErrorsGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_min_messages"
- value = "WARNING"
- }
- }
- }
- `,
-}
-
-var terraformPgLogErrorsBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_min_messages"
- value = "PANIC"
- }
- }
- }
- `,
-}
-
-var terraformPgLogErrorsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgLogErrorsRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_log_lock_waits.go b/checks/cloud/google/sql/pg_log_lock_waits.go
deleted file mode 100755
index 16c840ed..00000000
--- a/checks/cloud/google/sql/pg_log_lock_waits.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgLogLockWaits = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0020",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-log-lock-waits",
- Summary: "Ensure that logging of lock waits is enabled.",
- Impact: "Issues leading to denial of service may not be identified.",
- Resolution: "Enable lock wait logging.",
- Explanation: `Lock waits are often an indication of poor performance and often an indicator of a potential denial of service vulnerability, therefore occurrences should be logged for analysis.`,
- Links: []string{
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-LOCK-WAITS",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgLogLockWaitsGoodExamples,
- BadExamples: terraformPgLogLockWaitsBadExamples,
- Links: terraformPgLogLockWaitsLinks,
- RemediationMarkdown: terraformPgLogLockWaitsRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogLockWaits.IsFalse() {
- results.Add(
- "Database instance is not configured to log lock waits.",
- instance.Settings.Flags.LogLockWaits,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_log_lock_waits.tf.go b/checks/cloud/google/sql/pg_log_lock_waits.tf.go
deleted file mode 100644
index d6d4f3d4..00000000
--- a/checks/cloud/google/sql/pg_log_lock_waits.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgLogLockWaitsGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_lock_waits"
- value = "on"
- }
- }
- }
- `,
-}
-
-var terraformPgLogLockWaitsBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_lock_waits"
- value = "off"
- }
- }
- }
- `,
-}
-
-var terraformPgLogLockWaitsLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgLogLockWaitsRemediationMarkdown = ``
diff --git a/checks/cloud/google/sql/pg_no_min_statement_logging.go b/checks/cloud/google/sql/pg_no_min_statement_logging.go
deleted file mode 100755
index fdefd4a1..00000000
--- a/checks/cloud/google/sql/pg_no_min_statement_logging.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package sql
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/providers/google/sql"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckPgNoMinStatementLogging = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0021",
- Provider: providers.GoogleProvider,
- Service: "sql",
- ShortCode: "pg-no-min-statement-logging",
- Summary: "Ensure that logging of long statements is disabled.",
- Impact: "Sensitive data could be exposed in the database logs.",
- Resolution: "Disable minimum duration statement logging completely",
- Explanation: `Logging of statements which could contain sensitive data is not advised, therefore this setting should preclude all statements from being logged.`,
- Links: []string{
- "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-DURATION-STATEMENT",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformPgNoMinStatementLoggingGoodExamples,
- BadExamples: terraformPgNoMinStatementLoggingBadExamples,
- Links: terraformPgNoMinStatementLoggingLinks,
- RemediationMarkdown: terraformPgNoMinStatementLoggingRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Google.SQL.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres {
- continue
- }
- if instance.Settings.Flags.LogMinDurationStatement.NotEqualTo(-1) {
- results.Add(
- "Database instance is configured to log statements.",
- instance.Settings.Flags.LogMinDurationStatement,
- )
- } else {
- results.AddPassed(&instance)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/google/sql/pg_no_min_statement_logging.tf.go b/checks/cloud/google/sql/pg_no_min_statement_logging.tf.go
deleted file mode 100644
index 4db208fc..00000000
--- a/checks/cloud/google/sql/pg_no_min_statement_logging.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package sql
-
-var terraformPgNoMinStatementLoggingGoodExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_min_duration_statement"
- value = "-1"
- }
- }
- }
- `,
-}
-
-var terraformPgNoMinStatementLoggingBadExamples = []string{
- `
- resource "google_sql_database_instance" "db" {
- name = "db"
- database_version = "POSTGRES_12"
- region = "us-central1"
- settings {
- database_flags {
- name = "log_min_duration_statement"
- value = "99"
- }
- }
- }
- `,
-}
-
-var terraformPgNoMinStatementLoggingLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance`,
-}
-
-var terraformPgNoMinStatementLoggingRemediationMarkdown = ``
diff --git a/checks/cloud/google/storage/bucket_encryption_customer_key.go b/checks/cloud/google/storage/bucket_encryption_customer_key.go
deleted file mode 100755
index ab9807ab..00000000
--- a/checks/cloud/google/storage/bucket_encryption_customer_key.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package storage
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckBucketEncryptionCustomerKey = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0066",
- Provider: providers.GoogleProvider,
- Service: "storage",
- ShortCode: "bucket-encryption-customer-key",
- Summary: "Cloud Storage buckets should be encrypted with a customer-managed key.",
- Impact: "Using unmanaged keys does not allow for proper key management.",
- Resolution: "Encrypt Cloud Storage buckets using customer-managed keys.",
- Explanation: `Using unmanaged keys makes rotation and general management difficult.`,
- Links: []string{
- "https://cloud.google.com/storage/docs/encryption/customer-managed-keys",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformBucketEncryptionCustomerKeyGoodExamples,
- BadExamples: terraformBucketEncryptionCustomerKeyBadExamples,
- Links: terraformBucketEncryptionCustomerKeyLinks,
- RemediationMarkdown: terraformBucketEncryptionCustomerKeyRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, bucket := range s.Google.Storage.Buckets {
- if bucket.Metadata.IsUnmanaged() {
- continue
- }
- if bucket.Encryption.DefaultKMSKeyName.IsEmpty() {
- results.Add(
- "Storage bucket encryption does not use a customer-managed key.",
- bucket.Encryption.DefaultKMSKeyName,
- )
- } else {
- results.AddPassed(&bucket)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/storage/bucket_encryption_customer_key.tf.go b/checks/cloud/google/storage/bucket_encryption_customer_key.tf.go
deleted file mode 100644
index 78c73a06..00000000
--- a/checks/cloud/google/storage/bucket_encryption_customer_key.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package storage
-
-var terraformBucketEncryptionCustomerKeyGoodExamples = []string{
- `
- resource "google_storage_bucket" "default" {
- name = "my-default-bucket"
- location = "EU"
- force_destroy = true
- uniform_bucket_level_access = true
-
- encryption {
- default_kms_key_name = "projects/my-pet-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"
- }
- }
- `,
-}
-
-var terraformBucketEncryptionCustomerKeyBadExamples = []string{
- `
- resource "google_storage_bucket" "default" {
- name = "my-default-bucket"
- location = "EU"
- force_destroy = true
- uniform_bucket_level_access = true
- }
- `,
-}
-
-var terraformBucketEncryptionCustomerKeyLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#encryption`,
-}
-
-var terraformBucketEncryptionCustomerKeyRemediationMarkdown = ``
diff --git a/checks/cloud/google/storage/enable_ubla.go b/checks/cloud/google/storage/enable_ubla.go
deleted file mode 100755
index ea974af4..00000000
--- a/checks/cloud/google/storage/enable_ubla.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package storage
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckEnableUbla = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0002",
- Provider: providers.GoogleProvider,
- Service: "storage",
- ShortCode: "enable-ubla",
- Summary: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled",
- Impact: "ACLs are difficult to manage and often lead to incorrect/unintended configurations.",
- Resolution: "Enable uniform bucket level access to provide a uniform permissioning system.",
- Explanation: `When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.`,
- Links: []string{
- "https://cloud.google.com/storage/docs/uniform-bucket-level-access",
- "https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformEnableUblaGoodExamples,
- BadExamples: terraformEnableUblaBadExamples,
- Links: terraformEnableUblaLinks,
- RemediationMarkdown: terraformEnableUblaRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, bucket := range s.Google.Storage.Buckets {
- if bucket.Metadata.IsUnmanaged() {
- continue
- }
- if bucket.EnableUniformBucketLevelAccess.IsFalse() {
- results.Add(
- "Bucket has uniform bucket level access disabled.",
- bucket.EnableUniformBucketLevelAccess,
- )
- } else {
- results.AddPassed(&bucket)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/google/storage/enable_ubla.tf.go b/checks/cloud/google/storage/enable_ubla.tf.go
deleted file mode 100644
index 3c126b43..00000000
--- a/checks/cloud/google/storage/enable_ubla.tf.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package storage
-
-var terraformEnableUblaGoodExamples = []string{
- `
- resource "google_storage_bucket" "static-site" {
- name = "image-store.com"
- location = "EU"
- force_destroy = true
-
- uniform_bucket_level_access = true
-
- website {
- main_page_suffix = "index.html"
- not_found_page = "404.html"
- }
- cors {
- origin = ["http://image-store.com"]
- method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
- response_header = ["*"]
- max_age_seconds = 3600
- }
- }
- `,
-}
-
-var terraformEnableUblaBadExamples = []string{
- `
- resource "google_storage_bucket" "static-site" {
- name = "image-store.com"
- location = "EU"
- force_destroy = true
-
- uniform_bucket_level_access = false
-
- website {
- main_page_suffix = "index.html"
- not_found_page = "404.html"
- }
- cors {
- origin = ["http://image-store.com"]
- method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
- response_header = ["*"]
- max_age_seconds = 3600
- }
- }
- `,
-}
-
-var terraformEnableUblaLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#uniform_bucket_level_access`,
-}
-
-var terraformEnableUblaRemediationMarkdown = ``
diff --git a/checks/cloud/google/storage/no_public_access.go b/checks/cloud/google/storage/no_public_access.go
deleted file mode 100755
index ef92b14e..00000000
--- a/checks/cloud/google/storage/no_public_access.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package storage
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-GCP-0001",
- Provider: providers.GoogleProvider,
- Service: "storage",
- ShortCode: "no-public-access",
- Summary: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible.",
- Impact: "Public exposure of sensitive data.",
- Resolution: "Restrict public access to the bucket.",
- Explanation: `Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.`,
- Links: []string{
- "https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicAccessGoodExamples,
- BadExamples: terraformNoPublicAccessBadExamples,
- Links: terraformNoPublicAccessLinks,
- RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, bucket := range s.Google.Storage.Buckets {
- for _, binding := range bucket.Bindings {
- for _, member := range binding.Members {
- if googleIAMMemberIsExternal(member.Value()) {
- results.Add(
- "Bucket allows public access.",
- member,
- )
- } else {
- results.AddPassed(member)
- }
- }
- }
- for _, member := range bucket.Members {
- if googleIAMMemberIsExternal(member.Member.Value()) {
- results.Add(
- "Bucket allows public access.",
- member.Member,
- )
- } else {
- results.AddPassed(member.Member)
- }
- }
- }
- return
- },
-)
-
-func googleIAMMemberIsExternal(member string) bool {
- return member == "allUsers" || member == "allAuthenticatedUsers"
-}
diff --git a/checks/cloud/google/storage/no_public_access.tf.go b/checks/cloud/google/storage/no_public_access.tf.go
deleted file mode 100644
index a0960185..00000000
--- a/checks/cloud/google/storage/no_public_access.tf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package storage
-
-var terraformNoPublicAccessGoodExamples = []string{
- `
- resource "google_storage_bucket_iam_binding" "binding" {
- bucket = google_storage_bucket.default.name
- role = "roles/storage.admin"
- members = [
- "user:jane@example.com",
- ]
- }
- `,
-}
-
-var terraformNoPublicAccessBadExamples = []string{
- `
- resource "google_storage_bucket_iam_binding" "binding" {
- bucket = google_storage_bucket.default.name
- role = "roles/storage.admin"
- members = [
- "allAuthenticatedUsers",
- ]
- }
- `,
-}
-
-var terraformNoPublicAccessLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members`,
-}
-
-var terraformNoPublicAccessRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group.go b/checks/cloud/nifcloud/computing/add_description_to_security_group.go
deleted file mode 100755
index 50fa9359..00000000
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package computing
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddDescriptionToSecurityGroup = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0002",
- Aliases: []string{"nifcloud-computing-add-description-to-security-group"},
- Provider: providers.NifcloudProvider,
- Service: "computing",
- ShortCode: "add-description-to-security-group",
- Summary: "Missing description for security group.",
- Impact: "Descriptions provide context for the firewall rule reasons",
- Resolution: "Add descriptions for all security groups",
- Explanation: `Security groups should include a description for auditing purposes.
-
-Simplifies auditing, debugging, and managing security groups.`,
- Links: []string{
- "https://pfs.nifcloud.com/help/fw/change.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddDescriptionToSecurityGroupGoodExamples,
- BadExamples: terraformAddDescriptionToSecurityGroupBadExamples,
- Links: terraformAddDescriptionToSecurityGroupLinks,
- RemediationMarkdown: terraformAddDescriptionToSecurityGroupRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.Computing.SecurityGroups {
- if group.Metadata.IsUnmanaged() {
- continue
- }
- if group.Description.IsEmpty() {
- results.Add(
- "Security group does not have a description.",
- group.Description,
- )
- } else if group.Description.EqualTo("Managed by Terraform") {
- results.Add(
- "Security group explicitly uses the default description.",
- group.Description,
- )
- } else {
- results.AddPassed(&group)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group.tf.go b/checks/cloud/nifcloud/computing/add_description_to_security_group.tf.go
deleted file mode 100644
index 7565d1e4..00000000
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package computing
-
-var terraformAddDescriptionToSecurityGroupGoodExamples = []string{
- `
- resource "nifcloud_security_group" "good_example" {
- group_name = "http"
- description = "Allow inbound HTTP traffic"
- }
- `,
-}
-
-var terraformAddDescriptionToSecurityGroupBadExamples = []string{
- `
- resource "nifcloud_security_group" "bad_example" {
- group_name = "http"
- description = ""
- }
- `,
-}
-
-var terraformAddDescriptionToSecurityGroupLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group#description`,
-}
-
-var terraformAddDescriptionToSecurityGroupRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.go b/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.go
deleted file mode 100755
index 17890e71..00000000
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package computing
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddDescriptionToSecurityGroupRule = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0003",
- Aliases: []string{"nifcloud-computing-add-description-to-security-group-rule"},
- Provider: providers.NifcloudProvider,
- Service: "computing",
- ShortCode: "add-description-to-security-group-rule",
- Summary: "Missing description for security group rule.",
- Impact: "Descriptions provide context for the firewall rule reasons",
- Resolution: "Add descriptions for all security groups rules",
- Explanation: `Security group rules should include a description for auditing purposes.
-
-Simplifies auditing, debugging, and managing security groups.`,
- Links: []string{
- "https://pfs.nifcloud.com/help/fw/rule_new.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddDescriptionToSecurityGroupRuleGoodExamples,
- BadExamples: terraformAddDescriptionToSecurityGroupRuleBadExamples,
- Links: terraformAddDescriptionToSecurityGroupRuleLinks,
- RemediationMarkdown: terraformAddDescriptionToSecurityGroupRuleRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.Computing.SecurityGroups {
- for _, rule := range append(group.EgressRules, group.IngressRules...) {
- if rule.Description.IsEmpty() {
- results.Add(
- "Security group rule does not have a description.",
- rule.Description,
- )
- } else {
- results.AddPassed(&rule)
- }
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.tf.go b/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.tf.go
deleted file mode 100644
index 41dd4968..00000000
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.tf.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package computing
-
-var terraformAddDescriptionToSecurityGroupRuleGoodExamples = []string{
- `
- resource "nifcloud_security_group_rule" "good_example" {
- type = "IN"
- description = "HTTP from VPC"
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_ip = nifcloud_private_lan.main.cidr_block
- }
- `,
-}
-
-var terraformAddDescriptionToSecurityGroupRuleBadExamples = []string{
- `
- resource "nifcloud_security_group_rule" "bad_example" {
- type = "IN"
- description = ""
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_ip = nifcloud_private_lan.main.cidr_block
- }
-
- `,
-}
-
-var terraformAddDescriptionToSecurityGroupRuleLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group_rule#description`,
-}
-
-var terraformAddDescriptionToSecurityGroupRuleRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/computing/add_security_group_to_instance.go b/checks/cloud/nifcloud/computing/add_security_group_to_instance.go
deleted file mode 100755
index d90d7ea5..00000000
--- a/checks/cloud/nifcloud/computing/add_security_group_to_instance.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package computing
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddSecurityGroupToInstance = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0004",
- Aliases: []string{"nifcloud-computing-add-security-group-to-instance"},
- Provider: providers.NifcloudProvider,
- Service: "computing",
- ShortCode: "add-security-group-to-instance",
- Summary: "Missing security group for instance.",
- Impact: "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.",
- Resolution: "Add security group for all instances",
- Explanation: "Need to add a security group to your instance.",
- Links: []string{
- "https://pfs.nifcloud.com/help/server/change_fw.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddSecurityGroupToInstanceGoodExamples,
- BadExamples: terraformAddSecurityGroupToInstanceBadExamples,
- Links: terraformAddSecurityGroupToInstanceLinks,
- RemediationMarkdown: terraformAddSecurityGroupToInstanceRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.Computing.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.SecurityGroup.IsEmpty() {
- results.Add(
- "Instance does not have a securiy group.",
- instance.SecurityGroup,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/computing/add_security_group_to_instance.tf.go b/checks/cloud/nifcloud/computing/add_security_group_to_instance.tf.go
deleted file mode 100644
index 9e547484..00000000
--- a/checks/cloud/nifcloud/computing/add_security_group_to_instance.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package computing
-
-var terraformAddSecurityGroupToInstanceGoodExamples = []string{
- `
- resource "nifcloud_instance" "good_example" {
- image_id = data.nifcloud_image.ubuntu.id
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToInstanceBadExamples = []string{
- `
- resource "nifcloud_instance" "bad_example" {
- image_id = data.nifcloud_image.ubuntu.id
- security_group = ""
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToInstanceLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#security_group`,
-}
-
-var terraformAddSecurityGroupToInstanceRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/computing/no_common_private_instance.go b/checks/cloud/nifcloud/computing/no_common_private_instance.go
deleted file mode 100755
index daf6a74b..00000000
--- a/checks/cloud/nifcloud/computing/no_common_private_instance.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package computing
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCommonPrivateInstance = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0005",
- Aliases: []string{"nifcloud-computing-no-common-private-instance"},
- Provider: providers.NifcloudProvider,
- Service: "computing",
- ShortCode: "no-common-private-instance",
- Summary: "The instance has common private network",
- Impact: "The common private network is shared with other users",
- Resolution: "Use private LAN",
- Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/plan.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCommonPrivateInstanceGoodExamples,
- BadExamples: terraformNoCommonPrivateInstanceBadExamples,
- Links: terraformNoCommonPrivateInstanceLinks,
- RemediationMarkdown: terraformNoCommonPrivateInstanceRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.Computing.Instances {
- for _, ni := range instance.NetworkInterfaces {
- if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") {
- results.Add(
- "The instance has common private network",
- ni.NetworkID,
- )
- } else {
- results.AddPassed(&ni)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/computing/no_common_private_instance.tf.go b/checks/cloud/nifcloud/computing/no_common_private_instance.tf.go
deleted file mode 100644
index 05c3f53e..00000000
--- a/checks/cloud/nifcloud/computing/no_common_private_instance.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package computing
-
-var terraformNoCommonPrivateInstanceGoodExamples = []string{
- `
- resource "nifcloud_instance" "good_example" {
- image_id = data.nifcloud_image.ubuntu.id
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = nifcloud_private_lan.main.id
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateInstanceBadExamples = []string{
- `
- resource "nifcloud_instance" "bad_example" {
- image_id = data.nifcloud_image.ubuntu.id
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = "net-COMMON_PRIVATE"
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateInstanceLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id`,
-}
-
-var terraformNoCommonPrivateInstanceRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.go b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.go
deleted file mode 100755
index 869cc51d..00000000
--- a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package computing
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngressSgr = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0001",
- Aliases: []string{"nifcloud-computing-no-public-ingress-sgr"},
- Provider: providers.NifcloudProvider,
- Service: "computing",
- ShortCode: "no-public-ingress-sgr",
- Summary: "An ingress security group rule allows traffic from /0.",
- Impact: "Your port exposed to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
-When publishing web applications, use a load balancer instead of publishing directly to instances.
- `,
- Links: []string{
- "https://pfs.nifcloud.com/help/fw/rule_new.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressSgrGoodExamples,
- BadExamples: terraformNoPublicIngressSgrBadExamples,
- Links: terraformNoPublicIngressSgrLinks,
- RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.Computing.SecurityGroups {
- for _, rule := range group.IngressRules {
- if cidr.IsPublic(rule.CIDR.Value()) && cidr.CountAddresses(rule.CIDR.Value()) > 1 {
- results.Add(
- "Security group rule allows ingress from public internet.",
- rule.CIDR,
- )
- } else {
- results.AddPassed(&rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go
deleted file mode 100644
index 60206563..00000000
--- a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package computing
-
-var terraformNoPublicIngressSgrGoodExamples = []string{
- `
- resource "nifcloud_security_group_rule" "good_example" {
- type = "IN"
- cidr_ip = "10.0.0.0/16"
- }
- `,
- `
-resource "nifcloud_security_group_rule" "allow_partner_rsync" {
- type = "IN"
- security_group_names = [nifcloud_security_group.….group_name]
- from_port = 22
- to_port = 22
- protocol = "TCP"
- cidr_ip = "10.0.0.0/16"
-}
-`,
-}
-
-var terraformNoPublicIngressSgrBadExamples = []string{
- `
- resource "nifcloud_security_group_rule" "bad_example" {
- type = "IN"
- cidr_ip = "0.0.0.0/0"
- }
- `,
-}
-
-var terraformNoPublicIngressSgrLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group_rule#cidr_ip`,
-}
-
-var terraformNoPublicIngressSgrRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/dns/remove_verified_record.go b/checks/cloud/nifcloud/dns/remove_verified_record.go
deleted file mode 100644
index dc101b98..00000000
--- a/checks/cloud/nifcloud/dns/remove_verified_record.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package dns
-
-import (
- "github.com/aquasecurity/trivy/pkg/iac/providers/nifcloud/dns"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckRemoveVerifiedRecord = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0007",
- Provider: providers.NifcloudProvider,
- Service: "dns",
- ShortCode: "remove-verified-record",
- Summary: "Delete verified record",
- Impact: "Risk of DNS records be used by others",
- Resolution: "Remove verified record",
- Explanation: `
-Removing verified record of TXT auth the risk that
-If the authentication record remains, anyone can register the zone`,
- Links: []string{
- "https://pfs.nifcloud.com/guide/dns/zone_new.htm",
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, record := range s.Nifcloud.DNS.Records {
- if record.Type.EqualTo("TXT") && record.Record.StartsWith(dns.ZoneRegistrationAuthTxt) {
- results.Add("Authentication TXT record exists.", &record)
- } else {
- results.AddPassed(&record)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.go b/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.go
deleted file mode 100755
index 2de3a55d..00000000
--- a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package nas
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddDescriptionToNASSecurityGroup = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0015",
- Aliases: []string{"nifcloud-nas-add-description-to-nas-security-group"},
- Provider: providers.NifcloudProvider,
- Service: "nas",
- ShortCode: "add-description-to-nas-security-group",
- Summary: "Missing description for nas security group.",
- Impact: "Descriptions provide context for the firewall rule reasons",
- Resolution: "Add descriptions for all nas security groups",
- Explanation: `NAS security groups should include a description for auditing purposes.
-
-Simplifies auditing, debugging, and managing nas security groups.`,
- Links: []string{
- "https://pfs.nifcloud.com/help/nas/fw_new.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddDescriptionToNASSecurityGroupGoodExamples,
- BadExamples: terraformAddDescriptionToNASSecurityGroupBadExamples,
- Links: terraformAddDescriptionToNASSecurityGroupLinks,
- RemediationMarkdown: terraformAddDescriptionToNASSecurityGroupRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.NAS.NASSecurityGroups {
- if group.Metadata.IsUnmanaged() {
- continue
- }
- if group.Description.IsEmpty() {
- results.Add(
- "NAS security group does not have a description.",
- group.Description,
- )
- } else if group.Description.EqualTo("Managed by Terraform") {
- results.Add(
- "NAS security group explicitly uses the default description.",
- group.Description,
- )
- } else {
- results.AddPassed(&group)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.tf.go b/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.tf.go
deleted file mode 100644
index 03b5a5ab..00000000
--- a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package nas
-
-var terraformAddDescriptionToNASSecurityGroupGoodExamples = []string{
- `
- resource "nifcloud_nas_security_group" "good_example" {
- group_name = "app"
- description = "Allow from app traffic"
- }
- `,
-}
-
-var terraformAddDescriptionToNASSecurityGroupBadExamples = []string{
- `
- resource "nifcloud_nas_security_group" "bad_example" {
- name = "app"
- description = ""
- }
- `,
-}
-
-var terraformAddDescriptionToNASSecurityGroupLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_security_group#description`,
-}
-
-var terraformAddDescriptionToNASSecurityGroupRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/nas/no_common_private_nas_instance.go b/checks/cloud/nifcloud/nas/no_common_private_nas_instance.go
deleted file mode 100755
index e74c5b1c..00000000
--- a/checks/cloud/nifcloud/nas/no_common_private_nas_instance.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package nas
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCommonPrivateNASInstance = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0013",
- Aliases: []string{"nifcloud-nas-no-common-private-nas-instance"},
- Provider: providers.NifcloudProvider,
- Service: "nas",
- ShortCode: "no-common-private-nas-instance",
- Summary: "The nas instance has common private network",
- Impact: "The common private network is shared with other users",
- Resolution: "Use private LAN",
- Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/plan.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCommonPrivateNASInstanceGoodExamples,
- BadExamples: terraformNoCommonPrivateNASInstanceBadExamples,
- Links: terraformNoCommonPrivateNASInstanceLinks,
- RemediationMarkdown: terraformNoCommonPrivateNASInstanceRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.NAS.NASInstances {
- if instance.NetworkID.EqualTo("net-COMMON_PRIVATE") {
- results.Add(
- "The nas instance has common private network",
- instance.NetworkID,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/nas/no_common_private_nas_instance.tf.go b/checks/cloud/nifcloud/nas/no_common_private_nas_instance.tf.go
deleted file mode 100644
index 5f18c759..00000000
--- a/checks/cloud/nifcloud/nas/no_common_private_nas_instance.tf.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package nas
-
-var terraformNoCommonPrivateNASInstanceGoodExamples = []string{
- `
- resource "nifcloud_nas_instance" "good_example" {
- network_id = nifcloud_private_lan.main.id
- }
- `,
-}
-
-var terraformNoCommonPrivateNASInstanceBadExamples = []string{
- `
- resource "nifcloud_nas_instance" "bad_example" {
- network_id = "net-COMMON_PRIVATE"
- }
- `,
-}
-
-var terraformNoCommonPrivateNASInstanceLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_instance#network_id`,
-}
-
-var terraformNoCommonPrivateNASInstanceRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.go b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.go
deleted file mode 100755
index 3d215b4b..00000000
--- a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package nas
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngressNASSgr = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0014",
- Aliases: []string{"nifcloud-nas-no-public-ingress-nas-sgr"},
- Provider: providers.NifcloudProvider,
- Service: "nas",
- ShortCode: "no-public-ingress-nas-sgr",
- Summary: "An ingress nas security group rule allows traffic from /0.",
- Impact: "Your port exposed to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{
- "https://pfs.nifcloud.com/api/nas/AuthorizeNASSecurityGroupIngress.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressNASSgrGoodExamples,
- BadExamples: terraformNoPublicIngressNASSgrBadExamples,
- Links: terraformNoPublicIngressNASSgrLinks,
- RemediationMarkdown: terraformNoPublicIngressNASSgrRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.NAS.NASSecurityGroups {
- for _, rule := range group.CIDRs {
- if cidr.IsPublic(rule.Value()) && cidr.CountAddresses(rule.Value()) > 1 {
- results.Add(
- "NAS Security group rule allows ingress from public internet.",
- rule,
- )
- } else {
- results.AddPassed(&group)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.tf.go b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.tf.go
deleted file mode 100644
index 6e6d5a3d..00000000
--- a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.tf.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package nas
-
-var terraformNoPublicIngressNASSgrGoodExamples = []string{
- `
- resource "nifcloud_nas_security_group" "good_example" {
- rule {
- cidr_ip = "10.0.0.0/16"
- }
- }
- `,
-}
-
-var terraformNoPublicIngressNASSgrBadExamples = []string{
- `
- resource "nifcloud_nas_security_group" "bad_example" {
- rule {
- cidr_ip = "0.0.0.0/0"
- }
- }
- `,
-}
-
-var terraformNoPublicIngressNASSgrLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_security_group#cidr_ip`,
-}
-
-var terraformNoPublicIngressNASSgrRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/add_security_group_to_router.go b/checks/cloud/nifcloud/network/add_security_group_to_router.go
deleted file mode 100755
index d21ced6a..00000000
--- a/checks/cloud/nifcloud/network/add_security_group_to_router.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddSecurityGroupToRouter = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0016",
- Aliases: []string{"nifcloud-computing-add-security-group-to-router"},
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "add-security-group-to-router",
- Summary: "Missing security group for router.",
- Impact: "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.",
- Resolution: "Add security group for all routers",
- Explanation: "Need to add a security group to your router.",
- Links: []string{
- "https://pfs.nifcloud.com/help/router/change.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddSecurityGroupToRouterGoodExamples,
- BadExamples: terraformAddSecurityGroupToRouterBadExamples,
- Links: terraformAddSecurityGroupToRouterLinks,
- RemediationMarkdown: terraformAddSecurityGroupToRouterRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, router := range s.Nifcloud.Network.Routers {
- if router.Metadata.IsUnmanaged() {
- continue
- }
- if router.SecurityGroup.IsEmpty() {
- results.Add(
- "Router does not have a securiy group.",
- router.SecurityGroup,
- )
- } else {
- results.AddPassed(&router)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/add_security_group_to_router.tf.go b/checks/cloud/nifcloud/network/add_security_group_to_router.tf.go
deleted file mode 100644
index 9e6ab852..00000000
--- a/checks/cloud/nifcloud/network/add_security_group_to_router.tf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package network
-
-var terraformAddSecurityGroupToRouterGoodExamples = []string{
- `
- resource "nifcloud_router" "good_example" {
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToRouterBadExamples = []string{
- `
- resource "nifcloud_router" "bad_example" {
- security_group = ""
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToRouterLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/router#security_group`,
-}
-
-var terraformAddSecurityGroupToRouterRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.go b/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.go
deleted file mode 100755
index 6c48c2d0..00000000
--- a/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddSecurityGroupToVpnGateway = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0018",
- Aliases: []string{"nifcloud-computing-add-security-group-to-vpn-gateway"},
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "add-security-group-to-vpn-gateway",
- Summary: "Missing security group for vpnGateway.",
- Impact: "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.",
- Resolution: "Add security group for all vpnGateways",
- Explanation: "Need to add a security group to your vpnGateway.",
- Links: []string{
- "https://pfs.nifcloud.com/help/vpngw/change.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddSecurityGroupToVpnGatewayGoodExamples,
- BadExamples: terraformAddSecurityGroupToVpnGatewayBadExamples,
- Links: terraformAddSecurityGroupToVpnGatewayLinks,
- RemediationMarkdown: terraformAddSecurityGroupToVpnGatewayRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, vpnGateway := range s.Nifcloud.Network.VpnGateways {
- if vpnGateway.Metadata.IsUnmanaged() {
- continue
- }
- if vpnGateway.SecurityGroup.IsEmpty() {
- results.Add(
- "VpnGateway does not have a securiy group.",
- vpnGateway.SecurityGroup,
- )
- } else {
- results.AddPassed(&vpnGateway)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.tf.go b/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.tf.go
deleted file mode 100644
index 4d559c5e..00000000
--- a/checks/cloud/nifcloud/network/add_security_group_to_vpn_gateway.tf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package network
-
-var terraformAddSecurityGroupToVpnGatewayGoodExamples = []string{
- `
- resource "nifcloud_vpn_gateway" "good_example" {
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToVpnGatewayBadExamples = []string{
- `
- resource "nifcloud_vpn_gateway" "bad_example" {
- security_group = ""
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- }
- }
- `,
-}
-
-var terraformAddSecurityGroupToVpnGatewayLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/vpn_gateway#security_group`,
-}
-
-var terraformAddSecurityGroupToVpnGatewayRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/http_not_used.go b/checks/cloud/nifcloud/network/http_not_used.go
deleted file mode 100755
index 7240370b..00000000
--- a/checks/cloud/nifcloud/network/http_not_used.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckHttpNotUsed = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0021",
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "http-not-used",
- Summary: "Use of plain HTTP.",
- Impact: "Your traffic is not protected",
- Resolution: "Switch to HTTPS to benefit from TLS security features",
- Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
-
-You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
- Links: []string{
- "https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformHttpNotUsedGoodExamples,
- BadExamples: terraformHttpNotUsedBadExamples,
- Links: terraformHttpNotUsedLinks,
- RemediationMarkdown: terraformHttpNotUsedRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, lb := range s.Nifcloud.Network.LoadBalancers {
- for _, listener := range lb.Listeners {
- if !listener.Protocol.EqualTo("HTTP") {
- results.AddPassed(&listener)
- continue
- }
-
- results.Add(
- "Listener for l4 load balancer does not use HTTPS.",
- listener.Protocol,
- )
- }
- }
- for _, elb := range s.Nifcloud.Network.ElasticLoadBalancers {
- var publicLB bool
- for _, ni := range elb.NetworkInterfaces {
- if ni.NetworkID.EqualTo("net-COMMON_GLOBAL") && ni.IsVipNetwork.IsTrue() {
- publicLB = true
- }
- }
-
- if !publicLB {
- continue
- }
-
- for _, listener := range elb.Listeners {
- if !listener.Protocol.EqualTo("HTTP") {
- results.AddPassed(&listener)
- continue
- }
-
- results.Add(
- "Listener for multi load balancer does not use HTTPS.",
- listener.Protocol,
- )
- }
- }
-
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/http_not_used.tf.go b/checks/cloud/nifcloud/network/http_not_used.tf.go
deleted file mode 100644
index c5e7b248..00000000
--- a/checks/cloud/nifcloud/network/http_not_used.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package network
-
-var terraformHttpNotUsedGoodExamples = []string{
- `
- resource "nifcloud_elb" "good_example" {
- protocol = "HTTPS"
- }
- `,
- `
-resource "nifcloud_load_balancer" "good_example" {
- load_balancer_port = 443
-}
-`,
-}
-
-var terraformHttpNotUsedBadExamples = []string{
- `
- resource "nifcloud_elb" "bad_example" {
- protocol = "HTTP"
-
- network_interface {
- network_id = "net-COMMON_GLOBAL"
- is_vip_network = true
- }
- }
- `,
- `
-resource "nifcloud_load_balancer" "bad_example" {
- load_balancer_port = 80
-}
-`,
-}
-
-var terraformHttpNotUsedLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/elb#protocol`,
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer#load_balancer_port`,
-}
-
-var terraformHttpNotUsedRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/no_common_private_elb.go b/checks/cloud/nifcloud/network/no_common_private_elb.go
deleted file mode 100755
index b60be8de..00000000
--- a/checks/cloud/nifcloud/network/no_common_private_elb.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCommonPrivateElasticLoadBalancer = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0019",
- Aliases: []string{"nifcloud-network-no-common-private-elb"},
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "no-common-private-elb",
- Summary: "The elb has common private network",
- Impact: "The common private network is shared with other users",
- Resolution: "Use private LAN",
- Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/plan.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCommonPrivateElasticLoadBalancerGoodExamples,
- BadExamples: terraformNoCommonPrivateElasticLoadBalancerBadExamples,
- Links: terraformNoCommonPrivateElasticLoadBalancerLinks,
- RemediationMarkdown: terraformNoCommonPrivateElasticLoadBalancerRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, elb := range s.Nifcloud.Network.ElasticLoadBalancers {
- for _, ni := range elb.NetworkInterfaces {
- if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") {
- results.Add(
- "The elb has common private network",
- ni.NetworkID,
- )
- } else {
- results.AddPassed(&ni)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/no_common_private_elb.tf.go b/checks/cloud/nifcloud/network/no_common_private_elb.tf.go
deleted file mode 100644
index 41c538a5..00000000
--- a/checks/cloud/nifcloud/network/no_common_private_elb.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package network
-
-var terraformNoCommonPrivateElasticLoadBalancerGoodExamples = []string{
- `
- resource "nifcloud_elb" "good_example" {
- elb_name = "foobar"
- availability_zone = "east-11"
- instance_port = 80
- protocol = "HTTP"
- lb_port = 80
-
- network_interface {
- network_id = nifcloud_private_lan.main.id
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateElasticLoadBalancerBadExamples = []string{
- `
- resource "nifcloud_elb" "bad_example" {
- elb_name = "foobar"
- availability_zone = "east-11"
- instance_port = 80
- protocol = "HTTP"
- lb_port = 80
-
- network_interface {
- network_id = "net-COMMON_PRIVATE"
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateElasticLoadBalancerLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/elb#network_id`,
-}
-
-var terraformNoCommonPrivateElasticLoadBalancerRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/no_common_private_router.go b/checks/cloud/nifcloud/network/no_common_private_router.go
deleted file mode 100755
index 1fa88c6d..00000000
--- a/checks/cloud/nifcloud/network/no_common_private_router.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCommonPrivateRouter = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0017",
- Aliases: []string{"nifcloud-network-no-common-private-router"},
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "no-common-private-router",
- Summary: "The router has common private network",
- Impact: "The common private network is shared with other users",
- Resolution: "Use private LAN",
- Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/plan.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCommonPrivateRouterGoodExamples,
- BadExamples: terraformNoCommonPrivateRouterBadExamples,
- Links: terraformNoCommonPrivateRouterLinks,
- RemediationMarkdown: terraformNoCommonPrivateRouterRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, router := range s.Nifcloud.Network.Routers {
- for _, ni := range router.NetworkInterfaces {
- if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") {
- results.Add(
- "The router has common private network",
- ni.NetworkID,
- )
- } else {
- results.AddPassed(&ni)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/no_common_private_router.tf.go b/checks/cloud/nifcloud/network/no_common_private_router.tf.go
deleted file mode 100644
index 3e9b8a1b..00000000
--- a/checks/cloud/nifcloud/network/no_common_private_router.tf.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package network
-
-var terraformNoCommonPrivateRouterGoodExamples = []string{
- `
- resource "nifcloud_router" "good_example" {
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = nifcloud_private_lan.main.id
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateRouterBadExamples = []string{
- `
- resource "nifcloud_router" "bad_example" {
- security_group = nifcloud_security_group.example.group_name
-
- network_interface {
- network_id = "net-COMMON_PRIVATE"
- }
- }
- `,
-}
-
-var terraformNoCommonPrivateRouterLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/router#network_id`,
-}
-
-var terraformNoCommonPrivateRouterRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/network/use_secure_tls_policy.go b/checks/cloud/nifcloud/network/use_secure_tls_policy.go
deleted file mode 100755
index 4a133e1b..00000000
--- a/checks/cloud/nifcloud/network/use_secure_tls_policy.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var outdatedSSLPolicies = []string{
- "",
- "1",
- "Standard Ciphers A ver1",
- "2",
- "Standard Ciphers B ver1",
- "3",
- "Standard Ciphers C ver1",
- "5",
- "Ats Ciphers A ver1",
- "8",
- "Ats Ciphers D ver1",
-}
-
-var CheckUseSecureTlsPolicy = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0020",
- Provider: providers.NifcloudProvider,
- Service: "network",
- ShortCode: "use-secure-tls-policy",
- Summary: "An outdated SSL policy is in use by a load balancer.",
- Impact: "The SSL policy is outdated and has known vulnerabilities",
- Resolution: "Use a more recent TLS/SSL policy for the load balancer",
- Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/lb_l4.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformUseSecureTlsPolicyGoodExamples,
- BadExamples: terraformUseSecureTlsPolicyBadExamples,
- Links: terraformUseSecureTlsPolicyLinks,
- RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, lb := range s.Nifcloud.Network.LoadBalancers {
- for _, listener := range lb.Listeners {
- for _, outdated := range outdatedSSLPolicies {
- if listener.TLSPolicy.EqualTo(outdated) && listener.Protocol.EqualTo("HTTPS") {
- results.Add(
- "Listener uses an outdated TLS policy.",
- listener.TLSPolicy,
- )
- } else {
- results.AddPassed(&listener)
- }
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/network/use_secure_tls_policy.tf.go b/checks/cloud/nifcloud/network/use_secure_tls_policy.tf.go
deleted file mode 100644
index 7b47fd00..00000000
--- a/checks/cloud/nifcloud/network/use_secure_tls_policy.tf.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package network
-
-var terraformUseSecureTlsPolicyGoodExamples = []string{
- `
- resource "nifcloud_load_balancer" "good_example" {
- load_balancer_port = 443
- policy_type = "standard"
- ssl_policy_name = "Standard Ciphers D ver1"
- }
- `,
-}
-
-var terraformUseSecureTlsPolicyBadExamples = []string{
- `
- resource "nifcloud_load_balancer" "bad_example" {
- load_balancer_port = 443
- policy_type = "standard"
- ssl_policy_name = ""
- }
- `,
-}
-
-var terraformUseSecureTlsPolicyLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer#ssl_policy_name`,
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer_listener#ssl_policy_name`,
-}
-
-var terraformUseSecureTlsPolicyRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.go b/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.go
deleted file mode 100755
index ec440949..00000000
--- a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package rdb
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckAddDescriptionToDBSecurityGroup = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0012",
- Aliases: []string{"nifcloud-rdb-add-description-to-db-security-group"},
- Provider: providers.NifcloudProvider,
- Service: "rdb",
- ShortCode: "add-description-to-db-security-group",
- Summary: "Missing description for db security group.",
- Impact: "Descriptions provide context for the firewall rule reasons",
- Resolution: "Add descriptions for all db security groups",
- Explanation: `DB security groups should include a description for auditing purposes.
-
-Simplifies auditing, debugging, and managing db security groups.`,
- Links: []string{
- "https://pfs.nifcloud.com/help/rdb/fw_new.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformAddDescriptionToDBSecurityGroupGoodExamples,
- BadExamples: terraformAddDescriptionToDBSecurityGroupBadExamples,
- Links: terraformAddDescriptionToDBSecurityGroupLinks,
- RemediationMarkdown: terraformAddDescriptionToDBSecurityGroupRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.RDB.DBSecurityGroups {
- if group.Metadata.IsUnmanaged() {
- continue
- }
- if group.Description.IsEmpty() {
- results.Add(
- "DB security group does not have a description.",
- group.Description,
- )
- } else if group.Description.EqualTo("Managed by Terraform") {
- results.Add(
- "DB security group explicitly uses the default description.",
- group.Description,
- )
- } else {
- results.AddPassed(&group)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.tf.go b/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.tf.go
deleted file mode 100644
index f3e5f49c..00000000
--- a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package rdb
-
-var terraformAddDescriptionToDBSecurityGroupGoodExamples = []string{
- `
- resource "nifcloud_db_security_group" "good_example" {
- group_name = "app"
- description = "Allow from app traffic"
- }
- `,
-}
-
-var terraformAddDescriptionToDBSecurityGroupBadExamples = []string{
- `
- resource "nifcloud_db_security_group" "bad_example" {
- name = "app"
- description = ""
- }
- `,
-}
-
-var terraformAddDescriptionToDBSecurityGroupLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_security_group#description`,
-}
-
-var terraformAddDescriptionToDBSecurityGroupRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/rdb/no_common_private_db_instance.go b/checks/cloud/nifcloud/rdb/no_common_private_db_instance.go
deleted file mode 100755
index b4b89519..00000000
--- a/checks/cloud/nifcloud/rdb/no_common_private_db_instance.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package rdb
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoCommonPrivateDBInstance = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0010",
- Aliases: []string{"nifcloud-rdb-no-common-private-db-instance"},
- Provider: providers.NifcloudProvider,
- Service: "rdb",
- ShortCode: "no-common-private-db-instance",
- Summary: "The db instance has common private network",
- Impact: "The common private network is shared with other users",
- Resolution: "Use private LAN",
- Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
- Links: []string{
- "https://pfs.nifcloud.com/service/plan.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoCommonPrivateDBInstanceGoodExamples,
- BadExamples: terraformNoCommonPrivateDBInstanceBadExamples,
- Links: terraformNoCommonPrivateDBInstanceLinks,
- RemediationMarkdown: terraformNoCommonPrivateDBInstanceRemediationMarkdown,
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.RDB.DBInstances {
- if instance.NetworkID.EqualTo("net-COMMON_PRIVATE") {
- results.Add(
- "The db instance has common private network",
- instance.NetworkID,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/rdb/no_common_private_db_instance.tf.go b/checks/cloud/nifcloud/rdb/no_common_private_db_instance.tf.go
deleted file mode 100644
index 7836d3e7..00000000
--- a/checks/cloud/nifcloud/rdb/no_common_private_db_instance.tf.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package rdb
-
-var terraformNoCommonPrivateDBInstanceGoodExamples = []string{
- `
- resource "nifcloud_db_instance" "good_example" {
- network_id = nifcloud_private_lan.main.id
- }
- `,
-}
-
-var terraformNoCommonPrivateDBInstanceBadExamples = []string{
- `
- resource "nifcloud_db_instance" "bad_example" {
- network_id = "net-COMMON_PRIVATE"
- }
- `,
-}
-
-var terraformNoCommonPrivateDBInstanceLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#network_id`,
-}
-
-var terraformNoCommonPrivateDBInstanceRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/rdb/no_public_db_access.go b/checks/cloud/nifcloud/rdb/no_public_db_access.go
deleted file mode 100755
index ccf1a57b..00000000
--- a/checks/cloud/nifcloud/rdb/no_public_db_access.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package rdb
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicDbAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0008",
- Provider: providers.NifcloudProvider,
- Service: "rdb",
- ShortCode: "no-public-db-access",
- Summary: "A database resource is marked as publicly accessible.",
- Impact: "The database instance is publicly accessible",
- Resolution: "Set the database to not be publicly accessible",
- Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`,
- Links: []string{
- "https://pfs.nifcloud.com/guide/rdb/server_new.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicDbAccessGoodExamples,
- BadExamples: terraformNoPublicDbAccessBadExamples,
- Links: terraformNoPublicDbAccessLinks,
- RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.RDB.DBInstances {
- if instance.PublicAccess.IsTrue() {
- results.Add(
- "Instance is exposed publicly.",
- instance.PublicAccess,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/rdb/no_public_db_access.tf.go b/checks/cloud/nifcloud/rdb/no_public_db_access.tf.go
deleted file mode 100644
index 8a35ddb0..00000000
--- a/checks/cloud/nifcloud/rdb/no_public_db_access.tf.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package rdb
-
-var terraformNoPublicDbAccessGoodExamples = []string{
- `
- resource "nifcloud_db_instance" "good_example" {
- publicly_accessible = false
- }
- `,
-}
-
-var terraformNoPublicDbAccessBadExamples = []string{
- `
- resource "nifcloud_db_instance" "bad_example" {
- publicly_accessible = true
- }
- `,
-}
-
-var terraformNoPublicDbAccessLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#publicly_accessible`,
-}
-
-var terraformNoPublicDbAccessRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.go b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.go
deleted file mode 100755
index 5efb0f90..00000000
--- a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package rdb
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngressDBSgr = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0011",
- Aliases: []string{"nifcloud-rdb-no-public-ingress-db-sgr"},
- Provider: providers.NifcloudProvider,
- Service: "rdb",
- ShortCode: "no-public-ingress-db-sgr",
- Summary: "An ingress db security group rule allows traffic from /0.",
- Impact: "Your port exposed to the internet",
- Resolution: "Set a more restrictive cidr range",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{
- "https://pfs.nifcloud.com/api/rdb/AuthorizeDBSecurityGroupIngress.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressDBSgrGoodExamples,
- BadExamples: terraformNoPublicIngressDBSgrBadExamples,
- Links: terraformNoPublicIngressDBSgrLinks,
- RemediationMarkdown: terraformNoPublicIngressDBSgrRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.Nifcloud.RDB.DBSecurityGroups {
- for _, rule := range group.CIDRs {
- if cidr.IsPublic(rule.Value()) && cidr.CountAddresses(rule.Value()) > 1 {
- results.Add(
- "DB Security group rule allows ingress from public internet.",
- rule,
- )
- } else {
- results.AddPassed(&group)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.tf.go b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.tf.go
deleted file mode 100644
index c7b7b430..00000000
--- a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.tf.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package rdb
-
-var terraformNoPublicIngressDBSgrGoodExamples = []string{
- `
- resource "nifcloud_db_security_group" "good_example" {
- rule {
- cidr_ip = "10.0.0.0/16"
- }
- }
- `,
-}
-
-var terraformNoPublicIngressDBSgrBadExamples = []string{
- `
- resource "nifcloud_db_security_group" "bad_example" {
- rule {
- cidr_ip = "0.0.0.0/0"
- }
- }
- `,
-}
-
-var terraformNoPublicIngressDBSgrLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_security_group#cidr_ip`,
-}
-
-var terraformNoPublicIngressDBSgrRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/rdb/specify_backup_retention.go b/checks/cloud/nifcloud/rdb/specify_backup_retention.go
deleted file mode 100755
index 1d15fb40..00000000
--- a/checks/cloud/nifcloud/rdb/specify_backup_retention.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package rdb
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckBackupRetentionSpecified = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0009",
- Provider: providers.NifcloudProvider,
- Service: "rdb",
- ShortCode: "specify-backup-retention",
- Summary: "RDB instance should have backup retention longer than 1 day",
- Impact: "Potential loss of data and short opportunity for recovery",
- Resolution: "Explicitly set the retention period to greater than the default",
- Explanation: `Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
- Links: []string{
- "https://pfs.nifcloud.com/spec/rdb/snapshot_backup.htm",
- },
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformSpecifyBackupRetentionGoodExamples,
- BadExamples: terraformSpecifyBackupRetentionBadExamples,
- Links: terraformSpecifyBackupRetentionLinks,
- RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.Nifcloud.RDB.DBInstances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.BackupRetentionPeriodDays.LessThan(2) {
- results.Add(
- "Instance has very low backup retention period.",
- instance.BackupRetentionPeriodDays,
- )
- } else {
- results.AddPassed(&instance)
- }
- }
-
- return
- },
-)
diff --git a/checks/cloud/nifcloud/rdb/specify_backup_retention.tf.go b/checks/cloud/nifcloud/rdb/specify_backup_retention.tf.go
deleted file mode 100644
index ecb015e7..00000000
--- a/checks/cloud/nifcloud/rdb/specify_backup_retention.tf.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package rdb
-
-var terraformSpecifyBackupRetentionGoodExamples = []string{
- `
- resource "nifcloud_db_instance" "good_example" {
- allocated_storage = 100
- engine = "mysql"
- engine_version = "5.7"
- instance_class = "db.large8"
- name = "mydb"
- username = "foo"
- password = "foobarbaz"
- parameter_group_name = "default.mysql5.7"
- backup_retention_period = 5
- skip_final_snapshot = true
- }
- `,
-}
-
-var terraformSpecifyBackupRetentionBadExamples = []string{
- `
- resource "nifcloud_db_instance" "bad_example" {
- allocated_storage = 100
- engine = "mysql"
- engine_version = "5.7"
- instance_class = "db.large8"
- name = "mydb"
- username = "foo"
- password = "foobarbaz"
- parameter_group_name = "default.mysql5.7"
- skip_final_snapshot = true
- }
-`,
-}
-
-var terraformSpecifyBackupRetentionLinks = []string{
- `https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#backup_retention_period`,
-}
-
-var terraformSpecifyBackupRetentionRemediationMarkdown = ``
diff --git a/checks/cloud/nifcloud/sslcertificate/remove_expired_certificates.go b/checks/cloud/nifcloud/sslcertificate/remove_expired_certificates.go
deleted file mode 100644
index 4669af56..00000000
--- a/checks/cloud/nifcloud/sslcertificate/remove_expired_certificates.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package sslcertificate
-
-import (
- "time"
-
- "github.com/aquasecurity/trivy/pkg/iac/severity"
-
- "github.com/aquasecurity/trivy/pkg/iac/state"
-
- "github.com/aquasecurity/trivy/pkg/iac/scan"
-
- "github.com/aquasecurity/trivy-checks/pkg/rules"
-
- "github.com/aquasecurity/trivy/pkg/iac/providers"
-)
-
-var CheckRemoveExpiredCertificates = rules.Register(
- scan.Rule{
- AVDID: "AVD-NIF-0006",
- Provider: providers.NifcloudProvider,
- Service: "ssl-certificate",
- ShortCode: "remove-expired-certificates",
- Summary: "Delete expired SSL certificates",
- Impact: "Risk of misconfiguration and damage to credibility",
- Resolution: "Remove expired certificates",
- Explanation: `
-Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be
-deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the
-credibility of the application/website behind the L4LB. As a best practice, it is
-recommended to delete expired certificates.
- `,
- Links: []string{
- "https://pfs.nifcloud.com/help/ssl/del.htm",
- },
- Severity: severity.Low,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, certificate := range s.Nifcloud.SSLCertificate.ServerCertificates {
- if certificate.Expiration.Before(time.Now()) {
- results.Add("Certificate has expired.", &certificate)
- } else {
- results.AddPassed(&certificate)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/compute/no_plaintext_password.go b/checks/cloud/openstack/compute/no_plaintext_password.go
deleted file mode 100755
index 29404d6e..00000000
--- a/checks/cloud/openstack/compute/no_plaintext_password.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPlaintextPassword = rules.Register(
- scan.Rule{
- AVDID: "AVD-OPNSTK-0001",
- Provider: providers.OpenStackProvider,
- Service: "compute",
- ShortCode: "no-plaintext-password",
- Summary: "No plaintext password for compute instance",
- Impact: "Including a plaintext password could lead to compromised instance",
- Resolution: "Do not use plaintext passwords in terraform files",
- Explanation: `Assigning a password to the compute instance using plaintext could lead to compromise; it would be preferable to use key-pairs as a login mechanism`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPlaintextPasswordGoodExamples,
- BadExamples: terraformNoPlaintextPasswordBadExamples,
- Links: terraformNoPlaintextPasswordLinks,
- RemediationMarkdown: terraformNoPlaintextPasswordRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, instance := range s.OpenStack.Compute.Instances {
- if instance.Metadata.IsUnmanaged() {
- continue
- }
- if instance.AdminPassword.IsNotEmpty() {
- results.Add(
- "Instance has admin password set.",
- instance.AdminPassword,
- )
- } else {
- results.AddPassed(instance)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/compute/no_plaintext_password.tf.go b/checks/cloud/openstack/compute/no_plaintext_password.tf.go
deleted file mode 100644
index c2e537bc..00000000
--- a/checks/cloud/openstack/compute/no_plaintext_password.tf.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package compute
-
-var terraformNoPlaintextPasswordGoodExamples = []string{
- `
- resource "openstack_compute_instance_v2" "good_example" {
- name = "basic"
- image_id = "ad091b52-742f-469e-8f3c-fd81cadf0743"
- flavor_id = "3"
- key_pair = "my_key_pair_name"
- security_groups = ["default"]
- user_data = "#cloud-config\nhostname: instance_1.example.com\nfqdn: instance_1.example.com"
-
- network {
- name = "my_network"
- }
- }`,
-}
-
-var terraformNoPlaintextPasswordBadExamples = []string{
- `
- resource "openstack_compute_instance_v2" "bad_example" {
- name = "basic"
- image_id = "ad091b52-742f-469e-8f3c-fd81cadf0743"
- flavor_id = "3"
- admin_pass = "N0tSoS3cretP4ssw0rd"
- security_groups = ["default"]
- user_data = "#cloud-config\nhostname: instance_1.example.com\nfqdn: instance_1.example.com"
-
- network {
- name = "my_network"
- }
- }`,
-}
-
-var terraformNoPlaintextPasswordLinks = []string{
- `https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2#admin_pass`,
-}
-
-var terraformNoPlaintextPasswordRemediationMarkdown = ``
diff --git a/checks/cloud/openstack/compute/no_public_access.go b/checks/cloud/openstack/compute/no_public_access.go
deleted file mode 100755
index 4a53d1b6..00000000
--- a/checks/cloud/openstack/compute/no_public_access.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicAccess = rules.Register(
- scan.Rule{
- AVDID: "AVD-OPNSTK-0002",
- Provider: providers.OpenStackProvider,
- Service: "compute",
- ShortCode: "no-public-access",
- Summary: "A firewall rule allows traffic from/to the public internet",
- Impact: "Exposure of infrastructure to the public internet",
- Resolution: "Employ more restrictive firewall rules",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicAccessGoodExamples,
- BadExamples: terraformNoPublicAccessBadExamples,
- Links: terraformNoPublicAccessLinks,
- RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, rule := range s.OpenStack.Compute.Firewall.AllowRules {
- if rule.Metadata.IsUnmanaged() {
- continue
- }
- if rule.Enabled.IsFalse() {
- continue
- }
- if rule.Destination.IsEmpty() {
- results.Add(
- "Firewall rule does not restrict destination address internally.",
- rule.Destination,
- )
- } else if cidr.IsPublic(rule.Destination.Value()) {
- results.Add(
- "Firewall rule allows public egress.",
- rule.Destination,
- )
- } else if rule.Source.IsEmpty() {
- results.Add(
- "Firewall rule does not restrict source address internally.",
- rule.Source,
- )
- } else if cidr.IsPublic(rule.Source.Value()) {
- results.Add(
- "Firewall rule allows public ingress.",
- rule.Source,
- )
- } else {
- results.AddPassed(rule)
- }
-
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/compute/no_public_access.tf.go b/checks/cloud/openstack/compute/no_public_access.tf.go
deleted file mode 100644
index 3f1f60ed..00000000
--- a/checks/cloud/openstack/compute/no_public_access.tf.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package compute
-
-var terraformNoPublicAccessGoodExamples = []string{
- `
- resource "openstack_fw_rule_v1" "rule_1" {
- name = "my_rule"
- description = "don't let just anyone in"
- action = "allow"
- protocol = "tcp"
- destination_ip_address = "10.10.10.1"
- source_ip_address = "10.10.10.2"
- destination_port = "22"
- enabled = "true"
- }
- `,
-}
-
-var terraformNoPublicAccessBadExamples = []string{
- `
- resource "openstack_fw_rule_v1" "rule_1" {
- name = "my_rule"
- description = "let anyone in"
- action = "allow"
- protocol = "tcp"
- destination_port = "22"
- enabled = "true"
- }
- `,
-}
-
-var terraformNoPublicAccessLinks = []string{
- `https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1`,
-}
-
-var terraformNoPublicAccessRemediationMarkdown = ``
diff --git a/checks/cloud/openstack/networking/add_description_to_security_group.go b/checks/cloud/openstack/networking/add_description_to_security_group.go
deleted file mode 100755
index b3c12a55..00000000
--- a/checks/cloud/openstack/networking/add_description_to_security_group.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckSecurityGroupHasDescription = rules.Register(
- scan.Rule{
- AVDID: "AVD-OPNSTK-0005",
- Provider: providers.OpenStackProvider,
- Service: "networking",
- ShortCode: "describe-security-group",
- Summary: "Missing description for security group.",
- Impact: "Auditing capability and awareness limited.",
- Resolution: "Add descriptions for all security groups",
- Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformSecurityGroupHasDescriptionGoodExamples,
- BadExamples: terraformSecurityGroupHasDescriptionBadExamples,
- Links: terraformSecurityGroupHasDescriptionLinks,
- RemediationMarkdown: terraformSecurityGroupHasDescriptionRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.OpenStack.Networking.SecurityGroups {
- if group.Metadata.IsUnmanaged() {
- continue
- }
- if group.Description.IsEmpty() {
- results.Add(
- "Security group rule allows egress to multiple public addresses.",
- group.Description,
- )
- } else {
- results.AddPassed(group)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/networking/add_description_to_security_group.tf.go b/checks/cloud/openstack/networking/add_description_to_security_group.tf.go
deleted file mode 100644
index 10018c46..00000000
--- a/checks/cloud/openstack/networking/add_description_to_security_group.tf.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package compute
-
-var terraformSecurityGroupHasDescriptionGoodExamples = []string{
- `
- resource "openstack_networking_secgroup_v2" "group_1" {
- description = "don't let just anyone in"
- }
- `,
-}
-
-var terraformSecurityGroupHasDescriptionBadExamples = []string{
- `
- resource "openstack_networking_secgroup_v2" "group_1" {
- }
- `,
-}
-
-var terraformSecurityGroupHasDescriptionLinks = []string{}
-
-var terraformSecurityGroupHasDescriptionRemediationMarkdown = ``
diff --git a/checks/cloud/openstack/networking/no_public_egress.go b/checks/cloud/openstack/networking/no_public_egress.go
deleted file mode 100755
index 5ba2bd98..00000000
--- a/checks/cloud/openstack/networking/no_public_egress.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicEgress = rules.Register(
- scan.Rule{
- AVDID: "AVD-OPNSTK-0004",
- Provider: providers.OpenStackProvider,
- Service: "networking",
- ShortCode: "no-public-egress",
- Summary: "A security group rule allows egress traffic to multiple public addresses",
- Impact: "Potential exfiltration of data to the public internet",
- Resolution: "Employ more restrictive security group rules",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicEgressGoodExamples,
- BadExamples: terraformNoPublicEgressBadExamples,
- Links: terraformNoPublicEgressLinks,
- RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.OpenStack.Networking.SecurityGroups {
- for _, rule := range group.Rules {
- if rule.Metadata.IsUnmanaged() || rule.IsIngress.IsTrue() {
- continue
- }
- if cidr.IsPublic(rule.CIDR.Value()) && cidr.CountAddresses(rule.CIDR.Value()) > 1 {
- results.Add(
- "Security group rule allows egress to multiple public addresses.",
- rule.CIDR,
- )
- } else {
- results.AddPassed(rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/networking/no_public_egress.tf.go b/checks/cloud/openstack/networking/no_public_egress.tf.go
deleted file mode 100644
index 21cb01eb..00000000
--- a/checks/cloud/openstack/networking/no_public_egress.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package compute
-
-var terraformNoPublicEgressGoodExamples = []string{
- `
-resource "openstack_networking_secgroup_rule_v2" "rule_1" {
- direction = "egress"
- ethertype = "IPv4"
- protocol = "tcp"
- port_range_min = 22
- port_range_max = 22
- remote_ip_prefix = "1.2.3.4/32"
-}
-`,
-}
-
-var terraformNoPublicEgressBadExamples = []string{
- `
- resource "openstack_networking_secgroup_rule_v2" "rule_1" {
- direction = "egress"
- ethertype = "IPv4"
- protocol = "tcp"
- port_range_min = 22
- port_range_max = 22
- remote_ip_prefix = "0.0.0.0/0"
- }
-`,
-}
-
-var terraformNoPublicEgressLinks = []string{
- `https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2`,
-}
-
-var terraformNoPublicEgressRemediationMarkdown = ``
diff --git a/checks/cloud/openstack/networking/no_public_ingress.go b/checks/cloud/openstack/networking/no_public_ingress.go
deleted file mode 100755
index 414ff87e..00000000
--- a/checks/cloud/openstack/networking/no_public_ingress.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngress = rules.Register(
- scan.Rule{
- AVDID: "AVD-OPNSTK-0003",
- Provider: providers.OpenStackProvider,
- Service: "networking",
- ShortCode: "no-public-ingress",
- Summary: "A security group rule allows ingress traffic from multiple public addresses",
- Impact: "Exposure of infrastructure to the public internet",
- Resolution: "Employ more restrictive security group rules",
- Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressGoodExamples,
- BadExamples: terraformNoPublicIngressBadExamples,
- Links: terraformNoPublicIngressLinks,
- RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
- },
- Severity: severity.Medium,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, group := range s.OpenStack.Networking.SecurityGroups {
- for _, rule := range group.Rules {
- if rule.Metadata.IsUnmanaged() || rule.IsIngress.IsFalse() {
- continue
- }
- if cidr.IsPublic(rule.CIDR.Value()) && cidr.CountAddresses(rule.CIDR.Value()) > 1 {
- results.Add(
- "Security group rule allows ingress from multiple public addresses.",
- rule.CIDR,
- )
- } else {
- results.AddPassed(rule)
- }
- }
- }
- return
- },
-)
diff --git a/checks/cloud/openstack/networking/no_public_ingress.tf.go b/checks/cloud/openstack/networking/no_public_ingress.tf.go
deleted file mode 100644
index a6333cbb..00000000
--- a/checks/cloud/openstack/networking/no_public_ingress.tf.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package compute
-
-var terraformNoPublicIngressGoodExamples = []string{
- `
- resource "openstack_networking_secgroup_rule_v2" "rule_1" {
- direction = "ingress"
- ethertype = "IPv4"
- protocol = "tcp"
- port_range_min = 22
- port_range_max = 22
- remote_ip_prefix = "1.2.3.4/32"
- }
- `,
-}
-
-var terraformNoPublicIngressBadExamples = []string{
- `
- resource "openstack_networking_secgroup_rule_v2" "rule_1" {
- direction = "ingress"
- ethertype = "IPv4"
- protocol = "tcp"
- port_range_min = 22
- port_range_max = 22
- remote_ip_prefix = "0.0.0.0/0"
- }
- `,
-}
-
-var terraformNoPublicIngressLinks = []string{
- `https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1`,
-}
-
-var terraformNoPublicIngressRemediationMarkdown = ``
diff --git a/checks/cloud/oracle/compute/no_public_ip.go b/checks/cloud/oracle/compute/no_public_ip.go
deleted file mode 100755
index 628fdc59..00000000
--- a/checks/cloud/oracle/compute/no_public_ip.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package compute
-
-import (
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIp = rules.Register(
- scan.Rule{
- AVDID: "AVD-OCI-0001",
- Provider: providers.OracleProvider,
- Service: "compute",
- ShortCode: "no-public-ip",
- Summary: "Compute instance requests an IP reservation from a public pool",
- Impact: "The compute instance has the ability to be reached from outside",
- Resolution: "Reconsider the use of an public IP",
- Explanation: `Compute instance requests an IP reservation from a public pool
-
-The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP.`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIpGoodExamples,
- BadExamples: terraformNoPublicIpBadExamples,
- Links: terraformNoPublicIpLinks,
- RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
- },
- Severity: severity.Critical,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, reservation := range s.Oracle.Compute.AddressReservations {
- if reservation.Metadata.IsUnmanaged() {
- continue
- }
- if reservation.Pool.EqualTo("public-ippool") { // TODO: future improvement: we need to see what this IP is used for before flagging
- results.Add(
- "Reservation made for public IP address.",
- reservation.Pool,
- )
- } else {
- results.AddPassed(reservation)
- }
- }
- return
- },
-)
diff --git a/checks/cloud/oracle/compute/no_public_ip.tf.go b/checks/cloud/oracle/compute/no_public_ip.tf.go
deleted file mode 100644
index 4f39fb74..00000000
--- a/checks/cloud/oracle/compute/no_public_ip.tf.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package compute
-
-var terraformNoPublicIpGoodExamples = []string{
- `
- resource "opc_compute_ip_address_reservation" "good_example" {
- name = "my-ip-address"
- ip_address_pool = "cloud-ippool"
- }
- `,
-}
-
-var terraformNoPublicIpBadExamples = []string{
- `
- resource "opc_compute_ip_address_reservation" "bad_example" {
- name = "my-ip-address"
- ip_address_pool = "public-ippool"
- }
- `,
-}
-
-var terraformNoPublicIpLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_ip_address_reservation`, `https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_instance`,
-}
-
-var terraformNoPublicIpRemediationMarkdown = ``
diff --git a/checks/kubernetes/network/no_public_egress.go b/checks/kubernetes/network/no_public_egress.go
deleted file mode 100755
index 1dc735a8..00000000
--- a/checks/kubernetes/network/no_public_egress.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicEgress = rules.Register(
- scan.Rule{
- AVDID: "AVD-KUBE-0002",
- Provider: providers.KubernetesProvider,
- Service: "network",
- ShortCode: "no-public-egress",
- Summary: "Public egress should not be allowed via network policies",
- Impact: "Exfiltration of data to the public internet",
- Resolution: "Remove public access except where explicitly required",
- Explanation: `You should not expose infrastructure to the public internet except where explicitly required`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicEgressGoodExamples,
- BadExamples: terraformNoPublicEgressBadExamples,
- Links: terraformNoPublicEgressLinks,
- RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, policy := range s.Kubernetes.NetworkPolicies {
- if policy.Metadata.IsUnmanaged() {
- continue
- }
- for _, destination := range policy.Spec.Egress.DestinationCIDRs {
- if cidr.IsPublic(destination.Value()) {
- results.Add(
- "Network policy allows egress to the public internet.",
- destination,
- )
- } else {
- results.AddPassed(destination)
- }
- }
- }
- return
- },
-)
diff --git a/checks/kubernetes/network/no_public_egress.tf.go b/checks/kubernetes/network/no_public_egress.tf.go
deleted file mode 100644
index 82f502aa..00000000
--- a/checks/kubernetes/network/no_public_egress.tf.go
+++ /dev/null
@@ -1,137 +0,0 @@
-package network
-
-var terraformNoPublicEgressGoodExamples = []string{
- `
- resource "kubernetes_network_policy" "good_example" {
- metadata {
- name = "terraform-example-network-policy"
- namespace = "default"
- }
-
- spec {
- pod_selector {
- match_expressions {
- key = "name"
- operator = "In"
- values = ["webfront", "api"]
- }
- }
-
- egress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- to {
- ip_block {
- cidr = "10.0.0.0/16"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- ingress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- from {
- ip_block {
- cidr = "10.0.0.0/16"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- policy_types = ["Ingress", "Egress"]
- }
- }
- `,
-}
-
-var terraformNoPublicEgressBadExamples = []string{
- `
- resource "kubernetes_network_policy" "bad_example" {
- metadata {
- name = "terraform-example-network-policy"
- namespace = "default"
- }
-
- spec {
- pod_selector {
- match_expressions {
- key = "name"
- operator = "In"
- values = ["webfront", "api"]
- }
- }
-
- egress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- to {
- ip_block {
- cidr = "0.0.0.0/0"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- ingress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- from {
- ip_block {
- cidr = "10.0.0.0/16"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- policy_types = ["Ingress", "Egress"]
- }
- }
- `,
-}
-
-var terraformNoPublicEgressLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr`,
-}
-
-var terraformNoPublicEgressRemediationMarkdown = ``
diff --git a/checks/kubernetes/network/no_public_ingress.go b/checks/kubernetes/network/no_public_ingress.go
deleted file mode 100755
index 41d435b6..00000000
--- a/checks/kubernetes/network/no_public_ingress.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package network
-
-import (
- "github.com/aquasecurity/trivy-checks/internal/cidr"
- "github.com/aquasecurity/trivy-checks/pkg/rules"
- "github.com/aquasecurity/trivy/pkg/iac/providers"
- "github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/severity"
- "github.com/aquasecurity/trivy/pkg/iac/state"
-)
-
-var CheckNoPublicIngress = rules.Register(
- scan.Rule{
- AVDID: "AVD-KUBE-0001",
- Provider: providers.KubernetesProvider,
- Service: "network",
- ShortCode: "no-public-ingress",
- Summary: "Public ingress should not be allowed via network policies",
- Impact: "Exposure of infrastructure to the public internet",
- Resolution: "Remove public access except where explicitly required",
- Explanation: `You should not expose infrastructure to the public internet except where explicitly required`,
- Links: []string{},
- Terraform: &scan.EngineMetadata{
- GoodExamples: terraformNoPublicIngressGoodExamples,
- BadExamples: terraformNoPublicIngressBadExamples,
- Links: terraformNoPublicIngressLinks,
- RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
- },
- Severity: severity.High,
- Deprecated: true,
- },
- func(s *state.State) (results scan.Results) {
- for _, policy := range s.Kubernetes.NetworkPolicies {
- if policy.Metadata.IsUnmanaged() {
- continue
- }
- for _, source := range policy.Spec.Ingress.SourceCIDRs {
- if cidr.IsPublic(source.Value()) {
- results.Add(
- "Network policy allows ingress from the public internet.",
- source,
- )
- } else {
- results.AddPassed(source)
- }
- }
- }
- return
- },
-)
diff --git a/checks/kubernetes/network/no_public_ingress.tf.go b/checks/kubernetes/network/no_public_ingress.tf.go
deleted file mode 100644
index 5e00dd99..00000000
--- a/checks/kubernetes/network/no_public_ingress.tf.go
+++ /dev/null
@@ -1,137 +0,0 @@
-package network
-
-var terraformNoPublicIngressGoodExamples = []string{
- `
- resource "kubernetes_network_policy" "good_example" {
- metadata {
- name = "terraform-example-network-policy"
- namespace = "default"
- }
-
- spec {
- pod_selector {
- match_expressions {
- key = "name"
- operator = "In"
- values = ["webfront", "api"]
- }
- }
-
- ingress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- from {
- ip_block {
- cidr = "10.0.0.0/16"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- egress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- to {
- ip_block {
- cidr = "0.0.0.0/0"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- policy_types = ["Ingress", "Egress"]
- }
- }
- `,
-}
-
-var terraformNoPublicIngressBadExamples = []string{
- `
- resource "kubernetes_network_policy" "bad_example" {
- metadata {
- name = "terraform-example-network-policy"
- namespace = "default"
- }
-
- spec {
- pod_selector {
- match_expressions {
- key = "name"
- operator = "In"
- values = ["webfront", "api"]
- }
- }
-
- ingress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- from {
- ip_block {
- cidr = "0.0.0.0/0"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- egress {
- ports {
- port = "http"
- protocol = "TCP"
- }
- ports {
- port = "8125"
- protocol = "UDP"
- }
-
- to {
- ip_block {
- cidr = "0.0.0.0/0"
- except = [
- "10.0.0.0/24",
- "10.0.1.0/24",
- ]
- }
- }
- }
-
- policy_types = ["Ingress", "Egress"]
- }
- }
- `,
-}
-
-var terraformNoPublicIngressLinks = []string{
- `https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr`,
-}
-
-var terraformNoPublicIngressRemediationMarkdown = ``
diff --git a/go.mod b/go.mod
index c4dc9a15..8d0012ca 100644
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,16 @@
module github.com/aquasecurity/trivy-checks
-go 1.22.1
+go 1.22.9
toolchain go1.23.0
require (
- github.com/aquasecurity/trivy v0.55.1-0.20240920045012-1f9fc13da4a1
+ github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831
github.com/aws-cloudformation/rain v1.19.0
github.com/hashicorp/hcl/v2 v2.23.0
github.com/liamg/iamgo v0.0.9
github.com/liamg/memoryfs v1.6.0
- github.com/open-policy-agent/opa v0.67.1
+ github.com/open-policy-agent/opa v0.70.0
github.com/owenrumney/squealer v1.2.5
github.com/samber/lo v1.47.0
github.com/stretchr/testify v1.10.0
@@ -20,12 +20,13 @@ require (
require (
dario.cat/mergo v1.0.1 // indirect
- github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+ github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
+ github.com/BurntSushi/toml v1.4.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
- github.com/agnivade/levenshtein v1.1.1 // indirect
+ github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/alecthomas/chroma v0.10.0 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
@@ -34,13 +35,13 @@ require (
github.com/cespare/xxhash v1.1.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chzyer/readline v1.5.1 // indirect
- github.com/cloudflare/circl v1.3.7 // indirect
- github.com/containerd/containerd v1.7.21 // indirect
- github.com/containerd/errdefs v0.1.0 // indirect
+ github.com/cloudflare/circl v1.3.8 // indirect
+ github.com/containerd/containerd v1.7.23 // indirect
+ github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v0.2.1 // indirect
- github.com/containerd/typeurl/v2 v2.1.1 // indirect
- github.com/cyphar/filepath-securejoin v0.2.5 // indirect
+ github.com/containerd/platforms v1.0.0-rc.0 // indirect
+ github.com/containerd/typeurl/v2 v2.2.2 // indirect
+ github.com/cyphar/filepath-securejoin v0.3.4 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgraph-io/badger/v3 v3.2103.5 // indirect
github.com/dgraph-io/ristretto v0.1.1 // indirect
@@ -59,7 +60,7 @@ require (
github.com/go-logr/stdr v1.2.2 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
- github.com/golang/glog v1.2.1 // indirect
+ github.com/golang/glog v1.2.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
@@ -69,11 +70,13 @@ require (
github.com/gookit/color v1.5.4 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+ github.com/hashicorp/errwrap v1.1.0 // indirect
+ github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.17.9 // indirect
+ github.com/klauspost/compress v1.17.11 // indirect
github.com/liamg/jfather v0.0.7 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
@@ -81,7 +84,7 @@ require (
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
- github.com/moby/buildkit v0.15.2 // indirect
+ github.com/moby/buildkit v0.17.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -89,12 +92,13 @@ require (
github.com/olekukonko/tablewriter v0.0.5 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
- github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+ github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/peterh/liner v1.2.2 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.20.1 // indirect
+ github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
@@ -121,31 +125,31 @@ require (
github.com/yashtewari/glob-intersection v0.2.0 // indirect
github.com/zclconf/go-cty v1.15.0 // indirect
go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
- go.opentelemetry.io/otel v1.28.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
+ go.opentelemetry.io/otel v1.31.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
- go.opentelemetry.io/otel/metric v1.28.0 // indirect
- go.opentelemetry.io/otel/sdk v1.28.0 // indirect
- go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/otel/metric v1.31.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.31.0 // indirect
+ go.opentelemetry.io/otel/trace v1.31.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.uber.org/automaxprocs v1.5.3 // indirect
go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/crypto v0.28.0 // indirect
+ golang.org/x/crypto v0.29.0 // indirect
golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
- golang.org/x/mod v0.21.0 // indirect
- golang.org/x/net v0.30.0 // indirect
- golang.org/x/sync v0.8.0 // indirect
- golang.org/x/sys v0.26.0 // indirect
- golang.org/x/term v0.25.0 // indirect
- golang.org/x/text v0.19.0 // indirect
- golang.org/x/time v0.6.0 // indirect
+ golang.org/x/mod v0.22.0 // indirect
+ golang.org/x/net v0.31.0 // indirect
+ golang.org/x/sync v0.9.0 // indirect
+ golang.org/x/sys v0.27.0 // indirect
+ golang.org/x/term v0.26.0 // indirect
+ golang.org/x/text v0.20.0 // indirect
+ golang.org/x/time v0.7.0 // indirect
golang.org/x/tools v0.26.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/grpc v1.65.0 // indirect
- google.golang.org/protobuf v1.34.2 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+ google.golang.org/grpc v1.67.1 // indirect
+ google.golang.org/protobuf v1.35.2 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 865bdca1..9996ad24 100644
--- a/go.sum
+++ b/go.sum
@@ -1,16 +1,18 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.0 h1:rbICA+XZFwrBef2Odk++0LjFvClNCJGRK+fsrP254Ts=
-github.com/Microsoft/hcsshim v0.12.0/go.mod h1:RZV12pcHCXQ42XnlQ3pz6FZfmrC1C+R4gaOHhRNML1g=
+github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
+github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -18,16 +20,16 @@ github.com/ProtonMail/go-crypto v1.1.0-alpha.2 h1:bkyFVUP+ROOARdgCiJzNQo2V2kiB97
github.com/ProtonMail/go-crypto v1.1.0-alpha.2/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
-github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY=
+github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek=
github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s=
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/trivy v0.55.1-0.20240920045012-1f9fc13da4a1 h1:73LIE4lUNO9QBo65hsWaTam85wAySri2mlQIza6fZXk=
-github.com/aquasecurity/trivy v0.55.1-0.20240920045012-1f9fc13da4a1/go.mod h1:Q/GQxnF41AI1oeeo68n18HFRn11Mkji5T8oZjQfbNk8=
+github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831 h1:Ol9LT6V3KXCwaJE6lyeOR+3NGgDyA0HOXvPtumz/dxA=
+github.com/aquasecurity/trivy v0.57.1-0.20241127185709-c238c515b831/go.mod h1:fURPZjqUDH08tYy/2EhU4k0uAOzXcPAJeM2O0Z6k0nU=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
@@ -54,33 +56,35 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
+github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
-github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
-github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
-github.com/containerd/containerd v1.7.21 h1:USGXRK1eOC/SX0L195YgxTHb0a00anxajOzgfN0qrCA=
-github.com/containerd/containerd v1.7.21/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g=
-github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
-github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
-github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
-github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
+github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
+github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
+github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
+github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
+github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
-github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/containerd/platforms v1.0.0-rc.0 h1:GuHWSKgVVO3POn6nRBB4sH63uPOLa87yuuhsGLWaXAA=
+github.com/containerd/platforms v1.0.0-rc.0/go.mod h1:T1XAzzOdYs3it7l073MNXyxRwQofJfqwi/8cRjufIk4=
+github.com/containerd/typeurl/v2 v2.2.2 h1:3jN/k2ysKuPCsln5Qv8bzR9cxal8XjkxPogJfSNO31k=
+github.com/containerd/typeurl/v2 v2.2.2/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E=
-github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
+github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
+github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
-github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
+github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -92,14 +96,14 @@ github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkz
github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y=
github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
-github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
+github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -156,8 +160,8 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
-github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
+github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -173,7 +177,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -189,7 +192,6 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -202,6 +204,11 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
@@ -217,8 +224,8 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -256,18 +263,18 @@ github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTS
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.15.2 h1:DnONr0AoceTWyv+plsQ7IhkSaj+6o0WyoaxYPyTFIxs=
-github.com/moby/buildkit v0.15.2/go.mod h1:Yis8ZMUJTHX9XhH9zVyK2igqSHV3sxi3UN0uztZocZk=
+github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U=
+github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
-github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
@@ -293,14 +300,16 @@ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2sz
github.com/owenrumney/squealer v1.2.5 h1:zxaDuYTTwqyOlh6koqE57SZ1TdKX06Khu3HSofFMi7M=
github.com/owenrumney/squealer v1.2.5/go.mod h1:lTHxnEfjl8y3QIQpoawfl/Bpe9A7SYKptgKSNtzkHOw=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/peterh/liner v1.2.2 h1:aJ4AOodmL+JxOZZEL2u9iJf8omNRpqHc/EbrK+3mAXw=
github.com/peterh/liner v1.2.2/go.mod h1:xFwJyiKIXJZUKItq5dGHZSTBRAuG/CpeNpWLyiNRNwI=
github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -308,8 +317,8 @@ github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.20.1 h1:IMJXHOD6eARkQpxo8KkhgEVFlBNm+nkrFUyGlIu7Na8=
-github.com/prometheus/client_golang v1.20.1/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@@ -367,25 +376,22 @@ github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
-github.com/testcontainers/testcontainers-go v0.33.0 h1:zJS9PfXYT5O0ZFXM2xxXfk4J5UMw/kRiISng037Gxdw=
-github.com/testcontainers/testcontainers-go v0.33.0/go.mod h1:W80YpTa8D5C3Yy16icheD01UTDu+LmXIA2Keo+jWtT8=
-github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0 h1:AhbUGUjneEnMyTV5aTsPYzDiAWrba1duPtiV+Z9CKdY=
-github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0/go.mod h1:J5vMq1fXXiTfwcJplMClHhn+j8+MbIMv7Lic4d9E8qU=
+github.com/testcontainers/testcontainers-go v0.34.0 h1:5fbgF0vIN5u+nD3IWabQwRybuB4GY8G2HHgCkbMzMHo=
+github.com/testcontainers/testcontainers-go v0.34.0/go.mod h1:6P/kMkQe8yqPHfPWNulFGdFHTD8HB2vLq/231xY2iPQ=
+github.com/testcontainers/testcontainers-go/modules/localstack v0.34.0 h1:WkjVmea0XQyGTY10Er8fOsVjHQ77iJCmTExnx6fC3Tw=
+github.com/testcontainers/testcontainers-go/modules/localstack v0.34.0/go.mod h1:rTo76O/BBeAtfazMQqLvfwBrntBBwDP7/+Z60dm3e9U=
github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4=
github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5IJePewFCGVEa0=
github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4=
@@ -415,20 +421,20 @@ github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmB
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
+go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
+go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
+go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
+go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
+go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
+go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
@@ -442,8 +448,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
@@ -452,8 +458,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -464,8 +470,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -473,8 +479,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -492,18 +498,18 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -526,18 +532,18 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg=
+google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -547,10 +553,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/test/rego/aws_ecs_test.go b/test/rego/aws_ecs_test.go
index 80903553..ad9ebf2a 100644
--- a/test/rego/aws_ecs_test.go
+++ b/test/rego/aws_ecs_test.go
@@ -129,8 +129,8 @@ var awsEcsTestCases = testCases{
Metadata: trivyTypes.NewTestMetadata(),
Name: trivyTypes.String("my_service", trivyTypes.NewTestMetadata()),
Image: trivyTypes.String("my_image", trivyTypes.NewTestMetadata()),
- CPU: trivyTypes.Int(2, trivyTypes.NewTestMetadata()),
- Memory: trivyTypes.Int(256, trivyTypes.NewTestMetadata()),
+ CPU: trivyTypes.String("2", trivyTypes.NewTestMetadata()),
+ Memory: trivyTypes.String("256", trivyTypes.NewTestMetadata()),
Essential: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
Environment: []ecs.EnvVar{
{
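Review bot: The fixture's `CPU` and `Memory` are now the strings `"2"` and `"256"` instead of integers, so any rego check fed by this test case that compares these fields against a threshold must convert first (`to_number(container.Memory) < 512`), otherwise the comparison is lexicographic and `"256" < "64"` holds, which would make a limit check pass or fail for the wrong reason. The type change is presumably a follow-on to the `ecs.ContainerDefinition` field types in the bumped trivy dependency; it would be worth confirming that the corresponding policy input schema and any check doing arithmetic on these fields were updated in the same change, since a fixture that only echoes the values would not catch a regression. The enclosing `awsEcsTestCases` declaration starts before and ends after this hunk.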
diff --git a/test/rego/rego_checks_test.go b/test/rego/rego_checks_test.go
index df8311b0..1d34ba04 100644
--- a/test/rego/rego_checks_test.go
+++ b/test/rego/rego_checks_test.go
@@ -9,7 +9,6 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/rego"
"github.com/aquasecurity/trivy/pkg/iac/rules"
"github.com/aquasecurity/trivy/pkg/iac/scan"
- "github.com/aquasecurity/trivy/pkg/iac/scanners/options"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
ruleTypes "github.com/aquasecurity/trivy/pkg/iac/types/rules"
@@ -35,7 +34,7 @@ func addTests(tc testCases) {
func TestRegoChecks(t *testing.T) {
regoScanner := rego.NewScanner(
trivyTypes.SourceCloud,
- options.ScannerWithFrameworks(framework.CIS_AWS_1_2, framework.CIS_AWS_1_4, framework.Default),
+ rego.WithFrameworks(framework.CIS_AWS_1_2, framework.CIS_AWS_1_4, framework.Default),
rego.WithPolicyDirs("."),
rego.WithEmbeddedLibraries(true),
)