actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.14.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
...
compare: actions:0.18.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

9 Commits
0.14.0 ... 0.18.0

Author SHA1 Message Date
cococig
062f259268 fix: Refer to scan-ref when scan-type is "sbom" (#314) 2024-02-22 14:28:04 -07:00
Maxime Durand
1f6384b6ce docs(report): improve documentation around Using Trivy to generate SBOM and sending it to Github (#307) 
* Improved documentation with details on how to send output as an artifact on Github and giving an example of a private image scan

* formatting

* better name for job
 2024-02-13 15:20:36 -07:00
Kyle Davies
84384bd6e7 Upgraded Trivy from 0.48.1 to v0.49.0 (#304) 2024-02-05 18:54:03 -07:00
Simão Silva
f3d98514b0 fix: Fix skip-files and hide-progress options not being applied when using Sarif report format (#297) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2024-01-14 14:28:49 -07:00
DmitriyLewen
0b9d17b6b5 docs: add configuration info for flags not supported by inputs (#296) 
* docs: add information about configuration flags not supported by inputs

* docs: add env and config file to Customizing
 2024-01-11 15:13:21 -07:00
Lucas Bickel
d43c1f16c0 docs: fix typo in README.md (#293) 
Signed-off-by: Lucas Bickel <hairmare@purplehaze.ch>
 2024-01-02 17:53:48 -07:00
Martin Kemp
5f1841df8d Update Trivy to 0.48.1 (#291) 
* Update Trivy to 0.48.1

Signed-off-by: Martin Kemp <me@martinke.mp>

* update tests

---------

Signed-off-by: Martin Kemp <me@martinke.mp>
Co-authored-by: Simar <simar@linux.com>
 2024-01-02 17:51:04 -07:00
Ivan Santos
91713af97d Update to trivy version 0.48.0 (#289) 
* Update to trivy version 0.48.0

 

---------

Signed-off-by: Simar <simar@linux.com>
Co-authored-by: Simar <simar@linux.com>
 2023-12-08 11:08:35 -07:00
Kyle Davies
22d2755f77 feature(config): add terraform variable files (#285) 
* Action now takes an input for terraform variable filess

* added tf-vars

* updated README.md

* Updated yamlconfig test to latest version of trivy output for that container

* updated for correct cpu type

* test trivy version change to 0.45.0

* run scan with correct parameters

* Added test for terraform tfvars

* Updated output for other tests

* use test data as path and updated tf vars to be relative

* removed quiet
 2023-12-04 16:27:47 -07:00
15 changed files with 1903 additions and 48 deletions
Expand all files Collapse all files

4
.github/workflows/build.yaml vendored
View File

@@ -1,7 +1,7 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.45.0
TRIVY_VERSION: 0.49.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
@@ -25,4 +25,4 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM ghcr.io/aquasecurity/trivy:0.47.0
FROM ghcr.io/aquasecurity/trivy:0.49.0
COPY entrypoint.sh /
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh

113
README.md
View File

@@ -79,6 +79,8 @@ In this case `trivy.yaml` is a YAML configuration that is checked in as part of
format: json
exit-code: 1
severity: CRITICAL
secret:
config: config/trivy/secret.yaml
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
@@ -86,7 +88,7 @@ It is possible to define all options in the `trivy.yaml` file. Specifying indivi
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of prerference for options
#### Order of preference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
@@ -335,6 +337,49 @@ jobs:
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
```
When scanning images you may want to parse the actual output JSON as Github Dependency doesn't show all details like the file path of each dependency for instance.
You can upload the report as an artifact and download it, for instance using the [upload-artifact action](https://github.com/actions/upload-artifact):
```yaml
---
name: Pull Request
on:
push:
branches:
- main
## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
permissions:
contents: write
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Scan image in a private registry
uses: aquasecurity/trivy-action@master
with:
image-ref: "private_image_registry/image_name:image_tag"
scan-type: image
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
env:
TRIVY_USERNAME: "image_registry_admin_username"
TRIVY_PASSWORD: "image_registry_admin_password"
- name: Upload trivy report as a Github artifact
uses: actions/upload-artifact@v4
with:
name: trivy-sbom-report
path: '${{ github.workspace }}/dependency-results.sbom.json'
retention-days: 20 # 90 is the default
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
@@ -479,35 +524,49 @@ jobs:
## Customizing
Configuration priority:
- [Inputs](#inputs)
- [Environment variables](#environment-variables)
- [Trivy config file](#trivy-config-file)
- Default values
### inputs
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
| Name | Type | Default | Description |
|------------------------------|---------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `tf-vars` | String | | path to Terraform variables file |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `scanners` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `trivy-config` | String | | Path to trivy.yaml config |
| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
| `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
### Environment variables
You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
### Trivy config file
When using the `trivy-config` [Input](#inputs), you can set options using the [Trivy config file][trivy-config] (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
@@ -515,3 +574,5 @@ Following inputs can be used as `step.with` keys:
[marketplace-img]: https://img.shields.io/badge/marketplace-trivy--action-blue?logo=github
[license]: https://github.com/aquasecurity/trivy-action/blob/master/LICENSE
[license-img]: https://img.shields.io/github/license/aquasecurity/trivy-action
[trivy-env]: https://aquasecurity.github.io/trivy/latest/docs/configuration/#environment-variables
[trivy-config]: https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/

5
action.yaml
View File

@@ -88,6 +88,9 @@ inputs:
trivy-config:
description: 'path to trivy.yaml config'
required: false
tf-vars:
description: "path to terraform tfvars file"
required: false
limit-severities-for-sarif:
description: 'limit severities for SARIF format'
required: false
@@ -118,4 +121,6 @@ runs:
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
- '-x ${{ inputs.tf-vars }}'
- '-z ${{ inputs.limit-severities-for-sarif }}'

13
entrypoint.sh
View File

@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:x:z:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
v)
export trivyConfig=${OPTARG}
;;
x)
export tfVars=${OPTARG}
;;
z)
export limitSeveritiesForSARIF=${OPTARG}
;;
@@ -77,7 +80,7 @@ done
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "filesystem" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ] || [ "${scanType}" = "sbom" ];then
artifactRef=$(echo $scanRef | tr -d '\r')
fi
input=$(echo $input | tr -d '\r')
@@ -132,6 +135,10 @@ if [ $skipDirs ];then
SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
done
fi
if [ $tfVars ] && [ "$scanType" == "config" ];then
ARGS="$ARGS --tf-vars $tfVars"
fi
if [ $trivyIgnores ];then
for f in $(echo $trivyIgnores | tr "," "\n")
do
@@ -156,6 +163,7 @@ if [ $ignorePolicy ];then
fi
if [ "$hideProgress" == "true" ];then
ARGS="$ARGS --no-progress"
SARIF_ARGS="$SARIF_ARGS --no-progress"
fi
listAllPkgs=$(echo $listAllPkgs | tr -d '\r')
@@ -166,6 +174,7 @@ if [ "$skipFiles" ];then
for i in $(echo $skipFiles | tr "," "\n")
do
ARGS="$ARGS --skip-files $i"
SARIF_ARGS="$SARIF_ARGS --skip-files $i"
done
fi

504
test/data/config-sarif.test
View File

@@ -1,6 +1,6 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
@@ -23,8 +23,8 @@
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
"text": "Misconfiguration DS002\\nType: Dockerfile Security Check\\nSeverity: HIGH\\nCheck: Image user should not be 'root'\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\\n\\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
@@ -50,8 +50,8 @@
},
"helpUri": "https://avd.aquasec.com/misconfig/ds026",
"help": {
"text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
"text": "Misconfiguration DS026\\nType: Dockerfile Security Check\\nSeverity: LOW\\nCheck: No HEALTHCHECK defined\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
"markdown": "**Misconfiguration DS026**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\\n\\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
},
"properties": {
"precision": "very-high",
@@ -62,9 +62,252 @@
"LOW"
]
}
},
{
"id": "AVD-AWS-0086",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public ACL"
},
"fullDescription": {
"text": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"help": {
"text": "Misconfiguration AVD-AWS-0086\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public ACL\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"markdown": "**Misconfiguration AVD-AWS-0086**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)|\\n\\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0087",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public policy"
},
"fullDescription": {
"text": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"help": {
"text": "Misconfiguration AVD-AWS-0087\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should block public policy\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"markdown": "**Misconfiguration AVD-AWS-0087**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)|\\n\\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0088",
"name": "Misconfiguration",
"shortDescription": {
"text": "Unencrypted S3 bucket."
},
"fullDescription": {
"text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"help": {
"text": "Misconfiguration AVD-AWS-0088\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: Unencrypted S3 bucket.\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"markdown": "**Misconfiguration AVD-AWS-0088**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\\n\\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0089",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Bucket Logging"
},
"fullDescription": {
"text": "Ensures S3 bucket logging is enabled for S3 buckets"
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"help": {
"text": "Misconfiguration AVD-AWS-0089\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 Bucket Logging\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)\\nEnsures S3 bucket logging is enabled for S3 buckets",
"markdown": "**Misconfiguration AVD-AWS-0089**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)|\\n\\nEnsures S3 bucket logging is enabled for S3 buckets"
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0090",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Data should be versioned"
},
"fullDescription": {
"text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"help": {
"text": "Misconfiguration AVD-AWS-0090\\nType: Terraform Security Check\\nSeverity: MEDIUM\\nCheck: S3 Data should be versioned\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"markdown": "**Misconfiguration AVD-AWS-0090**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\\n\\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"misconfiguration",
"security",
"MEDIUM"
]
}
},
{
"id": "AVD-AWS-0091",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access Block should Ignore Public Acl"
},
"fullDescription": {
"text": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"help": {
"text": "Misconfiguration AVD-AWS-0091\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access Block should Ignore Public Acl\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"markdown": "**Misconfiguration AVD-AWS-0091**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not ignoring public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\\n\\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0093",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should restrict public bucket to limit access"
},
"fullDescription": {
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"help": {
"text": "Misconfiguration AVD-AWS-0093\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 Access block should restrict public bucket to limit access\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"markdown": "**Misconfiguration AVD-AWS-0093**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)|\\n\\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
},
{
"id": "AVD-AWS-0094",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
},
"fullDescription": {
"text": "The \u0026#34;block public access\u0026#34; settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"help": {
"text": "Misconfiguration AVD-AWS-0094\\nType: Terraform Security Check\\nSeverity: LOW\\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"markdown": "**Misconfiguration AVD-AWS-0094**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)|\\n\\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it."
},
"properties": {
"precision": "very-high",
"security-severity": "2.0",
"tags": [
"misconfiguration",
"security",
"LOW"
]
}
},
{
"id": "AVD-AWS-0132",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 encryption should use Customer Managed Keys"
},
"fullDescription": {
"text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"help": {
"text": "Misconfiguration AVD-AWS-0132\\nType: Terraform Security Check\\nSeverity: HIGH\\nCheck: S3 encryption should use Customer Managed Keys\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"markdown": "**Misconfiguration AVD-AWS-0132**\\n| Type | Severity | Check | Message | Link |\\n| --- | --- | --- | --- | --- |\\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\\n\\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.45.0"
"version": "0.48.1"
}
},
"results": [
@@ -73,7 +316,7 @@
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
"text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS002\\nSeverity: HIGH\\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
@@ -100,7 +343,7 @@
"ruleIndex": 1,
"level": "note",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
"text": "Artifact: Dockerfile\\nType: dockerfile\\nVulnerability DS026\\nSeverity: LOW\\nMessage: Add HEALTHCHECK instruction in your Dockerfile\\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
},
"locations": [
{
@@ -121,12 +364,255 @@
}
}
]
},
{
"ruleId": "AVD-AWS-0086",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0086\\nSeverity: HIGH\\nMessage: No public access block so not blocking public acls\\nLink: [AVD-AWS-0086](https://avd.aquasec.com/misconfig/avd-aws-0086)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0087",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0087\\nSeverity: HIGH\\nMessage: No public access block so not blocking public policies\\nLink: [AVD-AWS-0087](https://avd.aquasec.com/misconfig/avd-aws-0087)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0088",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0088\\nSeverity: HIGH\\nMessage: Bucket does not have encryption enabled\\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0089",
"ruleIndex": 5,
"level": "note",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0089\\nSeverity: LOW\\nMessage: Bucket has logging disabled\\nLink: [AVD-AWS-0089](https://avd.aquasec.com/misconfig/avd-aws-0089)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0090",
"ruleIndex": 6,
"level": "warning",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0090\\nSeverity: MEDIUM\\nMessage: Bucket does not have versioning enabled\\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 16,
"startColumn": 1,
"endLine": 16,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0091",
"ruleIndex": 7,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0091\\nSeverity: HIGH\\nMessage: No public access block so not ignoring public acls\\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0093",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0093\\nSeverity: HIGH\\nMessage: No public access block so not restricting public buckets\\nLink: [AVD-AWS-0093](https://avd.aquasec.com/misconfig/avd-aws-0093)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0094",
"ruleIndex": 9,
"level": "note",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0094\\nSeverity: LOW\\nMessage: Bucket does not have a corresponding public access block.\\nLink: [AVD-AWS-0094](https://avd.aquasec.com/misconfig/avd-aws-0094)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
},
{
"ruleId": "AVD-AWS-0132",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Artifact: test/data/main.tf\\nType: terraform\\nVulnerability AVD-AWS-0132\\nSeverity: HIGH\\nMessage: Bucket does not encrypt data with a customer managed key.\\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test/data/main.tf",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 8,
"startColumn": 1,
"endLine": 10,
"endColumn": 1
}
},
"message": {
"text": "test/data/main.tf"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
"uri": "file:///home/runner/work/trivy-action/trivy-action/"
}
}
}

612
test/data/config.test
View File

@@ -1,5 +1,6 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:12.036390742Z",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
@@ -78,6 +79,617 @@
}
}
]
},
{
"Target": "test/data",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "test/data/main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
"Message": "Bucket has logging disabled",
"Namespace": "builtin.aws.s3.aws0089",
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}

2
test/data/dev.tfvars Normal file
View File

@@ -0,0 +1,2 @@
# test data for trivy config with terraform variables
bucket_versioning_enabled="Enabled"

612
test/data/fs-scheck.test
View File

@@ -1,5 +1,6 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:15.166517221Z",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
@@ -78,6 +79,617 @@
}
}
]
},
{
"Target": "test/data",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "test/data/main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 9,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
"Message": "No public access block so not blocking public acls",
"Query": "data..",
"Resolution": "Enable blocking any PUT calls with a public ACL specified",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0086"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
"Message": "No public access block so not blocking public policies",
"Query": "data..",
"Resolution": "Prevent policies that allow public access being PUT",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0087",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0087"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
"Query": "data..",
"Resolution": "Configure bucket encryption",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0088",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0088"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket Logging",
"Description": "Ensures S3 bucket logging is enabled for S3 buckets",
"Message": "Bucket has logging disabled",
"Namespace": "builtin.aws.s3.aws0089",
"Query": "data.builtin.aws.s3.aws0089.deny",
"Resolution": "Add a logging block to the resource to enable access logging",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html",
"https://avd.aquasec.com/misconfig/avd-aws-0089"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
"Message": "Bucket does not have versioning enabled",
"Query": "data..",
"Resolution": "Enable versioning to protect against accidental/malicious removal or modification",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
"https://avd.aquasec.com/misconfig/avd-aws-0090"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Provider": "AWS",
"Service": "s3",
"StartLine": 16,
"EndLine": 16,
"Code": {
"Lines": [
{
"Number": 12,
"Content": "resource \"aws_s3_bucket_versioning\" \"bucket_versioning\" {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_versioning\"\u001b[0m \u001b[38;5;37m\"bucket_versioning\"\u001b[0m {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " bucket = aws_s3_bucket.bucket.id",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = aws_s3_bucket.bucket.id",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " versioning_configuration {",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " versioning_configuration {",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " status = var.bucket_versioning_enabled",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mstatus\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_versioning_enabled",
"FirstCause": true,
"LastCause": true
},
{
"Number": 17,
"Content": " }",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " }",
"FirstCause": false,
"LastCause": false
},
{
"Number": 18,
"Content": "}",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "}",
"FirstCause": false,
"LastCause": false
}
]
},
"Occurrences": [
{
"Resource": "versioning_configuration",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 15,
"EndLine": 17
}
},
{
"Resource": "aws_s3_bucket_versioning.bucket_versioning",
"Filename": "test/data/main.tf",
"Location": {
"StartLine": 12,
"EndLine": 18
}
}
]
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
"Message": "No public access block so not ignoring public acls",
"Query": "data..",
"Resolution": "Enable ignoring the application of public ACLs in PUT calls",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0091",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0091"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
"Query": "data..",
"Resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0093",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0093"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
"Query": "data..",
"Resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0094",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
"https://avd.aquasec.com/misconfig/avd-aws-0094"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
},
{
"Type": "Terraform Security Check",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
"Query": "data..",
"Resolution": "Enable encryption using customer managed keys",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
"References": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
"https://avd.aquasec.com/misconfig/avd-aws-0132"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Resource": "aws_s3_bucket.bucket",
"Provider": "AWS",
"Service": "s3",
"StartLine": 8,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": "resource \"aws_s3_bucket\" \"bucket\" {",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket\"\u001b[0m \u001b[38;5;37m\"bucket\"\u001b[0m {",
"FirstCause": true,
"LastCause": false
},
{
"Number": 9,
"Content": " bucket = \"trivy-action-bucket\"",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;245mbucket\u001b[0m = \u001b[38;5;37m\"trivy-action-bucket\"",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": "}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m}",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}

2
test/data/image-sarif.test
View File

@@ -74,4 +74,4 @@
}
}
]
}
}

18
test/data/main.tf Normal file
View File

@@ -0,0 +1,18 @@
# test data for trivy config with terraform variables
variable "bucket_versioning_enabled" {
type = string
default = "Disabled"
}
resource "aws_s3_bucket" "bucket" {
bucket = "trivy-action-bucket"
}
resource "aws_s3_bucket_versioning" "bucket_versioning" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = var.bucket_versioning_enabled
}
}

1
test/data/repo.test
View File

@@ -1,5 +1,6 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:04.647712097Z",
"ArtifactName": "https://github.com/krol3/demo-trivy/",
"ArtifactType": "repository",
"Metadata": {

40
test/data/tfvars.test Normal file
View File

@@ -0,0 +1,40 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T16:27:32.841193-07:00",
"ArtifactName": "test/data",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": ".",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 2,
"Failures": 0,
"Exceptions": 0
}
},
{
"Target": "main.tf",
"Class": "config",
"Type": "terraform",
"MisconfSummary": {
"Successes": 1,
"Failures": 0,
"Exceptions": 0
}
}
]
}

15
test/data/yamlconfig.test
View File

@@ -1,5 +1,6 @@
{
"SchemaVersion": 2,
"CreatedAt": "2024-01-02T23:40:21.039454971Z",
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
@@ -76,7 +77,7 @@
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Title": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash",
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
@@ -98,15 +99,15 @@
"https://access.redhat.com/security/cve/CVE-2021-36159",
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2021-36159",
"https://www.cve.org/CVERecord?id=CVE-2021-36159"
],
"PublishedDate": "2021-08-03T14:15:00Z",
"LastModifiedDate": "2021-10-18T12:19:00Z"
"PublishedDate": "2021-08-03T14:15:08.233Z",
"LastModifiedDate": "2023-11-07T03:36:43.337Z"
}
]
}

8
test/test.bats
View File

@@ -81,3 +81,11 @@ bats_load_library bats-file
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}
@test "trivy config with terraform variables" {
# trivy config --format json --severity MEDIUM --output tfvars.test --tf-vars ./test/data/dev.tfvars ./test/data
run ./entrypoint.sh "-a config" "-j ./test/data" "-h tfvars.test" "-g MEDIUM" "-x dev.tfvars" "-b json"
run diff tfvars.test ./test/data/tfvars.test
echo "$output"
assert_files_equal tfvars.test ./test/data/tfvars.test
}