This repository has been archived by the owner on Feb 14, 2024. It is now read-only.

chore: Pre-Commit dependencies update #383

Merged
merged 2 commits into from
Dec 13, 2023

Conversation

github-actions[bot]
Contributor

@github-actions github-actions bot commented Oct 1, 2023

Pre-Commit Dependencies updates required

There are pre-commit dependencies waiting to be updated. Please see the Files changed tab for details.

Please check results of pre-commit test run with these updates in comments below.

Generated automatically with GitHub Actions

@github-actions github-actions bot requested a review from a team as a code owner October 1, 2023 01:26
@github-actions
Contributor Author

github-actions bot commented Oct 1, 2023

👍 🚀 😄 The Pre Commit test run succeeded. See results here.

@sebastianczech
Contributor

sebastianczech commented Oct 2, 2023

I checked the pre-commit results and, before we merge that PR, I propose to resolve the Checkov issues detected in the asg module and the new one in the bootstrap module after the pre-commit update:

  • Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
  • Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  • Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
  • Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"

For asg module we already have an issue for that #238.

If in near future we are going to resolve Checkov issues, we can wait with that PR.
If not, let's merge it without waiting to resolve it and let's resolve them separately.

@sebastianczech
Contributor

sebastianczech commented Oct 19, 2023

/sca

Testing job ID: 6575170189
Job result: SUCCESS

@github-actions github-actions bot force-pushed the pre-commit-dependencies-update branch from 6e94c47 to cafb4c2 Compare November 1, 2023 01:25
@pimielowski
Contributor

pimielowski commented Nov 16, 2023

/sca

Testing job ID: 6889461118
Job result: SUCCESS

@pimielowski pimielowski self-requested a review November 16, 2023 10:31
@pimielowski
Contributor

I checked the pre-commit results and, before we merge that PR, I propose to resolve the Checkov issues detected in the asg module and the new one in the bootstrap module after the pre-commit update:

  • Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
  • Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  • Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
  • Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"

For asg module we already have an issue for that #238.

If in near future we are going to resolve Checkov issues, we can wait with that PR. If not, let's merge it without waiting to resolve it and let's resolve them separately.

I created a fix for the CKV2_AWS_65 issue: #410

@github-actions github-actions bot force-pushed the pre-commit-dependencies-update branch from cafb4c2 to 6a037fe Compare December 1, 2023 01:26
@sebastianczech
Contributor

sebastianczech commented Dec 12, 2023

/sca

Testing job ID: 7182377953
Job result: FAILURE

… cannot import name 'sha1sum' from 'cyclonedx.model'
@sebastianczech
Contributor

sebastianczech commented Dec 12, 2023

/sca

Testing job ID: 7182436222
Job result: SUCCESS

@sebastianczech
Contributor

sebastianczech commented Dec 12, 2023

I updated that PR to Checkov 3.1.33 as there is an issue in 3.1.20: ImportError: cannot import name 'sha1sum' from 'cyclonedx.model'

Then I checked new Checkov issues after update of pre-commit configuration:

  • for the errors below we already have an issue: Enhance IAM role in ASG module #238
    • Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    • Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    • Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    • Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
  • for the new errors I've opened a new issue: Fix GitHub workflows security issues #414
    • Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    • Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "

In my opinion we can merge that PR and improve code in dedicated issues.
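
As an added illustration (not code from this repository or from the people in the thread), the Terraform shape that CKV_AWS_289/290/355 and CKV_AWS_364 report, beside a constrained form that scopes write and permission-management actions to named resources and pins a Lambda service permission to one source ARN. The resource names (aws_s3_bucket.bootstrap, aws_iam_role.instance, aws_lambda_function.lifecycle, aws_autoscaling_group.asg) are placeholders.

```hcl
# Flagged pattern: write and permission-management actions granted
# against every resource ("*"), which is what the three IAM checks report.
data "aws_iam_policy_document" "weak" {
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "iam:PassRole", "ec2:RunInstances"]
    resources = ["*"]
  }
}

# Constrained form: each statement names the resources it really needs.
data "aws_iam_policy_document" "constrained" {
  # Write access scoped to the objects of one (placeholder) bucket.
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${aws_s3_bucket.bootstrap.arn}/*"]
  }
  # Read-only Describe calls cannot be resource-scoped; "*" is acceptable here.
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]
  }
  # Permission management (iam:PassRole) limited to one role and one service.
  statement {
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.instance.arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}

# CKV_AWS_364: a service principal allowed to invoke the function is
# restricted with source_arn, so only the placeholder ASG can trigger it.
resource "aws_lambda_permission" "from_autoscaling" {
  statement_id  = "AllowExecutionFromAutoScaling"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lifecycle.function_name
  principal     = "autoscaling.amazonaws.com"
  source_arn    = aws_autoscaling_group.asg.arn
}
```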

@sebastianczech sebastianczech merged commit 6d0e4c4 into main Dec 13, 2023
5 checks passed
@sebastianczech sebastianczech deleted the pre-commit-dependencies-update branch December 13, 2023 07:43