Merge branch 'main' into go2rego-azure-1

aquasecurity · Aug 20, 2024 · 0f4a7c9 · 0f4a7c9
2 parents da443a2 + 557796e
commit 0f4a7c9
Show file tree

Hide file tree

Showing 86 changed files with 1,751 additions and 1,118 deletions.
diff --git a/avd_docs/github/branchprotections/AVD-GIT-0004/Terraform.md b/avd_docs/github/branchprotections/AVD-GIT-0004/Terraform.md
@@ -0,0 +1,16 @@
+
+Require signed commits
+
+```hcl
+ resource "github_branch_protection" "good_example" {
+   repository_id = "example"
+   pattern       = "main"
+
+   require_signed_commits = true
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
+
diff --git a/avd_docs/github/branchprotections/AVD-GIT-0004/docs.md b/avd_docs/github/branchprotections/AVD-GIT-0004/docs.md
@@ -0,0 +1,20 @@
+
+GitHub branch protection should be set to require signed commits.
+
+You can do this by setting the <code>require_signed_commits</code> attribute to 'true'.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection#require_signed_commits
+
+- https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
+
+- https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits
+
+
diff --git a/avd_docs/github/environmentsecrets/AVD-GIT-0002/Terraform.md b/avd_docs/github/environmentsecrets/AVD-GIT-0002/Terraform.md
@@ -0,0 +1,18 @@
+
+Do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable.
+
+```hcl
+resource "github_actions_environment_secret" "good_example" {
+	repository       = "my repository name"
+	environment       = "my environment"
+	secret_name       = "my secret name"
+	encrypted_value   = var.some_encrypted_secret_string
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+
+ - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+
diff --git a/avd_docs/github/environmentsecrets/AVD-GIT-0002/docs.md b/avd_docs/github/environmentsecrets/AVD-GIT-0002/docs.md
@@ -0,0 +1,16 @@
+
+For the purposes of security, the contents of the plaintext_value field have been marked as sensitive to Terraform, but this does not hide it from state files. State should be treated as sensitive always.
+
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+
+- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+
+
diff --git a/avd_docs/github/repositories/AVD-GIT-0001/docs.md b/avd_docs/github/repositories/AVD-GIT-0001/docs.md
@@ -1,10 +1,11 @@
 
-Github repository should be set to be private.
+GitHub repository should be set to be private.
 
 You can do this by either setting <code>private</code> attribute to 'true' or <code>visibility</code> attribute to 'internal' or 'private'.
 
+
 ### Impact
-Anyone can read the contents of the GitHub repository and leak IP
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/github/repositories/AVD-GIT-0003/docs.md b/avd_docs/github/repositories/AVD-GIT-0003/docs.md
@@ -3,8 +3,9 @@ GitHub repository should be set to use vulnerability alerts.
 
 You can do this by setting the <code>vulnerability_alerts</code> attribute to 'true'.
 
+
 ### Impact
-Known vulnerabilities may not be discovered
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/google/bigquery/AVD-GCP-0046/docs.md b/avd_docs/google/bigquery/AVD-GCP-0046/docs.md
@@ -1,8 +1,9 @@
 
 Using 'allAuthenticatedUsers' provides any GCP user - even those outside of your organisation - access to your BigQuery dataset.
 
+
 ### Impact
-Exposure of sensitive data to the public iniernet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/google/dns/AVD-GCP-0012/docs.md b/avd_docs/google/dns/AVD-GCP-0012/docs.md
@@ -1,8 +1,9 @@
 
 RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512
 
+
 ### Impact
-Less secure encryption algorithm than others available
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/google/dns/AVD-GCP-0013/docs.md b/avd_docs/google/dns/AVD-GCP-0013/docs.md
@@ -1,8 +1,9 @@
 
 DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.
 
+
 ### Impact
-Unverified DNS responses could lead to man-in-the-middle attacks
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/google/kms/AVD-GCP-0065/docs.md b/avd_docs/google/kms/AVD-GCP-0065/docs.md
@@ -1,8 +1,9 @@
 
 Keys should be rotated on a regular basis to limit exposure if a given key should become compromised.
 
+
 ### Impact
-Exposure is greater if the same keys are used over a long period
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md b/avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md
@@ -1,10 +1,11 @@
 
+Removing verified record of TXT auth the risk that
 
-Removing verified record of TXT auth the risk that 
 If the authentication record remains, anyone can register the zone
 
+
 ### Impact
-Risk of DNS records be used by others
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0016/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0016/docs.md
@@ -1,8 +1,9 @@
 
 Need to add a security group to your router.
 
+
 ### Impact
-A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0017/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0017/docs.md
@@ -1,8 +1,9 @@
 
 When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
 
+
 ### Impact
-The common private network is shared with other users
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0018/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0018/docs.md
@@ -1,8 +1,9 @@
 
 Need to add a security group to your vpnGateway.
 
+
 ### Impact
-A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0019/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0019/docs.md
@@ -1,8 +1,9 @@
 
 When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
 
+
 ### Impact
-The common private network is shared with other users
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0020/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0020/docs.md
@@ -1,8 +1,9 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
+
 ### Impact
-The SSL policy is outdated and has known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/network/AVD-NIF-0021/docs.md b/avd_docs/nifcloud/network/AVD-NIF-0021/docs.md
@@ -3,8 +3,9 @@ Plain HTTP is unencrypted and human-readable. This means that if a malicious act
 
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-Your traffic is not protected
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md b/avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md
@@ -1,13 +1,15 @@
 
-
 Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be
-deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the 
+
+deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the
+
 credibility of the application/website behind the L4LB. As a best practice, it is
+
 recommended to delete expired certificates.
-			
+
 
 ### Impact
-Risk of misconfiguration and damage to credibility
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets.go b/checks/cloud/github/actions/no_plain_text_action_secrets.go
@@ -28,7 +28,8 @@ var CheckNoPlainTextActionEnvironmentSecrets = rules.Register(
 			Links:               terraformNoPlainTextActionSecretsLinks,
 			RemediationMarkdown: terraformNoPlainTextActionSecretsRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, environmentSecret := range s.GitHub.EnvironmentSecrets {

diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets.rego b/checks/cloud/github/actions/no_plain_text_action_secrets.rego
@@ -0,0 +1,39 @@
+# METADATA
+# title: Ensure plaintext value is not used for GitHub Action Environment Secret.
+# description: |
+#   For the purposes of security, the contents of the plaintext_value field have been marked as sensitive to Terraform, but this does not hide it from state files. State should be treated as sensitive always.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+#   - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+# custom:
+#   id: AVD-GIT-0002
+#   avd_id: AVD-GIT-0002
+#   provider: github
+#   service: environmentsecrets
+#   severity: HIGH
+#   short_code: no-plain-text-action-secrets
+#   recommended_action: Do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable.
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: environmentsecrets
+#             provider: github
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+#       - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+#     good_examples: checks/cloud/github/actions/no_plain_text_action_secrets.tf.go
+#     bad_examples: checks/cloud/github/actions/no_plain_text_action_secrets.tf.go
+package builtin.github.actions.github0002
+
+import rego.v1
+
+deny contains res if {
+	some secret in input.github.environmentsecrets
+	secret.plaintextvalue.value != ""
+	res := result.new("Secret has plain text value", secret.plaintextvalue)
+}
diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets_test.go b/checks/cloud/github/actions/no_plain_text_action_secrets_test.go
diff --git a/checks/cloud/github/actions/no_plain_text_action_secrets_test.rego b/checks/cloud/github/actions/no_plain_text_action_secrets_test.rego
@@ -0,0 +1,20 @@
+package builtin.github.actions.github0002_test
+
+import rego.v1
+
+import data.builtin.github.actions.github0002 as check
+import data.lib.test
+
+test_allow_secret_without_plain_text if {
+	inp := {"github": {"environmentsecrets": [{"plaintextvalue": {"value": ""}}]}}
+
+	res := check.deny with input as inp
+	res == set()
+}
+
+test_deny_secret_with_plain_text if {
+	inp := {"github": {"environmentsecrets": [{"plaintextvalue": {"value": "secret"}}]}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
diff --git a/checks/cloud/github/branch_protections/require_signed_commits.go b/checks/cloud/github/branch_protections/require_signed_commits.go
@@ -31,7 +31,8 @@ You can do this by setting the <code>require_signed_commits</code> attribute to
 			Links:               terraformRequireSignedCommitsLinks,
 			RemediationMarkdown: terraformRequireSignedCommitsRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, branchProtection := range s.GitHub.BranchProtections {