Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(misconf): do not filter Terraform plan JSON by name #7406

Merged
merged 2 commits into from
Aug 29, 2024

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Aug 27, 2024

Description

Terraform Plan JSON is detected by content, so filtering files by name is unnecessary.

Related issues

Before

ls
test.json

trivy conf .
2024-08-27T15:57:44+06:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T15:57:44+06:00	INFO	Detected config files	num=0

After

ls
test.json trivy

./trivy conf .
2024/08/27 15:58:35 WARN Check ID is empty file_path=lib/kubernetes/utils.rego
2024/08/27 15:58:35 WARN Check ID is empty file_path=lib/docker/docker.rego
2024/08/27 15:58:35 WARN Check ID is empty file_path=lib/kubernetes/kubernetes.rego
2024-08-27T15:58:35+06:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T15:58:35+06:00	INFO	[terraform scanner] Scanning root modulefile_path="."
2024-08-27T15:58:35+06:00	INFO	Detected config files	num=2

main.tf (terraformplan)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────────────────────────────────────────────
 main.tf:8
   via main.tf:5-9 (metadata_options)
    via main.tf:1-10 (aws_instance.bad_example)
────────────────────────────────────────────────────────────────────────────────
   1   resource "aws_instance" "bad_example" {
   2   	ami = "ami-005e54dee72cc1d00"
   3   	instance_type = "t2.micro"
   4   	source_dest_check = true
   5   	metadata_options {
   6   	http_endpoint = "enabled"
   7   	http_protocol_ipv6 = "disabled"
   8 [ 	http_tokens = "optional"
   9   	}
  10   }
────────────────────────────────────────────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────────────────────────────────────────────
 main.tf:1-10
────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_instance" "bad_example" {
   2 │ 	ami = "ami-005e54dee72cc1d00"
   3 │ 	instance_type = "t2.micro"
   4 │ 	source_dest_check = true
   5 │ 	metadata_options {
   6 │ 	http_endpoint = "enabled"
   7 │ 	http_protocol_ipv6 = "disabled"
   8 │ 	http_tokens = "optional"
   9 │ 	}
  10 └ }
───────────────────────────────────────────────────────────────────────────────

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin nikpivkin marked this pull request as ready for review August 27, 2024 10:23
@simar7
Copy link
Member

simar7 commented Aug 27, 2024

Can we also add a test for this case?

@nikpivkin
Copy link
Contributor Author

@simar7 Added a test case 5b4ad73

Signed-off-by: nikpivkin <[email protected]>
@simar7 simar7 enabled auto-merge August 28, 2024 23:24
@simar7 simar7 disabled auto-merge August 28, 2024 23:25
@simar7 simar7 enabled auto-merge August 28, 2024 23:34
@simar7 simar7 self-requested a review August 28, 2024 23:51
@simar7 simar7 added this pull request to the merge queue Aug 28, 2024
Merged via the queue into aquasecurity:main with commit 9d7264a Aug 29, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

fix(misconf): Improve filtering of terraform JSON
2 participants