From 9b4fcb7c1cb6fd9871ed814415b8369e2702f5e1 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 11:15:20 -0400 Subject: [PATCH 1/9] Removing HIGH issues in tfsec --- modules/aws_s3/tf_module/bucket.tf | 3 +++ modules/aws_ses/tf_module/main.tf | 6 ++++-- modules/aws_sqs/tf_module/main.tf | 6 ++++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/aws_s3/tf_module/bucket.tf b/modules/aws_s3/tf_module/bucket.tf index 0a3896247..7de4a80ec 100644 --- a/modules/aws_s3/tf_module/bucket.tf +++ b/modules/aws_s3/tf_module/bucket.tf @@ -68,6 +68,9 @@ resource "aws_s3_bucket_cors_configuration" "bucket" { } } +#Ignore this because in Opta we made a user-friendly +#choice of automatic cloud-provider key management +#tfsec:ignore:aws-s3-encryption-customer-key resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" { bucket = aws_s3_bucket.bucket.id rule { diff --git a/modules/aws_ses/tf_module/main.tf b/modules/aws_ses/tf_module/main.tf index 1f6aa5cee..8281c26ec 100644 --- a/modules/aws_ses/tf_module/main.tf +++ b/modules/aws_ses/tf_module/main.tf @@ -60,8 +60,10 @@ resource "aws_route53_record" "amazonses_dkim_record" { data "aws_iam_policy_document" "sender" { statement { - sid = "SendEmail" - actions = ["ses:Send*"] + sid = "SendEmail" + #tfsec:ignore:aws-iam-no-policy-wildcards + actions = ["ses:Send*"] + #tfsec:ignore:aws-iam-no-policy-wildcards resources = ["*"] condition { test = "StringLike" diff --git a/modules/aws_sqs/tf_module/main.tf b/modules/aws_sqs/tf_module/main.tf index 22f956c45..de110f00a 100644 --- a/modules/aws_sqs/tf_module/main.tf +++ b/modules/aws_sqs/tf_module/main.tf @@ -42,10 +42,11 @@ data "aws_iam_policy_document" "sqs_queue_policy" { } statement { + # Accept the risk + #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents actions = [ "SQS:*" ] - effect = "Allow" principals { 
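Review bot: The justification placed above `resource "aws_s3_bucket_server_side_encryption_configuration" "bucket"` explains the product decision but not the security posture that results, which is what the next reader of a suppressed HIGH finding needs to know. I would extend it to say what remains in force, e.g. `# Buckets stay encrypted at rest with an AWS-managed key; only a customer-managed KMS key (CMK) is deliberately not used.` — assuming the `rule {` block, whose body continues outside the hunk, configures an AWS-managed algorithm. tfsec also accepts an expiry suffix on ignore directives (`#tfsec:ignore:aws-s3-encryption-customer-key:exp:YYYY-MM-DD`), which is useful if the team wants this exception revisited rather than permanent.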
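Review bot: Both `#tfsec:ignore:aws-iam-no-policy-wildcards` lines in the `sender` statement are bare, with no rationale, unlike the suppressions this same patch adds in the s3 and sqs modules; and the first one is avoidable, because `ses:Send*` can be replaced by the explicit send actions this sender needs (for example `ses:SendEmail` and `ses:SendRawEmail`), which removes the finding instead of hiding it. The `resources = ["*"]` wildcard is bounded by the `condition { test = "StringLike" ... }` block that follows, and that is the justification worth writing next to the directive, e.g. `# Resource wildcard is scoped by the StringLike condition below`. Confirm that the condition's key and values, which are outside the visible part of the hunk, really constrain the grant to the intended identity.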
@@ -61,10 +62,11 @@ data "aws_iam_policy_document" "sqs_queue_policy" { } statement { + # Accept the risk + #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents actions = [ "SQS:*" ] - effect = "Allow" principals { From 140e5e4140efed059596ba10e1f27333c43ece19 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 11:29:51 -0400 Subject: [PATCH 2/9] Added tfsec ignores --- modules/aws_sqs/tf_module/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/aws_sqs/tf_module/main.tf b/modules/aws_sqs/tf_module/main.tf index de110f00a..1799f7913 100644 --- a/modules/aws_sqs/tf_module/main.tf +++ b/modules/aws_sqs/tf_module/main.tf @@ -24,6 +24,8 @@ data "aws_iam_policy_document" "sqs_queue_policy" { statement { actions = [ + # Accept the risk + #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents "SQS:*" ] @@ -80,4 +82,4 @@ data "aws_iam_policy_document" "sqs_queue_policy" { sid = "events_access" } -} +} \ No newline at end of file From 1cfbcaec0c9276b6d39a0a7eb6c873e1d8d13a49 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:15:43 -0400 Subject: [PATCH 3/9] Github actions adjustment 1 --- config/tfsecconfig.yaml | 86 ++++++++++++++++++++----------------- scripts/securityreporter.py | 2 +- 2 files changed, 47 insertions(+), 41 deletions(-) diff --git a/config/tfsecconfig.yaml b/config/tfsecconfig.yaml index 5db643adc..3144ab8c1 100644 --- a/config/tfsecconfig.yaml +++ b/config/tfsecconfig.yaml 
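Review bot: The ignore directive is placed inside the list literal, between `actions = [` and `"SQS:*"`, whereas the same suppression added to the other two statements of `sqs_queue_policy` in the previous patch sits above `actions = [`; pick one placement so it is clear which line tfsec attributes the finding to, and verify that the in-list placement actually suppresses it (I cannot tell from the hunk which of the two placements the tool honours). `# Accept the risk` is not a rationale: the statement grants `SQS:*` on the queue to whatever principals are declared further down, outside the hunk, so the comment should state why a concrete action list (e.g. `sqs:SendMessage`, `sqs:ReceiveMessage`) is insufficient, e.g. `# Full SQS access is required here because <reason>; principals are restricted below`.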
@@ -1,44 +1,50 @@ --- +exclude-path: + - examples/ + +minimum-severity string: + - HIGH + exclude: - - aws-cloudfront-enable-logging - - aws-cloudfront-enable-waf - - aws-cloudfront-use-secure-tls-policy - - aws-cloudwatch-log-group-customer-key - - aws-documentdb-enable-log-export - - aws-documentdb-encryption-customer-key - - aws-eks-no-public-cluster-access - - aws-eks-no-public-cluster-access-to-cidr - - aws-iam-no-policy-wildcards - - aws-lambda-enable-tracing - - aws-rds-enable-performance-insights - - aws-s3-block-public-acls - - aws-s3-block-public-policy - - aws-s3-enable-bucket-logging - - aws-s3-encryption-customer-key - - aws-s3-ignore-public-acls - - aws-s3-no-public-buckets - - aws-s3-specify-public-access-block + # - aws-cloudfront-enable-logging + # - aws-cloudfront-enable-waf + # - aws-cloudfront-use-secure-tls-policy + # - aws-cloudwatch-log-group-customer-key + # - aws-documentdb-enable-log-export + # - aws-documentdb-encryption-customer-key + # - aws-eks-no-public-cluster-access + # - aws-eks-no-public-cluster-access-to-cidr + # - aws-iam-no-policy-wildcards + # - aws-lambda-enable-tracing + # - aws-rds-enable-performance-insights + # - aws-s3-block-public-acls + # - aws-s3-block-public-policy + # - aws-s3-enable-bucket-logging + # - aws-s3-encryption-customer-key + # - aws-s3-ignore-public-acls + # - aws-s3-no-public-buckets + # - aws-s3-specify-public-access-block - aws-sqs-no-wildcards-in-policy-documents - - aws-vpc-add-description-to-security-group-rule - - aws-vpc-no-public-egress-sgr - - azure-container-limit-authorized-ips - - azure-container-logging - - azure-database-postgres-configuration-connection-throttling - - azure-database-postgres-configuration-log-checkpoints - - azure-database-postgres-configuration-log-connections - - azure-keyvault-ensure-key-expiry - - azure-keyvault-no-purge - - azure-keyvault-specify-network-acl - - azure-network-no-public-egress - - azure-network-no-public-ingress - - 
azure-storage-queue-services-logging-enabled - - azure-storage-use-secure-tls-policy - - general-secrets-no-plaintext-exposure - - google-gke-enable-master-networks - - google-gke-enforce-pod-security-policy - - google-gke-metadata-endpoints-disabled - - google-gke-node-pool-uses-cos - - google-gke-no-legacy-authentication - - google-gke-use-cluster-labels - - google-sql-encrypt-in-transit-data + # - aws-vpc-add-description-to-security-group-rule + # - aws-vpc-no-public-egress-sgr + # - azure-container-limit-authorized-ips + # - azure-container-logging + # - azure-database-postgres-configuration-connection-throttling + # - azure-database-postgres-configuration-log-checkpoints + # - azure-database-postgres-configuration-log-connections + # - azure-keyvault-ensure-key-expiry + # - azure-keyvault-no-purge + # - azure-keyvault-specify-network-acl + # - azure-network-no-public-egress + # - azure-network-no-public-ingress + # - azure-storage-queue-services-logging-enabled + # - azure-storage-use-secure-tls-policy + # - general-secrets-no-plaintext-exposure + # - google-gke-enable-master-networks + # - google-gke-enforce-pod-security-policy + # - google-gke-metadata-endpoints-disabled + # - google-gke-node-pool-uses-cos + # - google-gke-no-legacy-authentication + # - google-gke-use-cluster-labels + # - google-sql-encrypt-in-transit-data diff --git a/scripts/securityreporter.py b/scripts/securityreporter.py index 3ee4814fc..2ab327356 100644 --- a/scripts/securityreporter.py +++ b/scripts/securityreporter.py @@ -40,7 +40,7 @@ def maintain_tallies(passed: str, severity: str) -> None: csvtfsec_output = os.popen( - 'docker run --pull --rm -it -v "$(pwd):/src" aquasec/tfsec /src -f csv --no-colour --include-passed' + 'docker run --pull --rm -it -v "$(pwd):/src" aquasec/tfsec /src -f csv --no-colour --include-passed --exclude-path examples/' ) # csvtfsec_output = os.popen('tfsec --no-colour -f csv') content = "" 
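Review bot: The only rule still active under `exclude` is `aws-sqs-no-wildcards-in-policy-documents`, while the same finding is also suppressed inline in `modules/aws_sqs/tf_module/main.tf` earlier in this series, so the global exclude is redundant for that module and will silently hide any future wildcard SQS policy anywhere else in the repository. Drop it from the config and rely on the per-resource `#tfsec:ignore` comments, which carry a location and a reason. Keeping the old list commented out is fine as a record, but a one-line header such as `# Rules below were previously excluded globally; re-enable one at a time with a reason` would make clear it is not live configuration.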
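Review bot: The `--exclude-path examples/` appended to the `docker run` command is the only tfsec option this script shares with the CI configuration: the command passes no `--config-file` and no severity floor, so the tallies the script produces will include findings the workflow suppresses and differ from the SARIF results. If the script is meant to mirror the CI scan, pass the same config, e.g. `... --include-passed --exclude-path examples/ --config-file config/tfsecconfig.yaml`, or derive the argument list from one shared place so the two cannot drift. The surrounding code (the `maintain_tallies` context and the loop that consumes `csvtfsec_output`) continues outside the hunk.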
From 3a4bd693424b7727fa646e69e018928cfe3591f8 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:25:41 -0400 Subject: [PATCH 4/9] Tweaking --- config/tfsecconfig.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/tfsecconfig.yaml b/config/tfsecconfig.yaml index 3144ab8c1..d6011a8c2 100644 --- a/config/tfsecconfig.yaml +++ b/config/tfsecconfig.yaml @@ -1,8 +1,7 @@ --- -exclude-path: - - examples/ +exclude-path: examples/ -minimum-severity string: +minimum-severity: - HIGH exclude: From 43eb4cae05aab46cdd0a23f48449e68e18cb9928 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:27:37 -0400 Subject: [PATCH 5/9] Tweaking 2 --- config/tfsecconfig.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/tfsecconfig.yaml b/config/tfsecconfig.yaml index d6011a8c2..46580c042 100644 --- a/config/tfsecconfig.yaml +++ b/config/tfsecconfig.yaml @@ -1,5 +1,5 @@ --- -exclude-path: examples/ +exclude-path: ../../examples/ minimum-severity: - HIGH From 5c83523e2a1f68d271ea08d2ff786b59164fbb7a Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:46:33 -0400 Subject: [PATCH 6/9] Tweaks 2 --- .github/workflows/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 1e5af0e2e..ae4a147bd 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -20,7 +20,7 @@ jobs: uses: tfsec/tfsec-sarif-action@master with: sarif_file: tfsec.sarif - tfsec_args: --force-all-dirs + tfsec_args: --force-all-dirs --exclude-path examples/ config_file: config/tfsecconfig.yaml - name: Upload SARIF file From 14cd5954868f996f3318a248149a9927b435751b Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:47:06 -0400 Subject: [PATCH 7/9] Tweaks 3 --- .github/workflows/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index ae4a147bd..f6c7a263c 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -20,7 +20,7 @@ jobs: uses: tfsec/tfsec-sarif-action@master with: sarif_file: tfsec.sarif - tfsec_args: --force-all-dirs --exclude-path examples/ + tfsec_args: --force-all-dirs --exclude-path examples/ --minimum-security HIGH config_file: config/tfsecconfig.yaml - name: Upload SARIF file From 74dce4895fc546ce24a8624e1e108cc3d140f14c Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:49:18 -0400 Subject: [PATCH 8/9] Tweaks 4 --- .github/workflows/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index f6c7a263c..fefa9f8c0 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -20,7 +20,7 @@ jobs: uses: tfsec/tfsec-sarif-action@master with: sarif_file: tfsec.sarif - tfsec_args: --force-all-dirs --exclude-path examples/ --minimum-security HIGH + tfsec_args: --force-all-dirs --exclude-path examples/ --minimum-severity HIGH config_file: config/tfsecconfig.yaml - name: Upload SARIF file From 9d0b8ba82e50a3cad83b4d9e0523243cdd5343e5 Mon Sep 17 00:00:00 2001 From: Sachin Agarwal Date: Thu, 21 Apr 2022 12:55:52 -0400 Subject: [PATCH 9/9] Removing Azure --- .github/workflows/tfsec.yml | 2 +- config/tfsecconfig.yaml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index fefa9f8c0..b05d57b57 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml 
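Review bot: `--minimum-severity HIGH` drops MEDIUM and LOW results from the SARIF before it is uploaded, so the code-scanning view will never show them; that is a deliberate policy and deserves a comment next to `tfsec_args`, e.g. `# Only HIGH findings are uploaded to code scanning; lower severities are not tracked here`. At this point `config/tfsecconfig.yaml` also carries a `minimum-severity` entry, so the two can diverge silently — keep the floor in one place. Separately, the unchanged `uses: tfsec/tfsec-sarif-action@master` line tracks a mutable branch; pinning to a release tag or commit SHA is the usual hardening for a scanner that runs in CI.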
@@ -20,7 +20,7 @@ jobs: uses: tfsec/tfsec-sarif-action@master with: sarif_file: tfsec.sarif - tfsec_args: --force-all-dirs --exclude-path examples/ --minimum-severity HIGH + tfsec_args: --force-all-dirs --exclude-path examples/ --exclude-path modules/azure_base --exclude-path modules/azure_k8s_base --exclude-path modules/azure_aks --minimum-severity HIGH config_file: config/tfsecconfig.yaml - name: Upload SARIF file diff --git a/config/tfsecconfig.yaml b/config/tfsecconfig.yaml index 46580c042..da6cb77c9 100644 --- a/config/tfsecconfig.yaml +++ b/config/tfsecconfig.yaml @@ -1,8 +1,4 @@ --- -exclude-path: ../../examples/ - -minimum-severity: - - HIGH exclude: # - aws-cloudfront-enable-logging
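Review bot: Excluding `modules/azure_base`, `modules/azure_k8s_base` and `modules/azure_aks` by path removes every check from those modules, not just the Azure-specific rules that were presumably failing, so a plaintext secret or an over-broad rule added there later will never be reported; the commit message ("Removing Azure") gives no reason. Prefer per-rule `#tfsec:ignore` comments with a rationale inside those modules, or at least a comment in the workflow stating why they are excluded and when to re-add them, e.g. `# Azure modules excluded pending triage of their HIGH findings — TODO(owner): re-enable`. The `tfsec_args` line is also becoming the de-facto config for the scan while `config_file:` still points at `config/tfsecconfig.yaml`; document which one is authoritative.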