Feature/tfsec high removal

.github/workflows/tfsec.yml

@@ -20,7 +20,7 @@ jobs:
         uses: tfsec/tfsec-sarif-action@master
         with:
           sarif_file: tfsec.sarif
-          tfsec_args: --force-all-dirs
+          tfsec_args: --force-all-dirs --exclude-path examples/ --exclude-path modules/azure_base --exclude-path modules/azure_k8s_base --exclude-path modules/azure_aks --minimum-severity  HIGH
           config_file: config/tfsecconfig.yaml
 
       - name: Upload SARIF file

config/tfsecconfig.yaml

@@ -1,44 +1,45 @@
 ---
+
 exclude:
-  - aws-cloudfront-enable-logging
-  - aws-cloudfront-enable-waf
-  - aws-cloudfront-use-secure-tls-policy
-  - aws-cloudwatch-log-group-customer-key
-  - aws-documentdb-enable-log-export
-  - aws-documentdb-encryption-customer-key
-  - aws-eks-no-public-cluster-access
-  - aws-eks-no-public-cluster-access-to-cidr
-  - aws-iam-no-policy-wildcards
-  - aws-lambda-enable-tracing
-  - aws-rds-enable-performance-insights
-  - aws-s3-block-public-acls
-  - aws-s3-block-public-policy
-  - aws-s3-enable-bucket-logging
-  - aws-s3-encryption-customer-key
-  - aws-s3-ignore-public-acls
-  - aws-s3-no-public-buckets
-  - aws-s3-specify-public-access-block
+  # - aws-cloudfront-enable-logging
+  # - aws-cloudfront-enable-waf
+  # - aws-cloudfront-use-secure-tls-policy
+  # - aws-cloudwatch-log-group-customer-key
+  # - aws-documentdb-enable-log-export
+  # - aws-documentdb-encryption-customer-key
+  # - aws-eks-no-public-cluster-access
+  # - aws-eks-no-public-cluster-access-to-cidr
+  # - aws-iam-no-policy-wildcards
+  # - aws-lambda-enable-tracing
+  # - aws-rds-enable-performance-insights
+  # - aws-s3-block-public-acls
+  # - aws-s3-block-public-policy
+  # - aws-s3-enable-bucket-logging
+  # - aws-s3-encryption-customer-key
+  # - aws-s3-ignore-public-acls
+  # - aws-s3-no-public-buckets
+  # - aws-s3-specify-public-access-block
   - aws-sqs-no-wildcards-in-policy-documents
-  - aws-vpc-add-description-to-security-group-rule
-  - aws-vpc-no-public-egress-sgr
-  - azure-container-limit-authorized-ips
-  - azure-container-logging
-  - azure-database-postgres-configuration-connection-throttling
-  - azure-database-postgres-configuration-log-checkpoints
-  - azure-database-postgres-configuration-log-connections
-  - azure-keyvault-ensure-key-expiry
-  - azure-keyvault-no-purge
-  - azure-keyvault-specify-network-acl
-  - azure-network-no-public-egress
-  - azure-network-no-public-ingress
-  - azure-storage-queue-services-logging-enabled
-  - azure-storage-use-secure-tls-policy
-  - general-secrets-no-plaintext-exposure
-  - google-gke-enable-master-networks
-  - google-gke-enforce-pod-security-policy
-  - google-gke-metadata-endpoints-disabled
-  - google-gke-node-pool-uses-cos
-  - google-gke-no-legacy-authentication
-  - google-gke-use-cluster-labels
-  - google-sql-encrypt-in-transit-data
+  # - aws-vpc-add-description-to-security-group-rule
+  # - aws-vpc-no-public-egress-sgr
+  # - azure-container-limit-authorized-ips
+  # - azure-container-logging
+  # - azure-database-postgres-configuration-connection-throttling
+  # - azure-database-postgres-configuration-log-checkpoints
+  # - azure-database-postgres-configuration-log-connections
+  # - azure-keyvault-ensure-key-expiry
+  # - azure-keyvault-no-purge
+  # - azure-keyvault-specify-network-acl
+  # - azure-network-no-public-egress
+  # - azure-network-no-public-ingress
+  # - azure-storage-queue-services-logging-enabled
+  # - azure-storage-use-secure-tls-policy
+  # - general-secrets-no-plaintext-exposure
+  # - google-gke-enable-master-networks
+  # - google-gke-enforce-pod-security-policy
+  # - google-gke-metadata-endpoints-disabled
+  # - google-gke-node-pool-uses-cos
+  # - google-gke-no-legacy-authentication
+  # - google-gke-use-cluster-labels
+  # - google-sql-encrypt-in-transit-data
 

modules/aws_s3/tf_module/bucket.tf

@@ -68,6 +68,9 @@ resource "aws_s3_bucket_cors_configuration" "bucket" {
   }
 }
 
+#Ignore this because in Opta we made a user-friendly
+#choice of automatic cloud-provider key management
+#tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
   bucket = aws_s3_bucket.bucket.id
   rule {

modules/aws_ses/tf_module/main.tf

@@ -60,8 +60,10 @@ resource "aws_route53_record" "amazonses_dkim_record" {
 
 data "aws_iam_policy_document" "sender" {
   statement {
-    sid       = "SendEmail"
-    actions   = ["ses:Send*"]
+    sid = "SendEmail"
+    #tfsec:ignore:aws-iam-no-policy-wildcards
+    actions = ["ses:Send*"]
+    #tfsec:ignore:aws-iam-no-policy-wildcards
     resources = ["*"]
     condition {
       test     = "StringLike"

modules/aws_sqs/tf_module/main.tf

@@ -24,6 +24,8 @@ data "aws_iam_policy_document" "sqs_queue_policy" {
 
   statement {
     actions = [
+      # Accept the risk
+      #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents
       "SQS:*"
     ]
 
@@ -42,10 +44,11 @@ data "aws_iam_policy_document" "sqs_queue_policy" {
   }
 
   statement {
+    # Accept the risk
+    #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents
     actions = [
       "SQS:*"
     ]
-
     effect = "Allow"
 
     principals {
@@ -61,10 +64,11 @@ data "aws_iam_policy_document" "sqs_queue_policy" {
   }
 
   statement {
+    # Accept the risk
+    #tfsec:ignore:aws-sqs-no-wildcards-in-policy-documents
     actions = [
       "SQS:*"
     ]
-
     effect = "Allow"
 
     principals {
@@ -78,4 +82,4 @@ data "aws_iam_policy_document" "sqs_queue_policy" {
 
     sid = "events_access"
   }
-}
+}

scripts/securityreporter.py

@@ -40,7 +40,7 @@ def maintain_tallies(passed: str, severity: str) -> None:
 
 
 csvtfsec_output = os.popen(
-    'docker run --pull --rm -it -v "$(pwd):/src" aquasec/tfsec /src -f csv --no-colour  --include-passed'
+    'docker run --pull --rm -it -v "$(pwd):/src" aquasec/tfsec /src -f csv --no-colour  --include-passed --exclude-path examples/'
 )
 # csvtfsec_output = os.popen('tfsec --no-colour -f csv')
 content = ""