gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 15:16:33 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(misconf): Add compliance check support (#3130)

Browse Source 
Signed-off-by: Simar <simar@linux.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
This commit is contained in:
simar7
2022-12-07 12:42:59 -08:00
committed by GitHub
parent 7a6cf5a27c
commit a3eece4fef
20 changed files with 605 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

402
docs/docs/cloud/aws/compliance.md Normal file
View File

@@ -0,0 +1,402 @@
# AWS Compliance
## CIS Compliance Report
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
The Trivy AWS CLI allows you to scan your AWS account resources and generate the `AWS CIS Foundations Benchmark` report
[AWS CIS Foundations Benchmark v1.2](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) validates the following control checks:
```shell
+--------------------------------------------+--------------------------------+
| NAME | DESCRIPTION |
+--------------------------------------------+--------------------------------+
| limit-root-account-usage | The "root" account has |
| | unrestricted access to all |
| | resources in the AWS account. |
| | It is highly recommended that |
| | the use of this account be |
| | avoided. |
| no-password-reuse | IAM Password policy should |
| | prevent password reuse. |
| set-max-password-age | IAM Password policy should |
| | have expiry less than or equal |
| | to 90 days. |
| no-root-access-keys | The root user has complete |
| | access to all services and |
| | resources in an AWS account. |
| | AWS Access Keys provide |
| | programmatic access to a given |
| | account. |
| enforce-root-mfa | The "root" account has |
| | unrestricted access to all |
| | resources in the AWS account. |
| | It is highly recommended that |
| | this account have MFA enabled. |
| no-user-attached-policies | IAM policies should not be |
| | granted directly to users. |
| enforce-user-mfa | IAM Users should have MFA |
| | enforcement activated. |
| disable-unused-credentials | Credentials which are |
| | no longer used should be |
| | disabled. |
| rotate-access-keys | Access keys should be rotated |
| | at least every 90 days |
| require-uppercase-in-passwords | IAM Password policy should |
| | have requirement for at least |
| | one uppercase character. |
| require-lowercase-in-passwords | IAM Password policy should |
| | have requirement for at least |
| | one lowercase character. |
| require-symbols-in-passwords | IAM Password policy should |
| | have requirement for at least |
| | one symbol in the password. |
| require-numbers-in-passwords | IAM Password policy should |
| | have requirement for at least |
| | one number in the password. |
| set-minimum-password-length | IAM Password policy should |
| | have minimum password length |
| | of 14 or more characters. |
| no-public-log-access | The S3 Bucket backing |
| | Cloudtrail should be private |
| ensure-cloudwatch-integration | CloudTrail logs should be |
| | stored in S3 and also sent to |
| | CloudWatch Logs |
| enable-all-regions | Cloudtrail should be enabled |
| | in all regions regardless of |
| | where your AWS resources are |
| | generally homed |
| require-bucket-access-logging | You should enable bucket |
| | access logging on the |
| | CloudTrail S3 bucket. |
| require-unauthorised-api-call-alarm | Ensure a log metric filter and |
| | alarm exist for unauthorized |
| | API calls |
| require-sg-change-alarms | Ensure a log metric filter and |
| | alarm exist for security group |
| | changes |
| require-nacl-changes-alarm | Ensure a log metric filter |
| | and alarm exist for changes to |
| | Network Access Control Lists |
| | (NACL) |
| require-network-gateway-changes-alarm | Ensure a log metric filter |
| | and alarm exist for changes to |
| | network gateways |
| require-network-gateway-changes-alarm | Ensure a log metric filter and |
| | alarm exist for route table |
| | changes |
| require-vpc-changes-alarm | Ensure a log metric filter and |
| | alarm exist for VPC changes |
| require-non-mfa-login-alarm | Ensure a log metric filter and |
| | alarm exist for AWS Management |
| | Console sign-in without MFA |
| require-root-user-usage-alarm | Ensure a log metric filter and |
| | alarm exist for usage of root |
| | user |
| require-iam-policy-change-alarm | Ensure a log metric filter |
| | and alarm exist for IAM policy |
| | changes |
| require-cloud-trail-change-alarm | Ensure a log metric filter |
| | and alarm exist for CloudTrail |
| | configuration changes |
| require-console-login-failures-alarm | Ensure a log metric filter and |
| | alarm exist for AWS Management |
| | Console authentication |
| | failures |
| require-cmk-disabled-alarm | Ensure a log metric filter and |
| | alarm exist for disabling or |
| | scheduled deletion of customer |
| | managed keys |
| require-s3-bucket-policy-change-alarm | Ensure a log metric filter |
| | and alarm exist for S3 bucket |
| | policy changes |
| require-config-configuration-changes-alarm | Ensure a log metric filter |
| | and alarm exist for AWS Config |
| | configuration changes |
| no-public-ingress-sgr | An ingress security group rule |
| | allows traffic from /0. |
+--------------------------------------------+--------------------------------+
```
[AWS CIS Foundations Benchmark v1.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) validates the following control checks:
```shell
+--------------------------------------------+--------------------------------+
| NAME | DESCRIPTION |
+--------------------------------------------+--------------------------------+
| require-mfa-delete | Buckets should have MFA |
| | deletion protection enabled. |
| disable-unused-credentials-45-days | AWS IAM users can access AWS |
| | resources using different |
| | types of credentials, such |
| | as passwords or access keys. |
| | It is recommended that all |
| | credentials that have been |
| | unused in 45 or greater days |
| | be deactivated or removed. |
| limit-user-access-keys | No user should have more than |
| | one active access key. |
| rotate-access-keys | Access keys should be rotated |
| | at least every 90 days |
| no-user-attached-policies | IAM policies should not be |
| | granted directly to users. |
| no-policy-wildcards | IAM policy should avoid use |
| | of wildcards and instead |
| | apply the principle of least |
| | privilege |
| require-support-role | Missing IAM Role to allow |
| | authorized users to manage |
| | incidents with AWS Support. |
| remove-expired-certificates | Delete expired TLS |
| | certificates |
| enable-access-analyzer | Enable IAM Access analyzer |
| | for IAM policies about all |
| | resources in each region. |
| enforce-user-mfa | IAM Users should have MFA |
| | enforcement activated. |
| no-root-access-keys | The root user has complete |
| | access to all services and |
| | resources in an AWS account. |
| | AWS Access Keys provide |
| | programmatic access to a given |
| | account. |
| enforce-root-mfa | The "root" account has |
| | unrestricted access to all |
| | resources in the AWS account. |
| | It is highly recommended that |
| | this account have MFA enabled. |
| enforce-root-hardware-mfa | The "root" account has |
| | unrestricted access to all |
| | resources in the AWS account. |
| | It is highly recommended that |
| | this account have hardware MFA |
| | enabled. |
| limit-root-account-usage | The "root" account has |
| | unrestricted access to all |
| | resources in the AWS account. |
| | It is highly recommended that |
| | the use of this account be |
| | avoided. |
| set-minimum-password-length | IAM Password policy should |
| | have minimum password length |
| | of 14 or more characters. |
| no-password-reuse | IAM Password policy should |
| | prevent password reuse. |
| enable-object-write-logging | S3 object-level API |
| | operations such as GetObject, |
| | DeleteObject, and PutObject |
| | are called data events. By |
| | default, CloudTrail trails |
| | don't log data events and so |
| | it is recommended to enable |
| | Object-level logging for S3 |
| | buckets. |
| enable-object-read-logging | S3 object-level API |
| | operations such as GetObject, |
| | DeleteObject, and PutObject |
| | are called data events. By |
| | default, CloudTrail trails |
| | don't log data events and so |
| | it is recommended to enable |
| | Object-level logging for S3 |
| | buckets. |
| no-public-log-access | The S3 Bucket backing |
| | Cloudtrail should be private |
| ensure-cloudwatch-integration | CloudTrail logs should be |
| | stored in S3 and also sent to |
| | CloudWatch Logs |
| require-bucket-access-logging | You should enable bucket |
| | access logging on the |
| | CloudTrail S3 bucket. |
| require-sg-change-alarms | Ensure a log metric filter and |
| | alarm exist for security group |
| | changes |
| require-unauthorised-api-call-alarm | Ensure a log metric filter and |
| | alarm exist for unauthorized |
| | API calls |
| require-nacl-changes-alarm | Ensure a log metric filter |
| | and alarm exist for changes to |
| | Network Access Control Lists |
| | (NACL) |
| require-network-gateway-changes-alarm | Ensure a log metric filter |
| | and alarm exist for changes to |
| | network gateways |
| require-network-gateway-changes-alarm | Ensure a log metric filter and |
| | alarm exist for route table |
| | changes |
| require-vpc-changes-alarm | Ensure a log metric filter and |
| | alarm exist for VPC changes |
| require-org-changes-alarm | Ensure a log metric filter and |
| | alarm exist for organisation |
| | changes |
| require-non-mfa-login-alarm | Ensure a log metric filter and |
| | alarm exist for AWS Management |
| | Console sign-in without MFA |
| require-root-user-usage-alarm | Ensure a log metric filter and |
| | alarm exist for usage of root |
| | user |
| require-iam-policy-change-alarm | Ensure a log metric filter |
| | and alarm exist for IAM policy |
| | changes |
| require-cloud-trail-change-alarm | Ensure a log metric filter |
| | and alarm exist for CloudTrail |
| | configuration changes |
| require-console-login-failures-alarm | Ensure a log metric filter and |
| | alarm exist for AWS Management |
| | Console authentication |
| | failures |
| require-cmk-disabled-alarm | Ensure a log metric filter and |
| | alarm exist for disabling or |
| | scheduled deletion of customer |
| | managed keys |
| require-s3-bucket-policy-change-alarm | Ensure a log metric filter |
| | and alarm exist for S3 bucket |
| | policy changes |
| require-config-configuration-changes-alarm | Ensure a log metric filter |
| | and alarm exist for AWS Config |
| | configuration changes |
| restrict-all-in-default-sg | Default security group should |
| | restrict all traffic |
+--------------------------------------------+--------------------------------+
```
[Differences between v1.2 and v1.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis1.4-vs-cis1.2.html)
## CLI Commands
Scan for misconfigurations in an AWS account based on AWS CIS 1.2 benchmark:
```shell
$ trivy aws --compliance=awscis1.2
arn:aws:iam::123456789:user/DummyRoleManager (cloud)
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
LOW: One or more policies are attached directly to a user
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
See https://avd.aquasec.com/misconfig/avd-aws-0143
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```
You can also summarize the report to get a full compliance report with all the included checks.
```shell
$ trivy aws --compliance=awscis1.2 --report=summary
```
```shell
Summary Report for compliance: awscis1.2
┌──────┬──────────┬────────────────────────────────────────────┬────────┬────────┐
│ ID │ Severity │ Control Name │ Status │ Issues │
├──────┼──────────┼────────────────────────────────────────────┼────────┼────────┤
│ 1.1 │ LOW │ limit-root-account-usage │ PASS │ 0
│ 1.10 │ MEDIUM │ no-password-reuse │ PASS │ 0
│ 1.11 │ MEDIUM │ set-max-password-age │ PASS │ 0
│ 1.12 │ CRITICAL │ no-root-access-keys │ PASS │ 0
│ 1.13 │ CRITICAL │ enforce-root-mfa │ PASS │ 0
│ 1.16 │ LOW │ no-user-attached-policies │ FAIL │ 5
│ 1.2 │ MEDIUM │ enforce-user-mfa │ PASS │ 0
│ 1.3 │ MEDIUM │ disable-unused-credentials │ FAIL │ 2
│ 1.4 │ LOW │ rotate-access-keys │ FAIL │ 7
│ 1.5 │ MEDIUM │ require-uppercase-in-passwords │ PASS │ 0
│ 1.6 │ MEDIUM │ require-lowercase-in-passwords │ PASS │ 0
│ 1.7 │ MEDIUM │ require-symbols-in-passwords │ PASS │ 0
│ 1.8 │ MEDIUM │ require-numbers-in-passwords │ PASS │ 0
│ 1.9 │ MEDIUM │ set-minimum-password-length │ FAIL │ 1
│ 2.3 │ CRITICAL │ no-public-log-access │ PASS │ 0
│ 2.4 │ LOW │ ensure-cloudwatch-integration │ PASS │ 0
│ 2.5 │ MEDIUM │ enable-all-regions │ PASS │ 0
│ 2.6 │ LOW │ require-bucket-access-logging │ PASS │ 0
│ 3.1 │ LOW │ require-unauthorised-api-call-alarm │ PASS │ 0
│ 3.10 │ LOW │ require-sg-change-alarms │ PASS │ 0
│ 3.11 │ LOW │ require-nacl-changes-alarm │ PASS │ 0
│ 3.12 │ LOW │ require-network-gateway-changes-alarm │ PASS │ 0
│ 3.13 │ LOW │ require-network-gateway-changes-alarm │ PASS │ 0
│ 3.14 │ LOW │ require-vpc-changes-alarm │ PASS │ 0
│ 3.2 │ LOW │ require-non-mfa-login-alarm │ PASS │ 0
│ 3.3 │ LOW │ require-root-user-usage-alarm │ PASS │ 0
│ 3.4 │ LOW │ require-iam-policy-change-alarm │ PASS │ 0
│ 3.5 │ LOW │ require-cloud-trail-change-alarm │ PASS │ 0
│ 3.6 │ LOW │ require-console-login-failures-alarm │ PASS │ 0
│ 3.7 │ LOW │ require-cmk-disabled-alarm │ PASS │ 0
│ 3.8 │ LOW │ require-s3-bucket-policy-change-alarm │ PASS │ 0
│ 3.9 │ LOW │ require-config-configuration-changes-alarm │ PASS │ 0
│ 4.1 │ CRITICAL │ no-public-ingress-sgr │ PASS │ 0
└──────┴──────────┴────────────────────────────────────────────┴────────┴────────┘
```
Furthermore, you can also get the report in a JSON format.
```shell
$ trivy aws --compliance=awscis1.2 --report=summary --format=json
```
```json
{
"ID": "0001",
"Title": "awscis1.2",
"SummaryControls": [{
"ID": "1.1",
"Name": "limit-root-account-usage",
"Severity": "LOW",
"TotalFail": 5
},
{
"ID": "1.10",
"Name": "no-password-reuse",
"Severity": "MEDIUM",
"TotalFail": 1
}
]
}
```
## Custom compliance report
The Trivy AWS CLI allows you to create a custom compliance specification and pass it to trivy for generating scan report.
The report is generated based on scanning result mapping between users define controls and trivy checks ID.
The supported checks are from two types and can be found at [Aqua vulnerability DB](https://avd.aquasec.com/):
- [misconfiguration](https://avd.aquasec.com/misconfig/)
### Compliance spec format
The compliance spec file format should be as follows:
```yaml
---
spec:
id: "0001"
title: awscis1.2
description: AWS CIS Foundations
version: "1.2"
relatedResources:
- https://www.cisecurity.org/benchmark/amazon_web_services
controls:
- id: "1.1"
name: limit-root-account-usage
description: |-
The "root" account has unrestricted access to all resources in the AWS account. It is highly
recommended that the use of this account be avoided.
checks:
- id: AVD-AWS-0140
severity: LOW
```
## Custom report CLI Commands
To use a custom spec, the file path should be passed to the `--compliance` flag with `@` prefix as follows:
```
$ trivy aws --compliance=@/spec/my_compliance.yaml
```

7
docs/docs/cloud/aws/scanning.md
View File

@@ -50,6 +50,13 @@ trivy aws --service s3 --arn arn:aws:s3:::example-bucket
All ARNs with detected issues will be displayed when showing results for their associated service.
## Compliance Spec
Trivy can also run specific checks by spec by specifying the compliance flag:
```shell
trivy aws --compliance=awscis1.2
```
Will only target the checks defined under the AWS CIS 1.2 spec. Currently, we support AWS CIS 1.2 and 1.4 specs. More details [here](compliance.md).
## Cached Results
By default, Trivy will cache a representation of each AWS service for 24 hours. This means you can filter and view results for a service without having to wait for the entire scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`.

4
docs/docs/compliance/compliance.md
View File

@@ -1,8 +1,8 @@
# Compliance Reports
Trivy support producing compliance reports.
Trivy supports producing compliance reports.
## Supported reports
- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md)
- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)

19
go.mod
View File

@@ -8,7 +8,7 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.23.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.82.0
github.com/aquasecurity/defsec v0.82.6
github.com/aquasecurity/go-dep-parser v0.0.0-20221115110529-0f27198c8fba
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -103,14 +103,14 @@ require (
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.23 // indirect
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 // indirect
github.com/aws/aws-sdk-go-v2/service/efs v1.17.15 // indirect
github.com/aws/aws-sdk-go-v2/service/eks v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticache v1.22.10 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.18.20 // indirect
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10 // indirect
github.com/aws/aws-sdk-go-v2/service/emr v1.20.11 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.18.19 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.18.23 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.17 // indirect
@@ -118,9 +118,9 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
github.com/aws/aws-sdk-go-v2/service/kafka v1.17.19 // indirect
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.18.11 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.18.15 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.13.13 // indirect
github.com/aws/aws-sdk-go-v2/service/mq v1.13.15 // indirect
github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12 // indirect
github.com/aws/aws-sdk-go-v2/service/rds v1.26.1 // indirect
github.com/aws/aws-sdk-go-v2/service/redshift v1.26.10 // indirect
@@ -152,6 +152,7 @@ require (
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
go.etcd.io/etcd/api/v3 v3.5.4 // indirect
go.mongodb.org/mongo-driver v1.10.0 // indirect
)
@@ -170,7 +171,7 @@ require (
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/BurntSushi/toml v1.2.0 // indirect
github.com/BurntSushi/toml v1.2.1 // indirect
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
@@ -355,11 +356,11 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gotest.tools v2.2.0+incompatible
helm.sh/helm/v3 v3.10.0 // indirect
helm.sh/helm/v3 v3.10.1 // indirect
k8s.io/api v0.25.3 // indirect
k8s.io/apiextensions-apiserver v0.25.0 // indirect
k8s.io/apiextensions-apiserver v0.25.2 // indirect
k8s.io/apimachinery v0.25.3 // indirect
k8s.io/apiserver v0.25.0 // indirect
k8s.io/apiserver v0.25.2 // indirect
k8s.io/cli-runtime v0.25.3 // indirect
k8s.io/client-go v0.25.3 // indirect
k8s.io/component-base v0.25.3 // indirect

38
go.sum
View File

@@ -101,8 +101,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/CycloneDX/cyclonedx-go v0.6.0 h1:SizWGbZzFTC/O/1yh072XQBMxfvsoWqd//oKCIyzFyE=
github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
@@ -190,8 +190,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.82.0 h1:WUpPZ6IR0NgZqDK7CGaY5fOI799FNlqGvGMSboHEHlI=
github.com/aquasecurity/defsec v0.82.0/go.mod h1:4SMepRtX/F8bzTd8CucIpMiqpNOB6/BVPnRktDF5iN0=
github.com/aquasecurity/defsec v0.82.6 h1:whb9ygS+cANcvGSq51s44+hY3nU6OV3VOR2Q4dIz3kc=
github.com/aquasecurity/defsec v0.82.6/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
github.com/aquasecurity/go-dep-parser v0.0.0-20221115110529-0f27198c8fba h1:YJTAuz/SimQCplNoqSYuzH3XZYmgmdfgoGdOkjCDceE=
github.com/aquasecurity/go-dep-parser v0.0.0-20221115110529-0f27198c8fba/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -283,8 +283,8 @@ github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.1 h1:jSS5gynKz4XaGcs6m25idCTN+tvP
github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.1/go.mod h1:0+6fPoY0SglgzQUs2yml7X/fup12cMlVumJufh5npRQ=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 h1:uiF/RI+Up8H2xdgT2GWa20YzxiKEalHieqNjm6HC3Xk=
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18/go.mod h1:DQtDYmexqR+z+B6HBCvY7zK/tuXKv6Zy/IwOXOK3eow=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.23 h1:gdqm7KhgE1COL5CM2eUYD6XFtqOJC1bhOa5vwLGPP0g=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.23/go.mod h1:6bV2xEub6Vch19ZZASMbrNMNIpBPTwy64r9WIQ+wsSE=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26 h1:EHJAYkUnlFJ/KwuFMvUs/bPbb0DaqAI+gTfXxffTPZ0=
github.com/aws/aws-sdk-go-v2/service/ecs v1.18.26/go.mod h1:NpR78BP2STxvF/R1GXLDM4gAEfjz68W/h0nC5b6Jk3s=
github.com/aws/aws-sdk-go-v2/service/efs v1.17.15 h1:HgRxrC7KIUJW6gFf4AEjFPvrgh73aADaa1XZpiFsfgA=
github.com/aws/aws-sdk-go-v2/service/efs v1.17.15/go.mod h1:xwXDmrVGNncQhSXhMbm7pE14Vcyc3QbzblKsvNms0/E=
github.com/aws/aws-sdk-go-v2/service/eks v1.22.1 h1:f07Bk+xMm0Q8PCzvrBg8Bd6m67CTvZSxQWB0H7ZEJOU=
@@ -297,8 +297,8 @@ github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10 h1:R8edMXNKBa
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.16.10/go.mod h1:VPuMdyWzqCRgv5qTww9yeauwGsOxVbtP2OyqXVyZB8g=
github.com/aws/aws-sdk-go-v2/service/emr v1.20.11 h1:YpP+XtFfsJQoehZgCsbeaROtKFbAY1bWKId/KJu4JmU=
github.com/aws/aws-sdk-go-v2/service/emr v1.20.11/go.mod h1:0/0//Fz5074ATb+b/Vdhs61Vqhxw5qAHu405lRLjZ4w=
github.com/aws/aws-sdk-go-v2/service/iam v1.18.19 h1:0DiDgcHWW0HtKlmqUEafLtOVOTFI2FT2M7/uQfcLskk=
github.com/aws/aws-sdk-go-v2/service/iam v1.18.19/go.mod h1:pDBRPE4AibneAh4P6fZuU3eUkAgYirM88o2M2MxIXlg=
github.com/aws/aws-sdk-go-v2/service/iam v1.18.23 h1:HOtW30EkfQevdv++mKguMyn8/agh1z2VuBGR4Hou/u8=
github.com/aws/aws-sdk-go-v2/service/iam v1.18.23/go.mod h1:yQ92mKfw/Gg5AvgxGmfdufKEyVoa9RNBsdnB9j5Gzkk=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 h1:Lh1AShsuIJTwMkoxVCAYPJgNG5H+eN6SmoUn8nOZ5wE=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 h1:BBYoNQt2kUZUUK4bIPsKrCcjVPUMNsgQpNAwhznK/zo=
@@ -314,12 +314,12 @@ github.com/aws/aws-sdk-go-v2/service/kafka v1.17.19 h1:H3U7TVZCYODgkXVYDGcNZWTjN
github.com/aws/aws-sdk-go-v2/service/kafka v1.17.19/go.mod h1:wiajSLYucUJ6xcvo4gGGl+xBRgrXt75vXwa2Xr73eRA=
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19 h1:qVaBkJxFxm6o/9DPNnJU6L9O3V7ycEKhCvRm2BFBQTU=
github.com/aws/aws-sdk-go-v2/service/kinesis v1.15.19/go.mod h1:9rLNg+J9SEe7rhge/YzKU3QTovlLqOmqH8akb0IB1ko=
github.com/aws/aws-sdk-go-v2/service/kms v1.18.11 h1:IxfVvdMedvCHXOWIuypaCjmNqGOP1uaXnaSVQzut7KE=
github.com/aws/aws-sdk-go-v2/service/kms v1.18.11/go.mod h1:DZtboupHLNr0p6qHw9r3kR8MUnN/rc4AAVmNpe2ocuU=
github.com/aws/aws-sdk-go-v2/service/kms v1.18.15 h1:hWPFd4GjCZLTb9Nvw+GuzZ4qTnvWoaqcLcrgofQGkhw=
github.com/aws/aws-sdk-go-v2/service/kms v1.18.15/go.mod h1:kZodDPTQjSH/qM6/OvyTfM5mms5JHB/EKYp5dhn/vI4=
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6 h1:N7RkXX2SJbN+TCp295J3LdMR0KRFd2Bhi5nIO+svLQY=
github.com/aws/aws-sdk-go-v2/service/lambda v1.24.6/go.mod h1:oTJIIluTaJCRT6xP1AZpuU3JwRHBC0Q5O4Hg+SUxFHw=
github.com/aws/aws-sdk-go-v2/service/mq v1.13.13 h1:EwRZG7zO6f81vd3xfe3dgSQcGHu3LjsFXezx6sfmWpA=
github.com/aws/aws-sdk-go-v2/service/mq v1.13.13/go.mod h1:8+R6AD/LfQTdn4fhUdb5/z7LonKkJI2fsIJZz+bJs3s=
github.com/aws/aws-sdk-go-v2/service/mq v1.13.15 h1:K0UbxNfaPHoIXo0T4L4jrbE+TKcVPYp55nEnMLxVRPk=
github.com/aws/aws-sdk-go-v2/service/mq v1.13.15/go.mod h1:ycghPMXYItx5Y74iehFgGwDNUMXdq0xCxLaYC5uYZO0=
github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12 h1:QxMwblYXBaAUnQsSbGGmGlqj5/lHJKaEr1HcMXnnaok=
github.com/aws/aws-sdk-go-v2/service/neptune v1.17.12/go.mod h1:0arQRjGdCQgRNLiCIv5FEFCgQkDMUiLkv0mkrUbSrNE=
github.com/aws/aws-sdk-go-v2/service/rds v1.26.1 h1:tiXsw36GaRUWMcH5uRM2uM7vo+bNsa1mEOn68ZOBjWA=
@@ -1581,6 +1581,8 @@ go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
go.etcd.io/etcd/api/v3 v3.5.4 h1:OHVyt3TopwtUQ2GKdd5wu3PmmipR4FTwCqoEjSyRdIc=
go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
@@ -2289,8 +2291,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
helm.sh/helm/v3 v3.10.0 h1:y/MYONZ/bsld9kHwqgBX2uPggnUr5hahpjwt9/jrHlI=
helm.sh/helm/v3 v3.10.0/go.mod h1:paPw0hO5KVfrCMbi1M8+P8xdfBri3IiJiVKATZsFR94=
helm.sh/helm/v3 v3.10.1 h1:uTnNlYx8QcTSNA4ZJ50Llwife4CSohUY4ehumyVf2QE=
helm.sh/helm/v3 v3.10.1/go.mod h1:CXOcs02AYvrlPMWARNYNRgf2rNP7gLJQsi/Ubd4EDrI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2303,8 +2305,8 @@ k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ=
k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI=
k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY=
k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E=
k8s.io/apiextensions-apiserver v0.25.2 h1:8uOQX17RE7XL02ngtnh3TgifY7EhekpK+/piwzQNnBo=
k8s.io/apiextensions-apiserver v0.25.2/go.mod h1:iRwwRDlWPfaHhuBfQ0WMa5skdQfrE18QXJaJvIDLvE8=
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
@@ -2313,8 +2315,8 @@ k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqw
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4=
k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo=
k8s.io/apiserver v0.25.2 h1:YePimobk187IMIdnmsMxsfIbC5p4eX3WSOrS9x6FEYw=
k8s.io/apiserver v0.25.2/go.mod h1:30r7xyQTREWCkG2uSjgjhQcKVvAAlqoD+YyrqR6Cn+I=
k8s.io/cli-runtime v0.25.3 h1:Zs7P7l7db/5J+KDePOVtDlArAa9pZXaDinGWGZl0aM8=
k8s.io/cli-runtime v0.25.3/go.mod h1:InHHsjkyW5hQsILJGpGjeruiDZT/R0OkROQgD6GzxO4=
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=

6
integration/testdata/helm.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 77,
"Successes": 80,
"Failures": 2,
"Exceptions": 0
},
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}

6
integration/testdata/helm_testchart.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 77,
"Successes": 80,
"Failures": 2,
"Exceptions": 0
},
@@ -270,7 +270,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}
@@ -280,7 +280,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}

6
integration/testdata/helm_testchart.overridden.json.golden vendored
View File

@@ -20,7 +20,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 75,
"Successes": 78,
"Failures": 4,
"Exceptions": 0
},
@@ -481,7 +481,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}
@@ -491,7 +491,7 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Successes": 82,
"Failures": 0,
"Exceptions": 0
}

6
mkdocs.yml
View File

@@ -90,12 +90,12 @@ nav:
- Operator:
- Overview: docs/kubernetes/operator/index.md
- Cloud:
- AWS: docs/cloud/aws/scanning.md
- AWS:
- Scanning: docs/cloud/aws/scanning.md
- Compliance: docs/cloud/aws/compliance.md
- Virtual Machine Image:
- Overview: docs/vm/index.md
- AWS EC2: docs/vm/aws.md
- Compliance:
- Reports: docs/compliance/compliance.md
- SBOM:
- Overview: docs/sbom/index.md
- CycloneDX: docs/sbom/cyclonedx.md

50
pkg/cloud/aws/commands/run.go
View File

@@ -6,23 +6,22 @@ import (
"fmt"
"strings"
"github.com/aquasecurity/defsec/pkg/errs"
cmd "github.com/aquasecurity/trivy/pkg/commands/artifact"
"github.com/aquasecurity/trivy/pkg/cloud"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/sts"
"golang.org/x/xerrors"
"gopkg.in/yaml.v3"
"github.com/aquasecurity/defsec/pkg/errs"
awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
"github.com/aquasecurity/trivy/pkg/cloud"
"github.com/aquasecurity/trivy/pkg/cloud/aws/scanner"
"github.com/aquasecurity/trivy/pkg/cloud/report"
cmd "github.com/aquasecurity/trivy/pkg/commands/artifact"
cr "github.com/aquasecurity/trivy/pkg/compliance/report"
"github.com/aquasecurity/trivy/pkg/compliance/spec"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aquasecurity/trivy/pkg/log"
awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
"github.com/aquasecurity/trivy/pkg/types"
)
func getAccountIDAndRegion(ctx context.Context, region string) (string, string, error) {
@@ -124,9 +123,36 @@ func Run(ctx context.Context, opt flag.Options) error {
return fmt.Errorf("aws scan error: %w", err)
}
}
r := report.New(cloud.ProviderAWS, opt.Account, opt.Region, results.GetFailed(), opt.Services)
log.Logger.Debug("Writing report to output...")
if len(opt.Compliance) > 0 {
var complianceSpec spec.ComplianceSpec
cs, err := spec.GetComplianceSpec(opt.Compliance)
if err != nil {
return xerrors.Errorf("spec loading from file system error: %w", err)
}
if err = yaml.Unmarshal(cs, &complianceSpec); err != nil {
return xerrors.Errorf("yaml unmarshal error: %w", err)
}
convertedResults := report.ConvertResults(results, cloud.ProviderAWS, opt.Services)
var crr []types.Results
for _, r := range convertedResults {
crr = append(crr, r.Results)
}
complianceReport, err := cr.BuildComplianceReport(crr, complianceSpec)
if err != nil {
return xerrors.Errorf("compliance report build error: %w", err)
}
return cr.Write(complianceReport, cr.Option{
Format: opt.Format,
Report: opt.ReportFormat,
Output: opt.Output})
}
r := report.New(cloud.ProviderAWS, opt.Account, opt.Region, results.GetFailed(), opt.Services)
if err := report.Write(r, opt, cached); err != nil {
return fmt.Errorf("unable to write results: %w", err)
}

61
pkg/cloud/aws/commands/run_test.go
View File

@@ -100,6 +100,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.",
"Message": "No public access block so not blocking public acls",
@@ -123,6 +124,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.",
"Message": "No public access block so not blocking public policies",
@@ -146,6 +148,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
@@ -169,6 +172,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket does not have logging enabled.",
"Description": "Buckets should have logging enabled so that access can be audited.",
"Message": "Bucket does not have logging enabled",
@@ -192,6 +196,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.",
"Message": "Bucket does not have versioning enabled",
@@ -215,6 +220,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
@@ -238,6 +244,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.",
"Message": "No public access block so not ignoring public acls",
@@ -261,6 +268,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
@@ -284,6 +292,7 @@ func Test_Run(t *testing.T) {
{
"Type": "AWS",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
@@ -381,6 +390,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0086",
"AVDID": "AVD-AWS-0086",
"Title": "S3 Access block should block public ACL",
"Description": "S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.",
"Message": "No public access block so not blocking public acls",
@@ -404,6 +414,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0087",
"AVDID": "AVD-AWS-0087",
"Title": "S3 Access block should block public policy",
"Description": "S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.",
"Message": "No public access block so not blocking public policies",
@@ -427,6 +438,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0088",
"AVDID": "AVD-AWS-0088",
"Title": "Unencrypted S3 bucket.",
"Description": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
"Message": "Bucket does not have encryption enabled",
@@ -450,6 +462,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0089",
"AVDID": "AVD-AWS-0089",
"Title": "S3 Bucket does not have logging enabled.",
"Description": "Buckets should have logging enabled so that access can be audited.",
"Message": "Bucket does not have logging enabled",
@@ -473,6 +486,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0090",
"AVDID": "AVD-AWS-0090",
"Title": "S3 Data should be versioned",
"Description": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.",
"Message": "Bucket does not have versioning enabled",
@@ -496,6 +510,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0132",
"AVDID": "AVD-AWS-0132",
"Title": "S3 encryption should use Customer Managed Keys",
"Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
"Message": "Bucket does not encrypt data with a customer managed key.",
@@ -519,6 +534,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0091",
"AVDID": "AVD-AWS-0091",
"Title": "S3 Access Block should Ignore Public Acl",
"Description": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.",
"Message": "No public access block so not ignoring public acls",
@@ -542,6 +558,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0093",
"AVDID": "AVD-AWS-0093",
"Title": "S3 Access block should restrict public bucket to limit access",
"Description": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.",
"Message": "No public access block so not restricting public buckets",
@@ -565,6 +582,7 @@ deny[res] {
{
"Type": "AWS",
"ID": "AVD-AWS-0094",
"AVDID": "AVD-AWS-0094",
"Title": "S3 buckets should each define an aws_s3_bucket_public_access_block",
"Description": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.",
"Message": "Bucket does not have a corresponding public access block.",
@@ -613,6 +631,47 @@ deny[res] {
}
`,
},
{
name: "compliance report summary",
options: flag.Options{
AWSOptions: flag.AWSOptions{
Region: "us-east-1",
Services: []string{"s3"},
Account: "12345678",
},
CloudOptions: flag.CloudOptions{
MaxCacheAge: time.Hour * 24 * 365 * 100,
},
ReportOptions: flag.ReportOptions{Compliance: "@./testdata/example-spec.yaml", Format: "table", ReportFormat: "summary"},
},
cacheContent: exampleS3Cache,
want: `
Summary Report for compliance: my-custom-spec
┌─────┬──────────┬───────────────────────┬────────┬────────┐
│ ID │ Severity │ Control Name │ Status │ Issues │
├─────┼──────────┼───────────────────────┼────────┼────────┤
│ 1.1 │ HIGH │ Unencrypted S3 bucket │ FAIL │ 1 │
└─────┴──────────┴───────────────────────┴────────┴────────┘
`,
},
{
name: "error loading compliance report",
expectErr: true,
options: flag.Options{
AWSOptions: flag.AWSOptions{
Region: "us-east-1",
Services: []string{"s3"},
Account: "12345678",
},
CloudOptions: flag.CloudOptions{
MaxCacheAge: time.Hour * 24 * 365 * 100,
},
ReportOptions: flag.ReportOptions{Compliance: "@./testdata/nosuchspec.yaml", Format: "table", ReportFormat: "summary"},
},
cacheContent: exampleS3Cache,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
@@ -620,7 +679,9 @@ deny[res] {
test.options.Output = buffer
test.options.Debug = true
test.options.GlobalOptions.Timeout = time.Minute
if test.options.Format == "" {
test.options.Format = "json"
}
test.options.Severities = []dbTypes.Severity{
dbTypes.SeverityUnknown,
dbTypes.SeverityLow,

13
pkg/cloud/aws/commands/testdata/example-spec.yaml vendored Normal file
View File

@@ -0,0 +1,13 @@
spec:
id: "0001"
title: my-custom-spec
description: My fancy spec
version: "1.2"
controls:
- id: "1.1"
name: Unencrypted S3 bucket
description: |-
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
checks:
- id: AVD-AWS-0088
severity: HIGH

18
pkg/cloud/aws/scanner/scanner.go
View File

@@ -5,17 +5,14 @@ import (
"fmt"
"strings"
"github.com/aquasecurity/defsec/pkg/state"
"github.com/aquasecurity/defsec/pkg/framework"
"github.com/aquasecurity/trivy/pkg/cloud/aws/cache"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/defsec/pkg/scan"
"github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
"github.com/aquasecurity/defsec/pkg/scanners/options"
"github.com/aquasecurity/defsec/pkg/state"
"github.com/aquasecurity/trivy/pkg/cloud/aws/cache"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aquasecurity/trivy/pkg/log"
)
type AWSScanner struct {
@@ -77,10 +74,13 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
)
}
if len(option.Compliance) > 0 {
scannerOpts = append(scannerOpts, options.ScannerWithSpec(option.Compliance))
} else {
scannerOpts = append(scannerOpts, options.ScannerWithFrameworks(
framework.Default,
framework.CIS_AWS_1_2,
))
framework.CIS_AWS_1_2))
}
scanner := aws.New(scannerOpts...)

3
pkg/cloud/report/convert.go
View File

@@ -12,7 +12,7 @@ import (
"github.com/aquasecurity/trivy/pkg/types"
)
func convertResults(results scan.Results, provider string, scoped []string) map[string]ResultsAtTime {
func ConvertResults(results scan.Results, provider string, scoped []string) map[string]ResultsAtTime {
convertedResults := make(map[string]ResultsAtTime)
resultsByServiceAndARN := make(map[string]map[string]scan.Results)
for _, result := range results {
@@ -74,6 +74,7 @@ func convertResults(results scan.Results, provider string, scoped []string) map[
arnResult.Misconfigurations = append(arnResult.Misconfigurations, types.DetectedMisconfiguration{
Type: provider,
ID: result.Rule().AVDID,
AVDID: result.Rule().AVDID,
Title: result.Rule().Summary,
Description: strings.TrimSpace(result.Rule().Explanation),
Message: strings.TrimSpace(result.Description()),

6
pkg/cloud/report/convert_test.go
View File

@@ -117,6 +117,7 @@ func Test_ResultConversion(t *testing.T) {
{
Type: "AWS",
ID: "AVD-AWS-9999",
AVDID: "AVD-AWS-9999",
Title: "Do not use bad stuff",
Description: "Bad stuff is... bad",
Message: "something failed",
@@ -146,6 +147,7 @@ func Test_ResultConversion(t *testing.T) {
{
Type: "AWS",
ID: "AVD-AWS-9999",
AVDID: "AVD-AWS-9999",
Title: "Do not use bad stuff",
Description: "Bad stuff is... bad",
Message: "something else failed",
@@ -165,6 +167,7 @@ func Test_ResultConversion(t *testing.T) {
{
Type: "AWS",
ID: "AVD-AWS-9999",
AVDID: "AVD-AWS-9999",
Title: "Do not use bad stuff",
Description: "Bad stuff is... bad",
Message: "something else failed again",
@@ -195,6 +198,7 @@ func Test_ResultConversion(t *testing.T) {
{
Type: "AWS",
ID: "AVD-AWS-9999",
AVDID: "AVD-AWS-9999",
Title: "Do not use bad stuff",
Description: "Bad stuff is... bad",
Message: "instance is bad",
@@ -221,7 +225,7 @@ func Test_ResultConversion(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
converted := convertResults(test.results, test.provider, test.scoped)
converted := ConvertResults(test.results, test.provider, test.scoped)
assertConvertedResultsMatch(t, test.expected, converted)
})
}

2
pkg/cloud/report/report.go
View File

@@ -43,7 +43,7 @@ func New(provider, accountID, region string, defsecResults scan.Results, scopedS
return &Report{
Provider: provider,
AccountID: accountID,
Results: convertResults(defsecResults, provider, scopedServices),
Results: ConvertResults(defsecResults, provider, scopedServices),
ServicesInScope: scopedServices,
Region: region,
}

4
pkg/cloud/report/service_test.go
View File

@@ -177,6 +177,7 @@ Scan Overview for AWS Account
{
"Type": "AWS",
"ID": "AVD-AWS-9999",
"AVDID": "AVD-AWS-9999",
"Title": "Do not use bad stuff",
"Description": "Bad stuff is... bad",
"Message": "instance is bad",
@@ -212,6 +213,7 @@ Scan Overview for AWS Account
{
"Type": "AWS",
"ID": "AVD-AWS-9999",
"AVDID": "AVD-AWS-9999",
"Title": "Do not use bad stuff",
"Description": "Bad stuff is... bad",
"Message": "something failed",
@@ -247,6 +249,7 @@ Scan Overview for AWS Account
{
"Type": "AWS",
"ID": "AVD-AWS-9999",
"AVDID": "AVD-AWS-9999",
"Title": "Do not use bad stuff",
"Description": "Bad stuff is... bad",
"Message": "something else failed",
@@ -270,6 +273,7 @@ Scan Overview for AWS Account
{
"Type": "AWS",
"ID": "AVD-AWS-9999",
"AVDID": "AVD-AWS-9999",
"Title": "Do not use bad stuff",
"Description": "Bad stuff is... bad",
"Message": "something else failed again",

13
pkg/commands/app.go
View File

@@ -753,6 +753,11 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
)
scanFlags.SecurityChecks = &securityChecks
reportFlagGroup := flag.NewReportFlagGroup()
compliance := flag.ComplianceFlag
compliance.Usage += fmt.Sprintf(" (%s)", types.ComplianceNsa)
reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
k8sFlags := &flag.Flags{
CacheFlagGroup: flag.NewCacheFlagGroup(),
DBFlagGroup: flag.NewDBFlagGroup(),
@@ -760,7 +765,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
LicenseFlagGroup: flag.NewLicenseFlagGroup(),
MisconfFlagGroup: flag.NewMisconfFlagGroup(),
RegoFlagGroup: flag.NewRegoFlagGroup(),
ReportFlagGroup: flag.NewReportFlagGroup(),
ReportFlagGroup: reportFlagGroup,
ScanFlagGroup: scanFlags,
SecretFlagGroup: flag.NewSecretFlagGroup(),
VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
@@ -810,13 +815,17 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
}
func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup()
compliance := flag.ComplianceFlag
compliance.Usage += fmt.Sprintf(" (%s, %s)", types.ComplianceAWSCIS12, types.ComplianceAWSCIS14)
reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
awsFlags := &flag.Flags{
AWSFlagGroup: flag.NewAWSFlagGroup(),
CloudFlagGroup: flag.NewCloudFlagGroup(),
MisconfFlagGroup: flag.NewMisconfFlagGroup(),
RegoFlagGroup: flag.NewRegoFlagGroup(),
ReportFlagGroup: flag.NewReportFlagGroup(),
ReportFlagGroup: reportFlagGroup,
}
services := awsScanner.AllSupportedServices()

2
pkg/flag/report_flags.go
View File

@@ -89,7 +89,7 @@ var (
Name: "compliance",
ConfigName: "scan.compliance",
Value: "",
Usage: "compliance report to generate (nsa)",
Usage: "compliance report to generate",
}
)

4
pkg/types/report.go
View File

@@ -8,7 +8,7 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
)
var Compliances = []string{ComplianceNsa}
var Compliances = []string{ComplianceNsa, ComplianceAWSCIS12, ComplianceAWSCIS14}
// Report represents a scan result
type Report struct {
@@ -52,6 +52,8 @@ const (
// ComplianceNsa is the compliance checks for nsa
ComplianceNsa = Compliance("nsa")
ComplianceAWSCIS12 = Compliance("awscis1.2")
ComplianceAWSCIS14 = Compliance("awscis1.4")
)
// Result holds a target and detected vulnerabilities