feat: add k8s cis bench (#3315)

Signed-off-by: chenk <hen.keinan@gmail.com>
This commit is contained in:
chenk
2022-12-28 20:38:48 +02:00
committed by GitHub
parent 62b369ee39
commit a888440922
12 changed files with 580 additions and 329 deletions

View File

@@ -4,5 +4,6 @@ Trivy supports producing compliance reports.
## Supported reports ## Supported reports
- [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md) - [NSA, CISA Kubernetes Hardening Guidance v1.0](../kubernetes/cli/compliance.md)
- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md) - [CIS Benchmark for Kubernetes v1.23](../kubernetes/cli/compliance.md)
- [AWS CIS v1.2 and v1.4](../cloud/aws/compliance.md)
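Review bot: The new list entry names the benchmark as "CIS Benchmark for Kubernetes v1.23", but the report page it links to (the second hunk in this commit) only says "CIS Kubernetes Benchmark" with no version; state the benchmark version in both places so readers know which revision the control IDs refer to.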

View File

@@ -1,86 +1,46 @@
# Kubernetes Compliance # Kubernetes Compliance
## NSA Compliance Report
!!! warning "EXPERIMENTAL" !!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility. This feature might change without preserving backwards compatibility.
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report </details>
[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
| NAME | DESCRIPTION | |
|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------|---------------|
| Non-root containers | Check that container is not running as root |
| Immutable container file systems | Check that container root file system is immutable |
| Preventing privileged containers | Controls whether Pods can run privileged containers |
| Share containers process namespaces | Controls whether containers can share process namespaces |
| Share host process namespaces | Controls whether share host process namespaces |
| Use the host network | Controls whether containers can use the host network |
| Run with root privileges or with root group membership | Controls whether container applications can run with <br/>root privileges or with root group membership |
| Restricts escalation to root privileges | Control check restrictions escalation to root privileges |
| Sets the SELinux context of the container | Control checks if pod sets the SELinux context of the container |
| Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor |
| Sets the seccomp profile used to sandbox containers | Control checks the sets the seccomp profile used to sandbox containers |
| Protecting Pod service account tokens | Control check whether disable secret token been mount ,automountServiceAccountToken: false |
| Namespace kube-system should not be used by users | Control check whether Namespace kube-system is not be used by users |
| Pod and/or namespace Selectors usage | Control check validate the pod and/or namespace Selectors usage |
| Use CNI plugin that supports NetworkPolicy API | Control check whether check cni plugin installed |
| Use ResourceQuota policies to limit resources | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace |
| Use LimitRange policies to limit resources | Control check the use of LimitRange policy limit resource usage for namespaces or nodes |
| Control plan disable insecure port | Control check whether control plan disable insecure port |
| Encrypt etcd communication | Control check whether etcd communication is encrypted |
| Ensure kube config file permission | Control check whether kube config file permissions |
| Check that encryption resource has been set | Control checks whether encryption resource has been set |
| Check encryption provider | Control checks whether encryption provider has been set |
| Make sure anonymous-auth is unset | Control checks whether anonymous-auth is unset |
| Make sure -authorization-mode=RBAC | Control check whether RBAC permission is in use |
| Audit policy is configure | Control check whether audit policy is configure |
| Audit log path is configure | Control check whether audit log path is configure |
| Audit log aging | Control check whether audit log aging is configure |
## CLI Commands ## CLI Commands
Scan a full cluster and generate a complliance NSA / CIS Kubernetes Benchmark summary report:
Scan a full cluster and generate a complliance NSA summary report:
``` ```
$ trivy k8s cluster --compliance=nsa --report summary trivy k8s cluster --compliance=nsa --report summary
``` ```
![k8s Summary Report](../../../imgs/trivy-nsa-summary.png)
***Note*** : The `Issues` column represent the total number of failed checks for this control. ***Note*** : The `Issues` column represent the total number of failed checks for this control.
An additional report is supported to get all of the detail the output contains, use `--report all` An additional report is supported to get all of the detail the output contains, use `--report all`
``` ```
$ trivy k8s cluster --compliance=nsa --report all trivy k8s cluster --compliance=cis --report all
``` ```
Report also supported in json format examples : Report also supported in json format examples :
``` ```
$ trivy k8s cluster --compliance=nsa --report summary --format json trivy k8s cluster --compliance=nsa --report summary --format json
``` ```
``` ```
$ trivy k8s cluster --compliance=nsa --report all --format json trivy k8s cluster --compliance=cis --report all --format json
``` ```
## Custom compliance report ## Custom compliance report
The Trivy K8s CLI allows you to create a custom compliance specification and pass it to trivy for generating scan report . The Trivy K8s CLI allows you to create a custom compliance specification and pass it to trivy for generating scan report .
The report is generated based on scanning result mapping between users define controls and trivy checks ID.
The supported checks are from two types and can be found at [Aqua vulnerability DB](https://avd.aquasec.com/): The supported checks are from two types and can be found at [Aqua vulnerability DB](https://avd.aquasec.com/):
- [misconfiguration](https://avd.aquasec.com/misconfig/)
- [vulnerabilities](https://avd.aquasec.com/nvd)
- [misconfiguration](https://avd.aquasec.com/misconfig/)
- [vulnerabilities](https://avd.aquasec.com/nvd)
### Compliance spec format ### Compliance spec format
The compliance spec file format should look as follow : The compliance spec file format should look as follow :
```yaml ```yaml
--- ---
spec: spec:
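Review bot: "complliance" in the CLI Commands sentence should be "compliance". That sentence now promises an "NSA / CIS Kubernetes Benchmark summary report", yet the summary examples (plain and JSON) still show only `--compliance=nsa` while only the `--report all` examples were switched to `--compliance=cis`; adding a `trivy k8s cluster --compliance=cis --report summary` line beside the nsa one would document the summary form for both reports.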
@@ -109,8 +69,133 @@ spec:
To generate the custom report, an custom spec file path should be passed to the `--compliance` flag with `@` prefix as follow: To generate the custom report, an custom spec file path should be passed to the `--compliance` flag with `@` prefix as follow:
``` ```
$ trivy k8s cluster --compliance=@/spec/my_complaince.yaml --report summary trivy k8s cluster --compliance=@/spec/my_complaince.yaml --report summary
``` ```
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `NSA, CISA Kubernetes Hardening Guidance` report
## NSA Compliance Report
[NSA, CISA Kubernetes Hardening Guidance v1.2](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) cybersecurity technical report is produced by trivy and validate the following control checks :
<details>
<summary>NSA Control Checks</summary>
```
| ID | Name |
|-------|---------------------------------------------------------------------------------------------------------|
| 1.0 | Check that container is not running as root |
| 1.1 | Check that container root file system is immutable |
| 1.2 | Controls whether Pods can run privileged containers |
| 1.3 | Controls whether containers can share process namespaces |
| 1.4 | Controls whether share host process namespaces |
| 1.5 | Controls whether containers can use the host network |
| 1.6 | Controls whether container applications can run with <br/>root privileges or with root group membership |
| 1.7 | Control check restrictions escalation to root privileges |
| 1.8 | Control checks if pod sets the SELinux context of the container |
| 1.9 | Control checks the restriction of containers access to resources with AppArmor |
| 1.10 | Control checks the sets the seccomp profile used to sandbox containers |
| 1.11 | Control check whether disable secret token been mount ,automountServiceAccountToken: false |
| 1.12 | Control check whether Namespace kube-system is not be used by users |
| 2.0 | Control check validate the pod and/or namespace Selectors usage |
| 3.0 | Control check whether check cni plugin installed |
| 4.0 | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace |
| 4.1 | Control check the use of LimitRange policy limit resource usage for namespaces or nodes |
| 5.0 | Control check whether control plan disable insecure port |
| 5.1 | Control check whether etcd communication is encrypted |
| 6.0 | Control check whether kube config file permissions |
| 6.1 | Control checks whether encryption resource has been set |
| 6.2 | Control checks whether encryption provider has been set |
| 7.0 | Control checks whether anonymous-auth is unset |
| 7.1 | Control check whether RBAC permission is in use |
| 8.0 | Control check whether audit policy is configure |
| 8.1 | Control check whether audit log path is configure |
| 8.2 | Control check whether audit log aging is configure |
```
</details>
## CIS Bebchmark Report
The Trivy K8s CLI allows you to scan your Kubernetes cluster resources and generate the `CIS Kubernetes Benchmark` report
[CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) report is produced by trivy and validate the following control checks :
<details>
<summary>CIS Benchmark Control Checks</summary>
```
| ID | Name |
| ------ | ------------------------------------------------------------------------------------------------------ |
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false | server |
| 1.2.2 | Ensure that the --token-auth-file parameter is not set |
| 1.2.3 | Ensure that the --DenyServiceExternalIPs is not set |
| 1.2.4 | Ensure that the --kubelet-https argument is set to true |
| 1.2.5 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set |
| 1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| 1.2.7 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| 1.2.8 | Ensure that the --authorization-mode argument includes Node |
| 1.2.9 | Ensure that the --authorization-mode argument includes RBAC |
| 1.2.10 | Ensure that the admission control plugin EventRateLimit is set |
| 1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set |
| 1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set |
| 1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
| 1.2.14 | Ensure that the admission control plugin ServiceAccount is set |
| 1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set |
| 1.2.16 | Ensure that the admission control plugin NodeRestriction is set |
| 1.2.17 | Ensure that the --secure-port argument is not set to 0 |
| 1.2.18 | Ensure that the --profiling argument is set to false |
| 1.2.19 | Ensure that the --audit-log-path argument is set |
| 1.2.20 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| 1.2.21 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| 1.2.22 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| 1.2.24 | Ensure that the --service-account-lookup argument is set to true |
| 1.2.25 | Ensure that the --service-account-key-file argument is set as appropriate |
| 1.2.26 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| 1.2.27 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as |
| 1.2.28 | Ensure that the --client-ca-file argument is set appropriate |
| 1.2.29 | Ensure that the --etcd-cafile argument is set as appropriate |
| 1.2.30 | Ensure that the --encryption-provider-config argument is set as appropriate |
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 1.4.1 | Ensure that the --profiling argument is set to false |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1 |
| 2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate |
| 2.2 | Ensure that the --client-cert-auth argument is set to true |
| 2.3 | Ensure that the --auto-tls argument is not set to true |
| 2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
| 2.5 | Ensure that the --peer-client-cert-auth argument is set to true |
| 2.6 | Ensure that the --peer-auto-tls argument is not set to true |
| 3.1.1 | Client certificate authentication should not be used for users (Manual) |
| 3.2.1 | Ensure that a minimal audit policy is created (Manual) |
| 3.2.2 | Ensure that the audit policy covers key security concerns (Manual) |
| 5.1.1 | Ensure that the cluster-admin role is only used where required |
| 5.1.2 | Minimize access to secrets |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster |
| 5.2.2 | Minimize the admission of privileged containers |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation |
| 5.2.7 | Minimize the admission of root containers |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability |
| 5.2.9 | Minimize the admission of containers with added capabilities |
| 5.2.10 | Minimize the admission of containers with capabilities assigned |
| 5.2.11 | Minimize the admission of containers with capabilities assigned |
| 5.2.12 | Minimize the admission of HostPath volumes |
| 5.2.13 | Minimize the admission of containers which use HostPorts |
| 5.3.1 | Ensure that the CNI in use supports Network Policies (Manual) |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined |
| 5.4.1 | Prefer using secrets as files over secrets as environment variables (Manual) |
| 5.4.2 | Consider external secret storage (Manual) |
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) |
| 5.7.1 | Create administrative boundaries between resources using namespaces (Manual) |
| 5.7.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions |
| 5.7.3 | Apply Security Context to Your Pods and Containers |
| 5.7.4 | The default namespace should not be used |
```
</details>
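Review bot: "Bebchmark" in the "## CIS Bebchmark Report" heading should be "Benchmark" (the typo also ends up in the heading anchor). Both control tables are placed inside a ``` fence within the `<details>` block, so they will render as preformatted text rather than as tables; drop the fences and leave a blank line after `<summary>` instead. In the CIS table, row 1.2.1 carries a stray extra cell ("| server |"), row 1.2.27 is cut off after "are set as", and rows 5.2.10 and 5.2.11 have the same description, so one of those two IDs has the wrong text. Both intro sentences should read "is produced by trivy and validates".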

Binary file not shown.


2
go.mod
View File

@@ -8,7 +8,7 @@ require (
github.com/NYTimes/gziphandler v1.1.1 github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.23.0 github.com/alicebob/miniredis/v2 v2.23.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.82.6 github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4 github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
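Review bot: This pins defsec to the pseudo-version v0.82.7-0.20221225070347-3a6cfb67e460 rather than a tagged release. If the CIS checks need that specific commit, say so in the PR description and plan a follow-up to move to the tagged v0.82.7 once it exists; pseudo-versions are easy to lose track of in later dependency bumps.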

4
go.sum
View File

@@ -193,8 +193,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.82.6 h1:whb9ygS+cANcvGSq51s44+hY3nU6OV3VOR2Q4dIz3kc= github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460 h1:XHYo9HDWlrn3l+GH1ZTVUQAeP//r/iyEVUoP4Rmhuuw=
github.com/aquasecurity/defsec v0.82.6/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg= github.com/aquasecurity/defsec v0.82.7-0.20221225070347-3a6cfb67e460/go.mod h1:sUdW6pzASralDcs+CDOE+QpWfBJt3/PY1Qbg8CS5flg=
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4 h1:cFQv/JghmN6dC/vuu6JbDkziwhBgLPfQvyi/TxJN+6I= github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4 h1:cFQv/JghmN6dC/vuu6JbDkziwhBgLPfQvyi/TxJN+6I=
github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4= github.com/aquasecurity/go-dep-parser v0.0.0-20221208150335-299772f066c4/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM= github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

View File

@@ -20,7 +20,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 80, "Successes": 82,
"Failures": 2, "Failures": 2,
"Exceptions": 0 "Exceptions": 0
}, },
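Review bot: Successes rises from 80 to 82 here (and from 82 to 84 in the hunks below) with Failures unchanged, so the defsec bump introduced two checks that pass against this Helm testdata. The PR should name those checks, since nothing in the diff lets a reviewer confirm that the two new passes are expected rather than checks that silently fail to evaluate.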
@@ -270,7 +270,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }
@@ -280,7 +280,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }

View File

@@ -20,7 +20,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 80, "Successes": 82,
"Failures": 2, "Failures": 2,
"Exceptions": 0 "Exceptions": 0
}, },
@@ -270,7 +270,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }
@@ -280,7 +280,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }

View File

@@ -20,7 +20,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 78, "Successes": 80,
"Failures": 4, "Failures": 4,
"Exceptions": 0 "Exceptions": 0
}, },
@@ -481,7 +481,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }
@@ -491,7 +491,7 @@
"Class": "config", "Class": "config",
"Type": "helm", "Type": "helm",
"MisconfSummary": { "MisconfSummary": {
"Successes": 82, "Successes": 84,
"Failures": 0, "Failures": 0,
"Exceptions": 0 "Exceptions": 0
} }

View File

@@ -92,6 +92,8 @@ nav:
- Virtual Machine Image: - Virtual Machine Image:
- Overview: docs/vm/index.md - Overview: docs/vm/index.md
- AWS EC2: docs/vm/aws.md - AWS EC2: docs/vm/aws.md
- Compliance:
- Reports: docs/compliance/compliance.md
- SBOM: - SBOM:
- Overview: docs/sbom/index.md - Overview: docs/sbom/index.md
- Supported: docs/sbom/supported.md - Supported: docs/sbom/supported.md

View File

@@ -755,7 +755,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup := flag.NewReportFlagGroup() reportFlagGroup := flag.NewReportFlagGroup()
compliance := flag.ComplianceFlag compliance := flag.ComplianceFlag
compliance.Usage += fmt.Sprintf(" (%s)", types.ComplianceNsa) compliance.Usage += fmt.Sprintf(" (%s,%s)", types.ComplianceNsa, types.ComplianceCIS)
reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand. reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
k8sFlags := &flag.Flags{ k8sFlags := &flag.Flags{
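Review bot: The usage string is built with " (%s,%s)", which renders as "(nsa,cis)" with no space after the comma; " (%s, %s)" reads better. Also, types.ComplianceCIS is not defined in any of the visible hunks, so confirm it is added next to types.ComplianceNsa in this change rather than expected from defsec.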

View File

@@ -391,6 +391,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Code: types.Code{Lines: []types.Line(nil)}, Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil), }, Traces: []string(nil),
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
}, },
}, },
{ {
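Review bot: The new expected AVD-AWS-0180 entry spells out zero-value fields (Resource: "", StartLine: 0, EndLine: 0, Code: types.Code{Lines: []types.Line(nil)}, Traces: []string(nil)) while the neighbouring expected results set only Provider and Service; dropping the zero values keeps the test data consistent and shorter. The copied metadata also has a stray trailing quote in RecommendedActions ("Remove the public endpoint from the RDS instance'") and an http:// reference URL; these come from the check definition rather than this repo, but the test now asserts them verbatim, so the fix belongs upstream in defsec before the strings are baked into more golden data. The same entry is repeated in the later Terraform hunks, so one upstream fix covers all of them.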
@@ -429,9 +447,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/single-failure/src", Name: "testdata/misconfig/terraform/single-failure/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:c489d24f0bf3e58d86c9d5d9fadfe5a78826a7cc98235a4519c97ad3565eee17", ID: "sha256:7695efb9660d47bc53851aea5ca7d7e1bb1c90c22a18e8fd37b6d0634a03b69d",
BlobIDs: []string{ BlobIDs: []string{
"sha256:c489d24f0bf3e58d86c9d5d9fadfe5a78826a7cc98235a4519c97ad3565eee17", "sha256:7695efb9660d47bc53851aea5ca7d7e1bb1c90c22a18e8fd37b6d0634a03b69d",
}, },
}, },
}, },
@@ -493,6 +511,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
}, },
}, },
{ {
@@ -580,9 +616,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/multiple-failures/src", Name: "testdata/misconfig/terraform/multiple-failures/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:b5a4f680b5b7fbf9125f9d2209015e39c8eb30acc5daad9423b44089a5b48f5f", ID: "sha256:61728a22aeefbe2b0f30bdb01ee623cb16b64488eaa6e0b1d488a47b2bd4c3fb",
BlobIDs: []string{ BlobIDs: []string{
"sha256:b5a4f680b5b7fbf9125f9d2209015e39c8eb30acc5daad9423b44089a5b48f5f", "sha256:61728a22aeefbe2b0f30bdb01ee623cb16b64488eaa6e0b1d488a47b2bd4c3fb",
}, },
}, },
}, },
@@ -674,6 +710,24 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Terraform Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{ {
Namespace: "user.something", Namespace: "user.something",
Query: "data.user.something.deny", Query: "data.user.something.deny",
@@ -702,9 +756,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/terraform/passed/src", Name: "testdata/misconfig/terraform/passed/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:8b0f0a9c59edc58b713bab8b7e28b56c7fcc9879dab6914df8fc7fd5d38822c5", ID: "sha256:0e792318cb431f2306399f28038a09f7ccbe3cb46d77f13b9f4c5da74fd03c61",
BlobIDs: []string{ BlobIDs: []string{
"sha256:8b0f0a9c59edc58b713bab8b7e28b56c7fcc9879dab6914df8fc7fd5d38822c5", "sha256:0e792318cb431f2306399f28038a09f7ccbe3cb46d77f13b9f4c5da74fd03c61",
}, },
}, },
}, },
@@ -739,253 +793,289 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
want types.ArtifactReference want types.ArtifactReference
}{ }{
{ {
name: "single failure", name: "single failure",
fields: fields{ fields: fields{
dir: "./testdata/misconfig/cloudformation/single-failure/src", dir: "./testdata/misconfig/cloudformation/single-failure/src",
}, },
artifactOpt: artifact.Option{ artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{ MisconfScannerOption: config.ScannerOption{
RegoOnly: true, RegoOnly: true,
Namespaces: []string{"user"}, Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"}, PolicyPaths: []string{"./testdata/misconfig/cloudformation/single-failure/rego"},
}, },
}, },
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{ Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true, BlobIDAnything: true,
BlobInfo: types.BlobInfo{ BlobInfo: types.BlobInfo{
SchemaVersion: 2, SchemaVersion: 2,
Misconfigurations: []types.Misconfiguration{ Misconfigurations: []types.Misconfiguration{
{ {
FileType: "cloudformation", FileType: "cloudformation",
FilePath: "main.yaml", FilePath: "main.yaml",
Successes: types.MisconfResults{ Successes: types.MisconfResults{
{ {
Namespace: "builtin.aws.rds.aws0176", Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0176.deny", Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{ PolicyMetadata: types.PolicyMetadata{
ID: "N/A", ID: "N/A",
AVDID: "AVD-AWS-0176", AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check", Type: "CloudFormation Security Check",
Title: "RDS IAM Database Authentication Disabled", Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access", Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM", Severity: "MEDIUM",
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.", RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"}, References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
}, },
CauseMetadata: types.CauseMetadata{ CauseMetadata: types.CauseMetadata{
Provider: "AWS", Provider: "AWS",
Service: "rds", Service: "rds",
}, },
}, },
{ {
Namespace: "builtin.aws.rds.aws0177", Namespace: "builtin.aws.rds.aws0177",
Query: "data.builtin.aws.rds.aws0177.deny", Query: "data.builtin.aws.rds.aws0177.deny",
PolicyMetadata: types.PolicyMetadata{ PolicyMetadata: types.PolicyMetadata{
ID: "N/A", ID: "N/A",
AVDID: "AVD-AWS-0177", AVDID: "AVD-AWS-0177",
Type: "CloudFormation Security Check", Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled", Title: "RDS Deletion Protection Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.", Description: "Ensure deletion protection is enabled for RDS database instances.",
Severity: "MEDIUM", Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.", RecommendedActions: "Modify the RDS instances to enable deletion protection.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"}, References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
}, },
CauseMetadata: types.CauseMetadata{ CauseMetadata: types.CauseMetadata{
Provider: "AWS", Provider: "AWS",
Service: "rds", Service: "rds",
}, },
}, },
}, {
Failures: types.MisconfResults{ Namespace: "builtin.aws.rds.aws0180",
{ Query: "data.builtin.aws.rds.aws0180.deny",
Namespace: "user.something", PolicyMetadata: types.PolicyMetadata{
Query: "data.user.something.deny", ID: "N/A",
Message: "No buckets allowed!", AVDID: "AVD-AWS-0180",
PolicyMetadata: types.PolicyMetadata{ Type: "CloudFormation Security Check",
ID: "TEST001", Title: "RDS Publicly Accessible",
AVDID: "AVD-TEST-0001", Description: "Ensures RDS instances are not launched into the public cloud.",
Type: "CloudFormation Security Check", Severity: "HIGH",
Title: "Test policy", RecommendedActions: "Remove the public endpoint from the RDS instance'",
Description: "This is a test policy.", References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
Severity: "LOW", },
RecommendedActions: "Have a cup of tea.", CauseMetadata: types.CauseMetadata{
References: []string{"https://trivy.dev/"}, Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
}, Code: types.Code{Lines: []types.Line(nil)},
CauseMetadata: types.CauseMetadata{ }, Traces: []string(nil),
Resource: "main.yaml:3-6", },
Provider: "Generic", },
Service: "general", Failures: types.MisconfResults{
StartLine: 3, {
EndLine: 6, Namespace: "user.something",
}, Query: "data.user.something.deny",
}, Message: "No buckets allowed!",
}, PolicyMetadata: types.PolicyMetadata{
}, ID: "TEST001",
}, AVDID: "AVD-TEST-0001",
}, Type: "CloudFormation Security Check",
}, Title: "Test policy",
Returns: cache.ArtifactCachePutBlobReturns{}, Description: "This is a test policy.",
}, Severity: "LOW",
want: types.ArtifactReference{ RecommendedActions: "Have a cup of tea.",
Name: "testdata/misconfig/cloudformation/single-failure/src", References: []string{"https://trivy.dev/"},
Type: types.ArtifactFilesystem, },
ID: "sha256:6504ec9ca79c48ec9e993d0cff076c4954843b95f1b1664ec0be2d8c986cbe8d", CauseMetadata: types.CauseMetadata{
BlobIDs: []string{ Resource: "main.yaml:3-6",
"sha256:6504ec9ca79c48ec9e993d0cff076c4954843b95f1b1664ec0be2d8c986cbe8d", Provider: "Generic",
}, Service: "general",
}, StartLine: 3,
}, EndLine: 6,
{ },
name: "multiple failures", },
fields: fields{ },
dir: "./testdata/misconfig/cloudformation/multiple-failures/src", },
}, },
artifactOpt: artifact.Option{ },
MisconfScannerOption: config.ScannerOption{ },
RegoOnly: true, Returns: cache.ArtifactCachePutBlobReturns{},
Namespaces: []string{"user"}, },
PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"}, want: types.ArtifactReference{
}, Name: "testdata/misconfig/cloudformation/single-failure/src",
}, Type: types.ArtifactFilesystem,
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ ID: "sha256:793d3e4cb82fa4d73e62267c358bd038b453fca36297064e5d240d5809ad241e",
Args: cache.ArtifactCachePutBlobArgs{ BlobIDs: []string{
BlobIDAnything: true, "sha256:793d3e4cb82fa4d73e62267c358bd038b453fca36297064e5d240d5809ad241e",
BlobInfo: types.BlobInfo{ },
SchemaVersion: 2, },
Misconfigurations: []types.Misconfiguration{ },
{ {
FileType: "cloudformation", name: "multiple failures",
FilePath: "main.yaml", fields: fields{
Successes: types.MisconfResults{ dir: "./testdata/misconfig/cloudformation/multiple-failures/src",
{ },
Namespace: "builtin.aws.rds.aws0176", artifactOpt: artifact.Option{
Query: "data.builtin.aws.rds.aws0176.deny", MisconfScannerOption: config.ScannerOption{
PolicyMetadata: types.PolicyMetadata{ RegoOnly: true,
ID: "N/A", Namespaces: []string{"user"},
AVDID: "AVD-AWS-0176", PolicyPaths: []string{"./testdata/misconfig/cloudformation/multiple-failures/rego"},
Type: "CloudFormation Security Check", },
Title: "RDS IAM Database Authentication Disabled", },
Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access", putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Severity: "MEDIUM", Args: cache.ArtifactCachePutBlobArgs{
RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.", BlobIDAnything: true,
References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"}, BlobInfo: types.BlobInfo{
}, SchemaVersion: 2,
CauseMetadata: types.CauseMetadata{ Misconfigurations: []types.Misconfiguration{
Provider: "AWS", {
Service: "rds", FileType: "cloudformation",
}, FilePath: "main.yaml",
}, Successes: types.MisconfResults{
{ {
Namespace: "builtin.aws.rds.aws0177", Namespace: "builtin.aws.rds.aws0176",
Query: "data.builtin.aws.rds.aws0177.deny", Query: "data.builtin.aws.rds.aws0176.deny",
PolicyMetadata: types.PolicyMetadata{ PolicyMetadata: types.PolicyMetadata{
ID: "N/A", ID: "N/A",
AVDID: "AVD-AWS-0177", AVDID: "AVD-AWS-0176",
Type: "CloudFormation Security Check", Type: "CloudFormation Security Check",
Title: "RDS Deletion Protection Disabled", Title: "RDS IAM Database Authentication Disabled",
Description: "Ensure deletion protection is enabled for RDS database instances.", Description: "Ensure IAM Database Authentication is enabled for RDS database instances to manage database access",
Severity: "MEDIUM", Severity: "MEDIUM",
RecommendedActions: "Modify the RDS instances to enable deletion protection.", RecommendedActions: "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.",
References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"}, References: []string{"https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html"},
}, },
CauseMetadata: types.CauseMetadata{ CauseMetadata: types.CauseMetadata{
Provider: "AWS", Provider: "AWS",
Service: "rds", Service: "rds",
}, },
}, },
}, {
Failures: types.MisconfResults{ Namespace: "builtin.aws.rds.aws0177",
types.MisconfResult{ Query: "data.builtin.aws.rds.aws0177.deny",
Namespace: "user.something", PolicyMetadata: types.PolicyMetadata{
Query: "data.user.something.deny", ID: "N/A",
Message: "No buckets allowed!", AVDID: "AVD-AWS-0177",
PolicyMetadata: types.PolicyMetadata{ Type: "CloudFormation Security Check",
ID: "TEST001", Title: "RDS Deletion Protection Disabled",
AVDID: "AVD-TEST-0001", Description: "Ensure deletion protection is enabled for RDS database instances.",
Type: "CloudFormation Security Check", Severity: "MEDIUM",
Title: "Test policy", RecommendedActions: "Modify the RDS instances to enable deletion protection.",
Description: "This is a test policy.", References: []string{"https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/"},
Severity: "LOW", },
RecommendedActions: "Have a cup of tea.", CauseMetadata: types.CauseMetadata{
References: []string{"https://trivy.dev/"}, Provider: "AWS",
}, Service: "rds",
CauseMetadata: types.CauseMetadata{ },
Resource: "main.yaml:2-5", },
Provider: "Generic", {
Service: "general", Namespace: "builtin.aws.rds.aws0180",
StartLine: 2, Query: "data.builtin.aws.rds.aws0180.deny",
EndLine: 5, PolicyMetadata: types.PolicyMetadata{
}, ID: "N/A",
}, AVDID: "AVD-AWS-0180",
{ Type: "CloudFormation Security Check",
Namespace: "user.something", Title: "RDS Publicly Accessible",
Query: "data.user.something.deny", Description: "Ensures RDS instances are not launched into the public cloud.",
Message: "No buckets allowed!", Severity: "HIGH",
PolicyMetadata: types.PolicyMetadata{ RecommendedActions: "Remove the public endpoint from the RDS instance'",
ID: "TEST001", References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
AVDID: "AVD-TEST-0001", },
Type: "CloudFormation Security Check", CauseMetadata: types.CauseMetadata{
Title: "Test policy", Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Description: "This is a test policy.", Code: types.Code{Lines: []types.Line(nil)},
Severity: "LOW", }, Traces: []string(nil),
RecommendedActions: "Have a cup of tea.", },
References: []string{"https://trivy.dev/"}, },
}, Failures: types.MisconfResults{
CauseMetadata: types.CauseMetadata{ types.MisconfResult{
Resource: "main.yaml:6-9", Namespace: "user.something",
Provider: "Generic", Query: "data.user.something.deny",
Service: "general", Message: "No buckets allowed!",
StartLine: 6, PolicyMetadata: types.PolicyMetadata{
EndLine: 9, ID: "TEST001",
}, AVDID: "AVD-TEST-0001",
}, Type: "CloudFormation Security Check",
}, Title: "Test policy",
}, Description: "This is a test policy.",
}, Severity: "LOW",
}, RecommendedActions: "Have a cup of tea.",
}, References: []string{"https://trivy.dev/"},
Returns: cache.ArtifactCachePutBlobReturns{}, },
}, CauseMetadata: types.CauseMetadata{
want: types.ArtifactReference{ Resource: "main.yaml:2-5",
Name: "testdata/misconfig/cloudformation/multiple-failures/src", Provider: "Generic",
Type: types.ArtifactFilesystem, Service: "general",
ID: "sha256:6da37a417407a0fe4116da5992809aaf58ce933cec84262acb1eae2411fb3115", StartLine: 2,
BlobIDs: []string{ EndLine: 5,
"sha256:6da37a417407a0fe4116da5992809aaf58ce933cec84262acb1eae2411fb3115", },
}, },
}, {
}, Namespace: "user.something",
{ Query: "data.user.something.deny",
name: "no results", Message: "No buckets allowed!",
fields: fields{ PolicyMetadata: types.PolicyMetadata{
dir: "./testdata/misconfig/cloudformation/no-results/src", ID: "TEST001",
}, AVDID: "AVD-TEST-0001",
artifactOpt: artifact.Option{ Type: "CloudFormation Security Check",
MisconfScannerOption: config.ScannerOption{ Title: "Test policy",
RegoOnly: true, Description: "This is a test policy.",
Namespaces: []string{"user"}, Severity: "LOW",
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"}, RecommendedActions: "Have a cup of tea.",
}, References: []string{"https://trivy.dev/"},
}, },
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{ CauseMetadata: types.CauseMetadata{
Args: cache.ArtifactCachePutBlobArgs{ Resource: "main.yaml:6-9",
BlobIDAnything: true, Provider: "Generic",
BlobInfo: types.BlobInfo{ Service: "general",
SchemaVersion: types.BlobJSONSchemaVersion, StartLine: 6,
}, EndLine: 9,
}, },
Returns: cache.ArtifactCachePutBlobReturns{}, },
}, },
want: types.ArtifactReference{ },
Name: "testdata/misconfig/cloudformation/no-results/src", },
Type: types.ArtifactFilesystem, },
ID: "sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac", },
BlobIDs: []string{ Returns: cache.ArtifactCachePutBlobReturns{},
"sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac", },
}, want: types.ArtifactReference{
}, Name: "testdata/misconfig/cloudformation/multiple-failures/src",
}, Type: types.ArtifactFilesystem,
ID: "sha256:49edf1eecd461fd56eccb1221aaff26c0c5939f2d8128e9cb867cc8e7552b8aa",
BlobIDs: []string{
"sha256:49edf1eecd461fd56eccb1221aaff26c0c5939f2d8128e9cb867cc8e7552b8aa",
},
},
},
{
name: "no results",
fields: fields{
dir: "./testdata/misconfig/cloudformation/no-results/src",
},
artifactOpt: artifact.Option{
MisconfScannerOption: config.ScannerOption{
RegoOnly: true,
Namespaces: []string{"user"},
PolicyPaths: []string{"./testdata/misconfig/cloudformation/no-results/rego"},
},
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobIDAnything: true,
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
},
},
Returns: cache.ArtifactCachePutBlobReturns{},
},
want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/no-results/src",
Type: types.ArtifactFilesystem,
ID: "sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
BlobIDs: []string{
"sha256:6612c1db6d6c52c11de53447264b552ee96bf9cc317de37b3374687a8fc4c4ac",
},
},
},
{ {
name: "passed", name: "passed",
fields: fields{ fields: fields{
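Review bot: the `RecommendedActions` string in each new `builtin.aws.rds.aws0180` entry (`"Remove the public endpoint from the RDS instance'"`) ends with a stray apostrophe, and its reference uses plain `http://docs.aws.amazon.com/...`; both come from the built-in policy metadata rather than from this file, but freezing them into test expectations means the policy typo now has to be fixed in two places. Fix the metadata at its source and let the expectations follow. Separately, the added entry spells out every zero value (`Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,` on one line, then `Code: types.Code{Lines: []types.Line(nil)}` and `Traces: []string(nil)`), while the neighbouring `aws0176` and `aws0177` entries list only `Provider` and `Service`; drop the zero-valued fields so the three entries read the same.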
@@ -1044,6 +1134,24 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "CloudFormation Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{ {
Namespace: "user.something", Namespace: "user.something",
Query: "data.user.something.deny", Query: "data.user.something.deny",
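Review bot: this is the third verbatim copy of the `aws0180` expectation in this file (single-failure and multiple-failures in the hunk above, `passed` here), with three more below for the Azure ARM cases. Pull it into one helper, for example `func rdsPubliclyAccessiblePass(checkType string) types.MisconfResult` (name is a suggestion), parameterised on the `Type` field, which is the only thing that differs between the CloudFormation and Azure ARM copies; the next built-in policy change then touches one literal instead of six.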
@@ -1072,9 +1180,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/cloudformation/passed/src", Name: "testdata/misconfig/cloudformation/passed/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:3b0a4c2f8cd71e7d3a81fe535e89b3524710c47ea219575ce3f6d1d6a87595a2", ID: "sha256:a923fba51d802d1634246662e2e674b4abbce3ed796c8cfd4839f287dfd9033e",
BlobIDs: []string{ BlobIDs: []string{
"sha256:3b0a4c2f8cd71e7d3a81fe535e89b3524710c47ea219575ce3f6d1d6a87595a2", "sha256:a923fba51d802d1634246662e2e674b4abbce3ed796c8cfd4839f287dfd9033e",
}, },
}, },
}, },
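Review bot: the expected `ID`/`BlobIDs` for the `passed` case move from `sha256:3b0a4c2f...` to `sha256:a923fba5...` solely because the serialized blob now contains one more passing built-in check; the same happens for single-failure and multiple-failures above, while the `no-results` ID (`sha256:6612c1db...`) is untouched. The test is pinning a content hash over the embedded policy bundle, so every bundle update will churn these digests with no change in the behaviour under test. Compute the expected ID from the expected `BlobInfo` inside the test, or relax the comparison the way `putBlobExpectation` already does with `BlobIDAnything: true`.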
@@ -1665,6 +1773,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
}, },
Failures: types.MisconfResults{ Failures: types.MisconfResults{
{ {
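Review bot: an AWS RDS policy is now expected as a passing result in the Azure ARM tests, with `Type: "Azure ARM Security Check"` but `Provider: "AWS", Service: "rds"` and no resource or line range. An ARM template cannot declare an RDS instance, so this pass is vacuous and inflates the success count in any report built from these results. Filter built-in policies by the provider the scanner actually handles before recording successes, or, if the vacuous pass is intentional, add a comment in the test table explaining why an AWS check is expected in an Azure result set.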
@@ -1699,9 +1825,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/single-failure/src", Name: "testdata/misconfig/azurearm/single-failure/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:22fc5cecab78634bc975b601ea5df0018f850b92702db94cecd13c09c9854a86", ID: "sha256:50155d7398d717aac20a616af8ac17964d20a24f5423b868871005dfa2cf4a61",
BlobIDs: []string{ BlobIDs: []string{
"sha256:22fc5cecab78634bc975b601ea5df0018f850b92702db94cecd13c09c9854a86", "sha256:50155d7398d717aac20a616af8ac17964d20a24f5423b868871005dfa2cf4a61",
}, },
}, },
}, },
@@ -1763,6 +1889,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
}, },
Failures: types.MisconfResults{ Failures: types.MisconfResults{
{ {
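Review bot: the `Description` recorded here, `"Ensures RDS instances are not launched into the public cloud."`, does not describe what the check does: every RDS instance runs in the public cloud, and the `Title` and `RecommendedActions` on the adjacent lines make clear the check is about a public endpoint (a publicly accessible instance). Reword the policy description to something like "Ensures RDS instances are not publicly accessible" before the wording is pinned in more expectation tables.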
@@ -1819,9 +1963,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/multiple-failures/src", Name: "testdata/misconfig/azurearm/multiple-failures/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:3e7aacf9f4fd44c0ff9df212da350ef74283114baf823b677ffdecd11a4d5ed0", ID: "sha256:e31c260a87a099d00acc76b7afe5d6a88e18c5e0fd26153d15e1b4f491b7c42c",
BlobIDs: []string{ BlobIDs: []string{
"sha256:3e7aacf9f4fd44c0ff9df212da350ef74283114baf823b677ffdecd11a4d5ed0", "sha256:e31c260a87a099d00acc76b7afe5d6a88e18c5e0fd26153d15e1b4f491b7c42c",
}, },
}, },
}, },
@@ -1912,6 +2056,24 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
Service: "rds", Service: "rds",
}, },
}, },
{
Namespace: "builtin.aws.rds.aws0180",
Query: "data.builtin.aws.rds.aws0180.deny",
PolicyMetadata: types.PolicyMetadata{
ID: "N/A",
AVDID: "AVD-AWS-0180",
Type: "Azure ARM Security Check",
Title: "RDS Publicly Accessible",
Description: "Ensures RDS instances are not launched into the public cloud.",
Severity: "HIGH",
RecommendedActions: "Remove the public endpoint from the RDS instance'",
References: []string{"http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html"},
},
CauseMetadata: types.CauseMetadata{
Resource: "", Provider: "AWS", Service: "rds", StartLine: 0, EndLine: 0,
Code: types.Code{Lines: []types.Line(nil)},
}, Traces: []string(nil),
},
{ {
Namespace: "user.something", Namespace: "user.something",
Query: "data.user.something.deny", Query: "data.user.something.deny",
@@ -1940,9 +2102,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
want: types.ArtifactReference{ want: types.ArtifactReference{
Name: "testdata/misconfig/azurearm/passed/src", Name: "testdata/misconfig/azurearm/passed/src",
Type: types.ArtifactFilesystem, Type: types.ArtifactFilesystem,
ID: "sha256:90db6162959dae5bf9a06e03aac98dd2f5e0fe5a5be68984e1b895b646419b82", ID: "sha256:e9289e2efc545895a2199fab4583d5f3ef52c20eda1afcf4b0505bb2014ba3e4",
BlobIDs: []string{ BlobIDs: []string{
"sha256:90db6162959dae5bf9a06e03aac98dd2f5e0fe5a5be68984e1b895b646419b82", "sha256:e9289e2efc545895a2199fab4583d5f3ef52c20eda1afcf4b0505bb2014ba3e4",
}, },
}, },
}, },

View File

@@ -8,7 +8,7 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
) )
var Compliances = []string{ComplianceNsa, ComplianceAWSCIS12, ComplianceAWSCIS14} var Compliances = []string{ComplianceNsa, ComplianceCIS, ComplianceAWSCIS12, ComplianceAWSCIS14}
// Report represents a scan result // Report represents a scan result
type Report struct { type Report struct {
@@ -52,6 +52,7 @@ const (
// ComplianceNsa is the compliance checks for nsa // ComplianceNsa is the compliance checks for nsa
ComplianceNsa = Compliance("nsa") ComplianceNsa = Compliance("nsa")
ComplianceCIS = Compliance("cis")
ComplianceAWSCIS12 = Compliance("awscis1.2") ComplianceAWSCIS12 = Compliance("awscis1.2")
ComplianceAWSCIS14 = Compliance("awscis1.4") ComplianceAWSCIS14 = Compliance("awscis1.4")
) )
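Review bot: `ComplianceCIS = Compliance("cis")` has no doc comment, unlike `ComplianceNsa` directly above it, and the identifier encodes neither platform nor benchmark version, while its neighbours `awscis1.2` and `awscis1.4` encode both. A second CIS benchmark (another platform, or a newer Kubernetes release) will then have to either rename this value or overload it. Add a comment stating which benchmark and version `"cis"` maps to, and consider a versioned name in the same form as the AWS ones, for example `k8s-cis-1.23` (suggested form only).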