fix examples

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Sep 24, 2024 · 02a0323 · 02a0323
1 parent 5631ba6
commit 02a0323
Show file tree

Hide file tree

Showing 24 changed files with 296 additions and 161 deletions.
diff --git a/checks/cloud/aws/apigateway/no_public_access.rego b/checks/cloud/aws/apigateway/no_public_access.rego
@@ -35,11 +35,11 @@ deny contains res if {
 	isManaged(api)
 	some method in api.resources[_].methods
 	not method_is_option(method)
-	not is_apikey_required(api)
+	not is_apikey_required(method)
 	method.authorizationtype.value == authorization_none
 	res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
 }
 
 method_is_option(method) := method.httpmethod.value == "OPTION"
 
-is_apikey_required(api) := api.apikeyrequired.value
+is_apikey_required(method) := method.apikeyrequired.value
diff --git a/checks/cloud/aws/apigateway/no_public_access_test.rego b/checks/cloud/aws/apigateway/no_public_access_test.rego
@@ -19,7 +19,7 @@ test_allow_get_method_with_auth if {
 }
 
 test_allow_if_api_required if {
-	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}})
+	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}, "apikeyrequired": {"value": true}})
 }
 
 input_with_method(method) = {"aws": {"apigateway": {"v1": {"apis": [{"resources": [{"methods": [method]}]}]}}}}
diff --git a/checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go b/checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go
@@ -2,10 +2,19 @@ package cloudtrail
 
 var terraformEncryptionCustomerManagedKeyGoodExamples = []string{
 	`
+resource "aws_kms_key" "trail" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "trail" {
+  name          = "alias/trail"
+  target_key_id = aws_kms_key.trail.key_id
+}
+
  resource "aws_cloudtrail" "good_example" {
    is_multi_region_trail = true
    enable_log_file_validation = true
-   kms_key_id = var.kms_id
+   kms_key_id = aws_kms_alias.trail.arn
  
    event_selector {
      read_write_type           = "All"

diff --git a/checks/cloud/aws/cloudwatch/log_group_customer_key.tf.go b/checks/cloud/aws/cloudwatch/log_group_customer_key.tf.go
@@ -2,10 +2,19 @@ package cloudwatch
 
 var terraformLogGroupCustomerKeyGoodExamples = []string{
 	`
+resource "aws_kms_key" "cloudwatch" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "cloudwatch" {
+  name          = "alias/cloudwatch"
+  target_key_id = aws_kms_key.cloudwatch.key_id
+}
+
  resource "aws_cloudwatch_log_group" "good_example" {
  	name = "good_example"
  
- 	kms_key_id = aws_kms_key.log_key.arn
+ 	kms_key_id = aws_kms_alias.cloudwatch.arn
  }
  `,
 }

diff --git a/checks/cloud/aws/ec2/encryption_customer_key.cf.go b/checks/cloud/aws/ec2/encryption_customer_key.cf.go
@@ -13,12 +13,18 @@ Resources:
 `,
 	`---
 Resources:
+  MyKey:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: key-default-1
   GoodExample:
     Type: AWS::EC2::Volume
     Properties: 
       Size: 100
       Encrypted: true
-      KmsKeyId: !ImportValue "MyStack:Key"
+      KmsKeyId: !Ref MyKey 
     DeletionPolicy: Snapshot
 `,
 }

diff --git a/checks/cloud/aws/ec2/no_default_vpc.tf.go b/checks/cloud/aws/ec2/no_default_vpc.tf.go
@@ -3,6 +3,9 @@ package ec2
 var terraformNoDefaultVpcGoodExamples = []string{
 	`
  # no aws default vpc present
+resource "aws_vpc" "main" {
+  cidr_block = "10.0.0.0/16"
+}
  `,
 }
 

diff --git a/checks/cloud/aws/ec2/no_excessive_port_access.cf.go b/checks/cloud/aws/ec2/no_excessive_port_access.cf.go
@@ -9,7 +9,7 @@ Resources:
     Type: AWS::EC2::NetworkAcl
     Properties:
       VpcId: "something"
-	  RuleAction: "allow"
+    RuleAction: "allow"
   Rule:
     Type: AWS::EC2::NetworkAclEntry
     Properties:

diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go
@@ -8,9 +8,9 @@ var terraformNoPublicIngressSgrGoodExamples = []string{
  }
  `,
 	`
-resource "aws_security_group_rule" "allow_partner_rsync" {
+resource "aws_security_group_rule" "example" {
   type              = "ingress"
-  security_group_id = aws_security_group.….id
+  security_group_id = "sg-123456"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"

diff --git a/checks/cloud/aws/eks/encrypt_secrets.cf.go b/checks/cloud/aws/eks/encrypt_secrets.cf.go
@@ -11,10 +11,10 @@ Resources:
       RoleArn: >-
         arn:aws:iam::012345678910:role/eks-service-role-good-example
       EncryptionConfig:
-        Provider:
-          KeyArn: alias/eks-kms
-        Resources:
-        - secrets
+        - Provider:
+            KeyArn: alias/eks-kms
+          Resources:
+            - secrets
       ResourcesVpcConfig:
         SecurityGroupIds:
           - sg-6979fe18

diff --git a/checks/cloud/aws/eks/encrypt_secrets.rego b/checks/cloud/aws/eks/encrypt_secrets.rego
@@ -35,13 +35,22 @@ import rego.v1
 
 deny contains res if {
 	some cluster in input.aws.eks.clusters
-	cluster.encryption.secrets.value == false
-	res := result.new("Cluster does not have secret encryption enabled.", cluster.encryption.secrets)
+	not has_secrets(cluster)
+	res := result.new(
+		"Cluster does not have secret encryption enabled.", 
+		object.get(cluster, ["encryption", "secrets"], cluster),
+	)
 }
 
 deny contains res if {
 	some cluster in input.aws.eks.clusters
-	cluster.encryption.secrets.value == true
-	cluster.encryption.kmskeyid.value == ""
-	res := result.new("Cluster encryption requires a KMS key ID, which is missing", cluster.encryption.kmskeyid)
+	has_secrets(cluster)
+	not has_key(cluster)
+	res := result.new(
+		"Cluster encryption requires a KMS key ID, which is missing", 
+		object.get(cluster, ["encryption", "kmskeyid"], cluster),
+	)
 }
+
+has_secrets(cluster) if cluster.encryption.secrets.value
+has_key(cluster) if cluster.encryption.kmskeyid.value != ""
diff --git a/checks/cloud/aws/eks/encrypt_secrets.tf.go b/checks/cloud/aws/eks/encrypt_secrets.tf.go
@@ -2,11 +2,15 @@ package eks
 
 var terraformEncryptSecretsGoodExamples = []string{
 	`
+resource "aws_kms_key" "eks" {
+	enable_key_rotation = true
+}
+
  resource "aws_eks_cluster" "good_example" {
      encryption_config {
          resources = [ "secrets" ]
          provider {
-             key_arn = var.kms_arn
+             key_arn = aws_kms_key.eks.arn
          }
      }
  

diff --git a/checks/cloud/aws/kinesis/enable_in_transit_encryption.rego b/checks/cloud/aws/kinesis/enable_in_transit_encryption.rego
@@ -35,13 +35,22 @@ import rego.v1
 
 deny contains res if {
 	some stream in input.aws.kinesis.streams
-	stream.encryption.type.value != "KMS"
-	res := result.new("Stream does not use KMS encryption.", stream.encryption.type)
+	not is_kms_encryption(stream)
+	res := result.new(
+		"Stream does not use KMS encryption.", 
+		object.get(stream, ["encryption", "type"], stream),
+	)
 }
 
 deny contains res if {
 	some stream in input.aws.kinesis.streams
-	stream.encryption.type.value == "KMS"
-	stream.encryption.kmskeyid.value == ""
-	res := result.new("Stream does not use a custom-managed KMS key.", stream.encryption.kmskeyid)
+	is_kms_encryption(stream)
+	not has_kms_key(stream)
+	res := result.new(
+		"Stream does not use a custom-managed KMS key.", 
+		object.get(stream, ["encryption", "kmskeyid"], stream),
+	)
 }
+
+is_kms_encryption(stream) if stream.encryption.type.value == "KMS"
+has_kms_key(stream) if stream.encryption.kmskeyid.value != ""
diff --git a/checks/cloud/aws/lambda/enable_tracing.rego b/checks/cloud/aws/lambda/enable_tracing.rego
@@ -35,6 +35,11 @@ import rego.v1
 
 deny contains res if {
 	some func in input.aws.lambda.functions
-	func.tracing.mode.value != "Active"
-	res := result.new("Function does not have tracing enabled.", func.tracing.mode)
+	not is_active_mode(func)
+	res := result.new(
+		"Function does not have tracing enabled.", 
+		object.get(func, ["tracing", "mode"], func),
+	)
 }
+
+is_active_mode(func) if func.tracing.mode.value == "Active"
diff --git a/checks/cloud/aws/redshift/no_classic_resources.cf.go b/checks/cloud/aws/redshift/no_classic_resources.cf.go
@@ -5,7 +5,10 @@ var cloudFormationNoClassicResourcesGoodExamples = []string{
 AWSTemplateFormatVersion: 2010-09-09
 Description: Good example of redshift sgr
 Resources:
-
+  myCluster:
+    Type: "AWS::Redshift::Cluster"
+    Properties:
+      DBName: "mydb"
 `,
 }
 
@@ -14,7 +17,7 @@ var cloudFormationNoClassicResourcesBadExamples = []string{
 AWSTemplateFormatVersion: 2010-09-09
 Description: Bad example of redshift sgr
 Resources:
-  Queue:
+  SecGroup:
     Type: AWS::Redshift::ClusterSecurityGroup
     Properties:
       Description: ""

diff --git a/checks/cloud/aws/redshift/no_classic_resources.rego b/checks/cloud/aws/redshift/no_classic_resources.rego
@@ -29,6 +29,8 @@ package builtin.aws.redshift.aws0085
 
 import rego.v1
 
+# TODO: detection of classic resources needs to be improved. Most likely this check is not relevant for Rego
+# https://github.com/aws-samples/ec2-classic-resource-finder/tree/main
 deny contains res if {
 	some group in input.aws.redshift.securitygroups
 	res := result.new(

diff --git a/checks/cloud/aws/s3/enable_bucket_encryption.cf.go b/checks/cloud/aws/s3/enable_bucket_encryption.cf.go
@@ -19,13 +19,6 @@ var cloudFormationEnableBucketEncryptionBadExamples = []string{
 Resources:
   BadExample:
     Type: AWS::S3::Bucket
-    Properties:
-      BucketEncryption:
-        ServerSideEncryptionConfiguration:
-          - BucketKeyEnabled: false
-            ServerSideEncryptionByDefault:
-              KMSMasterKeyID: alias/alias-name
-              SSEAlgorithm: aws:kms
 `,
 }
 

diff --git a/checks/cloud/aws/s3/no_public_buckets.cf.go b/checks/cloud/aws/s3/no_public_buckets.cf.go
@@ -17,8 +17,8 @@ Resources:
 var cloudFormationNoPublicBucketsBadExamples = []string{
 	`---
 Resources:
-  Type: AWS::S3::Bucket
   BadExample:
+    Type: AWS::S3::Bucket
     Properties:
       AccessControl: AuthenticatedRead
 `,

diff --git a/checks/cloud/aws/s3/no_public_buckets.rego b/checks/cloud/aws/s3/no_public_buckets.rego
@@ -54,4 +54,4 @@ deny contains res if {
 			bucket.publicaccessblock,
 		),
 	)
-}
+}
diff --git a/checks/cloud/aws/sns/enable_topic_encryption.cf.go b/checks/cloud/aws/sns/enable_topic_encryption.cf.go
@@ -4,7 +4,7 @@ var cloudFormationEnableTopicEncryptionGoodExamples = []string{
 	`---
 Resources:
   GoodTopic:
-    Type: AWS::SQS::Topic
+    Type: AWS::SNS::Topic
     Properties:
       TopicName: blah
       KmsMasterKeyId: some-key

diff --git a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.tf.go
@@ -8,9 +8,14 @@ var terraformNoPublicIngressSgrGoodExamples = []string{
  }
  `,
 	`
-resource "nifcloud_security_group_rule" "allow_partner_rsync" {
+resource "nifcloud_security_group" "example" {
+  group_name        = "allowtcp"
+  availability_zone = "east-11"
+}
+
+resource "nifcloud_security_group_rule" "example" {
   type                 = "IN"
-  security_group_names = [nifcloud_security_group.….group_name]
+  security_group_names = [nifcloud_security_group.example.group_name]
   from_port            = 22
   to_port              = 22
   protocol             = "TCP"

diff --git a/checks/cloud/nifcloud/network/add_security_group_to_router.rego b/checks/cloud/nifcloud/network/add_security_group_to_router.rego
@@ -32,6 +32,11 @@ import rego.v1
 
 deny contains res if {
 	some router in input.nifcloud.network.routers
-	router.securitygroup.value == ""
-	res := result.new("Router does not have a securiy group.", router.securitygroup)
+	not has_security_group(router)
+	res := result.new(
+		"Router does not have a securiy group.", 
+		object.get(router, "securitygroup", router),
+	)
 }
+
+has_security_group(router) if router.securitygroup.value != ""
diff --git a/internal/checks/checks.go b/internal/checks/checks.go
@@ -0,0 +1,30 @@
+package checks
+
+import (
+	"sort"
+
+	"github.com/aquasecurity/trivy/pkg/iac/framework"
+	"github.com/aquasecurity/trivy/pkg/iac/rego"
+	"github.com/aquasecurity/trivy/pkg/iac/rules"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+)
+
+func LoadRegoChecks() []scan.Rule {
+	// Clean up all Go checks
+	rules.Reset()
+
+	// Load Rego checks
+	rego.LoadAndRegister()
+
+	var res []scan.Rule
+
+	for _, metadata := range rules.GetRegistered(framework.ALL) {
+		res = append(res, metadata.Rule)
+	}
+
+	sort.Slice(res, func(i, j int) bool {
+		return res[i].AVDID < res[j].AVDID
+	})
+
+	return res
+}