refactor(checks): migrate AWS codebuild, config, documentdb, dynamodb…
… to Rego Signed-off-by: Nikita Pivkin <[email protected]>
Showing
40 changed files
with
604 additions
and
657 deletions.
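--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,49 @@
+# METADATA
+# title: CodeBuild Project artifacts encryption should not be disabled
+# description: |
+# All artifacts produced by your CodeBuild project pipeline should always be encrypted
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-artifacts.html
+# - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+# custom:
+# id: AVD-AWS-0018
+# avd_id: AVD-AWS-0018
+# provider: aws
+# service: codebuild
+# severity: HIGH
+# short_code: enable-encryption
+# recommended_action: Enable encryption for CodeBuild project artifacts
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: codebuild
+# provider: aws
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_disabled
+# good_examples: checks/cloud/aws/codebuild/enable_encryption.tf.go
+# bad_examples: checks/cloud/aws/codebuild/enable_encryption.tf.go
+# cloudformation:
+# good_examples: checks/cloud/aws/codebuild/enable_encryption.cf.go
+# bad_examples: checks/cloud/aws/codebuild/enable_encryption.cf.go
+package builtin.aws.codebuild.aws0018
+
+import rego.v1
+
+deny contains res if {
+some project in input.aws.codebuild.projects
+encryptionenabled := project.artifactsettings.encryptionenabled
+not encryptionenabled.value
+res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
+}
+
+deny contains res if {
+some project in input.aws.codebuild.projects
+some setting in project.secondaryartifactsettings
+not setting.encryptionenabled.value
+res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
+}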
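Review bot: Both deny rules stay silent when the encryption attribute is absent from the input: in the first rule the `:=` binding of `encryptionenabled` is undefined and the body is abandoned, and in the second `result.new(..., setting.encryptionenabled)` is undefined for the same reason, so a project whose attribute was never populated is neither flagged nor reported. If the cloud schema guarantees the attribute is always present this is fine, but the fail-open is not visible from the rules themselves, so a comment above the first rule would help, e.g. `# an absent encryptionenabled attribute yields no result; only an explicit false is a finding`. The two rules also differ in shape (one binds a local, the other inlines the path twice); binding `enc := setting.encryptionenabled` in the second rule and using it in both the `not` and the `result.new` call would make them parallel.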
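--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,24 @@
+package builtin.aws.codebuild.aws0018_test
+
+import rego.v1
+
+import data.builtin.aws.codebuild.aws0018 as check
+import data.lib.test
+
+test_allow_artifact_settings_with_encryption if {
+test.assert_empty(check.deny) with input as build_input({"artifactsettings": {"encryptionenabled": {"value": true}}})
+}
+
+test_allow_secondary_artifact_settings_with_encryption if {
+test.assert_empty(check.deny) with input as build_input({"secondaryartifactsettings": [{"encryptionenabled": {"value": true}}]})
+}
+
+test_disallow_artifact_settings_without_encryption if {
+test.assert_equal_message("Encryption is not enabled for project artifacts.", check.deny) with input as build_input({"artifactsettings": {"encryptionenabled": {"value": false}}})
+}
+
+test_disallow_secondary_artifact_settings_without_encryption if {
+test.assert_equal_message("Encryption is not enabled for secondary project artifacts.", check.deny) with input as build_input({"secondaryartifactsettings": [{"encryptionenabled": {"value": false}}]})
+}
+
+build_input(project) := {"aws": {"codebuild": {"projects": [project]}}}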
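Review bot: The four tests pin only the explicit true/false cases, so the check's behaviour for a project with no `artifactsettings` or no `encryptionenabled` attribute is left unspecified by the suite and a later edit to the rules could change it unnoticed. One case per rule would document the intended handling of absent data, e.g. `test_allow_missing_artifact_settings if {` / `test.assert_empty(check.deny) with input as build_input({})` / `}`; if the intent is that missing data should be denied, the assertion should say so instead. Every test also feeds a single project through `build_input`, so a case with two projects of which only one violates would confirm that exactly one result is produced and attributed to the right project.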
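--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,42 @@
+# METADATA
+# title: Config configuration aggregator should be using all regions for source
+# description: |
+# Sources that aren't covered by the aggregator are not include in the configuration. The configuration aggregator should be configured with all_regions for the source.
+# This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
+# custom:
+# id: AVD-AWS-0019
+# avd_id: AVD-AWS-0019
+# provider: aws
+# service: config
+# severity: HIGH
+# short_code: aggregate-all-regions
+# recommended_action: Set the aggregator to cover all regions
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: config
+# provider: aws
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions
+# good_examples: checks/cloud/aws/config/aggregate_all_regions.tf.go
+# bad_examples: checks/cloud/aws/config/aggregate_all_regions.tf.go
+# cloudformation:
+# good_examples: checks/cloud/aws/config/aggregate_all_regions.cf.go
+# bad_examples: checks/cloud/aws/config/aggregate_all_regions.cf.go
+package builtin.aws.config.aws0019
+
+import rego.v1
+
+deny contains res if {
+cfg_aggregator := input.aws.config.configurationaggregrator
+cfg_aggregator.__defsec_metadata.managed
+not cfg_aggregator.sourceallregions.value
+res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
+}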
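Review bot: The METADATA description reads `Sources that aren't covered by the aggregator are not include in the configuration.`; it should be `are not included in the configuration.`, since this text is what users see in the report. Separately, the field name `configurationaggregrator` on the first line of the rule body carries a misspelling; if it mirrors the field name in the cloud schema it has to stay exactly as written, but a short comment such as `# field name follows the schema spelling, do not "correct" it` would stop the next reader from fixing the typo and silently breaking the check. As in the codebuild check in this commit, the rule produces no result when `sourceallregions` is absent, because `result.new` is then undefined; if unmanaged or unresolved aggregators are meant to be skipped only via `__defsec_metadata.managed`, a comment stating that would make the gating explicit.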