
Merge branch 'main' into meta-checks
nikpivkin authored Oct 11, 2024
2 parents 24e29ea + c00f263 commit a1b1ee9
Showing 39 changed files with 180 additions and 22 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
Expand Up @@ -27,7 +27,7 @@ jobs:
tags=(latest ${{ env.RELEASE_VERSION}} ${{env.MINOR_VERSION }} ${{ env.MAJOR_VERSION }})
for tag in ${tags[@]}; do
oras push ghcr.io/aquasecurity/trivy-policies:${tag} \
--config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json \
--artifact-type application/vnd.cncf.openpolicyagent.config.v1+json \
--annotation "org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \
--annotation "org.opencontainers.image.revision=$GITHUB_SHA" \
bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
Expand All @@ -37,6 +37,6 @@ jobs:
tags=(latest ${{ env.RELEASE_VERSION}} ${{env.MINOR_VERSION }} ${{ env.MAJOR_VERSION }})
for tag in ${tags[@]}; do
oras push ghcr.io/${{ github.repository }}:${tag} \
--config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json \
--artifact-type application/vnd.cncf.openpolicyagent.config.v1+json \
bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
done
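Review bot: Both `tags=(latest ${{ env.RELEASE_VERSION}} ${{env.MINOR_VERSION }} ${{ env.MAJOR_VERSION }})` lines (L17 and L26) splice workflow expressions straight into the shell script even though the same values are already available as environment variables, so whatever those values contain is inserted unquoted into the array literal; `tags=(latest "$RELEASE_VERSION" "$MINOR_VERSION" "$MAJOR_VERSION")` and `for tag in "${tags[@]}"; do` read the same values through ordinary shell quoting. The second `oras push` at L28 also sets neither `org.opencontainers.image.source` nor `org.opencontainers.image.revision`, unlike the first at L22-L23; if that asymmetry is intended, a one-line comment saying why would keep the two steps from drifting further. The rendered hunk does not show which of these lines are new and which are context, and the enclosing step starts and ends outside it.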
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/add_description_to_security_group.rego
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-AWS-0099
# avd_id: AVD-AWS-0099
# aliases:
# - aws-vpc-add-description-to-security-group
# provider: aws
# service: ec2
# severity: LOW
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-AWS-0124
# avd_id: AVD-AWS-0124
# aliases:
# - aws-vpc-add-description-to-security-group-rule
# provider: aws
# service: ec2
# severity: LOW
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/as_enable_at_rest_encryption.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0008
# avd_id: AVD-AWS-0008
# aliases:
# - aws-autoscaling-enable-at-rest-encryption
# provider: aws
# service: ec2
# severity: HIGH
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/as_enforce_http_token_imds.rego
Expand Up @@ -14,6 +14,8 @@
# custom:
# id: AVD-AWS-0130
# avd_id: AVD-AWS-0130
# aliases:
# - aws-autoscaling-enforce-http-token-imds
# provider: aws
# service: ec2
# severity: HIGH
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/as_no_secrets_in_user_data.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0129
# avd_id: AVD-AWS-0129
# aliases:
# - aws-autoscaling-no-secrets-in-user-data
# provider: aws
# service: ec2
# severity: CRITICAL
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/enable_volume_encryption.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0026
# avd_id: AVD-AWS-0026
# aliases:
# - aws-ebs-enable-volume-encryption
# provider: aws
# service: ec2
# severity: HIGH
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/encryption_customer_key.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0027
# avd_id: AVD-AWS-0027
# aliases:
# - aws-ebs-encryption-customer-key
# provider: aws
# service: ec2
# severity: LOW
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_default_vpc.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0101
# avd_id: AVD-AWS-0101
# aliases:
# - aws-vpc-no-default-vpc
# provider: aws
# service: ec2
# severity: HIGH
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_excessive_port_access.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0102
# avd_id: AVD-AWS-0102
# aliases:
# - aws-vpc-no-excessive-port-access
# provider: aws
# service: ec2
# severity: CRITICAL
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_public_egress_sgr.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0104
# avd_id: AVD-AWS-0104
# aliases:
# - aws-vpc-no-public-egress-sgr
# provider: aws
# service: ec2
# severity: CRITICAL
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_public_ingress_acl.rego
Expand Up @@ -14,6 +14,8 @@
# custom:
# id: AVD-AWS-0105
# avd_id: AVD-AWS-0105
# aliases:
# - aws-vpc-no-public-ingress-acl
# provider: aws
# service: ec2
# severity: MEDIUM
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_public_ip_subnet.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0164
# avd_id: AVD-AWS-0164
# aliases:
# - aws-vpc-no-public-ingress-sgr
# provider: aws
# service: ec2
# severity: HIGH
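Review bot: The alias added at L171, `aws-vpc-no-public-ingress-sgr`, does not match the check it is attached to (`no_public_ip_subnet.rego`, AVD-AWS-0164), and the same pattern appears at L183 (`aws-autoscaling-no-public-ip` in `no_secrets_in_user_data.rego`) and at L207 (`aws-autoscaling-enable-at-rest-encryption` in `require_vpc_flow_logs_for_all_vpcs.rego`), where the value is also the alias given to `as_enable_at_rest_encryption.rego` at L63. If these are copied from the existing Go rule definitions they may be historically accurate, but a duplicated alias could let one legacy name resolve to two different checks, so they are worth confirming against the source before this lands. Where a mismatch is deliberate, a short comment beside the alias noting where the legacy name came from would stop it being "corrected" later.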
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_secrets_in_user_data.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0029
# avd_id: AVD-AWS-0029
# aliases:
# - aws-autoscaling-no-public-ip
# provider: aws
# service: ec2
# severity: CRITICAL
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/no_sensitive_info.rego
Expand Up @@ -8,6 +8,8 @@
# custom:
# id: AVD-AWS-0122
# avd_id: AVD-AWS-0122
# aliases:
# - aws-autoscaling-no-sensitive-info
# provider: aws
# service: ec2
# severity: HIGH
2 changes: 2 additions & 0 deletions checks/cloud/aws/ec2/require_vpc_flow_logs_for_all_vpcs.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0178
# avd_id: AVD-AWS-0178
# aliases:
# - aws-autoscaling-enable-at-rest-encryption
# provider: aws
# service: ec2
# severity: MEDIUM
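--- a/checks/cloud/aws/iam/enforce_group_mfa.go
+++ b/checks/cloud/aws/iam/enforce_group_mfa.go
@@ -16,10 +16,8 @@ import (
 
 var CheckEnforceGroupMFA = rules.Register(
 scan.Rule{
-AVDID: "AVD-AWS-0123",
-Aliases: []string{
-"aws-iam-enforce-mfa",
-},
+AVDID: "AVD-AWS-0123",
+Aliases: []string{"aws-iam-enforce-mfa"},
 Provider: providers.AWSProvider,
 Service: "iam",
 ShortCode: "enforce-group-mfa",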
2 changes: 2 additions & 0 deletions checks/cloud/aws/iam/enforce_group_mfa.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-AWS-0123
# avd_id: AVD-AWS-0123
# aliases:
# - aws-iam-enforce-mfa
# provider: aws
# service: iam
# severity: MEDIUM
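--- a/checks/cloud/azure/network/disable_rdp_from_internet.rego
+++ b/checks/cloud/azure/network/disable_rdp_from_internet.rego
@@ -49,4 +49,7 @@ deny contains res if {
 )
 }
 
-port_range_includes(from, to, port) if from <= port <= to
+port_range_includes(from, to, port) if {
+from.value <= port
+port <= to.value
+}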
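Review bot: The rewritten `port_range_includes` reads `from.value` and `to.value` but compares them against a bare `port`, and nothing records that asymmetry; if either bound arrives without a `value` field the body is undefined, the call inside `deny` does not match, and the offending security-group rule produces no finding instead of an error. A one-line comment above the function such as `# from/to are wrapped bounds ({"value": n}); port is a plain number. An undefined bound yields no finding, so callers must pass both.` would make that fail-open behaviour explicit, and the identical function in ssh_blocked_from_internet.rego deserves the same note. The `deny` rule that calls this helper starts outside the hunk.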
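--- a/checks/cloud/azure/network/disable_rdp_from_internet_test.rego
+++ b/checks/cloud/azure/network/disable_rdp_from_internet_test.rego
@@ -12,8 +12,8 @@ test_deny_inbound_rule_allows_rdp_access_from_internet if {
 "protocol": {"value": "Tcp"},
 "sourceaddresses": [{"value": "*"}],
 "destinationports": [{
-"start": 3310,
-"end": 3390,
+"start": {"value": 3310},
+"end": {"value": 3390},
 }],
 }]}]}}}
 
@@ -28,8 +28,8 @@ test_allow_inbound_rule_allow_rdp_access_from_specific_address if {
 "protocol": {"value": "Tcp"},
 "sourceaddresses": [{"value": "237.84.2.178"}],
 "destinationports": [{
-"start": 3310,
-"end": 3390,
+"start": {"value": 3310},
+"end": {"value": 3390},
 }],
 }]}]}}}
 
@@ -44,8 +44,24 @@ test_allow_inbound_rule_allow_access_for_icmp if {
 "protocol": {"value": "Icmp"},
 "sourceaddresses": [{"value": "*"}],
 "destinationports": [{
-"start": 3310,
-"end": 3390,
+"start": {"value": 3310},
+"end": {"value": 3390},
 }],
 }]}]}}}
 
+res := check.deny with input as inp
+res == set()
+}
+
+test_allow_inbound_rule_allow_access_for_non_rdp_port if {
+inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+"outbound": {"value": false},
+"allow": {"value": true},
+"protocol": {"value": "Icmp"},
+"sourceaddresses": [{"value": "*"}],
+"destinationports": [{
+"start": {"value": 8080},
+"end": {"value": 8080},
+}],
+}]}]}}}
+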
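Review bot: The new `test_allow_inbound_rule_allow_access_for_non_rdp_port` (L290) sets `"protocol": {"value": "Icmp"}` at L294, so the rule is skipped for the same reason `test_allow_inbound_rule_allow_access_for_icmp` expects `res == set()`, and the 8080–8080 port range is never what makes this test pass; the matching test in ssh_blocked_from_internet_test.rego uses Tcp for the same scenario. Changing L294 to `"protocol": {"value": "Tcp"},` makes the test actually cover the rewritten `port_range_includes` branch. The test's assertion lines fall outside the hunk.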
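--- a/checks/cloud/azure/network/ssh_blocked_from_internet.rego
+++ b/checks/cloud/azure/network/ssh_blocked_from_internet.rego
@@ -47,4 +47,7 @@ deny contains res if {
 )
 }
 
-port_range_includes(from, to, port) if from <= port <= to
+port_range_includes(from, to, port) if {
+from.value <= port
+port <= to.value
+}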
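--- a/checks/cloud/azure/network/ssh_blocked_from_internet_test.rego
+++ b/checks/cloud/azure/network/ssh_blocked_from_internet_test.rego
@@ -12,8 +12,8 @@ test_deny_inbound_rule_allows_rdp_access_from_internet if {
 "protocol": {"value": "Tcp"},
 "sourceaddresses": [{"value": "*"}],
 "destinationports": [{
-"start": 22,
-"end": 22,
+"start": {"value": 22},
+"end": {"value": 22},
 }],
 }]}]}}}
 
@@ -28,8 +28,8 @@ test_allow_inbound_rule_allow_rdp_access_from_specific_address if {
 "protocol": {"value": "Tcp"},
 "sourceaddresses": [{"value": "237.84.2.178"}],
 "destinationports": [{
-"start": 22,
-"end": 22,
+"start": {"value": 22},
+"end": {"value": 22},
 }],
 }]}]}}}
 
@@ -44,8 +44,24 @@ test_allow_inbound_rule_allow_access_for_icmp if {
 "protocol": {"value": "Icmp"},
 "sourceaddresses": [{"value": "*"}],
 "destinationports": [{
-"start": 22,
-"end": 22,
+"start": {"value": 22},
+"end": {"value": 22},
 }],
 }]}]}}}
 
+res := check.deny with input as inp
+res == set()
+}
+
+test_allow_inbound_rule_allow_access_for_non_ssh_port if {
+inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+"outbound": {"value": false},
+"allow": {"value": true},
+"protocol": {"value": "Tcp"},
+"sourceaddresses": [{"value": "*"}],
+"destinationports": [{
+"start": {"value": 8080},
+"end": {"value": 8080},
+}],
+}]}]}}}
+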
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-NIF-0002
# avd_id: AVD-NIF-0002
# aliases:
# - nifcloud-computing-add-description-to-security-group
# provider: nifcloud
# service: computing
# severity: LOW
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-NIF-0003
# avd_id: AVD-NIF-0003
# aliases:
# - nifcloud-computing-add-description-to-security-group-rule
# provider: nifcloud
# service: computing
# severity: LOW
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0004
# avd_id: AVD-NIF-0004
# aliases:
# - nifcloud-computing-add-security-group-to-instance
# provider: nifcloud
# service: computing
# severity: CRITICAL
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0005
# avd_id: AVD-NIF-0005
# aliases:
# - nifcloud-computing-no-common-private-instance
# provider: nifcloud
# service: computing
# severity: LOW
4 changes: 3 additions & 1 deletion checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-NIF-0001
# avd_id: AVD-NIF-0001
# aliases:
# - nifcloud-computing-no-public-ingress-sgr
# provider: nifcloud
# service: computing
# severity: CRITICAL
Expand All @@ -36,6 +38,6 @@ deny contains res if {
some sg in input.nifcloud.computing.securitygroups
some rule in sg.ingressrules
cidr.is_public(rule.cidr.value)
cidr.count_addresses(rule.cidr.value) > 0
cidr.count_addresses(rule.cidr.value) > 1
res := result.new("Security group rule allows ingress from public internet.", rule.cidr)
}
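Review bot: Raising the threshold at L426 from `> 0` to `> 1` means a public single-host CIDR (a /32) no longer produces a finding, and neither the rule nor the metadata block above records that this is the intended meaning of "ingress from public internet"; a comment on that line such as `# a single public host is not treated as "the internet"; only multi-address public ranges are reported` would keep the next reader from reverting it. If the intent was only to exclude an empty or unparseable range, `> 0` already did that and this change widens what passes the check, so that should be confirmed. The aliases hunk earlier in this section is metadata only.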
Expand Up @@ -12,6 +12,8 @@
# custom:
# id: AVD-NIF-0015
# avd_id: AVD-NIF-0015
# aliases:
# - nifcloud-nas-add-description-to-nas-security-group
# provider: nifcloud
# service: nas
# severity: LOW
2 changes: 2 additions & 0 deletions checks/cloud/nifcloud/nas/no_common_private_nas_instance.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0013
# avd_id: AVD-NIF-0013
# aliases:
# - nifcloud-nas-no-common-private-nas-instance
# provider: nifcloud
# service: nas
# severity: LOW
2 changes: 2 additions & 0 deletions checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0014
# avd_id: AVD-NIF-0014
# aliases:
# - nifcloud-nas-no-public-ingress-nas-sgr
# provider: nifcloud
# service: nas
# severity: CRITICAL
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0016
# avd_id: AVD-NIF-0016
# aliases:
# - nifcloud-computing-add-security-group-to-router
# provider: nifcloud
# service: network
# severity: CRITICAL
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0018
# avd_id: AVD-NIF-0018
# aliases:
# - nifcloud-computing-add-security-group-to-vpn-gateway
# provider: nifcloud
# service: network
# severity: CRITICAL
2 changes: 2 additions & 0 deletions checks/cloud/nifcloud/network/no_common_private_elb.rego
Expand Up @@ -10,6 +10,8 @@
# custom:
# id: AVD-NIF-0019
# avd_id: AVD-NIF-0019
# aliases:
# - nifcloud-network-no-common-private-elb
# provider: nifcloud
# service: network
# severity: LOW
