False Positive - Code scanning - CFT- SQS Queue Unencrypted Finding #5144
Closed. tzurielweisberg started this conversation in False Detection. Replies: 2 comments.
Track #5167
Description

Hey, a Supply Chain customer gets a false positive; can you please take a look?

Issue:
The customer reported that the Supply Chain Code Repository scan gives a false positive for an unencrypted SQS queue even after the CFT provides the KMS key details.
Review of the issue: it looks like the issue happens when the KMS key ARN in the CFT is referenced from parameters. If we pass the KMS ARN directly, the issue is not identified.
Example CFT

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: ECS service and task configuration
Parameters:
  MessageInQueueKms:
    Type: String
    Description: ARN of kms to assign to input message queue
Resources:
  nisadtestR1:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: nishad-test-queue
      KmsMasterKeyId: !Ref MessageInQueueKms
```
Reproduction Steps

1. Integrate the GitHub repo into Supply Chain for a CodeRepositories scan.
2. Push the above CFT sample to Git.
3. Scan the code repo and review the results.
Target: Filesystem
Scanner: Secret
Target OS: No response
Debug Output:
Version:
Checklist:
- `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
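The behaviour described in the report, as an added example that is not the scanner's or the project's own code: a naive check that only accepts a literal string for `KmsMasterKeyId` flags the template above, while a check that resolves `Ref`/`Fn::GetAtt` recognises a key supplied through a parameter (and still reports a parameter whose empty `Default` would deploy the queue without a key). The template is embedded in the dict form a CloudFormation JSON or a `!Ref`-aware YAML loader produces; `naive_is_encrypted` and `sqs_encryption_status` are hypothetical names.

```python
# Constructed copy of the reported template, in the dict form a YAML loader
# with !Ref support (or CloudFormation JSON) produces: !Ref X -> {"Ref": "X"}.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "MessageInQueueKms": {"Type": "String", "Description": "ARN of kms key"},
    },
    "Resources": {
        "nisadtestR1": {
            "Type": "AWS::SQS::Queue",
            "Properties": {
                "QueueName": "nishad-test-queue",
                "KmsMasterKeyId": {"Ref": "MessageInQueueKms"},
            },
        },
    },
}


def naive_is_encrypted(props):
    """Reproduces the false positive: only a literal string counts as a key."""
    key = props.get("KmsMasterKeyId")
    return isinstance(key, str) and bool(key.strip())


def sqs_encryption_status(template, logical_id):
    """Classify an AWS::SQS::Queue as 'encrypted', 'encrypted-via-parameter',
    'unencrypted' or 'needs-review' (an expression this check cannot resolve)."""
    res = template["Resources"][logical_id]
    if res.get("Type") != "AWS::SQS::Queue":
        raise ValueError(f"{logical_id} is not an AWS::SQS::Queue")
    props = res.get("Properties", {})
    if props.get("SqsManagedSseEnabled") is True:      # SQS-owned SSE, no CMK needed
        return "encrypted"
    key = props.get("KmsMasterKeyId")
    if key is None:
        return "unencrypted"
    if isinstance(key, str):                            # literal key id, ARN or alias
        return "encrypted" if key.strip() else "unencrypted"
    resources = template["Resources"]
    if isinstance(key, dict) and "Ref" in key:
        target = key["Ref"]
        param = template.get("Parameters", {}).get(target)
        if param is not None:
            # Value arrives at deploy time; only an empty Default can silently
            # deploy the queue with no key, so that case stays a finding.
            return "unencrypted" if param.get("Default") == "" else "encrypted-via-parameter"
        if resources.get(target, {}).get("Type") == "AWS::KMS::Key":
            return "encrypted"                          # key defined in this template
    if isinstance(key, dict) and "Fn::GetAtt" in key:
        ga = key["Fn::GetAtt"]                          # "Key.Arn" or ["Key", "Arn"]
        target, attr = ga.split(".", 1) if isinstance(ga, str) else ga[:2]
        if attr == "Arn" and resources.get(target, {}).get("Type") == "AWS::KMS::Key":
            return "encrypted"
    return "needs-review"                               # Fn::If, Fn::Sub, Fn::ImportValue, ...
```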