diff --git a/.gitignore b/.gitignore index c06f94fdf5..31d7caf42f 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ /tfsec-docs /bin /.idea +vendor/ # ignore windows compiled binary /tfsec.exe diff --git a/docs/checks/aws/api-gateway/enable-cache-encryption/index.md b/docs/checks/aws/api-gateway/enable-cache-encryption/index.md index 50b804927b..b6283bb9a4 100644 --- a/docs/checks/aws/api-gateway/enable-cache-encryption/index.md +++ b/docs/checks/aws/api-gateway/enable-cache-encryption/index.md @@ -38,6 +38,7 @@ The following example will fail the aws-api-gateway-enable-cache-encryption chec settings { metrics_enabled = true logging_level = "INFO" + caching_enabled = true cache_data_encrypted = false } } @@ -67,6 +68,7 @@ The following example will pass the aws-api-gateway-enable-cache-encryption chec settings { metrics_enabled = true logging_level = "INFO" + caching_enabled = true cache_data_encrypted = true } } diff --git a/docs/checks/aws/api-gateway/no-public-access/index.md b/docs/checks/aws/api-gateway/no-public-access/index.md index 658de5e61f..6ee57803b3 100644 --- a/docs/checks/aws/api-gateway/no-public-access/index.md +++ b/docs/checks/aws/api-gateway/no-public-access/index.md @@ -26,6 +26,10 @@ The following example will fail the aws-api-gateway-no-public-access check. } + resource "aws_api_gateway_resource" "MyDemoResource" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + } + resource "aws_api_gateway_method" "bad_example" { rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id resource_id = aws_api_gateway_resource.MyDemoResource.id @@ -46,6 +50,10 @@ The following example will pass the aws-api-gateway-no-public-access check. } + resource "aws_api_gateway_resource" "MyDemoResource" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + } + resource "aws_api_gateway_method" "good_example" { rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id resource_id = aws_api_gateway_resource.MyDemoResource.id 
diff --git a/docs/checks/aws/dynamodb/enable-at-rest-encryption/index.md b/docs/checks/aws/dynamodb/enable-at-rest-encryption/index.md index 9d3ef0d4b9..4903137d9e 100644 --- a/docs/checks/aws/dynamodb/enable-at-rest-encryption/index.md +++ b/docs/checks/aws/dynamodb/enable-at-rest-encryption/index.md @@ -1,14 +1,14 @@ --- -title: DAX Cluster should always encrypt data at rest +title: DAX Cluster and tables should always encrypt data at rest --- -# DAX Cluster should always encrypt data at rest +# DAX Cluster and tables should always encrypt data at rest ### Default Severity: high ### Explanation -Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage. +Amazon DynamoDB Accelerator (DAX) and table encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage. ### Possible Impact Data can be freely read if compromised diff --git a/docs/checks/aws/dynamodb/index.md b/docs/checks/aws/dynamodb/index.md index 4f070760e8..f86c833e28 100644 --- a/docs/checks/aws/dynamodb/index.md +++ b/docs/checks/aws/dynamodb/index.md @@ -7,7 +7,7 @@ title: dynamodb ## Checks -- [enable-at-rest-encryption](enable-at-rest-encryption) DAX Cluster should always encrypt data at rest +- [enable-at-rest-encryption](enable-at-rest-encryption) DAX Cluster and tables should always encrypt data at rest - [enable-recovery](enable-recovery) Point in time recovery should be enabled to protect DynamoDB table diff --git a/docs/checks/aws/ec2/add-description-to-security-group-rule/index.md b/docs/checks/aws/ec2/add-description-to-security-group-rule/index.md new file mode 100644 index 0000000000..e87a78f640 --- /dev/null +++ b/docs/checks/aws/ec2/add-description-to-security-group-rule/index.md 
@@ -0,0 +1,74 @@ +--- +title: Missing description for security group rule. +--- + +# Missing description for security group rule. + +### Default Severity: low + +### Explanation + +Security group rules should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing security groups. + +### Possible Impact +Descriptions provide context for the firewall rule reasons + +### Suggested Resolution +Add descriptions for all security groups rules + + +### Insecure Example + +The following example will fail the aws-ec2-add-description-to-security-group-rule check. +```terraform + + resource "aws_security_group" "bad_example" { + name = "http" + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-add-description-to-security-group-rule check. +```terraform + + resource "aws_security_group" "good_example" { + name = "http" + description = "Allow inbound HTTP traffic" + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html](https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + 
diff --git a/docs/checks/aws/ec2/add-description-to-security-group/index.md b/docs/checks/aws/ec2/add-description-to-security-group/index.md
new file mode 100644
index 0000000000..3b195a310e
--- /dev/null
+++ b/docs/checks/aws/ec2/add-description-to-security-group/index.md
@@ -0,0 +1,76 @@ +--- +title: Missing description for security group. +--- + +# Missing description for security group. + +### Default Severity: low + +### Explanation + +Security groups should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing security groups. + +### Possible Impact +Descriptions provide context for the firewall rule reasons + +### Suggested Resolution +Add descriptions for all security groups + + +### Insecure Example + +The following example will fail the aws-ec2-add-description-to-security-group check. +```terraform + + resource "aws_security_group" "bad_example" { + name = "http" + description = "" + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-add-description-to-security-group check. +```terraform + + resource "aws_security_group" "good_example" { + name = "http" + description = "Allow inbound HTTP traffic" + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html](https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + 
diff --git a/docs/checks/aws/ec2/enable-launch-config-at-rest-encryption/index.md b/docs/checks/aws/ec2/enable-launch-config-at-rest-encryption/index.md new file mode 100644 index 0000000000..365e972b15 --- /dev/null +++ b/docs/checks/aws/ec2/enable-launch-config-at-rest-encryption/index.md @@ -0,0 +1,58 @@ +--- +title: Launch configuration with unencrypted block device. +--- + +# Launch configuration with unencrypted block device. + +### Default Severity: high + +### Explanation + +Block devices should be encrypted to ensure sensitive data is held securely at rest. + +### Possible Impact +The block device could be compromised and read from + +### Suggested Resolution +Turn on encryption for all block devices + + +### Insecure Example + +The following example will fail the aws-ec2-enable-launch-config-at-rest-encryption check. +```terraform + + resource "aws_launch_configuration" "bad_example" { + root_block_device { + encrypted = false + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-enable-launch-config-at-rest-encryption check. +```terraform + + resource "aws_launch_configuration" "good_example" { + root_block_device { + encrypted = true + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/enable-volume-encryption/index.md b/docs/checks/aws/ec2/enable-volume-encryption/index.md new file mode 100644 index 0000000000..347402a74b --- /dev/null 
+++ b/docs/checks/aws/ec2/enable-volume-encryption/index.md @@ -0,0 +1,66 @@ +--- +title: EBS volumes must be encrypted +--- + +# EBS volumes must be encrypted + +### Default Severity: high + +### Explanation + +By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted. + +### Possible Impact +Unencrypted sensitive data is vulnerable to compromise. + +### Suggested Resolution +Enable encryption of EBS volumes + + +### Insecure Example + +The following example will fail the aws-ec2-enable-volume-encryption check. +```terraform + + resource "aws_ebs_volume" "bad_example" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } + encrypted = false + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-enable-volume-encryption check. +```terraform + + resource "aws_ebs_volume" "good_example" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } + encrypted = true + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/enforce-launch-config-http-token-imds/index.md b/docs/checks/aws/ec2/enforce-launch-config-http-token-imds/index.md new file mode 100644 index 0000000000..5c4844b558 --- /dev/null +++ b/docs/checks/aws/ec2/enforce-launch-config-http-token-imds/index.md 
@@ -0,0 +1,63 @@ +--- +title: aws_instance should activate session tokens for Instance Metadata Service. +--- + +# aws_instance should activate session tokens for Instance Metadata Service. + +### Default Severity: high + +### Explanation + + +IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS. +By default aws_instance resource sets IMDS session auth tokens to be optional. +To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required. + + +### Possible Impact +Instance metadata service can be interacted with freely + +### Suggested Resolution +Enable HTTP token requirement for IMDS + + +### Insecure Example + +The following example will fail the aws-ec2-enforce-launch-config-http-token-imds check. +```terraform + + resource "aws_launch_template" "bad_example" { + image_id = "ami-005e54dee72cc1d00" + instance_type = "t2.micro" + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-enforce-launch-config-http-token-imds check. +```terraform + + resource "aws_launch_template" "good_example" { + image_id = "ami-005e54dee72cc1d00" + instance_type = "t2.micro" + metadata_options { + http_tokens = "required" + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service){:target="_blank" rel="nofollow noreferrer noopener"} + + + 
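Review bot: The title and the Explanation paragraph describe `aws_instance`, but the check id is aws-ec2-enforce-launch-config-http-token-imds and both examples use `aws_launch_template`, so the page tells the reader to fix a resource this check does not inspect. I would change the title to `title: aws_launch_template should activate session tokens for Instance Metadata Service.` (and the matching `#` heading) and the second Explanation sentence to `By default the aws_launch_template resource sets IMDS session auth tokens to be optional.`; the first Links entry could then point at the launch_template resource page rather than the instance page. The ec2 index hunk later in this commit (docs/checks/aws/ec2/index.md) repeats the same aws_instance wording for this check. These pages look generated from the check metadata, so the fix probably belongs in the check definition rather than in the markdown, which I cannot see from here.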
diff --git a/docs/checks/aws/ec2/index.md b/docs/checks/aws/ec2/index.md
index 63ff061446..2ec0ce80cc 100644
--- a/docs/checks/aws/ec2/index.md
+++ b/docs/checks/aws/ec2/index.md
@@ -7,11 +7,39 @@ title: ec2 ## Checks +- [add-description-to-security-group](add-description-to-security-group) Missing description for security group. + +- [add-description-to-security-group-rule](add-description-to-security-group-rule) Missing description for security group rule. + - [enable-at-rest-encryption](enable-at-rest-encryption) Instance with unencrypted block device. +- [enable-launch-config-at-rest-encryption](enable-launch-config-at-rest-encryption) Launch configuration with unencrypted block device. + +- [enable-volume-encryption](enable-volume-encryption) EBS volumes must be encrypted + - [enforce-http-token-imds](enforce-http-token-imds) aws_instance should activate session tokens for Instance Metadata Service. +- [enforce-launch-config-http-token-imds](enforce-launch-config-http-token-imds) aws_instance should activate session tokens for Instance Metadata Service. + +- [no-default-vpc](no-default-vpc) AWS best practice to not use the default VPC for workflows + +- [no-excessive-port-access](no-excessive-port-access) An ingress Network ACL rule allows ALL ports. + +- [no-public-egress-sgr](no-public-egress-sgr) An egress security group rule allows traffic to /0. + +- [no-public-ingress-acl](no-public-ingress-acl) An ingress Network ACL rule allows specific ports from /0. + +- [no-public-ingress-sgr](no-public-ingress-sgr) An ingress security group rule allows traffic from /0. + +- [no-public-ip](no-public-ip) Launch configuration should not have a public IP address. 
+ +- [no-secrets-in-launch-template-user-data](no-secrets-in-launch-template-user-data) User data for EC2 instances must not contain sensitive AWS keys + - [no-secrets-in-user-data](no-secrets-in-user-data) User data for EC2 instances must not contain sensitive AWS keys +- [no-sensitive-info](no-sensitive-info) Ensure all data stored in the launch configuration EBS is securely encrypted + +- [volume-encryption-customer-key](volume-encryption-customer-key) EBS volume encryption should use Customer Managed Keys + diff --git a/docs/checks/aws/ec2/no-default-vpc/index.md b/docs/checks/aws/ec2/no-default-vpc/index.md new file mode 100644 index 0000000000..b652ec25d7 --- /dev/null +++ b/docs/checks/aws/ec2/no-default-vpc/index.md 
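Review bot: The entry for `no-sensitive-info` reads `Ensure all data stored in the launch configuration EBS is securely encrypted`, which describes EBS encryption, while the aws-ec2-no-sensitive-info page added later in this commit explains that the check is about sensitive data in launch-configuration `user_data`, with the impact `Sensitive credentials in user data can be leaked`. A reader scanning this index would look for an encryption check and miss the secrets check entirely. I'd change the line to `- [no-sensitive-info](no-sensitive-info) Launch configuration user data must not contain sensitive data`, taking the exact wording from the check's title so the generated index stays in sync. That page's title is not legible in the diff as rendered here, so confirm the wording against the check definition.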
@@ -0,0 +1,54 @@ +--- +title: AWS best practice to not use the default VPC for workflows +--- + +# AWS best practice to not use the default VPC for workflows + +### Default Severity: high + +### Explanation + +Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform. + +### Possible Impact +The default VPC does not have critical security features applied + +### Suggested Resolution +Create a non-default vpc for resources to be created in + + +### Insecure Example + +The following example will fail the aws-ec2-no-default-vpc check. +```terraform + + resource "aws_default_vpc" "default" { + tags = { + Name = "Default VPC" + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-default-vpc check. +```terraform + + # no aws default vpc present + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/no-excessive-port-access/index.md b/docs/checks/aws/ec2/no-excessive-port-access/index.md new file mode 100644 index 0000000000..fdb659cc60 --- /dev/null +++ b/docs/checks/aws/ec2/no-excessive-port-access/index.md 
@@ -0,0 +1,62 @@ +--- +title: An ingress Network ACL rule allows ALL ports. +--- + +# An ingress Network ACL rule allows ALL ports. + +### Default Severity: critical + +### Explanation + +Ensure access to specific required ports is allowed, and nothing else. + +### Possible Impact +All ports exposed for egressing data + +### Suggested Resolution +Set specific allowed ports + + +### Insecure Example + +The following example will fail the aws-ec2-no-excessive-port-access check. +```terraform + + resource "aws_network_acl_rule" "bad_example" { + egress = false + protocol = "all" + rule_action = "allow" + cidr_block = "0.0.0.0/0" + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-excessive-port-access check. +```terraform + + resource "aws_network_acl_rule" "good_example" { + egress = false + protocol = "tcp" + from_port = 22 + to_port = 22 + rule_action = "allow" + cidr_block = "0.0.0.0/0" + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/no-public-egress-sgr/index.md b/docs/checks/aws/ec2/no-public-egress-sgr/index.md new file mode 100644 index 0000000000..f018ce244d --- /dev/null +++ b/docs/checks/aws/ec2/no-public-egress-sgr/index.md 
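Review bot: The Possible Impact line `All ports exposed for egressing data` contradicts the title (`An ingress Network ACL rule allows ALL ports.`) and the example, where `egress = false`, so the stated impact points in the wrong direction; I'd change it to `All ports are exposed to ingress traffic`. Separately, the Secure Example still allows port 22 from `cidr_block = "0.0.0.0/0"`, which is exactly the Insecure Example of the sibling aws-ec2-no-public-ingress-acl page in this commit, so the "secure" snippet will be flagged by the next check a user runs; use a restricted range such as `cidr_block = "10.0.0.0/16"` as that page's good example does. Both strings look like check metadata, so the source of truth is probably the check definition rather than this generated markdown.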
@@ -0,0 +1,58 @@ +--- +title: An egress security group rule allows traffic to /0. +--- + +# An egress security group rule allows traffic to /0. + +### Default Severity: critical + +### Explanation + +Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible. + +### Possible Impact +Your port is egressing data to the internet + +### Suggested Resolution +Set a more restrictive cidr range + + +### Insecure Example + +The following example will fail the aws-ec2-no-public-egress-sgr check. +```terraform + + resource "aws_security_group" "bad_example" { + egress { + cidr_blocks = ["0.0.0.0/0"] + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-public-egress-sgr check. +```terraform + + resource "aws_security_group" "good_example" { + egress { + cidr_blocks = ["1.2.3.4/32"] + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/no-public-ingress-acl/index.md b/docs/checks/aws/ec2/no-public-ingress-acl/index.md new file mode 100644 index 0000000000..722382e2f6 --- /dev/null +++ b/docs/checks/aws/ec2/no-public-ingress-acl/index.md 
@@ -0,0 +1,64 @@ +--- +title: An ingress Network ACL rule allows specific ports from /0. +--- + +# An ingress Network ACL rule allows specific ports from /0. + +### Default Severity: critical + +### Explanation + +Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Possible Impact +The ports are exposed for ingressing data to the internet + +### Suggested Resolution +Set a more restrictive cidr range + + +### Insecure Example + +The following example will fail the aws-ec2-no-public-ingress-acl check. +```terraform + + resource "aws_network_acl_rule" "bad_example" { + egress = false + protocol = "tcp" + from_port = 22 + to_port = 22 + rule_action = "allow" + cidr_block = "0.0.0.0/0" + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-public-ingress-acl check. +```terraform + + resource "aws_network_acl_rule" "good_example" { + egress = false + protocol = "tcp" + from_port = 22 + to_port = 22 + rule_action = "allow" + cidr_block = "10.0.0.0/16" + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/no-public-ingress-sgr/index.md b/docs/checks/aws/ec2/no-public-ingress-sgr/index.md new file mode 100644 index 0000000000..b0547ddf03 --- /dev/null +++ b/docs/checks/aws/ec2/no-public-ingress-sgr/index.md 
@@ -0,0 +1,56 @@ +--- +title: An ingress security group rule allows traffic from /0. +--- + +# An ingress security group rule allows traffic from /0. + +### Default Severity: critical + +### Explanation + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Possible Impact +Your port exposed to the internet + +### Suggested Resolution +Set a more restrictive cidr range + + +### Insecure Example + +The following example will fail the aws-ec2-no-public-ingress-sgr check. +```terraform + + resource "aws_security_group_rule" "bad_example" { + type = "ingress" + cidr_blocks = ["0.0.0.0/0"] + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-public-ingress-sgr check. +```terraform + + resource "aws_security_group_rule" "good_example" { + type = "ingress" + cidr_blocks = ["10.0.0.0/16"] + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/ec2/no-public-ip/index.md b/docs/checks/aws/ec2/no-public-ip/index.md new file mode 100644 index 0000000000..b385bf5c6f --- /dev/null +++ b/docs/checks/aws/ec2/no-public-ip/index.md 
@@ -0,0 +1,56 @@ +--- +title: Launch configuration should not have a public IP address. +--- + +# Launch configuration should not have a public IP address. + +### Default Severity: high + +### Explanation + +You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. + +### Possible Impact +The instance or configuration is publicly accessible + +### Suggested Resolution +Set the instance to not be publicly accessible + + +### Insecure Example + +The following example will fail the aws-ec2-no-public-ip check. +```terraform + + resource "aws_launch_configuration" "bad_example" { + associate_public_ip_address = true + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-no-public-ip check. +```terraform + + resource "aws_launch_configuration" "good_example" { + associate_public_ip_address = false + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#associate_public_ip_address](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#associate_public_ip_address){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + 
diff --git a/docs/checks/aws/ec2/no-secrets-in-launch-template-user-data/index.md b/docs/checks/aws/ec2/no-secrets-in-launch-template-user-data/index.md
new file mode 100644
index 0000000000..f7aa8b6678
--- /dev/null
+++ b/docs/checks/aws/ec2/no-secrets-in-launch-template-user-data/index.md
@@ -0,0 +1,74 @@ +--- +title: User data for EC2 instances must not contain sensitive AWS keys +--- + +# User data for EC2 instances must not contain sensitive AWS keys + +### Default Severity: critical + +### Explanation + +EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services. + +### Possible Impact +User data is visible through the AWS Management console + +### Suggested Resolution +Remove sensitive data from the EC2 instance user-data generated by launch templates + + +### Insecure Example + +The following example will fail the aws-ec2-no-secrets-in-launch-template-user-data check. +```terraform + + resource "aws_launch_template" "bad_example" { + + image_id = "ami-12345667" + instance_type = "t2.small" + + user_data = <high + +### Explanation + +When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data. + +### Possible Impact +Sensitive credentials in user data can be leaked + +### Suggested Resolution +Don't use sensitive data in user data + + +### Insecure Example + +The following example will fail the aws-ec2-no-sensitive-info check. +```terraform + + resource "aws_launch_configuration" "as_conf" { + name = "web_config" + image_id = data.aws_ami.ubuntu.id + instance_type = "t2.micro" + user_data = <low + +### Explanation + +Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys. + +### Possible Impact +Using AWS managed keys does not allow for fine grained control + +### Suggested Resolution +Enable encryption using customer managed keys + + +### Insecure Example + +The following example will fail the aws-ec2-volume-encryption-customer-key check. 
+```terraform + + resource "aws_ebs_volume" "example" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } + } + +``` + + + +### Secure Example + +The following example will pass the aws-ec2-volume-encryption-customer-key check. +```terraform + + resource "aws_kms_key" "ebs_encryption" { + enable_key_rotation = true + } + + resource "aws_ebs_volume" "example" { + availability_zone = "us-west-2a" + size = 40 + + kms_key_id = aws_kms_key.ebs_encryption.arn + + tags = { + Name = "HelloWorld" + } + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#kms_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#kms_key_id){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/emr/enable-at-rest-encryption/index.md b/docs/checks/aws/emr/enable-at-rest-encryption/index.md new file mode 100644 index 0000000000..de979c7709 --- /dev/null +++ b/docs/checks/aws/emr/enable-at-rest-encryption/index.md 
@@ -0,0 +1,88 @@ +--- +title: Enable at-rest encryption for EMR clusters. +--- + +# Enable at-rest encryption for EMR clusters. + +### Default Severity: high + +### Explanation + +Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private. + +### Possible Impact +At-rest data in the EMR cluster could be compromised if accessed. + +### Suggested Resolution +Enable at-rest encryption for EMR cluster + + +### Insecure Example + +The following example will fail the aws-emr-enable-at-rest-encryption check. +```terraform + + resource "aws_emr_security_configuration" "bad_example" { + name = "emrsc_other" + + configuration = <high + +### Explanation + +Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private. + +### Possible Impact +In-transit data in the EMR cluster could be compromised if accessed. + +### Suggested Resolution +Enable in-transit encryption for EMR cluster + + +### Insecure Example + +The following example will fail the aws-emr-enable-in-transit-encryption check. +```terraform + + resource "aws_emr_security_configuration" "bad_example" { + name = "emrsc_other" + + configuration = <high + +### Explanation + +Data stored within an EMR instances should be encrypted to ensure sensitive data is kept private. + +### Possible Impact +Local-disk data in the EMR cluster could be compromised if accessed. + +### Suggested Resolution +Enable local-disk encryption for EMR cluster + + +### Insecure Example + +The following example will fail the aws-emr-enable-local-disk-encryption check. +```terraform + + resource "aws_emr_security_configuration" "bad_example" { + name = "emrsc_other" + + configuration = <medium + +### Explanation + + +IAM groups should be protected with multi factor authentication to add safe guards to password compromise. 
+ + +### Possible Impact +IAM groups are more vulnerable to compromise without multi factor authentication activated + +### Suggested Resolution +Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced + + +### Insecure Example + +The following example will fail the aws-iam-enforce-group-mfa check. +```terraform + +data aws_caller_identity current {} +resource aws_iam_group developers { + name = "developers" +} + +``` + + + +### Secure Example + +The following example will pass the aws-iam-enforce-group-mfa check. +```terraform + +resource "aws_iam_group" "support" { + name = "support" +} +resource aws_iam_group_policy mfa { + + group = aws_iam_group.support.name + policy = <critical + +### Explanation + + +CIS recommends that all access keys be associated with the root user be removed. Removing access keys associated with the root user limits vectors that the account can be compromised by. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged. + + +### Possible Impact +Compromise of the root account compromises the entire AWS account and all resources within it. + +### Suggested Resolution +Use lower privileged accounts instead, so only required privileges are available. + + +### Insecure Example + +The following example will fail the aws-iam-no-root-access-keys check. +```terraform + +resource "aws_iam_access_key" "good_example" { + user = "root" +} + +``` + + + +### Secure Example + +The following example will pass the aws-iam-no-root-access-keys check. 
+```terraform + +resource "aws_iam_access_key" "good_example" { + user = "lowprivuser" +} + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/iam/no-user-attached-policies/index.md b/docs/checks/aws/iam/no-user-attached-policies/index.md new file mode 100644 index 0000000000..77e23ddadd --- /dev/null +++ b/docs/checks/aws/iam/no-user-attached-policies/index.md 
@@ -0,0 +1,111 @@ +--- +title: IAM policies should not be granted directly to users. +--- + +# IAM policies should not be granted directly to users. + +### Default Severity: low + +### Explanation + + +CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges. + + +### Possible Impact +Complex access control is difficult to manage and maintain. + +### Suggested Resolution +Grant policies at the group level instead. + + +### Insecure Example + +The following example will fail the aws-iam-no-user-attached-policies check. +```terraform + +resource "aws_iam_user" "jim" { + name = "jim" +} + +resource "aws_iam_user_policy" "ec2policy" { + name = "test" + user = aws_iam_user.jim.name + + policy = <high + +### Explanation + +Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management. + +### Possible Impact +Key management very limited when using default keys. + +### Suggested Resolution +Use a CMK for SNS Topic encryption + + +### Insecure Example + +The following example will fail the aws-sns-topic-encryption-use-cmk check. +```terraform + + resource "aws_sns_topic" "bad_example" { + kms_master_key_id = "alias/aws/sns" + } + +``` + + + +### Secure Example + +The following example will pass the aws-sns-topic-encryption-use-cmk check. 
+```terraform + + resource "aws_sns_topic" "good_example" { + kms_master_key_id = "/blah" + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/aws/sqs/enable-queue-encryption/index.md b/docs/checks/aws/sqs/enable-queue-encryption/index.md index 2a6e667b0b..93b3c1dc0f 100644 --- a/docs/checks/aws/sqs/enable-queue-encryption/index.md +++ b/docs/checks/aws/sqs/enable-queue-encryption/index.md @@ -8,7 +8,7 @@ title: Unencrypted SQS queue. ### Explanation -Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues. +Queues should be encrypted to protect queue contents. ### Possible Impact The SQS queue messages could be read if compromised diff --git a/docs/checks/aws/sqs/index.md b/docs/checks/aws/sqs/index.md index 73dcae4700..997fbddd45 100644 --- a/docs/checks/aws/sqs/index.md +++ b/docs/checks/aws/sqs/index.md @@ -11,5 +11,7 @@ title: sqs - [no-wildcards-in-policy-documents](no-wildcards-in-policy-documents) AWS SQS policy document has wildcard action statement. +- [queue-encryption-use-cmk](queue-encryption-use-cmk) SQS queue should be encrypted with a CMK. + diff --git a/docs/checks/aws/sqs/queue-encryption-use-cmk/index.md b/docs/checks/aws/sqs/queue-encryption-use-cmk/index.md new file mode 100644 index 0000000000..90cb7c5e29 --- /dev/null +++ b/docs/checks/aws/sqs/queue-encryption-use-cmk/index.md 
@@ -0,0 +1,54 @@ +--- +title: SQS queue should be encrypted with a CMK. +--- + +# SQS queue should be encrypted with a CMK. + +### Default Severity: high + +### Explanation + +Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues. + +### Possible Impact +The SQS queue messages could be read if compromised. Key management is very limited when using default keys. + +### Suggested Resolution +Encrypt SQS Queue with a customer-managed key + + +### Insecure Example + +The following example will fail the aws-sqs-queue-encryption-use-cmk check. +```terraform + + resource "aws_sqs_queue" "bad_example" { + kms_master_key_id = "alias/aws/sqs" + } + +``` + + + +### Secure Example + +The following example will pass the aws-sqs-queue-encryption-use-cmk check. +```terraform + + resource "aws_sqs_queue" "good_example" { + kms_master_key_id = "/blah" + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse){:target="_blank" rel="nofollow noreferrer noopener"} + +- [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/google/gke/metadata-endpoints-disabled/index.md b/docs/checks/google/gke/metadata-endpoints-disabled/index.md index 368ef1ec79..ab3d2080d7 100644 --- a/docs/checks/google/gke/metadata-endpoints-disabled/index.md +++ b/docs/checks/google/gke/metadata-endpoints-disabled/index.md 
@@ -29,9 +29,11 @@ The following example will fail the google-gke-metadata-endpoints-disabled check ```terraform resource "google_container_cluster" "bad_example" { - metadata { - disable-legacy-endpoints = false - } + node_config { + metadata = { + disable-legacy-endpoints = false + } + } } ``` @@ -43,9 +45,11 @@ The following example will pass the google-gke-metadata-endpoints-disabled check ```terraform resource "google_container_cluster" "good_example" { - metadata { - disable-legacy-endpoints = true - } + node_config { + metadata = { + disable-legacy-endpoints = true + } + } } ``` diff --git a/docs/checks/openstack/index.md b/docs/checks/openstack/index.md index 92a43c7301..f2a095dd6e 100644 --- a/docs/checks/openstack/index.md +++ b/docs/checks/openstack/index.md @@ -9,4 +9,6 @@ title: openstack - [compute](compute) +- [networking](networking) + diff --git a/docs/checks/openstack/networking/describe-security-group/index.md b/docs/checks/openstack/networking/describe-security-group/index.md new file mode 100644 index 0000000000..442a4a2343 --- /dev/null +++ b/docs/checks/openstack/networking/describe-security-group/index.md 
@@ -0,0 +1,45 @@ +--- +title: Missing description for security group. +--- + +# Missing description for security group. + +### Default Severity: medium + +### Explanation + +Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups. + +### Possible Impact +Auditing capability and awareness limited. + +### Suggested Resolution +Add descriptions for all security groups + + +### Insecure Example + +The following example will fail the openstack-networking-describe-security-group check. +```terraform + + resource "openstack_networking_secgroup_v2" "group_1" { + } + +``` + + + +### Secure Example + +The following example will pass the openstack-networking-describe-security-group check. +```terraform + + resource "openstack_networking_secgroup_v2" "group_1" { + description = "don't let just anyone in" + } + +``` + + + + diff --git a/docs/checks/openstack/networking/index.md b/docs/checks/openstack/networking/index.md new file mode 100644 index 0000000000..0ddedb4339 --- /dev/null +++ b/docs/checks/openstack/networking/index.md @@ -0,0 +1,17 @@ +--- +title: networking +--- + +# networking + +## Checks + + +- [describe-security-group](describe-security-group) Missing description for security group. + +- [no-public-egress](no-public-egress) A security group rule allows egress traffic to multiple public addresses + +- [no-public-ingress](no-public-ingress) A security group rule allows ingress traffic from multiple public addresses + + + diff --git a/docs/checks/openstack/networking/no-public-egress/index.md b/docs/checks/openstack/networking/no-public-egress/index.md new file mode 100644 index 0000000000..2fba4c48ff --- /dev/null +++ b/docs/checks/openstack/networking/no-public-egress/index.md 
@@ -0,0 +1,62 @@ +--- +title: A security group rule allows egress traffic to multiple public addresses +--- + +# A security group rule allows egress traffic to multiple public addresses + +### Default Severity: medium + +### Explanation + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Possible Impact +Potential exfiltration of data to the public internet + +### Suggested Resolution +Employ more restrictive security group rules + + +### Insecure Example + +The following example will fail the openstack-networking-no-public-egress check. +```terraform + + resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "egress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "0.0.0.0/0" + } + +``` + + + +### Secure Example + +The following example will pass the openstack-networking-no-public-egress check. +```terraform + +resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "egress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "1.2.3.4/32" +} + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/docs/checks/openstack/networking/no-public-ingress/index.md b/docs/checks/openstack/networking/no-public-ingress/index.md new file mode 100644 index 0000000000..02cf95218b --- /dev/null +++ b/docs/checks/openstack/networking/no-public-ingress/index.md 
@@ -0,0 +1,62 @@ +--- +title: A security group rule allows ingress traffic from multiple public addresses +--- + +# A security group rule allows ingress traffic from multiple public addresses + +### Default Severity: medium + +### Explanation + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Possible Impact +Exposure of infrastructure to the public internet + +### Suggested Resolution +Employ more restrictive security group rules + + +### Insecure Example + +The following example will fail the openstack-networking-no-public-ingress check. +```terraform + + resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "0.0.0.0/0" + } + +``` + + + +### Secure Example + +The following example will pass the openstack-networking-no-public-ingress check. +```terraform + + resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "1.2.3.4/32" + } + +``` + + + +### Links + + +- [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1){:target="_blank" rel="nofollow noreferrer noopener"} + + + diff --git a/go.mod b/go.mod index 56397a15d1..ca08f3ae18 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.18 require ( github.com/AlecAivazis/survey/v2 v2.3.5 github.com/Masterminds/semver v1.5.0 - github.com/aquasecurity/defsec v0.68.10 + github.com/aquasecurity/defsec v0.69.0 github.com/google/uuid v1.3.0 github.com/hashicorp/go-version v1.6.0 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf 
@@ -21,7 +21,7 @@ require (
 	cloud.google.com/go v0.99.0 // indirect
 	cloud.google.com/go/storage v1.10.0 // indirect
-	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
@@ -30,7 +30,7 @@ require (
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aws/aws-sdk-go v1.34.9 // indirect
+	github.com/aws/aws-sdk-go v1.44.48 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -54,7 +54,7 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmespath/go-jmespath v0.3.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/klauspost/compress v1.15.1 // indirect
@@ -73,6 +73,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -85,12 +86,12 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
 	google.golang.org/api v0.62.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
diff --git a/go.sum b/go.sum
index 9bcae1e9ad..fe813b339d 100644
--- a/go.sum
+++ b/go.sum
@@ -86,8 +86,9 @@ github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugX
 github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
-github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
 github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
@@ -142,8 +143,8 @@ github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:o
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/defsec v0.68.10 h1:RSOPI43PWckgDzdSg6EifGcbF6DeoZBuo2tAy8XXH2w=
-github.com/aquasecurity/defsec v0.68.10/go.mod h1:NdjAkq2LAbsu3sFHbWfA+DDR5BxiajELQAMUrfJ6PFg=
+github.com/aquasecurity/defsec v0.69.0 h1:q4QVm+s0GfXH0u6eeI11lq+h+5a4W0JQgWZPAK7fj8s=
+github.com/aquasecurity/defsec v0.69.0/go.mod h1:iSe2EWVPjIhnCCzpM0VL+f+WTNy7pKDnZ1BJcl082KU=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -153,8 +154,9 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
-github.com/aws/aws-sdk-go v1.34.9 h1:cUGBW9CVdi0mS7K1hDzxIqTpfeWhpoQiguq81M1tjK0=
 github.com/aws/aws-sdk-go v1.34.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
+github.com/aws/aws-sdk-go v1.44.48 h1:jLDC9RsNoYMLFlKpB8LdqUnoDdC2yvkS4QbuyPQJ8+M=
+github.com/aws/aws-sdk-go v1.44.48/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -564,8 +566,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -684,8 +686,11 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
 github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -723,8 +728,8 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -904,6 +909,7 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -964,6 +970,8 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -1287,8 +1295,9 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220412020605-290c469a71a5 h1:bRb386wvrE+oBNdF1d/Xh9mQrfQ4ecYhW5qJ5GvTGT4=
+golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1534,8 +1543,9 @@ golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
+golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
diff --git a/internal/app/tfsec/cmd/flags.go b/internal/app/tfsec/cmd/flags.go
index 77f24f3da6..61c7372de8 100644
--- a/internal/app/tfsec/cmd/flags.go
+++ b/internal/app/tfsec/cmd/flags.go
@@ -33,6 +33,7 @@ var format string
 var softFail bool
 var filterResults string
 var excludedRuleIDs string
+var excludeIgnoresIDs string
 var tfvarsPaths []string
 var excludePaths []string
 var outputFlag string
@@ -74,6 +75,7 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVar(&migrateIgnores, "migrate-ignores", false, "Migrate ignore codes to the new ID structure")
 	cmd.Flags().StringVarP(&format, "format", "f", "lovely", "Select output format: lovely, json, csv, checkstyle, junit, sarif, text, markdown, html, gif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written stdout.")
 	cmd.Flags().StringVarP(&excludedRuleIDs, "exclude", "e", "", "Provide comma-separated list of rule IDs to exclude from run.")
+	cmd.Flags().StringVarP(&excludeIgnoresIDs, "exclude-ignores", "E", "", "Provide comma-separated list of ignored rule to exclude from run.")
 	cmd.Flags().StringVar(&filterResults, "filter-results", "", "Filter results to return specific checks only (supports comma-delimited input).")
 	cmd.Flags().BoolVarP(&softFail, "soft-fail", "s", false, "Runs checks but suppresses error code")
 	cmd.Flags().StringSliceVar(&tfvarsPaths, "tfvars-file", nil, "Path to .tfvars file, can be used multiple times and evaluated in order of specification")
@@ -216,6 +218,10 @@ func configureOptions(cmd *cobra.Command, fsRoot, dir string) ([]options.Scanner
 		scannerOptions = append(scannerOptions, scanner.ScannerWithExcludedRules(strings.Split(excludedRuleIDs, ",")))
 	}
 
+	if excludeIgnoresIDs != "" {
+		scannerOptions = append(scannerOptions, scanner.ScannerWithExcludeIgnores(strings.Split(excludeIgnoresIDs, ",")))
+	}
+
 	if debug {
 		scannerOptions = append(scannerOptions, options.ScannerWithDebug(cmd.ErrOrStderr()))
 	}
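Review bot: The help text on the new `--exclude-ignores` flag, `"Provide comma-separated list of ignored rule to exclude from run."`, does not say what the flag does — read next to `--exclude` it sounds like a second way to skip rules, whereas the variable name and the `scanner.ScannerWithExcludeIgnores` call in the next hunk suggest the opposite: the listed rule IDs keep being reported even where an inline ignore would suppress them. Because this flag decides whether a suppression is honoured, the wording matters to anyone auditing a pipeline; something like `"Provide comma-separated list of rule IDs whose inline ignore comments should be disregarded, so findings for those rules are always reported."` would make the effect explicit (confirm the exact semantics against the scanner option, which is outside this diff). The `-E` shorthand sits next to `-e` for the opposite-effect `--exclude` and is easy to mistype, so it is worth considering whether a shorthand is needed at all. configureFlags continues outside the hunk.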
@@ -285,6 +291,9 @@ func applyConfigFiles(options []options.ScannerOption, dir string) ([]options.Sc if len(conf.ExcludedChecks) > 0 { options = append(options, scanner.ScannerWithExcludedRules(append(conf.ExcludedChecks, excludedRuleIDs))) } + if len(conf.ExcludeIgnores) > 0 { + options = append(options, scanner.ScannerWithExcludeIgnores(append(conf.ExcludeIgnores, excludeIgnoresIDs))) + } } else { logger.Log("Failed to load config file: %s", err) } diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go index ba49f84aec..d377b89ea4 100644 --- a/internal/pkg/config/config.go +++ b/internal/pkg/config/config.go @@ -17,6 +17,7 @@ type Config struct { SeverityOverrides map[string]string `json:"severity_overrides,omitempty" yaml:"severity_overrides,omitempty"` ExcludedChecks []string `json:"exclude,omitempty" yaml:"exclude,omitempty"` IncludedChecks []string `json:"include,omitempty" yaml:"include,omitempty"` + ExcludeIgnores []string `json:"exclude_ignores,omitempty" yaml:"exclude_ignores,omitempty"` MinimumRequiredVersion string `json:"min_required_version" yaml:"min_required_version,omitempty"` } diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go index 606de32207..153c26fef9 100644 --- a/internal/pkg/config/config_test.go +++ b/internal/pkg/config/config_test.go @@ -37,11 +37,15 @@ severity_overrides: exclude: - DP001 + +exclude_ignores: + - DP002 ` c := load(t, "config.yaml", content) assert.Contains(t, c.SeverityOverrides, "AWS018") assert.Contains(t, c.ExcludedChecks, "DP001") + assert.Contains(t, c.ExcludeIgnores, "DP002") } func TestExcludesElementsFromYML(t *testing.T) { @@ -51,11 +55,15 @@ severity_overrides: exclude: - DP001 + +exclude_ignores: + - DP002 ` c := load(t, "config.yml", content) assert.Contains(t, c.SeverityOverrides, "AWS018") assert.Contains(t, c.ExcludedChecks, "DP001") + assert.Contains(t, c.ExcludeIgnores, "DP002") } func TestExcludesElementsFromJSON(t *testing.T) { 
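Review bot: `append(conf.ExcludeIgnores, excludeIgnoresIDs)` on the new line appends the raw flag value as a single element, and appends an empty string when the flag is unset, whereas configureOptions splits the same value on commas before passing it to `scanner.ScannerWithExcludeIgnores`; with `--exclude-ignores A,B` plus a config file that also sets `exclude_ignores`, the entry `"A,B"` presumably matches no rule ID, so the inline ignores for A and B would silently stay in effect. The existing `ExcludedChecks` line above has the same shape, but that is outside this change. Splitting and guarding as below keeps the two code paths consistent; whether a second `ScannerWithExcludeIgnores` option merges with or replaces the one added in configureOptions is not visible here and is worth confirming. applyConfigFiles starts outside the hunk.
```go
		// … unchanged: ExcludedChecks handling …
		if len(conf.ExcludeIgnores) > 0 {
			ids := conf.ExcludeIgnores
			// match configureOptions: split the CLI value on commas, and skip it when unset
			if excludeIgnoresIDs != "" {
				ids = append(ids, strings.Split(excludeIgnoresIDs, ",")...)
			}
			options = append(options, scanner.ScannerWithExcludeIgnores(ids))
		}
```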
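Review bot: The new `ExcludeIgnores` field carries no comment, and its name reads like a sibling of `ExcludedChecks` although it presumably does the inverse — it lists rule IDs whose inline ignore directives are not honoured, judging by the `ScannerWithExcludeIgnores` call sites elsewhere in this diff. A config key that controls whether suppressions apply is easy to misread during a review, so a line such as `// ExcludeIgnores lists rule IDs whose inline ignore directives are disregarded, so their findings are always reported (config key: exclude_ignores).` above the field would help; confirm the semantics against the scanner option, which is outside this diff. The `Config` struct begins outside the hunk.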
@@ -65,6 +73,9 @@ func TestExcludesElementsFromJSON(t *testing.T) { }, "exclude": [ "DP001" + ], + "exclude_ignores": [ + "DP002" ] } ` @@ -72,6 +83,7 @@ func TestExcludesElementsFromJSON(t *testing.T) { assert.Contains(t, c.SeverityOverrides, "AWS018") assert.Contains(t, c.ExcludedChecks, "DP001") + assert.Contains(t, c.ExcludeIgnores, "DP002") } func TestWarningIsRewrittenAsMedium(t *testing.T) { diff --git a/mkdocs.yml b/mkdocs.yml index dfb3e19128..f909460bfe 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -83,9 +83,23 @@ nav:
 - enable-volume-encryption: checks/aws/ebs/enable-volume-encryption/index.md
 - encryption-customer-key: checks/aws/ebs/encryption-customer-key/index.md
 - ec2:
+ - add-description-to-security-group: checks/aws/ec2/add-description-to-security-group/index.md
+ - add-description-to-security-group-rule: checks/aws/ec2/add-description-to-security-group-rule/index.md
 - enable-at-rest-encryption: checks/aws/ec2/enable-at-rest-encryption/index.md
+ - enable-launch-config-at-rest-encryption: checks/aws/ec2/enable-launch-config-at-rest-encryption/index.md
+ - enable-volume-encryption: checks/aws/ec2/enable-volume-encryption/index.md
 - enforce-http-token-imds: checks/aws/ec2/enforce-http-token-imds/index.md
+ - enforce-launch-config-http-token-imds: checks/aws/ec2/enforce-launch-config-http-token-imds/index.md
+ - no-default-vpc: checks/aws/ec2/no-default-vpc/index.md
+ - no-excessive-port-access: checks/aws/ec2/no-excessive-port-access/index.md
+ - no-public-egress-sgr: checks/aws/ec2/no-public-egress-sgr/index.md
+ - no-public-ingress-acl: checks/aws/ec2/no-public-ingress-acl/index.md
+ - no-public-ingress-sgr: checks/aws/ec2/no-public-ingress-sgr/index.md
+ - no-public-ip: checks/aws/ec2/no-public-ip/index.md
+ - no-secrets-in-launch-template-user-data: checks/aws/ec2/no-secrets-in-launch-template-user-data/index.md
 - no-secrets-in-user-data: checks/aws/ec2/no-secrets-in-user-data/index.md
+ - no-sensitive-info: checks/aws/ec2/no-sensitive-info/index.md
+ - volume-encryption-customer-key: checks/aws/ec2/volume-encryption-customer-key/index.md
 - ecr:
 - enable-image-scans: checks/aws/ecr/enable-image-scans/index.md
 - enforce-immutable-repository: checks/aws/ecr/enforce-immutable-repository/index.md
@@ -118,10 +132,17 @@ nav:
 - drop-invalid-headers: checks/aws/elb/drop-invalid-headers/index.md
 - http-not-used: checks/aws/elb/http-not-used/index.md
 - use-secure-tls-policy: checks/aws/elb/use-secure-tls-policy/index.md
+ - emr:
+ - enable-at-rest-encryption: checks/aws/emr/enable-at-rest-encryption/index.md
+ - enable-in-transit-encryption: checks/aws/emr/enable-in-transit-encryption/index.md
+ - enable-local-disk-encryption: checks/aws/emr/enable-local-disk-encryption/index.md
 - iam:
+ - enforce-group-mfa: checks/aws/iam/enforce-group-mfa/index.md
 - enforce-mfa: checks/aws/iam/enforce-mfa/index.md
 - no-password-reuse: checks/aws/iam/no-password-reuse/index.md
 - no-policy-wildcards: checks/aws/iam/no-policy-wildcards/index.md
+ - no-root-access-keys: checks/aws/iam/no-root-access-keys/index.md
+ - no-user-attached-policies: checks/aws/iam/no-user-attached-policies/index.md
 - require-lowercase-in-passwords: checks/aws/iam/require-lowercase-in-passwords/index.md
 - require-numbers-in-passwords: checks/aws/iam/require-numbers-in-passwords/index.md
 - require-symbols-in-passwords: checks/aws/iam/require-symbols-in-passwords/index.md
@@ -171,9 +192,11 @@ nav:
 - specify-public-access-block: checks/aws/s3/specify-public-access-block/index.md
 - sns:
 - enable-topic-encryption: checks/aws/sns/enable-topic-encryption/index.md
+ - topic-encryption-use-cmk: checks/aws/sns/topic-encryption-use-cmk/index.md
 - sqs:
 - enable-queue-encryption: checks/aws/sqs/enable-queue-encryption/index.md
 - no-wildcards-in-policy-documents: checks/aws/sqs/no-wildcards-in-policy-documents/index.md
+ - queue-encryption-use-cmk: checks/aws/sqs/queue-encryption-use-cmk/index.md
 - ssm:
 - avoid-leaks-via-http: checks/aws/ssm/avoid-leaks-via-http/index.md
 - secret-use-customer-key: checks/aws/ssm/secret-use-customer-key/index.md
@@ -363,6 +386,10 @@ nav:
 - no-plaintext-password: checks/openstack/compute/no-plaintext-password/index.md
 - no-public-access: checks/openstack/compute/no-public-access/index.md
 - openstack: checks/openstack/home.md
+ - networking:
+ - describe-security-group: checks/openstack/networking/describe-security-group/index.md
+ - no-public-egress: checks/openstack/networking/no-public-egress/index.md
+ - no-public-ingress: checks/openstack/networking/no-public-ingress/index.md
 - oracle:
 - compute:
 - no-public-ip: checks/oracle/compute/no-public-ip/index.md