feat(aws): Add support to see successes in results (#4427)

Fixes: #4417 Signed-off-by: Simar <simar@linux.com>
aquasecurity · Jun 13, 2023 · aecd2f0 · aecd2f0
1 parent 2cbf402
commit aecd2f0
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 5 deletions.
diff --git a/pkg/cloud/aws/commands/run.go b/pkg/cloud/aws/commands/run.go
@@ -142,7 +142,12 @@ func Run(ctx context.Context, opt flag.Options) error {
 		})
 	}
 
-	r := report.New(cloud.ProviderAWS, opt.Account, opt.Region, results.GetFailed(), opt.Services)
+	res := results.GetFailed()
+	if opt.MisconfOptions.IncludeNonFailures {
+		res = results
+	}
+
+	r := report.New(cloud.ProviderAWS, opt.Account, opt.Region, res, opt.Services)
 	if err := report.Write(r, opt, cached); err != nil {
 		return fmt.Errorf("unable to write results: %w", err)
 	}

diff --git a/pkg/cloud/aws/commands/run_test.go b/pkg/cloud/aws/commands/run_test.go
@@ -76,6 +76,7 @@ func Test_Run(t *testing.T) {
 				CloudOptions: flag.CloudOptions{
 					MaxCacheAge: time.Hour * 24 * 365 * 100,
 				},
+				MisconfOptions: flag.MisconfOptions{IncludeNonFailures: true},
 			},
 			cacheContent: exampleS3Cache,
 			want: `{
@@ -99,7 +100,7 @@ func Test_Run(t *testing.T) {
       "Class": "config",
       "Type": "cloud",
       "MisconfSummary": {
-        "Successes": 0,
+        "Successes": 1,
         "Failures": 9,
         "Exceptions": 0
       },
@@ -272,6 +273,29 @@ func Test_Run(t *testing.T) {
             }
           }
         },
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-0092",
+          "AVDID": "AVD-AWS-0092",
+          "Title": "S3 Buckets not publicly accessible through ACL.",
+          "Description": "Buckets should not have ACLs that allow public access",
+          "Resolution": "Don't use canned ACLs or switch to private acl",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0092",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-0092"
+          ],
+          "Status": "PASS",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:s3:::examplebucket",
+            "Provider": "aws",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        },
         {
           "Type": "AWS",
           "ID": "AVD-AWS-0093",
@@ -327,7 +351,7 @@ func Test_Run(t *testing.T) {
 `,
 		},
 		{
-			name: "custom rego rule",
+			name: "custom rego rule with passed results",
 			options: flag.Options{
 				AWSOptions: flag.AWSOptions{
 					Region:   "us-east-1",
@@ -347,6 +371,7 @@ func Test_Run(t *testing.T) {
 					},
 					SkipPolicyUpdate: true,
 				},
+				MisconfOptions: flag.MisconfOptions{IncludeNonFailures: true},
 			},
 			regoPolicy: `# METADATA
 # title: No example buckets
@@ -390,7 +415,7 @@ deny[res] {
       "Class": "config",
       "Type": "cloud",
       "MisconfSummary": {
-        "Successes": 0,
+        "Successes": 1,
         "Failures": 10,
         "Exceptions": 0
       },
@@ -563,6 +588,29 @@ deny[res] {
             }
           }
         },
+        {
+          "Type": "AWS",
+          "ID": "AVD-AWS-0092",
+          "AVDID": "AVD-AWS-0092",
+          "Title": "S3 Buckets not publicly accessible through ACL.",
+          "Description": "Buckets should not have ACLs that allow public access",
+          "Resolution": "Don't use canned ACLs or switch to private acl",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0092",
+          "References": [
+            "https://avd.aquasec.com/misconfig/avd-aws-0092"
+          ],
+          "Status": "PASS",
+          "Layer": {},
+          "CauseMetadata": {
+            "Resource": "arn:aws:s3:::examplebucket",
+            "Provider": "aws",
+            "Service": "s3",
+            "Code": {
+              "Lines": null
+            }
+          }
+        },
         {
           "Type": "AWS",
           "ID": "AVD-AWS-0093",

diff --git a/pkg/cloud/report/report.go b/pkg/cloud/report/report.go
@@ -64,7 +64,10 @@ func Write(rep *Report, opt flag.Options, fromCache bool) error {
 	for _, resultsAtTime := range rep.Results {
 		for _, res := range resultsAtTime.Results {
 			resCopy := res
-			if err := result.FilterResult(ctx, &resCopy, result.FilterOption{Severities: opt.Severities}); err != nil {
+			if err := result.FilterResult(ctx, &resCopy, result.FilterOption{
+				Severities:         opt.Severities,
+				IncludeNonFailures: opt.IncludeNonFailures,
+			}); err != nil {
 				return err
 			}
 			sort.Slice(resCopy.Misconfigurations, func(i, j int) bool {