Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add AWS Cloud scanning #2493

Merged
merged 43 commits into from Aug 11, 2022
Merged

feat: Add AWS Cloud scanning #2493

merged 43 commits into from Aug 11, 2022

Conversation

liamg
Copy link
Contributor

@liamg liamg commented Jul 11, 2022
edited

Description

Adds the ability to scan live AWS cloud accounts, using the same rules as supplied by defsec for misconfiguration scanning.

The rules currently cover the AWS CIS 1.2 benchmarks.

See the docs for more information.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@liamg liamg marked this pull request as ready for review August 10, 2022 16:05
@liamg liamg requested a review from knqyf263 as a code owner August 10, 2022 16:05
knqyf263
knqyf263 reviewed Aug 11, 2022
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I left some small comments. Note I don't have an AWS account and couldn't test this PR against the live environment.

go.mod Outdated
@@ -327,3 +380,5 @@ replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224
// v1.2.0 is taken from github.com/open-policy-agent/opa v0.42.0
// v1.2.0 incompatible with github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
replace oras.land/oras-go => oras.land/oras-go v1.1.1

replace github.com/elgohr/go-localstack => github.com/aquasecurity/go-localstack v0.0.0-20220706080605-1ec0e9b8753c
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think our changes have a chance to get merged upstream?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think @owenrumney already raised a PR there 👍

pkg/commands/app.go Outdated Show resolved Hide resolved
pkg/commands/option/aws.go Outdated Show resolved Hide resolved
pkg/fanal/analyzer/const.go Outdated Show resolved Hide resolved
@knqyf263
Copy link
Collaborator 

$ ./trivy aws --region eu-central-1 --service ec2

Scan Overview for AWS Account XXXXXXXXXX
┌───────────────┬──────────────────────────────────────────────────┬────────────────┐
│               │                Misconfigurations                 │                │
│               ├──────────┬──────────────┬────────┬─────┬─────────┤                │
│ Service       │ Critical │     High     │ Medium │ Low │ Unknown │  Last Scanned  │
├───────────────┼──────────┼──────────────┼────────┼─────┼─────────┼────────────────┤
│ api-gateway   │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ athena        │        0 │            2 │      0 │   0 │       0 │ 22 minutes ago │
│ cloudfront    │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ cloudtrail    │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ cloudwatch    │        0 │            0 │      0 │   4 │       0 │ 22 minutes ago │
│ codebuild     │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ documentdb    │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ dynamodb      │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ ec2           │        5 │            1 │      0 │   0 │       0 │ 22 minutes ago │
│ ecr           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ ecs           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ efs           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ eks           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ elasticache   │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ elasticsearch │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ elb           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ emr           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ iam           │        0 │          507 │      0 │   8 │       0 │ 22 minutes ago │
│ kinesis       │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ kms           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ lambda        │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ mq            │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ msk           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ neptune       │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ rds           │        1 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ redshift      │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ s3            │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ sns           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ sqs           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ ssm           │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
│ workspaces    │        0 │            0 │      0 │   0 │       0 │ 22 minutes ago │
└───────────────┴──────────┴──────────────┴────────┴─────┴─────────┴────────────────┘

This scan report was loaded from cached results. If you'd like to run a fresh scan, use --update-cache.

Is this behavior intended? Seems like it scans all the resources even with --update-cache.

$ ./trivy aws --region eu-central-1 --service ec2 --update-cache
[1/31] Scanning api-gateway...
[2/31] Scanning athena...
[3/31] Scanning cloudfront...
[4/31] Scanning cloudtrail...
[5/31] Scanning cloudwatch...
[6/31] Scanning codebuild...
[7/31] Scanning documentdb...
[8/31] Scanning dynamodb...
[9/31] Scanning ec2...
[10/31] Scanning ecr...
[11/31] Scanning ecs...
[12/31] Scanning efs...

@knqyf263
Copy link
Collaborator

I confirmed 633034d worked.

@liamg liamg merged commit b259b25 into main Aug 11, 2022
@liamg liamg deleted the liamg-aws-poc branch August 11, 2022 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS scanning
2 participants
@liamg @knqyf263