/
aws-provisioner-exec.yaml
38 lines (38 loc) · 1.14 KB
/
aws-provisioner-exec.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
rules:
- patterns:
- pattern-either:
- pattern: |
provisioner "remote-exec" {
...
}
- pattern: |
provisioner "local-exec" {
...
}
- pattern-inside: |
resource "aws_instance" "..." {
...
}
id: aws-provisioner-exec
message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
languages:
- terraform
severity: WARNING
metadata:
category: security
owasp:
- 'A03:2021 - Injection'
- 'A01:2017 - Injection'
cwe:
- "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
subcategory:
- guardrail
confidence: HIGH
likelihood: HIGH
impact: MEDIUM
technology:
- terraform
references:
- https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
- https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec