| Repository | alphagov / govuk-infrastructure |
|---|---|
| Description | Terraform turnup automation for the EKS Kubernetes clusters that host GOV.UK. See https://github.com/alphagov/govuk-helm-charts for application config. |
| Stars | 107 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 15:04:25,444 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-eks-role:~>5.27 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,444 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~>5.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,444 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc:~>4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,445 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:~>19.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,445 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/rds-aurora/aws:~>7.6.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,445 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~>5.20 (for external modules, the --download-external-modules flag is required)
2023-10-05 15:04:25,445 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-eks-role:~>5.28 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 497, Failed checks: 91, Skipped checks: 0
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.cdn_poc_govuk
File: /terraform/deployments/cloudfront/main.tf:177-317
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.aws_ebs_csi_driver
File: /terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf:16-169
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.aws_ebs_csi_driver
File: /terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf:16-169
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.aws_lb_controller
File: /terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf:23-249
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.aws_lb_controller
File: /terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf:23-249
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_efs_file_system.clamav-db
File: /terraform/deployments/cluster-infrastructure/clamav_db_efs.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
5 | resource "aws_efs_file_system" "clamav-db" {
6 | creation_token = local.clamav_db_name
7 | tags = { "Description" = "EFS where Clamav virus signature database is stored" }
8 | }
Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
FAILED for resource: aws_efs_file_system.clamav-db
File: /terraform/deployments/cluster-infrastructure/clamav_db_efs.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
5 | resource "aws_efs_file_system" "clamav-db" {
6 | creation_token = local.clamav_db_name
7 | tags = { "Description" = "EFS where Clamav virus signature database is stored" }
8 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cluster_autoscaler
File: /terraform/deployments/cluster-infrastructure/cluster_autoscaler_iam.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
46 | data "aws_iam_policy_document" "cluster_autoscaler" {
47 | statement {
48 | sid = "clusterAutoscalerAll"
49 | effect = "Allow"
50 |
51 | actions = [
52 | "autoscaling:DescribeAutoScalingGroups",
53 | "autoscaling:DescribeAutoScalingInstances",
54 | "autoscaling:DescribeLaunchConfigurations",
55 | "autoscaling:DescribeTags",
56 | "ec2:DescribeLaunchTemplateVersions",
57 | "autoscaling:SetDesiredCapacity",
58 | "autoscaling:TerminateInstanceInAutoScalingGroup",
59 | "autoscaling:UpdateAutoScalingGroup",
60 | "ec2:DescribeInstanceTypes",
61 | "eks:DescribeNodegroup"
62 | ]
63 |
64 | resources = ["*"]
65 | }
66 |
67 | statement {
68 | sid = "clusterAutoscalerOwn"
69 | effect = "Allow"
70 |
71 | actions = [
72 | "autoscaling:SetDesiredCapacity",
73 | "autoscaling:TerminateInstanceInAutoScalingGroup",
74 | "autoscaling:UpdateAutoScalingGroup",
75 | ]
76 |
77 | resources = ["*"]
78 |
79 | condition {
80 | test = "StringEquals"
81 | variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_name}"
82 | values = ["owned"]
83 | }
84 |
85 | condition {
86 | test = "StringEquals"
87 | variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
88 | values = ["true"]
89 | }
90 | }
91 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cluster_autoscaler
File: /terraform/deployments/cluster-infrastructure/cluster_autoscaler_iam.tf:46-91
46 | data "aws_iam_policy_document" "cluster_autoscaler" {
47 | statement {
48 | sid = "clusterAutoscalerAll"
49 | effect = "Allow"
50 |
51 | actions = [
52 | "autoscaling:DescribeAutoScalingGroups",
53 | "autoscaling:DescribeAutoScalingInstances",
54 | "autoscaling:DescribeLaunchConfigurations",
55 | "autoscaling:DescribeTags",
56 | "ec2:DescribeLaunchTemplateVersions",
57 | "autoscaling:SetDesiredCapacity",
58 | "autoscaling:TerminateInstanceInAutoScalingGroup",
59 | "autoscaling:UpdateAutoScalingGroup",
60 | "ec2:DescribeInstanceTypes",
61 | "eks:DescribeNodegroup"
62 | ]
63 |
64 | resources = ["*"]
65 | }
66 |
67 | statement {
68 | sid = "clusterAutoscalerOwn"
69 | effect = "Allow"
70 |
71 | actions = [
72 | "autoscaling:SetDesiredCapacity",
73 | "autoscaling:TerminateInstanceInAutoScalingGroup",
74 | "autoscaling:UpdateAutoScalingGroup",
75 | ]
76 |
77 | resources = ["*"]
78 |
79 | condition {
80 | test = "StringEquals"
81 | variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_name}"
82 | values = ["owned"]
83 | }
84 |
85 | condition {
86 | test = "StringEquals"
87 | variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
88 | values = ["true"]
89 | }
90 | }
91 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.external_dns
File: /terraform/deployments/cluster-infrastructure/external_dns.tf:32-46
32 | data "aws_iam_policy_document" "external_dns" {
33 | statement {
34 | effect = "Allow"
35 | actions = ["route53:ChangeResourceRecordSets"]
36 | resources = [aws_route53_zone.cluster_public.arn]
37 | }
38 | statement {
39 | effect = "Allow"
40 | actions = [
41 | "route53:ListHostedZones",
42 | "route53:ListResourceRecordSets",
43 | ]
44 | resources = ["*"]
45 | }
46 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.grafana
File: /terraform/deployments/cluster-infrastructure/grafana.tf:17-66
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.grafana_db
File: /terraform/deployments/cluster-infrastructure/grafana.tf:129-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
129 | resource "aws_secretsmanager_secret" "grafana_db" {
130 | name = "${module.eks.cluster_name}/grafana/database"
131 | recovery_window_in_days = var.secrets_recovery_window_in_days
132 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.eks_public
File: /terraform/deployments/cluster-infrastructure/vpc.tf:67-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
67 | resource "aws_subnet" "eks_public" {
68 | for_each = var.eks_public_subnets
69 | vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
70 | cidr_block = each.value.cidr
71 | availability_zone = each.value.az
72 | tags = {
73 | Name = "${var.cluster_name}-eks-public-${each.key}"
74 | # https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
75 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
76 | "kubernetes.io/role/elb" = "1"
77 | }
78 | map_public_ip_on_launch = true
79 | }
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: kubernetes_cluster_role.poweruser
File: /terraform/deployments/cluster-services/aws_auth_configmap.tf:129-138
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
129 | resource "kubernetes_cluster_role" "poweruser" {
130 | metadata {
131 | name = "poweruser"
132 | }
133 | rule {
134 | api_groups = ["*"]
135 | resources = ["*"]
136 | verbs = ["*"]
137 | }
138 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_vpc_security_group_ingress_rule.rds
File: /terraform/deployments/datagovuk-infrastructure/security.tf:7-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
7 | resource "aws_vpc_security_group_ingress_rule" "rds" {
8 | security_group_id = aws_security_group.rds.id
9 |
10 | from_port = 5432
11 | to_port = 5432
12 | ip_protocol = "tcp"
13 |
14 | referenced_security_group_id = data.terraform_remote_state.cluster_infrastructure.outputs.node_security_group_id
15 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.topic-policy-ecr-sns
File: /terraform/deployments/ecr/data.tf:1-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
1 | data "aws_iam_policy_document" "topic-policy-ecr-sns" {
2 |
3 | policy_id = "ecr_scan_id"
4 |
5 | statement {
6 | actions = [
7 | "SNS:GetTopicAttributes",
8 | "SNS:SetTopicAttributes",
9 | "SNS:AddPermission",
10 | "SNS:RemovePermission",
11 | "SNS:DeleteTopic",
12 | "SNS:Subscribe",
13 | "SNS:ListSubscriptionsByTopic",
14 | "SNS:Publish",
15 | "SNS:Receive"
16 | ]
17 |
18 | condition {
19 | test = "StringEquals"
20 | variable = "AWS:SourceOwner"
21 |
22 | values = [data.aws_caller_identity.current.account_id]
23 | }
24 | effect = "Allow"
25 |
26 | principals {
27 | type = "AWS"
28 | identifiers = ["*"]
29 | }
30 |
31 | resources = ["*"]
32 | }
33 |
34 | statement {
35 | actions = ["sns:Publish"]
36 | effect = "Allow"
37 |
38 | principals {
39 | type = "Service"
40 | identifiers = ["events.amazonaws.com"]
41 | }
42 |
43 | resources = ["*"]
44 | sid = "TrustCWEToPublishEventsToMyTopic"
45 | }
46 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.topic-policy-ecr-sns
File: /terraform/deployments/ecr/data.tf:1-46
1 | data "aws_iam_policy_document" "topic-policy-ecr-sns" {
2 |
3 | policy_id = "ecr_scan_id"
4 |
5 | statement {
6 | actions = [
7 | "SNS:GetTopicAttributes",
8 | "SNS:SetTopicAttributes",
9 | "SNS:AddPermission",
10 | "SNS:RemovePermission",
11 | "SNS:DeleteTopic",
12 | "SNS:Subscribe",
13 | "SNS:ListSubscriptionsByTopic",
14 | "SNS:Publish",
15 | "SNS:Receive"
16 | ]
17 |
18 | condition {
19 | test = "StringEquals"
20 | variable = "AWS:SourceOwner"
21 |
22 | values = [data.aws_caller_identity.current.account_id]
23 | }
24 | effect = "Allow"
25 |
26 | principals {
27 | type = "AWS"
28 | identifiers = ["*"]
29 | }
30 |
31 | resources = ["*"]
32 | }
33 |
34 | statement {
35 | actions = ["sns:Publish"]
36 | effect = "Allow"
37 |
38 | principals {
39 | type = "Service"
40 | identifiers = ["events.amazonaws.com"]
41 | }
42 |
43 | resources = ["*"]
44 | sid = "TrustCWEToPublishEventsToMyTopic"
45 | }
46 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ecr_scan_topic
File: /terraform/deployments/ecr/ecr-scan.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
21 | resource "aws_sns_topic" "ecr_scan_topic" {
22 | name = "ecr_scan_topic"
23 | tags = {
24 | Name = "ECR-Scan"
25 | }
26 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: aws_ecr_repository.repositories
File: /terraform/deployments/ecr/main.tf:53-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
53 | resource "aws_ecr_repository" "repositories" {
54 | for_each = toset(local.repositories)
55 | name = each.key
56 | image_tag_mutability = "MUTABLE" # TODO: consider not allowing mutable tags.
57 |
58 | image_scanning_configuration {
59 | scan_on_push = true
60 | }
61 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: aws_ecr_repository.repositories
File: /terraform/deployments/ecr/main.tf:53-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
53 | resource "aws_ecr_repository" "repositories" {
54 | for_each = toset(local.repositories)
55 | name = each.key
56 | image_tag_mutability = "MUTABLE" # TODO: consider not allowing mutable tags.
57 |
58 | image_scanning_configuration {
59 | scan_on_push = true
60 | }
61 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.concourse_ecr_user
File: /terraform/deployments/ecr/main.tf:63-65
63 | resource "aws_iam_user" "concourse_ecr_user" {
64 | name = "concourse_ecr_user"
65 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.github_ecr_user
File: /terraform/deployments/ecr/main.tf:67-70
67 | resource "aws_iam_user" "github_ecr_user" {
68 | name = "github_ecr_user"
69 | tags = { "Description" = "GitHub Actions publishes images to ECR." }
70 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.pull_from_ecr
File: /terraform/deployments/ecr/main.tf:159-184
159 | resource "aws_iam_policy" "pull_from_ecr" {
160 | name = "pull_from_ecr"
161 | policy = jsonencode({
162 | "Version" : "2012-10-17",
163 | "Statement" : [
164 | {
165 | "Sid" : "AllowECRPull",
166 | "Effect" : "Allow",
167 | "Resource" : ["*"],
168 | "Action" : [
169 | "ecr:GetDownloadUrlForLayer",
170 | "ecr:BatchCheckLayerAvailability",
171 | "ecr:BatchGetImage",
172 | "ecr:List*",
173 | "ecr:Describe*"
174 | ]
175 | },
176 | {
177 | "Sid" : "AllowECRToken",
178 | "Effect" : "Allow",
179 | "Resource" : ["*"],
180 | "Action" : ["ecr:GetAuthorizationToken"]
181 | }
182 | ]
183 | })
184 | }
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
File: /terraform/deployments/ecr/main.tf:186-210
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
187 | name = "github_ecr_user_policy"
188 | user = aws_iam_user.github_ecr_user.name
189 | policy = jsonencode({
190 | "Version" : "2012-10-17",
191 | "Statement" : [
192 | {
193 | "Sid" : "AllowPush",
194 | "Effect" : "Allow",
195 | "Action" : [
196 | "ecr:GetDownloadUrlForLayer",
197 | "ecr:BatchGetImage",
198 | "ecr:BatchCheckLayerAvailability",
199 | "ecr:DescribeImages",
200 | "ecr:PutImage",
201 | "ecr:InitiateLayerUpload",
202 | "ecr:UploadLayerPart",
203 | "ecr:GetAuthorizationToken",
204 | "ecr:CompleteLayerUpload"
205 | ],
206 | "Resource" : ["*"],
207 | }
208 | ]
209 | })
210 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
File: /terraform/deployments/ecr/main.tf:186-210
186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
187 | name = "github_ecr_user_policy"
188 | user = aws_iam_user.github_ecr_user.name
189 | policy = jsonencode({
190 | "Version" : "2012-10-17",
191 | "Statement" : [
192 | {
193 | "Sid" : "AllowPush",
194 | "Effect" : "Allow",
195 | "Action" : [
196 | "ecr:GetDownloadUrlForLayer",
197 | "ecr:BatchGetImage",
198 | "ecr:BatchCheckLayerAvailability",
199 | "ecr:DescribeImages",
200 | "ecr:PutImage",
201 | "ecr:InitiateLayerUpload",
202 | "ecr:UploadLayerPart",
203 | "ecr:GetAuthorizationToken",
204 | "ecr:CompleteLayerUpload"
205 | ],
206 | "Resource" : ["*"],
207 | }
208 | ]
209 | })
210 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
File: /terraform/deployments/ecr/main.tf:186-210
186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
187 | name = "github_ecr_user_policy"
188 | user = aws_iam_user.github_ecr_user.name
189 | policy = jsonencode({
190 | "Version" : "2012-10-17",
191 | "Statement" : [
192 | {
193 | "Sid" : "AllowPush",
194 | "Effect" : "Allow",
195 | "Action" : [
196 | "ecr:GetDownloadUrlForLayer",
197 | "ecr:BatchGetImage",
198 | "ecr:BatchCheckLayerAvailability",
199 | "ecr:DescribeImages",
200 | "ecr:PutImage",
201 | "ecr:InitiateLayerUpload",
202 | "ecr:UploadLayerPart",
203 | "ecr:GetAuthorizationToken",
204 | "ecr:CompleteLayerUpload"
205 | ],
206 | "Resource" : ["*"],
207 | }
208 | ]
209 | })
210 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.github_action_mirror_repos_policy
File: /terraform/deployments/github/mirror.tf:34-50
34 | resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
35 | name = "github_action_mirror_repos_policy"
36 | role = aws_iam_role.github_action_mirror_repos_role.id
37 |
38 | policy = jsonencode({
39 | Version = "2012-10-17"
40 | Statement = [
41 | {
42 | Action = [
43 | "codecommit:GitPush"
44 | ]
45 | Effect = "Allow"
46 | Resource = "*"
47 | },
48 | ]
49 | })
50 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.github_action_mirror_repos_policy
File: /terraform/deployments/github/mirror.tf:34-50
34 | resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
35 | name = "github_action_mirror_repos_policy"
36 | role = aws_iam_role.github_action_mirror_repos_role.id
37 |
38 | policy = jsonencode({
39 | Version = "2012-10-17"
40 | Statement = [
41 | {
42 | Action = [
43 | "codecommit:GitPush"
44 | ]
45 | Effect = "Allow"
46 | Resource = "*"
47 | },
48 | ]
49 | })
50 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.learn_to_rank_job
File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:21-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.learn_to_rank_job
File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:21-74
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.learn_to_rank_sagemaker
File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:87-122
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
87 | data "aws_iam_policy_document" "learn_to_rank_sagemaker" {
88 | statement {
89 | actions = [
90 | "s3:Put*",
91 | "s3:List*",
92 | "s3:Get*",
93 | "s3:DeleteObject"
94 | ]
95 | resources = [
96 | "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy/*",
97 | "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy"
98 | ]
99 | }
100 |
101 | statement {
102 | actions = [
103 | "logs:PutLogEvents",
104 | "logs:GetLogEvents",
105 | "logs:DescribeLogStreams",
106 | "logs:CreateLogStream",
107 | "logs:CreateLogGroup",
108 | "ecr:GetAuthorizationToken",
109 | "cloudwatch:PutMetricData"
110 | ]
111 | resources = ["*"]
112 | }
113 |
114 | statement {
115 | actions = [
116 | "ecr:BatchCheckLayerAvailability",
117 | "ecr:GetDownloadUrlForLayer",
118 | "ecr:BatchGetImage"
119 | ]
120 | resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/search"]
121 | }
122 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.learn_to_rank_sagemaker
File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:87-122
87 | data "aws_iam_policy_document" "learn_to_rank_sagemaker" {
88 | statement {
89 | actions = [
90 | "s3:Put*",
91 | "s3:List*",
92 | "s3:Get*",
93 | "s3:DeleteObject"
94 | ]
95 | resources = [
96 | "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy/*",
97 | "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy"
98 | ]
99 | }
100 |
101 | statement {
102 | actions = [
103 | "logs:PutLogEvents",
104 | "logs:GetLogEvents",
105 | "logs:DescribeLogStreams",
106 | "logs:CreateLogStream",
107 | "logs:CreateLogGroup",
108 | "ecr:GetAuthorizationToken",
109 | "cloudwatch:PutMetricData"
110 | ]
111 | resources = ["*"]
112 | }
113 |
114 | statement {
115 | actions = [
116 | "ecr:BatchCheckLayerAvailability",
117 | "ecr:GetDownloadUrlForLayer",
118 | "ecr:BatchGetImage"
119 | ]
120 | resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/search"]
121 | }
122 | }
Check: CKV_AWS_191: "Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-111.html
19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
20 | apply_immediately = var.govuk_environment != "production"
21 | replication_group_id = local.shared_redis_name
22 | description = "${local.shared_redis_name} Redis cluster with Redis master and replica"
23 | node_type = var.shared_redis_cluster_node_type
24 | num_cache_clusters = 2
25 | automatic_failover_enabled = true
26 | multi_az_enabled = true
27 | parameter_group_name = "default.redis6.x"
28 | engine_version = "6.x"
29 | subnet_group_name = aws_elasticache_subnet_group.shared_redis_cluster.name
30 | security_group_ids = [aws_security_group.shared_redis_cluster.id]
31 | tags = {
32 | Name = local.shared_redis_name
33 | }
34 | }
Check: CKV_AWS_30: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit"
FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-10.html
19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
20 | apply_immediately = var.govuk_environment != "production"
21 | replication_group_id = local.shared_redis_name
22 | description = "${local.shared_redis_name} Redis cluster with Redis master and replica"
23 | node_type = var.shared_redis_cluster_node_type
24 | num_cache_clusters = 2
25 | automatic_failover_enabled = true
26 | multi_az_enabled = true
27 | parameter_group_name = "default.redis6.x"
28 | engine_version = "6.x"
29 | subnet_group_name = aws_elasticache_subnet_group.shared_redis_cluster.name
30 | security_group_ids = [aws_security_group.shared_redis_cluster.id]
31 | tags = {
32 | Name = local.shared_redis_name
33 | }
34 | }
Check: CKV_AWS_31: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token"
FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-11.html
19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
20 | apply_immediately = var.govuk_environment != "production"
21 | replication_group_id = local.shared_redis_name
22 | description = "${local.shared_redis_name} Redis cluster with Redis master and replica"
23 | node_type = var.shared_redis_cluster_node_type
24 | num_cache_clusters = 2
25 | automatic_failover_enabled = true
26 | multi_az_enabled = true
27 | parameter_group_name = "default.redis6.x"
28 | engine_version = "6.x"
29 | subnet_group_name = aws_elasticache_subnet_group.shared_redis_cluster.name
30 | security_group_ids = [aws_security_group.shared_redis_cluster.id]
31 | tags = {
32 | Name = local.shared_redis_name
33 | }
34 | }
Check: CKV_AWS_29: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest"
FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-9.html
19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
20 | apply_immediately = var.govuk_environment != "production"
21 | replication_group_id = local.shared_redis_name
22 | description = "${local.shared_redis_name} Redis cluster with Redis master and replica"
23 | node_type = var.shared_redis_cluster_node_type
24 | num_cache_clusters = 2
25 | automatic_failover_enabled = true
26 | multi_az_enabled = true
27 | parameter_group_name = "default.redis6.x"
28 | engine_version = "6.x"
29 | subnet_group_name = aws_elasticache_subnet_group.shared_redis_cluster.name
30 | security_group_ids = [aws_security_group.shared_redis_cluster.id]
31 | tags = {
32 | Name = local.shared_redis_name
33 | }
34 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_state_lock
File: /terraform/deployments/terraform-lock/main.tf:17-34
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
17 | resource "aws_dynamodb_table" "terraform_state_lock" {
18 | name = "terraform-lock"
19 | hash_key = "LockID"
20 | billing_mode = "PAY_PER_REQUEST"
21 |
22 | attribute {
23 | name = "LockID"
24 | type = "S"
25 | }
26 |
27 | tags = {
28 | chargeable_entity = "terraform-lock"
29 | project = "replatforming"
30 | repository = "govuk-infrastructure"
31 | terraform_deployment = "terraform-lock"
32 | terraform_workspace = terraform.workspace
33 | }
34 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_state_lock
File: /terraform/deployments/terraform-lock/main.tf:17-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
17 | resource "aws_dynamodb_table" "terraform_state_lock" {
18 | name = "terraform-lock"
19 | hash_key = "LockID"
20 | billing_mode = "PAY_PER_REQUEST"
21 |
22 | attribute {
23 | name = "LockID"
24 | type = "S"
25 | }
26 |
27 | tags = {
28 | chargeable_entity = "terraform-lock"
29 | project = "replatforming"
30 | repository = "govuk-infrastructure"
31 | terraform_deployment = "terraform-lock"
32 | terraform_workspace = terraform.workspace
33 | }
34 | }
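The lock table with the two controls CKV_AWS_119 and CKV_AWS_28 ask for, added here as an example; it is not the repository's code. The key ARN comes from a variable that is an assumption, since the report shows no KMS key in this deployment. Before copying it, note what the table actually holds: lock rows and a digest of the state, not the state itself. The S3 backend bucket's encryption, versioning and access policy are what protect the state. A customer managed key on the table still earns its place, because every principal that runs terraform then needs kms:Decrypt on that key and each use is a CloudTrail event, which is an audit trail as much as an access control.

```hcl
# Added example: terraform-lock with encryption under a customer managed key
# and point-in-time recovery. The key ARN variable is an assumption.
variable "terraform_lock_kms_key_arn" {
  description = "ARN of an existing customer managed KMS key (assumed to be created elsewhere)"
  type        = string
}

resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = "terraform-lock"
  hash_key     = "LockID"
  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "LockID"
    type = "S"
  }

  # CKV_AWS_119: encrypt at rest under a customer managed key instead of the
  # AWS-owned default. Every principal that runs terraform init/plan/apply
  # now also needs kms:Decrypt on this key, and each call is logged by KMS.
  server_side_encryption {
    enabled     = true
    kms_key_arn = var.terraform_lock_kms_key_arn
  }

  # CKV_AWS_28: continuous backups. The table holds lock rows and a state
  # digest, so this guards against losing the table, not against state loss.
  point_in_time_recovery {
    enabled = true
  }

  # A refactor or a stray destroy must not be able to remove the lock table.
  lifecycle {
    prevent_destroy = true
  }

  tags = {
    chargeable_entity    = "terraform-lock"
    project              = "replatforming"
    repository           = "govuk-infrastructure"
    terraform_deployment = "terraform-lock"
    terraform_workspace  = terraform.workspace
  }
}
```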
Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
FAILED for resource: aws_wafv2_web_acl.cdn_poc_govuk
File: /terraform/deployments/cloudfront/main.tf:177-317
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.www_distribution
File: /terraform/deployments/cloudfront/main.tf:319-421
Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.assets_distribution
File: /terraform/deployments/cloudfront/main.tf:423-480
Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
Code lines for this resource are too many. Please use IDE of your choice to review the file.
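CKV2_AWS_31 (no logging configuration on aws_wafv2_web_acl.cdn_poc_govuk) and CKV2_AWS_47 (no Log4j managed rule group on the web ACL attached to the two distributions) are both fixed on the web ACL side. The block below is an added example, not the repository's web ACL: a CLOUDFRONT-scoped ACL carrying the AWS managed KnownBadInputs group, whose Log4JRCE rules match JNDI lookup strings in headers, query string and body, plus a CloudWatch logging configuration. Names are placeholders and the us_east_1 provider alias is assumed. Two constraints a practitioner hits on the first apply: CloudFront-scoped WAF resources and their log group must be created in us-east-1, and WAF only accepts a log group whose name starts with aws-waf-logs-. The check is satisfied by the group's presence; what actually protects the site is that the group runs in block mode (override_action none) and that the distribution's web_acl_id points at this ACL.

```hcl
# Added example, not code from the repository. Placeholder names; the
# us_east_1 provider alias is assumed.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # CloudFront-scoped WAF resources must be created here
}

resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "govuk-edge-example"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Managed group containing the Log4JRCE rules. override_action none keeps
  # the group's own block actions in force.
  rule {
    name     = "known-bad-inputs"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  # A second group in count mode records matches without blocking: the way
  # to trial a rule group against real traffic before letting it enforce.
  rule {
    name     = "common-rules-trial"
    priority = 2

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rules-trial"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "govuk-edge-example"
    sampled_requests_enabled   = true
  }
}

# WAF rejects any destination log group not named "aws-waf-logs-...".
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us_east_1
  name              = "aws-waf-logs-govuk-edge-example"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl_logging_configuration" "edge" {
  provider                = aws.us_east_1
  resource_arn            = aws_wafv2_web_acl.edge.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Credentials do not belong in a log stream; redact them at the source.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}
```

The sampled requests and per-rule metrics are what make the count-mode trial useful: watch the common-rules-trial metric for a week, review the sampled matches for false positives, then switch its override_action to none.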
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.eks
File: /terraform/deployments/cluster-infrastructure/main.tf:104-108
104 | resource "aws_kms_key" "eks" {
105 | description = "EKS Secret Encryption Key"
106 | deletion_window_in_days = 7
107 | enable_key_rotation = true
108 | }
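Without a policy argument the provider gives the key AWS's default key policy, which hands all decisions to IAM policies in the account; CKV2_AWS_64 wants the intended principals written down on the key itself. The block below is an added example, not the repository's key: the same aws_kms_key.eks with an explicit policy that keeps administration with the account root (the statement that stops a key becoming unmanageable) and grants usage only to the control plane's IAM role. The role ARN is a variable on purpose: if this key is passed into an EKS module that also creates the cluster role, referencing the module's role output from the key policy is a dependency cycle, so either create the role outside the module or supply its ARN as done here.

```hcl
# Added example: explicit key policy for the EKS secrets-encryption key.
# The cluster role ARN is an assumed input, not a value from the repository.
variable "eks_cluster_role_arn" {
  description = "IAM role the EKS control plane assumes (assumed to be created outside the module)"
  type        = string
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "eks_key" {
  # Account root keeps administrative rights so the key can always be
  # recovered; IAM policies in the account still have to grant kms:* to anyone.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The control plane's role is the only principal allowed to wrap and unwrap
  # the data keys that protect Kubernetes Secrets in etcd.
  statement {
    sid = "EksControlPlaneUse"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [var.eks_cluster_role_arn]
    }
  }

  # Grants only for AWS resources, never free-standing grants to other principals.
  statement {
    sid       = "EksControlPlaneGrants"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [var.eks_cluster_role_arn]
    }

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "eks" {
  description             = "EKS Secret Encryption Key"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.eks_key.json
}
```

The value of the explicit policy is less the allow statements than the place it gives you to add denies later (for example a Deny on kms:Decrypt unless the call arrives through the account's KMS VPC endpoint), which the default policy cannot express.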
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.grafana_db
File: /terraform/deployments/cluster-infrastructure/grafana.tf:129-132
129 | resource "aws_secretsmanager_secret" "grafana_db" {
130 | name = "${module.eks.cluster_name}/grafana/database"
131 | recovery_window_in_days = var.secrets_recovery_window_in_days
132 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.rds
File: /terraform/deployments/datagovuk-infrastructure/security.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "rds" {
2 | name = "ckan-rds-eks"
3 | description = "Allow access to CKAN DB from EKS nodes"
4 | vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
5 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.eks_ingress_www_origin
File: /terraform/deployments/govuk-publishing-infrastructure/security.tf:168-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
168 | resource "aws_security_group" "eks_ingress_www_origin" {
169 | name = "eks_ingress_www_origin"
170 | vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id
171 | description = "ALBs serving EKS www-origin ingress (and signon ALBs in non-prod environments)."
172 | tags = {
173 | Name = "eks_ingress_www_origin"
174 | }
175 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.cluster_public
File: /terraform/deployments/cluster-infrastructure/external_dns.tf:48-51
48 | resource "aws_route53_zone" "cluster_public" {
49 | name = local.external_dns_zone_name
50 | force_destroy = var.force_destroy
51 | }
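Query logging for a public hosted zone, added as an example rather than taken from the repository; the zone name is a variable and the us_east_1 provider alias is assumed. Two things the check does not tell you: Route 53 delivers query logs only to a CloudWatch log group in us-east-1, and it writes as a service principal, so the log group needs a resource policy naming route53.amazonaws.com rather than an IAM policy on whoever runs terraform. The metric filter at the end is the reason to have the logs at all: on an authoritative zone a spike in NXDOMAIN answers is what subdomain enumeration looks like.

```hcl
# Added example for CKV2_AWS_39. Zone name and provider alias are assumptions.
variable "zone_name" {
  type = string
}

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # Route 53 only delivers query logs to log groups here
}

resource "aws_route53_zone" "cluster_public" {
  name = var.zone_name
}

resource "aws_cloudwatch_log_group" "route53" {
  provider          = aws.us_east_1
  name              = "/aws/route53/${var.zone_name}"
  retention_in_days = 30
}

# Route 53 writes as a service principal, so the log group itself must grant
# it access through a resource policy.
data "aws_iam_policy_document" "route53_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.route53.arn}:*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53" {
  provider        = aws.us_east_1
  policy_name     = "route53-query-logging-example"
  policy_document = data.aws_iam_policy_document.route53_logs.json
}

resource "aws_route53_query_log" "cluster_public" {
  depends_on               = [aws_cloudwatch_log_resource_policy.route53]
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53.arn
  zone_id                  = aws_route53_zone.cluster_public.zone_id
}

# Query log lines are space-separated fields including the response code, so
# a plain term pattern matches NXDOMAIN answers. Alarm on a sudden rise.
resource "aws_cloudwatch_log_metric_filter" "nxdomain" {
  provider       = aws.us_east_1
  name           = "route53-nxdomain"
  log_group_name = aws_cloudwatch_log_group.route53.name
  pattern        = "NXDOMAIN"

  metric_transformation {
    name      = "Route53NXDOMAIN"
    namespace = "GOVUK/DNS" # hypothetical namespace
    value     = "1"
  }
}
```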
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_37: "Ensure Codecommit associates an approval rule"
FAILED for resource: aws_codecommit_repository.govuk_repos
File: /terraform/deployments/github/mirror.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codecommit-is-associated-with-an-approval-rule.html
1 | resource "aws_codecommit_repository" "govuk_repos" {
2 | for_each = data.github_repository.govuk
3 |
4 | repository_name = each.value.name
5 | description = each.value.description
6 | default_branch = each.value.default_branch
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.tempo
File: /terraform/deployments/cluster-services/tempo.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "tempo" {
7 | bucket = "govuk-${var.govuk_environment}-tempo"
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.app_assets
File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "app_assets" {
2 | bucket = "govuk-app-assets-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "App static assets for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.location_api_import_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "location_api_import_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-locations-api-import-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.publisher_csvs
File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "publisher_csvs" {
2 | bucket = "govuk-${var.govuk_environment}-publisher-csvs"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "CSVs generated by Publisher in ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.search_analytics
File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "search_analytics" {
2 | bucket = "govuk-search-analytics-${var.govuk_environment}"
3 | force_destroy = var.force_destroy
4 | tags = {
5 | Name = "Search analytics reports for ${var.govuk_environment}"
6 | Environment = var.govuk_environment
7 | }
8 | }
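Every S3 finding on this page (CKV_AWS_144, CKV2_AWS_62, CKV_AWS_21, CKV2_AWS_61, CKV_AWS_18, CKV2_AWS_6, CKV_AWS_145) comes from the same cause: each bucket is declared with only a name, and in provider version 4 and later all the controls are separate resources that have to be attached explicitly. The block below is an added example of one bucket with those resources attached; it is not the repository's code, the bucket name follows the repository's pattern, and the log bucket name is an assumption. It is deliberately not a fix for all seven checks. Cross-region replication is a disaster-recovery decision that doubles storage, and event notifications are plumbing for a consumer that may not exist; the example records both as inline checkov skips with a reason, which is how a deliberate decision stays visible in future reports. The finding with a real exposure consequence is CKV2_AWS_6: without the public access block, one ACL or policy change makes a bucket world-readable. If a bucket's content is meant for browsers, front it with CloudFront and an origin access control rather than loosening that block.

```hcl
# Added example, not the repository's code. The log bucket is assumed to
# exist and to be hardened the same way; never log a bucket to itself.
variable "govuk_environment" {
  type = string
}

variable "access_log_bucket" {
  description = "Existing bucket that receives S3 server access logs (assumed)"
  type        = string
}

resource "aws_kms_key" "bucket" {
  description         = "Example bucket key"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "example" {
  # Inline suppressions record a deliberate decision; the reason appears in
  # the checkov report instead of the finding silently disappearing.
  #checkov:skip=CKV_AWS_144:Single-region service; replication is a DR decision, not a security control
  #checkov:skip=CKV2_AWS_62:No consumer for bucket event notifications
  bucket = "govuk-${var.govuk_environment}-example"
}

# CKV2_AWS_6: every form of public access off, whatever ACLs or policies say.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_145: SSE-KMS under a customer managed key. The bucket key keeps
# KMS request volume, and therefore cost, down on busy buckets.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bucket.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_21: versioning, so an overwrite or delete is recoverable.
resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_18: server access logs to a separate bucket.
resource "aws_s3_bucket_logging" "example" {
  bucket        = aws_s3_bucket.example.id
  target_bucket = var.access_log_bucket
  target_prefix = "s3/${aws_s3_bucket.example.id}/"
}

# CKV2_AWS_61: with versioning on, old versions need an expiry or the bucket
# grows without bound; abandoned multipart uploads are billed until aborted.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket     = aws_s3_bucket.example.id
  depends_on = [aws_s3_bucket_versioning.example]

  rule {
    id     = "housekeeping"
    status = "Enabled"

    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

The 90-day figure for old versions is a retention choice, not a security constant: for the CSV buckets it should match however long an accidental overwrite might go unnoticed, and for static assets it can be far shorter.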
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.www_distribution
File: /terraform/deployments/cloudfront/main.tf:319-421
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.assets_distribution
File: /terraform/deployments/cloudfront/main.tf:423-480
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
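CKV2_AWS_32 fires because neither distribution attaches a response headers policy, which is where CloudFront sets the browser security headers on every response regardless of what the origin sends. The block below is an added example, not the repository's distributions: a policy with HSTS, X-Content-Type-Options, X-Frame-Options and Referrer-Policy, attached to a minimal distribution. The origin host and the web ACL ARN are placeholders. Two headers are left out on purpose. Content-Security-Policy is application-specific and belongs with the application's templates, where the script and style sources are known; and HSTS preload is omitted because submitting to the preload list is effectively irreversible and should be a deliberate step, not a default in a copied block.

```hcl
# Added example, not the repository's code. Origin host name and web ACL ARN
# are placeholders.
variable "edge_web_acl_arn" {
  description = "ARN of a CLOUDFRONT-scoped WAFv2 web ACL (assumed to exist)"
  type        = string
}

resource "aws_cloudfront_response_headers_policy" "security" {
  name = "govuk-security-headers-example"

  security_headers_config {
    # One year, covering subdomains. Add preload = true only when the domain
    # is actually being submitted to the preload list.
    strict_transport_security {
      access_control_max_age_sec = 31536000
      include_subdomains         = true
      override                   = true
    }

    content_type_options {
      override = true
    }

    frame_options {
      frame_option = "DENY"
      override     = true
    }

    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
  }
}

data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "example" {
  enabled    = true
  web_acl_id = var.edge_web_acl_arn # WAFv2 ARN; CloudFront scope only

  origin {
    domain_name = "origin.example.internal" # placeholder
    origin_id   = "www-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods            = ["GET", "HEAD", "OPTIONS"]
    cached_methods             = ["GET", "HEAD"]
    target_origin_id           = "www-origin"
    viewer_protocol_policy     = "redirect-to-https"
    cache_policy_id            = data.aws_cloudfront_cache_policy.caching_optimized.id
    response_headers_policy_id = aws_cloudfront_response_headers_policy.security.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

override = true on each header means CloudFront replaces whatever the origin sent, which is the behaviour wanted for a security header: an origin that is misconfigured or compromised cannot weaken it.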
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.cluster_public
File: /terraform/deployments/cluster-infrastructure/external_dns.tf:48-51
48 | resource "aws_route53_zone" "cluster_public" {
49 | name = local.external_dns_zone_name
50 | force_destroy = var.force_destroy
51 | }
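DNSSEC signing for the same public zone, added as an example rather than taken from the repository; the zone name is a variable and the us_east_1 provider alias is assumed. The key-signing key has to be an asymmetric P-256 signing key in us-east-1 whose key policy lets the dnssec-route53.amazonaws.com service principal sign with it. Three caveats matter more than the check itself. Enabling signing changes nothing for resolvers until the DS record is published in the parent zone, so for a delegated cluster zone the parent's owner has to act. Disabling signing or deleting the KSK while that DS record is still published makes the zone fail validation everywhere, so the order of operations on the way out is DS removal first, wait out the TTL, then disable. And asymmetric KMS keys cannot be auto-rotated; rolling the KSK is a manual sequence of new key, new DS, old key retired.

```hcl
# Added example for CKV2_AWS_38. Zone name and provider alias are assumptions.
variable "zone_name" {
  type = string
}

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # the DNSSEC KSK must live here
}

data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "cluster_public" {
  name = var.zone_name
}

data "aws_iam_policy_document" "dnssec_key" {
  # Root keeps administration; without this the key cannot be managed.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The Route 53 DNSSEC service is the only signer.
  statement {
    sid       = "Route53DnssecSign"
    actions   = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["dnssec-route53.amazonaws.com"]
    }
  }

  # Grants are kept in a separate statement so the condition binds only them.
  statement {
    sid       = "Route53DnssecGrant"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["dnssec-route53.amazonaws.com"]
    }

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "dnssec" {
  provider                 = aws.us_east_1
  description              = "Route 53 DNSSEC KSK for ${var.zone_name}"
  customer_master_key_spec = "ECC_NIST_P256" # ECDSAP256SHA256 on the wire
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 7
  policy                   = data.aws_iam_policy_document.dnssec_key.json
}

resource "aws_route53_key_signing_key" "cluster_public" {
  hosted_zone_id             = aws_route53_zone.cluster_public.id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "ksk1"
}

resource "aws_route53_hosted_zone_dnssec" "cluster_public" {
  depends_on     = [aws_route53_key_signing_key.cluster_public]
  hosted_zone_id = aws_route53_key_signing_key.cluster_public.hosted_zone_id
}
```

After apply, the DS record to hand to the parent zone is on the key-signing key resource (its ds_record attribute); publishing it is the step that turns signing into validation.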
Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
FAILED for resource: aws_iam_policy.tfc_policy
File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
Code lines for this resource are too many. Please use IDE of your choice to review the file.
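Seven checks fire on aws_iam_policy.tfc_policy (CKV_AWS_286, 287, 288, 289, 290, CKV_AWS_355 and CKV2_AWS_40) and checkov prints none of its 57 lines, so the report gives nothing to fix from. All seven look for the same shape: a statement that allows a sensitive action family (role passing and policy editing, access-key and token issuance, reads of objects, parameters and secrets, writes) against Resource "*" with no condition. The block below is an added example of the constrained form of each of those statement kinds; it is illustrative, it is not a replacement for tfc_policy, whose contents the report does not show, and the account ID, region, bucket name, role prefix and boundary policy name are placeholders. A runner that provisions whole environments will legitimately keep broad permissions somewhere; the controls that bound the blast radius when that is unavoidable are the trust policy on the role it assumes and a permissions boundary on every role it is allowed to create, which the second statement shows.

```hcl
# Added example, not the repository's tfc_policy. All ARN components are
# placeholders supplied through variables.
variable "account_id" {
  type = string
}

variable "region" {
  type = string
}

variable "state_bucket" {
  description = "Name of the Terraform state bucket (placeholder)"
  type        = string
}

# The shape every one of the checks flags: action family, Resource "*",
# no condition. Kept only as the before picture; nothing attaches it.
data "aws_iam_policy_document" "runner_before" {
  statement {
    actions   = ["iam:*", "s3:*", "secretsmanager:*"]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "runner_after" {
  # CKV_AWS_286 / CKV2_AWS_40: PassRole is the classic escalation primitive.
  # Name the roles and pin the services they may be handed to.
  statement {
    sid       = "PassNamedRolesOnly"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::${var.account_id}:role/eks-*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com", "ec2.amazonaws.com"]
    }
  }

  # CKV_AWS_289: role creation only under a permissions boundary, so nothing
  # the runner creates, including a role for itself, can exceed the boundary.
  statement {
    sid       = "CreateRolesUnderBoundary"
    actions   = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]
    resources = ["arn:aws:iam::${var.account_id}:role/eks-*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = ["arn:aws:iam::${var.account_id}:policy/terraform-runner-boundary"]
    }
  }

  # CKV_AWS_288 / CKV_AWS_287: reads by explicit ARN. s3:GetObject against
  # "*" is one of the actions the data-exfiltration check keys on.
  statement {
    sid     = "StateBucketOnly"
    actions = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
    resources = [
      "arn:aws:s3:::${var.state_bucket}",
      "arn:aws:s3:::${var.state_bucket}/*",
    ]
  }

  statement {
    sid       = "OwnSecretsOnly"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:govuk/*"]
  }

  # CKV_AWS_290 / CKV_AWS_355: writes scoped to an ARN pattern and to a tag
  # the runner sets itself, so it can only change what it created.
  statement {
    sid       = "WriteOwnInstancesOnly"
    actions   = ["ec2:TerminateInstances", "ec2:ModifyInstanceAttribute"]
    resources = ["arn:aws:ec2:${var.region}:${var.account_id}:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/managed-by"
      values   = ["terraform"]
    }
  }
}

resource "aws_iam_policy" "runner_after" {
  name   = "terraform-runner-constrained-example"
  policy = data.aws_iam_policy_document.runner_after.json
}
```

Where a statement genuinely cannot be narrowed, an inline checkov:skip with the reason is preferable to leaving the finding to reappear in every scan, but the reason should name the compensating control (the role's trust policy, the boundary), not just restate that Terraform needs the access.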
dockerfile scan results:
Passed checks: 132, Failed checks: 2, Skipped checks: 0
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /images/toolbox/Dockerfile.ADD
File: /images/toolbox/Dockerfile:11-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
11 | ADD ${github_apt_repo}/githubcli-archive-keyring.gpg github.gpg
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /images/toolbox/Dockerfile.
File: /images/toolbox/Dockerfile:1-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
secrets scan results:
Passed checks: 0, Failed checks: 6, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 4d26b34fa28f6e91a191c88ba3d4e1419d68fdc1
File: /terraform/deployments/cluster-infrastructure/external_secrets_iam.tf:8-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
8 | external_secrets_service_account_name = "exte************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: c73577e34679e7ef336b540dbb34efc28c8e2652
File: /terraform/deployments/cluster-services/dex.tf:53-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
53 | secretEnv = "ARGO_W**********************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 79ad3622a7a1970fcc14e645ab4bbf3dadc1adbd
File: /terraform/deployments/cluster-services/dex.tf:59-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
59 | secretEnv = "ARGOC***************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: bc307ba77099bb4925b71e90012dfaec2161f6cd
File: /terraform/deployments/cluster-services/dex.tf:65-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
65 | secretEnv = "GRAFA****************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: d501e390e19907f0ada5caeeb48987c78788b17b
File: /terraform/deployments/cluster-services/dex.tf:71-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
71 | secretEnv = "PROMET******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 49f89ae8ca7867458586c1c25136df416c7da8de
File: /terraform/deployments/cluster-services/dex.tf:77-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
77 | secretEnv = "ALERT_*********************"
github_actions scan results:
Passed checks: 322, Failed checks: 14, Skipped checks: 0
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(Build and publish toolbox image to ECR)
File: /.github/workflows/build-toolbox-image.yml:6-13
6 | gitRef:
7 | description: 'Commit, tag or branch name to deploy'
8 | required: true
9 | type: string
10 | default: 'main'
11 |
12 | push:
13 | branches:
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build and publish toolbox image to ECR)
File: /.github/workflows/build-toolbox-image.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Run Jasmine)
File: /.github/workflows/jasmine.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Set automatic deploys)
File: /.github/workflows/set-automatic-deploys.yml:78-79
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Run RuboCop)
File: /.github/workflows/rubocop.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Release)
File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Deploy)
File: /.github/workflows/deploy.yml:85-86
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform validation and linting)
File: /.github/workflows/ci-terraform.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Publish a Rubygem)
File: /.github/workflows/publish-rubygem.yml:19-20
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Run Brakeman)
File: /.github/workflows/brakeman.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Run Stylelint)
File: /.github/workflows/stylelint.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Run Standardx)
File: /.github/workflows/standardx.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(CodeQL Analysis)
File: /.github/workflows/codeql-analysis.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build and push image)
File: /.github/workflows/build-and-push-image.yml:0-1
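The two GitHub Actions checks above come down to two top-level keys in each workflow file. The workflow below is an added example, not a file from alphagov/govuk-infrastructure: it is a minimal `.github/workflows/*.yml` written to show the shape checkov flags for CKV_GHA_7 (a `workflow_dispatch` trigger that declares inputs such as `gitRef`) and CKV2_GHA_1 (a top-level `permissions: write-all`, or, as the `:0-1` line range in most of the findings above indicates, no top-level `permissions` key at all) next to the shape that passes. The workflow name, the `main` branch, the checkout step and the `id-token: write` grant are assumptions for illustration.

```yaml
# Added example (not the repository's own workflow). The flagged shape is
# shown commented out; the live keys below it are the form that passes.

name: Build and publish toolbox image to ECR   # illustrative name only

# --- flagged by CKV_GHA_7: a dispatch input lets the caller choose what is built
# on:
#   workflow_dispatch:
#     inputs:
#       gitRef:
#         description: 'Commit, tag or branch name to deploy'
#         required: true
#         type: string
#         default: 'main'
#
# --- flagged by CKV2_GHA_1: every job inherits write access to every scope
# permissions: write-all

on:
  # CKV_GHA_7 requires workflow_dispatch inputs to be empty: the build is
  # defined by the entry point (this file) and the ref the event checks out,
  # not by a parameter a caller supplies. A bare trigger declares no inputs.
  workflow_dispatch:
  push:
    branches:
      - main   # assumption: default branch

# CKV2_GHA_1 is satisfied by an explicit least-privilege block; a missing key
# is reported at line range 0-1 in the output above. Grant only what the jobs
# below actually use and tighten further per job where jobs differ.
permissions:
  contents: read    # checkout only; no pushes, releases or issue writes
  id-token: write   # assumption: needed only if the job assumes an AWS role via OIDC

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the ref the triggering event points at
        uses: actions/checkout@v4
      - name: Build image from the checked-out tree
        run: docker build -t toolbox:ci .   # illustrative build command
```

With the `permissions` block at the top level, a job that needs more (for example `packages: write` to push an image) can declare its own `permissions:` map, which replaces the top-level grant for that job only; other jobs keep `contents: read`. Re-running `checkov -d . --framework github_actions` after the change confirms that both checks move from FAILED to PASSED for the edited file.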