Experience Builder


Terraform


Repository
hashicorp / learn-terraform-github-actions
Description

Stars

 143

Failed Checks
  •  Security Scanning

  • Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the repository's CI/CD configuration files.

    There is an opportunity to address the findings reported below:

    Checkov Output
                    
                      terraform scan results:
    
    Passed checks: 8, Failed checks: 6, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /main.tf:48-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		48 | resource "aws_instance" "web" {
    		49 |   ami                    = data.aws_ami.ubuntu.id
    		50 |   instance_type          = "t2.micro"
    		51 |   vpc_security_group_ids = [aws_security_group.web-sg.id]
    		52 | 
    		53 |   user_data = <<-EOF
    		54 |               #!/bin/bash
    		55 |               apt-get update
    		56 |               apt-get install -y apache2
    		57 |               sed -i -e 's/80/8080/' /etc/apache2/ports.conf
    		58 |               echo "Hello World" > /var/www/html/index.html
    		59 |               systemctl restart apache2
    		60 |               EOF
    		61 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /main.tf:48-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		48 | resource "aws_instance" "web" {
    		49 |   ami                    = data.aws_ami.ubuntu.id
    		50 |   instance_type          = "t2.micro"
    		51 |   vpc_security_group_ids = [aws_security_group.web-sg.id]
    		52 | 
    		53 |   user_data = <<-EOF
    		54 |               #!/bin/bash
    		55 |               apt-get update
    		56 |               apt-get install -y apache2
    		57 |               sed -i -e 's/80/8080/' /etc/apache2/ports.conf
    		58 |               echo "Hello World" > /var/www/html/index.html
    		59 |               systemctl restart apache2
    		60 |               EOF
    		61 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /main.tf:48-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		48 | resource "aws_instance" "web" {
    		49 |   ami                    = data.aws_ami.ubuntu.id
    		50 |   instance_type          = "t2.micro"
    		51 |   vpc_security_group_ids = [aws_security_group.web-sg.id]
    		52 | 
    		53 |   user_data = <<-EOF
    		54 |               #!/bin/bash
    		55 |               apt-get update
    		56 |               apt-get install -y apache2
    		57 |               sed -i -e 's/80/8080/' /etc/apache2/ports.conf
    		58 |               echo "Hello World" > /var/www/html/index.html
    		59 |               systemctl restart apache2
    		60 |               EOF
    		61 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /main.tf:48-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		48 | resource "aws_instance" "web" {
    		49 |   ami                    = data.aws_ami.ubuntu.id
    		50 |   instance_type          = "t2.micro"
    		51 |   vpc_security_group_ids = [aws_security_group.web-sg.id]
    		52 | 
    		53 |   user_data = <<-EOF
    		54 |               #!/bin/bash
    		55 |               apt-get update
    		56 |               apt-get install -y apache2
    		57 |               sed -i -e 's/80/8080/' /etc/apache2/ports.conf
    		58 |               echo "Hello World" > /var/www/html/index.html
    		59 |               systemctl restart apache2
    		60 |               EOF
    		61 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.web-sg
    	File: /main.tf:63-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		63 | resource "aws_security_group" "web-sg" {
    		64 |   name = "${random_pet.sg.id}-sg"
    		65 |   ingress {
    		66 |     from_port   = 8080
    		67 |     to_port     = 8080
    		68 |     protocol    = "tcp"
    		69 |     cidr_blocks = ["0.0.0.0/0"]
    		70 |   }
    		71 |   // connectivity to ubuntu mirrors is required to run `apt-get update` and `apt-get install apache2`
    		72 |   egress {
    		73 |     from_port   = 0
    		74 |     to_port     = 0
    		75 |     protocol    = "-1"
    		76 |     cidr_blocks = ["0.0.0.0/0"]
    		77 |   }
    		78 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /main.tf:48-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		48 | resource "aws_instance" "web" {
    		49 |   ami                    = data.aws_ami.ubuntu.id
    		50 |   instance_type          = "t2.micro"
    		51 |   vpc_security_group_ids = [aws_security_group.web-sg.id]
    		52 | 
    		53 |   user_data = <<-EOF
    		54 |               #!/bin/bash
    		55 |               apt-get update
    		56 |               apt-get install -y apache2
    		57 |               sed -i -e 's/80/8080/' /etc/apache2/ports.conf
    		58 |               echo "Hello World" > /var/www/html/index.html
    		59 |               systemctl restart apache2
    		60 |               EOF
    		61 | }
    
    github_actions scan results:
    
    Passed checks: 54, Failed checks: 2, Skipped checks: 0
    
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Your Fork)
    	File: /.github/workflows/your-fork.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Terraform)
    	File: /.github/workflows/terraform.yml:13-14