| Repository | hashicorp / terraform-provider-awscc |
|---|---|
| Description | Terraform AWS Cloud Control provider |
| Stars | 186 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 179, Failed checks: 34, Skipped checks: 0
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.example_alarm_actions
File: /examples/resources/awscc_cloudwatch_composite_alarm/with_actions_suppressor.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
14 | resource "aws_sns_topic" "example_alarm_actions" {
15 | name = "example-alarm-actions"
16 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.example_alarm_actions
File: /examples/resources/awscc_cloudwatch_composite_alarm/with_two_sub_alarms.tf:12-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
12 | resource "aws_sns_topic" "example_alarm_actions" {
13 | name = "example-alarm-actions"
14 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.example_ok_actions
File: /examples/resources/awscc_cloudwatch_composite_alarm/with_two_sub_alarms.tf:16-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
16 | resource "aws_sns_topic" "example_ok_actions" {
17 | name = "example-ok-actions"
18 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.example_insufficient_data_actions
File: /examples/resources/awscc_cloudwatch_composite_alarm/with_two_sub_alarms.tf:20-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
20 | resource "aws_sns_topic" "example_insufficient_data_actions" {
21 | name = "example-insufficient-data-actions"
22 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /examples/resources/awscc_ec2_volume_attachment/ec2_volume_attachment.tf:6-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
6 | resource "aws_instance" "web" {
7 | ami = "ami-08541bb85074a743a"
8 | instance_type = "t3.micro"
9 | availability_zone = "us-west-2a"
10 |
11 | tags = {
12 | Name = "HelloWorld"
13 | }
14 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /examples/resources/awscc_ec2_volume_attachment/ec2_volume_attachment.tf:6-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
6 | resource "aws_instance" "web" {
7 | ami = "ami-08541bb85074a743a"
8 | instance_type = "t3.micro"
9 | availability_zone = "us-west-2a"
10 |
11 | tags = {
12 | Name = "HelloWorld"
13 | }
14 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /examples/resources/awscc_ec2_volume_attachment/ec2_volume_attachment.tf:6-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
6 | resource "aws_instance" "web" {
7 | ami = "ami-08541bb85074a743a"
8 | instance_type = "t3.micro"
9 | availability_zone = "us-west-2a"
10 |
11 | tags = {
12 | Name = "HelloWorld"
13 | }
14 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /examples/resources/awscc_ec2_volume_attachment/ec2_volume_attachment.tf:6-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
6 | resource "aws_instance" "web" {
7 | ami = "ami-08541bb85074a743a"
8 | instance_type = "t3.micro"
9 | availability_zone = "us-west-2a"
10 |
11 | tags = {
12 | Name = "HelloWorld"
13 | }
14 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.test
File: /examples/resources/awscc_ec2_vpc_endpoint/vpc_endpoint_gateway_type.tf:17-21
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
17 | resource "aws_lb" "test" {
18 | name = "test-lb-tf"
19 | load_balancer_type = "gateway"
20 | subnets = [awscc_ec2_subnet.main.id]
21 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.test
File: /examples/resources/awscc_ec2_vpc_endpoint/vpc_endpoint_gateway_type.tf:17-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
17 | resource "aws_lb" "test" {
18 | name = "test-lb-tf"
19 | load_balancer_type = "gateway"
20 | subnets = [awscc_ec2_subnet.main.id]
21 | }
Check: CKV_AWS_123: "Ensure that VPC Endpoint Service is configured for Manual Acceptance"
FAILED for resource: aws_vpc_endpoint_service.example
File: /examples/resources/awscc_ec2_vpc_endpoint/vpc_endpoint_gateway_type.tf:23-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-vpc-endpoint-service-is-configured-for-manual-acceptance.html
23 | resource "aws_vpc_endpoint_service" "example" {
24 | acceptance_required = false
25 | gateway_load_balancer_arns = [aws_lb.test.arn]
26 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg1
File: /examples/resources/awscc_ec2_vpc_endpoint/vpc_endpoint_interface_type.tf:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
9 | resource "aws_security_group" "sg1" {
10 | name = "allow_tls"
11 | description = "Allow TLS inbound traffic"
12 | vpc_id = awscc_ec2_vpc.main.id
13 |
14 | ingress {
15 | description = "TLS from VPC"
16 | from_port = 443
17 | to_port = 443
18 | protocol = "tcp"
19 | cidr_blocks = [awscc_ec2_vpc.main.cidr_block]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | ipv6_cidr_blocks = ["::/0"]
28 | }
29 |
30 | tags = {
31 | Name = "allow_tls"
32 | }
33 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.example
File: /examples/resources/awscc_gamelift_build/gamelift_build.tf:43-56
43 | resource "aws_iam_policy" "example" {
44 | name = "gamelift-s3-access-policy"
45 |
46 | policy = jsonencode({
47 | Version = "2012-10-17"
48 | Statement = [
49 | {
50 | Effect = "Allow"
51 | Action = ["s3:*"]
52 | Resource = "*"
53 | },
54 | ]
55 | })
56 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.example
File: /examples/resources/awscc_gamelift_build/gamelift_build.tf:43-56
43 | resource "aws_iam_policy" "example" {
44 | name = "gamelift-s3-access-policy"
45 |
46 | policy = jsonencode({
47 | Version = "2012-10-17"
48 | Statement = [
49 | {
50 | Effect = "Allow"
51 | Action = ["s3:*"]
52 | Resource = "*"
53 | },
54 | ]
55 | })
56 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.example
File: /examples/resources/awscc_gamelift_build/gamelift_build.tf:43-56
43 | resource "aws_iam_policy" "example" {
44 | name = "gamelift-s3-access-policy"
45 |
46 | policy = jsonencode({
47 | Version = "2012-10-17"
48 | Statement = [
49 | {
50 | Effect = "Allow"
51 | Action = ["s3:*"]
52 | Resource = "*"
53 | },
54 | ]
55 | })
56 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.example
File: /examples/resources/awscc_gamelift_build/gamelift_build.tf:43-56
43 | resource "aws_iam_policy" "example" {
44 | name = "gamelift-s3-access-policy"
45 |
46 | policy = jsonencode({
47 | Version = "2012-10-17"
48 | Statement = [
49 | {
50 | Effect = "Allow"
51 | Action = ["s3:*"]
52 | Resource = "*"
53 | },
54 | ]
55 | })
56 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.sample_inline_1
File: /examples/resources/awscc_iam_role/iam_role_with_inline.tf:13-19
13 | data "aws_iam_policy_document" "sample_inline_1" {
14 | statement {
15 | sid = "AccessS3"
16 | actions = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"]
17 | resources = ["*"]
18 | }
19 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.sample_inline_2
File: /examples/resources/awscc_iam_role/iam_role_with_inline.tf:22-28
22 | data "aws_iam_policy_document" "sample_inline_2" {
23 | statement {
24 | sid = "AccessEC2"
25 | actions = ["ec2:Describe*"]
26 | resources = ["*"]
27 | }
28 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.policy_one
File: /examples/resources/awscc_iam_role/iam_role_with_managed.tf:12-25
12 | resource "aws_iam_policy" "policy_one" {
13 | name = "policy_one"
14 |
15 | policy = jsonencode({
16 | Version = "2012-10-17"
17 | Statement = [
18 | {
19 | Action = ["ec2:Describe*"]
20 | Effect = "Allow"
21 | Resource = "*"
22 | },
23 | ]
24 | })
25 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.policy_two
File: /examples/resources/awscc_iam_role/iam_role_with_managed.tf:27-40
27 | resource "aws_iam_policy" "policy_two" {
28 | name = "policy_two"
29 |
30 | policy = jsonencode({
31 | Version = "2012-10-17"
32 | Statement = [
33 | {
34 | Action = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"]
35 | Effect = "Allow"
36 | Resource = "*"
37 | },
38 | ]
39 | })
40 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.policy_one
File: /examples/resources/awscc_iam_role/iam_role_with_permission_boundary.tf:13-26
13 | resource "aws_iam_policy" "policy_one" {
14 | name = "policy_one"
15 |
16 | policy = jsonencode({
17 | Version = "2012-10-17"
18 | Statement = [
19 | {
20 | Action = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"]
21 | Effect = "Allow"
22 | Resource = "*"
23 | },
24 | ]
25 | })
26 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.s3_permission_boundary_policy
File: /examples/resources/awscc_iam_role/iam_role_with_permission_boundary.tf:28-41
28 | resource "aws_iam_policy" "s3_permission_boundary_policy" {
29 | name = "s3_permission_boundary_policy"
30 |
31 | policy = jsonencode({
32 | Version = "2012-10-17"
33 | Statement = [
34 | {
35 | Action = ["s3:Get*", "s3:List"]
36 | Effect = "Allow"
37 | Resource = "*"
38 | },
39 | ]
40 | })
41 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.s3_permission_boundary_policy
File: /examples/resources/awscc_iam_role/iam_role_with_permission_boundary.tf:28-41
28 | resource "aws_iam_policy" "s3_permission_boundary_policy" {
29 | name = "s3_permission_boundary_policy"
30 |
31 | policy = jsonencode({
32 | Version = "2012-10-17"
33 | Statement = [
34 | {
35 | Action = ["s3:Get*", "s3:List"]
36 | Effect = "Allow"
37 | Resource = "*"
38 | },
39 | ]
40 | })
41 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.this
File: /examples/resources/awscc_rds_db_instance/rds_db_instance_secret_manager_cmk.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
1 | resource "aws_kms_key" "this" {
2 | description = "Example KMS Key"
3 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.this
File: /examples/resources/awscc_timestream_database/database.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
1 | resource "aws_kms_key" "this" {
2 | description = "Timestream KMS Key"
3 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.example
File: /examples/resources/awscc_wafv2_logging_configuration/wafv2_logging_configuration.tf:11-13
11 | resource "aws_cloudwatch_log_group" "example" {
12 | name = "example"
13 | }
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: aws_cloudwatch_log_group.example
File: /examples/resources/awscc_wafv2_logging_configuration/wafv2_logging_configuration.tf:11-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
11 | resource "aws_cloudwatch_log_group" "example" {
12 | name = "example"
13 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.example
File: /examples/resources/awscc_wafv2_logging_configuration/wafv2_logging_configuration.tf:11-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
11 | resource "aws_cloudwatch_log_group" "example" {
12 | name = "example"
13 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.example
File: /examples/resources/awscc_wafv2_logging_configuration/wafv2_logging_configuration.tf:15-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html
15 | resource "aws_wafv2_web_acl" "example" {
16 | name = "managed-rule-example"
17 | description = "Example of a managed rule."
18 | scope = "REGIONAL"
19 |
20 | default_action {
21 | block {}
22 | }
23 |
24 | rule {
25 | name = "AWS-AWSManagedRulesCommonRuleSet"
26 | priority = 1
27 |
28 | override_action {
29 | none {}
30 | }
31 |
32 | statement {
33 | managed_rule_group_statement {
34 | name = "AWSManagedRulesCommonRuleSet"
35 | vendor_name = "AWS"
36 | }
37 | }
38 |
39 | visibility_config {
40 | cloudwatch_metrics_enabled = true
41 | metric_name = "AWS-AWSManagedRulesCommonRuleSet"
42 | sampled_requests_enabled = true
43 | }
44 | }
45 |
46 | visibility_config {
47 | cloudwatch_metrics_enabled = true
48 | metric_name = "ExternalACL"
49 | sampled_requests_enabled = true
50 | }
51 | }
Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
FAILED for resource: aws_wafv2_web_acl.example
File: /examples/resources/awscc_wafv2_logging_configuration/wafv2_logging_configuration.tf:15-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
15 | resource "aws_wafv2_web_acl" "example" {
16 | name = "managed-rule-example"
17 | description = "Example of a managed rule."
18 | scope = "REGIONAL"
19 |
20 | default_action {
21 | block {}
22 | }
23 |
24 | rule {
25 | name = "AWS-AWSManagedRulesCommonRuleSet"
26 | priority = 1
27 |
28 | override_action {
29 | none {}
30 | }
31 |
32 | statement {
33 | managed_rule_group_statement {
34 | name = "AWSManagedRulesCommonRuleSet"
35 | vendor_name = "AWS"
36 | }
37 | }
38 |
39 | visibility_config {
40 | cloudwatch_metrics_enabled = true
41 | metric_name = "AWS-AWSManagedRulesCommonRuleSet"
42 | sampled_requests_enabled = true
43 | }
44 | }
45 |
46 | visibility_config {
47 | cloudwatch_metrics_enabled = true
48 | metric_name = "ExternalACL"
49 | sampled_requests_enabled = true
50 | }
51 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.this
File: /examples/resources/awscc_rds_db_instance/rds_db_instance_secret_manager_cmk.tf:1-3
1 | resource "aws_kms_key" "this" {
2 | description = "Example KMS Key"
3 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.this
File: /examples/resources/awscc_timestream_database/database.tf:1-3
1 | resource "aws_kms_key" "this" {
2 | description = "Timestream KMS Key"
3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.sg1
File: /examples/resources/awscc_ec2_vpc_endpoint/vpc_endpoint_interface_type.tf:9-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
9 | resource "aws_security_group" "sg1" {
10 | name = "allow_tls"
11 | description = "Allow TLS inbound traffic"
12 | vpc_id = awscc_ec2_vpc.main.id
13 |
14 | ingress {
15 | description = "TLS from VPC"
16 | from_port = 443
17 | to_port = 443
18 | protocol = "tcp"
19 | cidr_blocks = [awscc_ec2_vpc.main.cidr_block]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | ipv6_cidr_blocks = ["::/0"]
28 | }
29 |
30 | tags = {
31 | Name = "allow_tls"
32 | }
33 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /examples/resources/awscc_ec2_volume_attachment/ec2_volume_attachment.tf:6-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
6 | resource "aws_instance" "web" {
7 | ami = "ami-08541bb85074a743a"
8 | instance_type = "t3.micro"
9 | availability_zone = "us-west-2a"
10 |
11 | tags = {
12 | Name = "HelloWorld"
13 | }
14 | }
secrets scan results:
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /examples/resources/awscc_amplify_app/basic_authorization.tf:7-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
7 | password = "you**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /examples/resources/awscc_amplify_branch/amplify_branch.tf:13-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
13 | password = "you**********"
github_actions scan results:
Passed checks: 384, Failed checks: 7, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(GoReleaser CI)
File: /.github/workflows/goreleaser-ci.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Add new issues to Project)
File: /.github/workflows/project.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Pull Request Target (All types))
File: /.github/workflows/pull_requests.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Documentation Linters)
File: /.github/workflows/documentation-linters.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Linters)
File: /.github/workflows/linters.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Check if tfplugindocs result matches /docs)
File: /.github/workflows/tfplugindocs-check.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Issue triage)
File: /.github/workflows/issues.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools