| Repository | mineiros-io / terraform-github-repository |
|---|---|
| Description | A Terraform module to manage GitHub Repositories. https://github.com/ |
| Stars | 140 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:55:14,770 [MainThread ] [WARNI] Failed to download module mineiros-io/repository/github:~>0.13.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:14,771 [MainThread ] [WARNI] Failed to download module mineiros-io/team/github:~>0.8.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 4, Failed checks: 10, Skipped checks: 0
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
FAILED for resource: module.repository.github_repository.repository
File: /main.tf:91-144
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/ensure-repository-is-private.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
FAILED for resource: module.repository.github_branch_protection.branch_protection
File: /main.tf:187-233
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
187 | resource "github_branch_protection" "branch_protection" {
188 |   for_each = local.branch_protections_v4_map
189 |
190 |   # ensure we have all members and collaborators added before applying
191 |   # any configuration for them
192 |   depends_on = [
193 |     github_repository_collaborator.collaborator,
194 |     github_team_repository.team_repository,
195 |     github_team_repository.team_repository_by_slug,
196 |     github_branch.branch,
197 |   ]
198 |
199 |   repository_id = github_repository.repository.node_id
200 |
201 |   pattern = var.branch_protections_v4[each.value].pattern
202 |
203 |   allows_deletions                = try(var.branch_protections_v4[each.value].allows_deletions, false)
204 |   allows_force_pushes             = try(var.branch_protections_v4[each.value].allows_force_pushes, false)
205 |   blocks_creations                = try(var.branch_protections_v4[each.value].blocks_creations, false)
206 |   enforce_admins                  = try(var.branch_protections_v4[each.value].enforce_admins, true)
207 |   push_restrictions               = try(var.branch_protections_v4[each.value].push_restrictions, [])
208 |   require_conversation_resolution = try(var.branch_protections_v4[each.value].require_conversation_resolution, false)
209 |   require_signed_commits          = try(var.branch_protections_v4[each.value].require_signed_commits, false)
210 |   required_linear_history         = try(var.branch_protections_v4[each.value].required_linear_history, false)
211 |
212 |   dynamic "required_pull_request_reviews" {
213 |     for_each = try([var.branch_protections_v4[each.value].required_pull_request_reviews], [])
214 |
215 |     content {
216 |       dismiss_stale_reviews           = try(required_pull_request_reviews.value.dismiss_stale_reviews, true)
217 |       restrict_dismissals             = try(required_pull_request_reviews.value.restrict_dismissals, null)
218 |       dismissal_restrictions          = try(required_pull_request_reviews.value.dismissal_restrictions, [])
219 |       pull_request_bypassers          = try(required_pull_request_reviews.value.pull_request_bypassers, [])
220 |       require_code_owner_reviews      = try(required_pull_request_reviews.value.require_code_owner_reviews, true)
221 |       required_approving_review_count = try(required_pull_request_reviews.value.required_approving_review_count, 0)
222 |     }
223 |   }
224 |
225 |   dynamic "required_status_checks" {
226 |     for_each = try([var.branch_protections_v4[each.value].required_status_checks], [])
227 |
228 |     content {
229 |       strict   = try(required_status_checks.value.strict, false)
230 |       contexts = try(required_status_checks.value.contexts, [])
231 |     }
232 |   }
233 | }
Check: CKV_GIT_6: "Ensure GitHub branch protection rules requires signed commits"
FAILED for resource: module.repository.github_branch_protection.branch_protection
File: /main.tf:187-233
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.bridgecrew.io/docs/ensure-github-branch-protection-rules-requires-signed-commits
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
FAILED for resource: module.repository.github_branch_protection_v3.branch_protection[0]
File: /main.tf:240-288
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
240 | resource "github_branch_protection_v3" "branch_protection" {
241 |   count = length(local.branch_protections_v3)
242 |
243 |   # ensure we have all members and collaborators added before applying
244 |   # any configuration for them
245 |   depends_on = [
246 |     github_repository_collaborator.collaborator,
247 |     github_team_repository.team_repository,
248 |     github_team_repository.team_repository_by_slug,
249 |     github_branch.branch,
250 |   ]
251 |
252 |   repository                      = github_repository.repository.name
253 |   branch                          = local.branch_protections_v3[count.index].branch
254 |   enforce_admins                  = local.branch_protections_v3[count.index].enforce_admins
255 |   require_conversation_resolution = local.branch_protections_v3[count.index].require_conversation_resolution
256 |   require_signed_commits          = local.branch_protections_v3[count.index].require_signed_commits
257 |
258 |   dynamic "required_status_checks" {
259 |     for_each = local.required_status_checks[count.index]
260 |
261 |     content {
262 |       strict   = required_status_checks.value.strict
263 |       contexts = required_status_checks.value.contexts
264 |     }
265 |   }
266 |
267 |   dynamic "required_pull_request_reviews" {
268 |     for_each = local.required_pull_request_reviews[count.index]
269 |
270 |     content {
271 |       dismiss_stale_reviews           = required_pull_request_reviews.value.dismiss_stale_reviews
272 |       dismissal_users                 = required_pull_request_reviews.value.dismissal_users
273 |       dismissal_teams                 = [for t in required_pull_request_reviews.value.dismissal_teams : replace(lower(t), "/[^a-z0-9_]/", "-")]
274 |       require_code_owner_reviews      = required_pull_request_reviews.value.require_code_owner_reviews
275 |       required_approving_review_count = required_pull_request_reviews.value.required_approving_review_count
276 |     }
277 |   }
278 |
279 |   dynamic "restrictions" {
280 |     for_each = local.restrictions[count.index]
281 |
282 |     content {
283 |       users = restrictions.value.users
284 |       teams = [for t in restrictions.value.teams : replace(lower(t), "/[^a-z0-9_]/", "-")]
285 |       apps  = restrictions.value.apps
286 |     }
287 |   }
288 | }
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
FAILED for resource: module.repository.github_branch_protection_v3.branch_protection[1]
File: /main.tf:240-288
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
Check: CKV_GIT_1: "Ensure GitHub repository is Private"
FAILED for resource: module.repository-with-defaults.github_repository.repository
File: /main.tf:91-144
Calling File: /test/unit-complete/main.tf:169-180
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/ensure-repository-is-private.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
FAILED for resource: module.repository-with-defaults.github_branch_protection.branch_protection
File: /main.tf:187-233
Calling File: /test/unit-complete/main.tf:169-180
Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
Check: CKV_GIT_6: "Ensure GitHub branch protection rules requires signed commits"
FAILED for resource: module.repository-with-defaults.github_branch_protection.branch_protection
File: /main.tf:187-233
Calling File: /test/unit-complete/main.tf:169-180
Guide: https://docs.bridgecrew.io/docs/ensure-github-branch-protection-rules-requires-signed-commits
Check: CKV_GIT_4: "Ensure GitHub Actions secrets are encrypted"
FAILED for resource: module.repository.github_actions_secret.repository_secret
File: /secrets.tf:12-19
Calling File: /test/unit-complete/main.tf:25-161
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/build-integrity-policies/github-policies/ensure-github-actions-secrets-are-encrypted.html
12 | resource "github_actions_secret" "repository_secret" {
13 |   for_each = local.secrets
14 |
15 |   repository      = github_repository.repository.name
16 |   secret_name     = each.key
17 |   plaintext_value = try(each.value.plaintext, null)
18 |   encrypted_value = try(each.value.encrypted, null)
19 | }
Check: CKV_GIT_4: "Ensure GitHub Actions secrets are encrypted"
FAILED for resource: module.repository-with-defaults.github_actions_secret.repository_secret
File: /secrets.tf:12-19
Calling File: /test/unit-complete/main.tf:169-180
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/build-integrity-policies/github-policies/ensure-github-actions-secrets-are-encrypted.html
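The Terraform findings above all come from module defaults that a caller can override: the v4 branch protection falls back to required_approving_review_count = 0 (main.tf:221) and require_signed_commits = false (main.tf:209), and the secret resource accepts either a plaintext or an encrypted value (secrets.tf:17-18). The configuration below is an added example of such a caller, written for this page; it is not code from the mineiros-io module, its tests or the scan. The module source and version are the ones checkov reports at the top of the output; the attribute paths under branch_protections_v4 are the ones visible in main.tf:187-233; the inputs `name`, `visibility` and `encrypted_secrets`, the provider owner, the repository name, the status-check context and the variable `sealed_api_token` are assumptions. It does not address CKV_SECRET_6 or CKV2_GHA_1, which are reported against README.tfdoc.hcl and .github/workflows/main.yml rather than the module's Terraform code.

```hcl
# Added example (not part of the scanned module or its tests): a caller of
# mineiros-io/repository/github configured so the rendered resources satisfy
# CKV_GIT_1, CKV_GIT_5 and CKV_GIT_6 and so that no secret plaintext reaches the
# plan or state (CKV_GIT_4).

provider "github" {
  owner = "example-org" # assumed organization
}

variable "sealed_api_token" {
  description = "Base64 libsodium sealed box of the secret, produced out of band with the repository's Actions public key (assumed variable; the ciphertext never lives in this configuration)."
  type        = string
  sensitive   = true
}

module "repository" {
  source  = "mineiros-io/repository/github" # source reported by checkov
  version = "~> 0.13.0"                     # version reported by checkov

  name = "example-service" # assumed input and repository name

  # CKV_GIT_1: make the repository private (assumed input name).
  visibility = "private"

  # CKV_GIT_5 / CKV_GIT_6: override the module defaults of
  # required_approving_review_count = 0 and require_signed_commits = false.
  # Every attribute here maps onto a try(...) lookup in main.tf:201-230.
  branch_protections_v4 = [
    {
      pattern                         = "main"
      enforce_admins                  = true
      require_signed_commits          = true
      require_conversation_resolution = true
      required_linear_history         = true
      allows_force_pushes             = false
      allows_deletions                = false

      required_pull_request_reviews = {
        required_approving_review_count = 2
        dismiss_stale_reviews           = true
        require_code_owner_reviews      = true
      }

      required_status_checks = {
        strict   = true
        contexts = ["ci/checkov"] # assumed status-check context name
      }
    }
  ]

  # CKV_GIT_4: pass a sealed-box ciphertext so github_actions_secret gets
  # encrypted_value (secrets.tf:18) and plaintext_value stays null.
  # Assumed input name; the module's resource still declares plaintext_value,
  # so whether checkov clears the check depends on how it renders that null.
  encrypted_secrets = {
    API_TOKEN = var.sealed_api_token
  }
}
```

The two warnings at the start of the output mean checkov did not fetch the registry modules referenced by the test fixtures; rerunning with `--download-external-modules true` evaluates them as well, so a configuration like the one above can be checked end to end rather than only against the module's own defaults.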
secrets scan results:
Passed checks: 0, Failed checks: 4, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 5c77b9746b080e997e01a9d96c354140df28dc05
File: /README.tfdoc.hcl:1149-1150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
1149 | SECRET_NAME_1 = "plaint******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 60e57139852f3ff03aba4f1352e1d036bf55e3e4
File: /README.tfdoc.hcl:1150-1151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
1150 | SECRET_NAME_2 = "plaint******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 9440ef5816492d117e79da38923e9a2de6511814
File: /README.tfdoc.hcl:1168-1169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
1168 | SECRET_NAME_1 = "c2Vjc***************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: f724870d212bccf8e9cfebd5a41f7169e6b8d966
File: /README.tfdoc.hcl:1169-1170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
1169 | SECRET_NAME_2 = "c2Vjc***************"
github_actions scan results:
Passed checks: 31, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(CI/CD Pipeline)
File: /.github/workflows/main.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools