| Repository | oracle-quickstart / oci-cis-landingzone-quickstart |
|---|---|
| Description | Quickstart Terraform configuration for tenancy setup according to CIS OCI Foundations Benchmark. |
| Stars | 114 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-11 09:56:51,357 [MainThread ] [WARNI] Failed to download module github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/policies:None (for external modules, the --download-external-modules flag is required)
2023-10-11 09:56:51,357 [MainThread ] [WARNI] Failed to download module github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/dynamic-groups:None (for external modules, the --download-external-modules flag is required)
2023-10-11 09:56:51,357 [MainThread ] [WARNI] Failed to download module github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/groups:None (for external modules, the --download-external-modules flag is required)
2023-10-11 09:56:51,358 [MainThread ] [WARNI] Failed to download module github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//compartments?ref=v0.1.6:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 27, Failed checks: 10, Skipped checks: 0
Check: CKV_OCI_1: "Ensure no hard coded OCI private key in provider"
FAILED for resource: oci.default
File: /config/provider.tf:4-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/secrets-1/bc-oci-secrets-1.html
4 | provider "oci" {
5 | region = var.region
6 | tenancy_ocid = var.tenancy_ocid
7 | user_ocid = var.user_ocid
8 | fingerprint = var.fingerprint
9 | private_key_path = var.private_key_path
10 | private_key_password = var.private_key_password
11 | }
Check: CKV_OCI_1: "Ensure no hard coded OCI private key in provider"
FAILED for resource: oci.home
File: /config/provider.tf:13-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/secrets-1/bc-oci-secrets-1.html
13 | provider "oci" {
14 | alias = "home"
15 | region = local.regions_map[local.home_region_key]
16 | tenancy_ocid = var.tenancy_ocid
17 | user_ocid = var.user_ocid
18 | fingerprint = var.fingerprint
19 | private_key_path = var.private_key_path
20 | private_key_password = var.private_key_password
21 | }
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.lz_exacs_nsgs.oci_core_security_list.these
File: /modules/network/security/main_security_list.tf:16-623
Calling File: /config/net_exacs_nsgs.tf:262-267
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.lz_nsgs_spokes.oci_core_security_list.these
File: /modules/network/security/main_security_list.tf:16-623
Calling File: /config/net_nsgs.tf:438-443
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.lz_vcn_dmz.oci_core_security_list.these
File: /modules/network/vcn-basic/main.tf:154-723
Calling File: /config/net_dmz.tf:103-111
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.lz_exacs_vcns.oci_core_security_list.these
File: /modules/network/vcn-basic/main.tf:154-723
Calling File: /config/net_exacs_vcns.tf:198-205
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: module.lz_vcn_spokes.oci_core_security_list.these
File: /modules/network/vcn-basic/main.tf:154-723
Calling File: /config/net_vcn.tf:236-244
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_1: "Ensure no hard coded OCI private key in provider"
FAILED for resource: oci.default
File: /pre-config/provider.tf:4-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/secrets-1/bc-oci-secrets-1.html
4 | provider "oci" {
5 | region = var.home_region
6 | tenancy_ocid = var.tenancy_ocid
7 | user_ocid = var.user_ocid
8 | fingerprint = var.fingerprint
9 | private_key_path = var.private_key_path
10 | private_key_password = var.private_key_password
11 | }
Check: CKV_OCI_1: "Ensure no hard coded OCI private key in provider"
FAILED for resource: oci.default
File: /workloads/generic_workload_compartments/provider.tf:4-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/secrets-1/bc-oci-secrets-1.html
4 | provider "oci" {
5 | region = var.region
6 | tenancy_ocid = var.tenancy_ocid
7 | user_ocid = var.user_ocid
8 | fingerprint = var.fingerprint
9 | private_key_path = var.private_key_path
10 | private_key_password = var.private_key_password
11 | }
Check: CKV_OCI_1: "Ensure no hard coded OCI private key in provider"
FAILED for resource: oci.home
File: /workloads/generic_workload_compartments/provider.tf:13-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/secrets-1/bc-oci-secrets-1.html
13 | provider "oci" {
14 | alias = "home"
15 | region = local.regions_map[local.home_region_key]
16 | tenancy_ocid = var.tenancy_ocid
17 | user_ocid = var.user_ocid
18 | fingerprint = var.fingerprint
19 | private_key_path = var.private_key_path
20 | private_key_password = var.private_key_password
21 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools