| Repository | rishavnandi / ansible_homelab |
|---|---|
| Description | Ansible playbooks to quickly set up a homelab. The playbook updates the system, installs Docker, and then deploys the Docker containers. |
| Stars | 214 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example Checkov output below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 9, Failed checks: 11, Skipped checks: 0
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.tf_public_subnet
File: /main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
```text
13 | resource "aws_subnet" "tf_public_subnet" {
14 |   vpc_id                  = aws_vpc.tf_vpc.id
15 |   cidr_block              = "10.0.1.0/24"
16 |   availability_zone       = "us-east-1a"
17 |   map_public_ip_on_launch = true
18 |
19 |   tags = {
20 |     Name = "tf_public_subnet"
21 |   }
22 | }
```
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.tf_sg
File: /main.tf:61-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.tf_sg
File: /main.tf:61-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.tf_sg
File: /main.tf:61-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.tf_instance
File: /main.tf:216-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
```text
216 | resource "aws_instance" "tf_instance" {
217 |   ami                    = data.aws_ami.tf_ami.id
218 |   instance_type          = "t2.micro"
219 |   key_name               = "ansible_user"
220 |   subnet_id              = aws_subnet.tf_public_subnet.id
221 |   vpc_security_group_ids = [aws_security_group.tf_sg.id]
222 |
223 |   tags = {
224 |     Name = "tf_instance"
225 |   }
226 | }
```
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.tf_instance
File: /main.tf:216-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
```text
216 | resource "aws_instance" "tf_instance" {
217 |   ami                    = data.aws_ami.tf_ami.id
218 |   instance_type          = "t2.micro"
219 |   key_name               = "ansible_user"
220 |   subnet_id              = aws_subnet.tf_public_subnet.id
221 |   vpc_security_group_ids = [aws_security_group.tf_sg.id]
222 |
223 |   tags = {
224 |     Name = "tf_instance"
225 |   }
226 | }
```
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.tf_instance
File: /main.tf:216-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
```text
216 | resource "aws_instance" "tf_instance" {
217 |   ami                    = data.aws_ami.tf_ami.id
218 |   instance_type          = "t2.micro"
219 |   key_name               = "ansible_user"
220 |   subnet_id              = aws_subnet.tf_public_subnet.id
221 |   vpc_security_group_ids = [aws_security_group.tf_sg.id]
222 |
223 |   tags = {
224 |     Name = "tf_instance"
225 |   }
226 | }
```
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.tf_instance
File: /main.tf:216-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
```text
216 | resource "aws_instance" "tf_instance" {
217 |   ami                    = data.aws_ami.tf_ami.id
218 |   instance_type          = "t2.micro"
219 |   key_name               = "ansible_user"
220 |   subnet_id              = aws_subnet.tf_public_subnet.id
221 |   vpc_security_group_ids = [aws_security_group.tf_sg.id]
222 |
223 |   tags = {
224 |     Name = "tf_instance"
225 |   }
226 | }
```
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.tf_vpc
File: /main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
```text
5 | resource "aws_vpc" "tf_vpc" {
6 |   cidr_block = "10.0.0.0/16"
7 |
8 |   tags = {
9 |     Name = "tf_vpc"
10 |   }
11 | }
```
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.tf_vpc
File: /main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
```text
5 | resource "aws_vpc" "tf_vpc" {
6 |   cidr_block = "10.0.0.0/16"
7 |
8 |   tags = {
9 |     Name = "tf_vpc"
10 |   }
11 | }
```
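The six networking findings above (CKV_AWS_130 on the subnet, CKV_AWS_23, CKV_AWS_24 and CKV_AWS_260 on tf_sg, CKV2_AWS_12 and CKV2_AWS_11 on the VPC) can be cleared together. The following is an added example written for this report, not code from the rishavnandi/ansible_homelab repository. It assumes AWS provider v5, a variable `admin_cidr` holding the operator's address, and that the original tf_sg rule set (truncated in the Checkov output above) can be replaced with SSH for Ansible plus HTTPS; the internet gateway and route table of the original main.tf are assumed unchanged and are not repeated.

```hcl
# Added example, not code from the rishavnandi/ansible_homelab repository.
# Assumptions: AWS provider v5; var.admin_cidr is the operator's address; the
# original tf_sg rule set (truncated in the report) is replaced outright.

variable "admin_cidr" {
  description = "Address or range allowed to reach SSH and HTTPS (assumed input)"
  type        = string
}

resource "aws_vpc" "tf_vpc" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "tf_vpc" }
}

# CKV2_AWS_12: adopt the VPC's default security group. With no ingress/egress
# blocks declared, Terraform removes every rule it carries.
resource "aws_default_security_group" "tf_default" {
  vpc_id = aws_vpc.tf_vpc.id
}

# CKV2_AWS_11: VPC flow logs to CloudWatch Logs. One-year retention also keeps the
# log group clear of CKV_AWS_338; a CMK for the group (CKV_AWS_158) is left out here.
resource "aws_cloudwatch_log_group" "tf_flow" {
  name              = "/vpc/tf_vpc/flow-logs"
  retention_in_days = 365
}

resource "aws_iam_role" "tf_flow" {
  name = "tf-vpc-flow-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}

# Scoped to this one log group instead of the Resource = "*" of the AWS sample policy.
resource "aws_iam_role_policy" "tf_flow" {
  role = aws_iam_role.tf_flow.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
      Resource = "${aws_cloudwatch_log_group.tf_flow.arn}:*"
    }]
  })
}

resource "aws_flow_log" "tf_vpc" {
  vpc_id          = aws_vpc.tf_vpc.id
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.tf_flow.arn
  iam_role_arn    = aws_iam_role.tf_flow.arn
}

# CKV_AWS_130: no automatic public IP; attach an Elastic IP to the instance instead.
resource "aws_subnet" "tf_public_subnet" {
  vpc_id                  = aws_vpc.tf_vpc.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
  tags                    = { Name = "tf_public_subnet" }
}

# CKV_AWS_23 / CKV_AWS_24 / CKV_AWS_260: every rule has a description and neither
# 22 nor 80 is open to 0.0.0.0/0. Nothing listens on 80; serve the lab over 443.
resource "aws_security_group" "tf_sg" {
  name        = "tf_sg"
  description = "Homelab host: SSH and HTTPS from the operator address only"
  vpc_id      = aws_vpc.tf_vpc.id

  ingress {
    description = "SSH for Ansible from the operator address"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {
    description = "HTTPS to the reverse proxy from the operator address"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # apt, Docker Hub and image pulls need outbound 80/443 and DNS; narrow this once those endpoints are pinned down.
  egress {
    description = "Outbound for system updates and container image pulls"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Two caveats before applying this. First, the report truncates tf_sg (main.tf lines 61-194), so diff the original rule set against the two ingress rules here before replacing it; any service that genuinely needs exposure gets its own described rule scoped to a known CIDR rather than 0.0.0.0/0. Second, rerun Checkov afterwards: the new log group and IAM role bring their own checks, so expect the pass/fail counts to shift rather than simply drop by six.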
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.tf_instance
File: /main.tf:216-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
```text
216 | resource "aws_instance" "tf_instance" {
217 |   ami                    = data.aws_ami.tf_ami.id
218 |   instance_type          = "t2.micro"
219 |   key_name               = "ansible_user"
220 |   subnet_id              = aws_subnet.tf_public_subnet.id
221 |   vpc_security_group_ids = [aws_security_group.tf_sg.id]
222 |
223 |   tags = {
224 |     Name = "tf_instance"
225 |   }
226 | }
```
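The five findings on aws_instance.tf_instance (CKV_AWS_126, CKV_AWS_8, CKV_AWS_79, CKV_AWS_135, CKV2_AWS_41) are all attributes of the one resource plus an instance profile. The following is an added example written for this report, not code from the rishavnandi/ansible_homelab repository. It assumes AWS provider v5 and drops into the existing main.tf next to the subnet, security group and `data.aws_ami.tf_ami` already referenced there; the instance role, instance profile and Elastic IP are new resources named here by assumption.

```hcl
# Added example, not code from the rishavnandi/ansible_homelab repository.
# Assumes AWS provider v5 and the subnet, security group and AMI data source of
# the existing main.tf. Role, profile and EIP names are assumptions.

# CKV2_AWS_41: an instance role. Least privilege starts from no grants at all;
# AmazonSSMManagedInstanceCore is the single attachment made here so that
# Session Manager can stand in for SSH when the operator address changes.
resource "aws_iam_role" "tf_instance" {
  name = "tf-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "tf_instance_ssm" {
  role       = aws_iam_role.tf_instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "tf_instance" {
  name = "tf-instance"
  role = aws_iam_role.tf_instance.name
}

resource "aws_instance" "tf_instance" {
  ami = data.aws_ami.tf_ami.id
  # t2 instances cannot be EBS-optimized (the API rejects ebs_optimized = true),
  # so CKV_AWS_135 needs a t3 class, which is EBS-optimized by default.
  instance_type          = "t3.micro"
  key_name               = "ansible_user"
  subnet_id              = aws_subnet.tf_public_subnet.id
  vpc_security_group_ids = [aws_security_group.tf_sg.id]

  iam_instance_profile = aws_iam_instance_profile.tf_instance.name # CKV2_AWS_41
  monitoring           = true                                       # CKV_AWS_126
  ebs_optimized        = true                                       # CKV_AWS_135

  # CKV_AWS_8: encrypt the root volume. Without kms_key_id the account's default
  # EBS key is used; a customer-managed key can be swapped in later.
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  # CKV_AWS_79: IMDSv2 only. Every metadata read must present a session token,
  # which shuts the classic SSRF path to the instance's role credentials. The
  # Docker containers this playbook deploys share the host's route to
  # 169.254.169.254; a hop limit of 1 means the token response dies at the
  # host, so bridge-networked containers cannot borrow the instance role.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = { Name = "tf_instance" }
}

# Explicit, stable public address for the Ansible inventory once the subnet no
# longer auto-assigns one (CKV_AWS_130). Requires the VPC's internet gateway.
resource "aws_eip" "tf_instance" {
  domain   = "vpc"
  instance = aws_instance.tf_instance.id
  tags     = { Name = "tf_instance" }
}
```

Of the five, CKV_AWS_79 is the one that changes the security posture rather than the audit posture: with IMDSv1 still enabled, any SSRF or request-forwarding bug in a container on this host is a credential theft for whatever the instance role can do. `monitoring = true` turns on one-minute CloudWatch metrics, which are billed, and the t2-to-t3 change is a replacement of the instance, so plan both before `terraform apply`.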
ansible scan results:
Passed checks: 7, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools