| Repository | transcend-io / terragrunt-atlantis-config |
|---|---|
| Description | Generate Atlantis config for Terragrunt projects. |
| Stars | 501 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:45:35,971 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-vpc:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,971 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-security-group:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-route53/modules/zones:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-rds:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module github.com/Sebor/terraform-aws-ec2-instance:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-notify-slack:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module github.com/terraform-aws-modules/terraform-aws-iam/modules/iam-assumable-role:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:45:35,972 [MainThread ] [WARNI] Failed to download module git::git@github.com:transcend-io/terraform-aws-fargate-container?ref=v0.0.4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 2, Failed checks: 1, Skipped checks: 0
Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
FAILED for resource: aws_route53_record.openvpn
File: /test_examples/no_terraform_blocks/myproject/eu-south-1/infra/apps/openvpn.tf:48-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
48 | resource "aws_route53_record" "openvpn" {
49 | zone_id = values(var.dns_zone_id)[0]
50 | name = "${local.vm_name}.${var.env}.local"
51 | type = "A"
52 | ttl = "300"
53 | records = module.openvpn.private_ip
54 | }
dockerfile scan results:
Passed checks: 43, Failed checks: 3, Skipped checks: 0
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /Dockerfile.FROM
File: /Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM golang AS build
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /Dockerfile.
File: /Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang AS build
2 |
3 | ENV GO111MODULE=on
4 | WORKDIR /app
5 |
6 | # copy source
7 | COPY go.mod go.sum main.go ./
8 |
9 | # fetch deps separately (for layer caching)
10 | RUN go mod download
11 |
12 | # build the executable
13 | COPY cmd ./cmd
14 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
15 |
16 | # create super thin container with the binary only
17 | FROM scratch
18 | COPY --from=build /app/terragrunt-atlantis-config /app/terragrunt-atlantis-config
19 | ENTRYPOINT [ "/app/terragrunt-atlantis-config" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /Dockerfile.
File: /Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang AS build
2 |
3 | ENV GO111MODULE=on
4 | WORKDIR /app
5 |
6 | # copy source
7 | COPY go.mod go.sum main.go ./
8 |
9 | # fetch deps separately (for layer caching)
10 | RUN go mod download
11 |
12 | # build the executable
13 | COPY cmd ./cmd
14 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
15 |
16 | # create super thin container with the binary only
17 | FROM scratch
18 | COPY --from=build /app/terragrunt-atlantis-config /app/terragrunt-atlantis-config
19 | ENTRYPOINT [ "/app/terragrunt-atlantis-config" ]
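The following Dockerfile is an added example, not the project's own file: it is the build above rewritten so that CKV_DOCKER_7 and CKV_DOCKER_3 pass, with CKV_DOCKER_2 suppressed through Checkov's inline skip comment because a one-shot CLI image has no long-running process for a HEALTHCHECK to probe. The Go version tag and the numeric UID are assumptions; take the Go version from the project's go.mod.

```dockerfile
# Added example (not the repository's Dockerfile): the same two-stage build
# with the three Checkov findings addressed or explicitly suppressed.
#
# CKV_DOCKER_2: a HEALTHCHECK needs a process that keeps running. This image
# executes a one-shot CLI, so the check is suppressed with a stated reason
# rather than satisfied with a probe that would never be consulted.
#checkov:skip=CKV_DOCKER_2: one-shot CLI image, no long-running process to probe

# CKV_DOCKER_7: pin the builder to a version tag instead of the implicit
# ":latest". The tag is an assumption; use the Go version from go.mod.
# Pinning to a digest (golang:1.21-bookworm@sha256:<digest>) also protects
# against the tag being moved.
FROM golang:1.21-bookworm AS build

ENV GO111MODULE=on
WORKDIR /app

# copy source
COPY go.mod go.sum main.go ./

# fetch deps separately (for layer caching)
RUN go mod download

# build the executable (named after the module path, as in the original)
COPY cmd ./cmd
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build

# create super thin container with the binary only
FROM scratch
COPY --from=build /app/terragrunt-atlantis-config /app/terragrunt-atlantis-config

# CKV_DOCKER_3: scratch has no /etc/passwd, so the user is given numerically.
# 65532 is the conventional "nonroot" UID and is an assumption.
USER 65532:65532

ENTRYPOINT [ "/app/terragrunt-atlantis-config" ]
```

Re-running `checkov -d . --framework dockerfile` against this file should report CKV_DOCKER_7 and CKV_DOCKER_3 as passed and CKV_DOCKER_2 as skipped with the reason recorded in the output, which keeps the suppression reviewable rather than hidden in a CLI flag.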
github_actions scan results:
Passed checks: 114, Failed checks: 5, Skipped checks: 0
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(Build and publish container image)
File: /.github/workflows/container-build.yml:16-21
16 | tag:
17 | description: Build a container image for this git tag
18 | required: true
19 |
20 | env:
21 | # GitHub Container Registry hostname
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Contributors)
File: /.github/workflows/contributors.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(release)
File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build and publish container image)
File: /.github/workflows/container-build.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build and test code)
File: /.github/workflows/run_tests.yml:0-1
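Below is an added example workflow, not one of the repository's workflow files, showing how the two GitHub Actions findings and the missing CI scan fit together: the tag to build is taken from the push event rather than from a workflow_dispatch input (CKV_GHA_7), the top-level token is read-only and only the publishing job is granted packages: write (CKV2_GHA_1), and a Checkov job gates the build with external modules downloaded, so the module-download warnings above go away and a graph check such as CKV2_AWS_23 can follow module.openvpn.private_ip back to the resource that produces it. Action versions, the Python version and the registry path are assumptions.

```yaml
# Added example, not a workflow from the project. Action versions, the Python
# version and the registry path are assumptions; adapt them to the repository.
name: Build and publish container image

on:
  # CKV_GHA_7: the tag to build comes from the triggering event instead of a
  # workflow_dispatch input, so a user cannot point the build at an arbitrary ref.
  push:
    tags:
      - "v*"

# CKV2_GHA_1: read-only token by default; each job widens only what it needs.
permissions:
  contents: read

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install checkov
      # --download-external-modules lets Checkov fetch the module sources it
      # warned about, so module outputs resolve instead of being left as
      # unresolved references in the graph checks.
      - run: >
          checkov -d .
          --framework terraform dockerfile github_actions
          --download-external-modules true

  build-and-push:
    needs: checkov          # nothing is published unless the scan passes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write       # only this job may push to GHCR
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
```

The same top-level `permissions: contents: read` block addresses the write-all finding in the contributors, release and test workflows; a job that needs to open a pull request or create a release then asks for `contents: write` or `pull-requests: write` at job level. The CKV2_AWS_23 result above is worth re-running with the module downloaded before treating it as an unattached record, since without the module Checkov cannot see what `module.openvpn.private_ip` refers to.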
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools