| Repository | Young-ook / terraform-aws-eks |
|---|---|
| Description | Terraform Module: Amazon EKS |
| Stars | 128 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:55:50,773 [MainThread ] [WARNI] Failed to download module Young-ook/spinnaker/aws//modules/aws-partitions:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,773 [MainThread ] [WARNI] Failed to download module Young-ook/spinnaker/aws//modules/frigga:2.3.5 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,773 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/iam-role-for-serviceaccount:1.7.10 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/vpc/aws:1.0.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws:2.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws:2.0.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/irsa:2.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/helm-addons:2.0.4 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/eks-addons:2.0.4 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,774 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/helm-addons:2.0.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,775 [MainThread ] [WARNI] Failed to download module Young-ook/spinnaker/aws//modules/codebuild:2.3.6 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,776 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/ecr:1.7.11 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,776 [MainThread ] [WARNI] Failed to download module Young-ook/eventbridge/aws//modules/logs:0.0.6 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,776 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/helm-addons:2.0.6 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:50,776 [MainThread ] [WARNI] Failed to download module Young-ook/eks/aws//modules/eks-addons:2.0.3 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 85, Failed checks: 13, Skipped checks: 0
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: module.main.aws_eks_cluster.cp
File: /main.tf:32-47
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
32 | resource "aws_eks_cluster" "cp" {
33 | name = format("%s", local.name)
34 | role_arn = aws_iam_role.cp.arn
35 | version = var.kubernetes_version
36 | tags = merge(local.default-tags, var.tags)
37 |
38 | enabled_cluster_log_types = var.enabled_cluster_log_types
39 |
40 | vpc_config {
41 | subnet_ids = var.subnets
42 | }
43 |
44 | depends_on = [
45 | aws_iam_role_policy_attachment.eks-cluster,
46 | ]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: module.main.aws_eks_cluster.cp
File: /main.tf:32-47
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
32 | resource "aws_eks_cluster" "cp" {
33 | name = format("%s", local.name)
34 | role_arn = aws_iam_role.cp.arn
35 | version = var.kubernetes_version
36 | tags = merge(local.default-tags, var.tags)
37 |
38 | enabled_cluster_log_types = var.enabled_cluster_log_types
39 |
40 | vpc_config {
41 | subnet_ids = var.subnets
42 | }
43 |
44 | depends_on = [
45 | aws_iam_role_policy_attachment.eks-cluster,
46 | ]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: module.main.aws_eks_cluster.cp
File: /main.tf:32-47
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
32 | resource "aws_eks_cluster" "cp" {
33 | name = format("%s", local.name)
34 | role_arn = aws_iam_role.cp.arn
35 | version = var.kubernetes_version
36 | tags = merge(local.default-tags, var.tags)
37 |
38 | enabled_cluster_log_types = var.enabled_cluster_log_types
39 |
40 | vpc_config {
41 | subnet_ids = var.subnets
42 | }
43 |
44 | depends_on = [
45 | aws_iam_role_policy_attachment.eks-cluster,
46 | ]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: module.main.aws_eks_cluster.cp
File: /main.tf:32-47
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
32 | resource "aws_eks_cluster" "cp" {
33 | name = format("%s", local.name)
34 | role_arn = aws_iam_role.cp.arn
35 | version = var.kubernetes_version
36 | tags = merge(local.default-tags, var.tags)
37 |
38 | enabled_cluster_log_types = var.enabled_cluster_log_types
39 |
40 | vpc_config {
41 | subnet_ids = var.subnets
42 | }
43 |
44 | depends_on = [
45 | aws_iam_role_policy_attachment.eks-cluster,
46 | ]
47 | }
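The four cluster findings above (CKV_AWS_39, CKV_AWS_37, CKV_AWS_38 and CKV_AWS_58) all point at the same `vpc_config` block and the missing `encryption_config` on `aws_eks_cluster.cp`. The block below is an added example of a hardened version of that resource; it is not code from the terraform-aws-eks module. The `aws_kms_key.eks` resource and the `endpoint_public_access` and `public_access_cidrs` variables are assumptions introduced here; every other identifier is one checkov printed.

```hcl
# Added example, not the module's own code. Assumed: the two variables
# declared at the bottom; local.name, var.subnets, aws_iam_role.cp and
# aws_iam_role_policy_attachment.eks-cluster are the module's existing names.

# CKV_AWS_58 needs a customer-managed key for Secrets envelope encryption.
# Key policy is left to the caller; the cluster role must be allowed to use it.
resource "aws_kms_key" "eks" {
  description             = format("%s-eks-secrets", local.name)
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = merge(local.default-tags, var.tags)
}

resource "aws_eks_cluster" "cp" {
  name     = format("%s", local.name)
  role_arn = aws_iam_role.cp.arn
  version  = var.kubernetes_version
  tags     = merge(local.default-tags, var.tags)

  # CKV_AWS_37: the check wants every log type, so hard-code the full set
  # instead of deferring to a caller-supplied list that can be left empty.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  vpc_config {
    subnet_ids = var.subnets

    # CKV_AWS_39: private endpoint on, public endpoint off unless asked for.
    endpoint_private_access = true
    endpoint_public_access  = var.endpoint_public_access

    # CKV_AWS_38: if the public endpoint is enabled, it must not be open to
    # 0.0.0.0/0 (the API default, and what the check flags). Only send the
    # CIDR list when the public endpoint is actually on.
    public_access_cidrs = var.endpoint_public_access ? var.public_access_cidrs : null
  }

  # CKV_AWS_58: encrypt Kubernetes Secrets in etcd with the CMK above.
  # Once associated, this cannot be removed from the cluster.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks.arn
    }
    resources = ["secrets"]
  }

  depends_on = [
    aws_iam_role_policy_attachment.eks-cluster,
  ]
}

# Assumed variables (not in the module as scanned).
variable "endpoint_public_access" {
  type    = bool
  default = false
}

variable "public_access_cidrs" {
  type    = list(string)
  default = []

  # Fail at plan time rather than letting the scanner catch it later.
  validation {
    condition     = !contains(var.public_access_cidrs, "0.0.0.0/0")
    error_message = "public_access_cidrs must not contain 0.0.0.0/0; list the corporate or VPN ranges instead."
  }
}
```

Two operational consequences are worth planning for before applying this: with the public endpoint off, `kubectl` and any CI job that talks to the API server must reach it from inside the VPC (VPN, Direct Connect, a bastion or a runner in the VPC), and the control-plane logs now land in CloudWatch Logs at `/aws/eks/<cluster>/cluster`, so the audit and authenticator streams should be wired into whatever consumes your other CloudTrail and audit data. Checkov evaluates variable defaults, so the CKV_AWS_37 failure on `var.enabled_cluster_log_types` means the module's default does not cover all five types; the explicit list above is what the check is looking for.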
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.main.aws_launch_template.ng["bros-arm64"]
File: /main.tf:161-202
Calling File: /tests/bottlerocket-os/main.tf:14-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
161 | resource "aws_launch_template" "ng" {
162 | for_each = { for ng in var.node_groups : ng.name => ng }
163 | name = format("eks-%s", uuid())
164 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
165 | image_id = data.aws_ami.eks[each.key].id
166 | instance_type = lookup(each.value, "instance_type", local.default_eks_config.instance_type)
167 | user_data = (
168 | length(regexall("^AL2", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
169 | data.template_cloudinit_config.ng[each.key].rendered :
170 | length(regexall("^BOTTLEROCKET", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
171 | base64encode(local.bottlerocket_userdata) :
172 | data.template_cloudinit_config.ng[each.key].rendered
173 | )
174 |
175 | iam_instance_profile {
176 | arn = aws_iam_instance_profile.ng.0.arn
177 | }
178 |
179 | block_device_mappings {
180 | device_name = "/dev/xvda"
181 | ebs {
182 | volume_size = lookup(each.value, "disk_size", "20")
183 | volume_type = "gp2"
184 | delete_on_termination = true
185 | }
186 | }
187 |
188 | network_interfaces {
189 | security_groups = [aws_eks_cluster.cp.vpc_config.0.cluster_security_group_id]
190 | delete_on_termination = true
191 | }
192 |
193 | tag_specifications {
194 | resource_type = "instance"
195 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
196 | }
197 |
198 | lifecycle {
199 | create_before_destroy = true
200 | ignore_changes = [name]
201 | }
202 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.main.aws_autoscaling_group.ng["bros-arm64"]
File: /main.tf:204-279
Calling File: /tests/bottlerocket-os/main.tf:14-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.main.aws_launch_template.mng["bros"]
File: /main.tf:300-330
Calling File: /tests/bottlerocket-os/main.tf:14-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
300 | resource "aws_launch_template" "mng" {
301 | for_each = { for ng in var.managed_node_groups : ng.name => ng }
302 | name = format("eks-%s", uuid())
303 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
304 | user_data = (
305 | length(regexall("^AL2", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
306 | data.template_cloudinit_config.mng[each.key].rendered :
307 | length(regexall("^BOTTLEROCKET", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
308 | base64encode(local.bottlerocket_userdata) :
309 | data.template_cloudinit_config.mng[each.key].rendered
310 | )
311 |
312 | block_device_mappings {
313 | device_name = "/dev/xvda"
314 | ebs {
315 | volume_size = lookup(each.value, "disk_size", "20")
316 | volume_type = "gp2"
317 | delete_on_termination = true
318 | }
319 | }
320 |
321 | tag_specifications {
322 | resource_type = "instance"
323 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
324 | }
325 |
326 | lifecycle {
327 | create_before_destroy = true
328 | ignore_changes = [name]
329 | }
330 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.main.aws_launch_template.ng
File: /main.tf:161-202
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
161 | resource "aws_launch_template" "ng" {
162 | for_each = { for ng in var.node_groups : ng.name => ng }
163 | name = format("eks-%s", uuid())
164 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
165 | image_id = data.aws_ami.eks[each.key].id
166 | instance_type = lookup(each.value, "instance_type", local.default_eks_config.instance_type)
167 | user_data = (
168 | length(regexall("^AL2", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
169 | data.template_cloudinit_config.ng[each.key].rendered :
170 | length(regexall("^BOTTLEROCKET", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
171 | base64encode(local.bottlerocket_userdata) :
172 | data.template_cloudinit_config.ng[each.key].rendered
173 | )
174 |
175 | iam_instance_profile {
176 | arn = aws_iam_instance_profile.ng.0.arn
177 | }
178 |
179 | block_device_mappings {
180 | device_name = "/dev/xvda"
181 | ebs {
182 | volume_size = lookup(each.value, "disk_size", "20")
183 | volume_type = "gp2"
184 | delete_on_termination = true
185 | }
186 | }
187 |
188 | network_interfaces {
189 | security_groups = [aws_eks_cluster.cp.vpc_config.0.cluster_security_group_id]
190 | delete_on_termination = true
191 | }
192 |
193 | tag_specifications {
194 | resource_type = "instance"
195 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
196 | }
197 |
198 | lifecycle {
199 | create_before_destroy = true
200 | ignore_changes = [name]
201 | }
202 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: module.main.aws_autoscaling_group.ng
File: /main.tf:204-279
Calling File: /tests/defaults/main.tf:14-17
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.main.aws_launch_template.mng
File: /main.tf:300-330
Calling File: /tests/defaults/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
300 | resource "aws_launch_template" "mng" {
301 | for_each = { for ng in var.managed_node_groups : ng.name => ng }
302 | name = format("eks-%s", uuid())
303 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
304 | user_data = (
305 | length(regexall("^AL2", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
306 | data.template_cloudinit_config.mng[each.key].rendered :
307 | length(regexall("^BOTTLEROCKET", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
308 | base64encode(local.bottlerocket_userdata) :
309 | data.template_cloudinit_config.mng[each.key].rendered
310 | )
311 |
312 | block_device_mappings {
313 | device_name = "/dev/xvda"
314 | ebs {
315 | volume_size = lookup(each.value, "disk_size", "20")
316 | volume_type = "gp2"
317 | delete_on_termination = true
318 | }
319 | }
320 |
321 | tag_specifications {
322 | resource_type = "instance"
323 | tags = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
324 | }
325 |
326 | lifecycle {
327 | create_before_destroy = true
328 | ignore_changes = [name]
329 | }
330 | }
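The CKV_AWS_79 findings on `aws_launch_template.ng` and `aws_launch_template.mng` are the same omission twice: neither template sets `metadata_options`, so nodes are launched with IMDSv1 available and any pod that can reach `169.254.169.254` can read the node role's credentials. The CKV_AWS_315 findings on `aws_autoscaling_group.ng` concern the resource at `/main.tf:204-279`, which checkov did not print. The block below is an added example, not the module's own code, of an IMDSv2-only `ng` template and an Auto Scaling group that launches from it by id and explicit version. The `min_size`, `max_size` and `desired_size` lookups, `name_prefix`, `update_default_version` and `instance_refresh` are choices made here; the remaining identifiers are the ones in the scan output. The same `metadata_options` block belongs in `aws_launch_template.mng`.

```hcl
# Added example, not the module's own code. The user_data selection,
# image_id, instance profile and security group are kept as the scan shows them.
resource "aws_launch_template" "ng" {
  for_each = { for ng in var.node_groups : ng.name => ng }

  # name_prefix instead of uuid(): no new name on every plan and no
  # ignore_changes hack needed to keep the plan clean.
  name_prefix   = "eks-"
  tags          = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
  image_id      = data.aws_ami.eks[each.key].id
  instance_type = lookup(each.value, "instance_type", local.default_eks_config.instance_type)
  user_data = (
    length(regexall("^AL2", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
    data.template_cloudinit_config.ng[each.key].rendered :
    length(regexall("^BOTTLEROCKET", lookup(each.value, "ami_type", local.default_eks_config.ami_type))) > 0 ?
    base64encode(local.bottlerocket_userdata) :
    data.template_cloudinit_config.ng[each.key].rendered
  )

  # CKV_AWS_79: require the session token (IMDSv2 only). A hop limit of 1
  # also stops pods on the CNI veth network from reaching the node's
  # credentials at all; raise it to 2 only for workloads that cannot be
  # moved to IRSA, and treat that as an exception to review.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  iam_instance_profile {
    arn = aws_iam_instance_profile.ng.0.arn
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size           = lookup(each.value, "disk_size", "20")
      volume_type           = "gp3"
      encrypted             = true
      delete_on_termination = true
    }
  }

  network_interfaces {
    security_groups       = [aws_eks_cluster.cp.vpc_config.0.cluster_security_group_id]
    delete_on_termination = true
  }

  tag_specifications {
    resource_type = "instance"
    tags          = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
  }

  # New instances pick up the newest template version automatically.
  update_default_version = true

  lifecycle {
    create_before_destroy = true
  }
}

# CKV_AWS_315: launch from the template above, pinned to an explicit version,
# rather than from a launch configuration or an inline instance spec.
resource "aws_autoscaling_group" "ng" {
  for_each = { for ng in var.node_groups : ng.name => ng }

  name_prefix         = format("eks-%s-", each.key)
  vpc_zone_identifier = var.subnets
  min_size            = lookup(each.value, "min_size", 1)
  max_size            = lookup(each.value, "max_size", 3)
  desired_capacity    = lookup(each.value, "desired_size", 1)

  launch_template {
    id      = aws_launch_template.ng[each.key].id
    version = aws_launch_template.ng[each.key].latest_version
  }

  # Roll the group when the template changes so every node ends up IMDSv2-only,
  # instead of waiting for instances to be replaced by chance.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 90
    }
  }

  # The cluster tag in local.eks-tag is what lets nodes join and the
  # autoscaler discover the group, so it must propagate to instances.
  dynamic "tag" {
    for_each = merge(local.default-tags, local.eks-tag, var.tags, lookup(each.value, "tags", {}))
    content {
      key                 = tag.key
      value               = tag.value
      propagate_at_launch = true
    }
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

After the rollout, confirm from inside a pod that `curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/` now times out or returns 401; if a workload breaks, it was depending on the node role and is the first candidate for an IRSA role via the module's own `iam-role-for-serviceaccount` submodule.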
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.main["corp"].aws_ecr_repository.repo
File: /modules/ecr/main.tf:80-88
Calling File: /modules/ecr/tests/namespace/main.tf:9-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
80 | resource "aws_ecr_repository" "repo" {
81 | name = local.repo
82 | tags = merge(var.tags, local.default-tags)
83 |
84 | image_tag_mutability = var.image_tag_mutability
85 | image_scanning_configuration {
86 | scan_on_push = var.scan_on_push
87 | }
88 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.main["corp"].aws_ecr_repository.repo
File: /modules/ecr/main.tf:80-88
Calling File: /modules/ecr/tests/namespace/main.tf:9-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
80 | resource "aws_ecr_repository" "repo" {
81 | name = local.repo
82 | tags = merge(var.tags, local.default-tags)
83 |
84 | image_tag_mutability = var.image_tag_mutability
85 | image_scanning_configuration {
86 | scan_on_push = var.scan_on_push
87 | }
88 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.main["corp"].aws_ecr_repository.repo
File: /modules/ecr/main.tf:80-88
Calling File: /modules/ecr/tests/namespace/main.tf:9-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
80 | resource "aws_ecr_repository" "repo" {
81 | name = local.repo
82 | tags = merge(var.tags, local.default-tags)
83 |
84 | image_tag_mutability = var.image_tag_mutability
85 | image_scanning_configuration {
86 | scan_on_push = var.scan_on_push
87 | }
88 | }
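The three ECR findings (CKV_AWS_163, CKV_AWS_51 and CKV_AWS_136) are all settings on `aws_ecr_repository.repo`: scanning and tag mutability are deferred to variables whose defaults checkov evaluated as failing, and there is no `encryption_configuration` at all, so the repository falls back to the AES256 default. The block below is an added example, not the module's code, of a repository that passes all three; `aws_kms_key.ecr` and the `aws_ecr_lifecycle_policy` resource are introduced here, while `local.repo`, `var.tags` and `local.default-tags` are the module's own.

```hcl
# Added example, not the module's own code. Assumed: aws_kms_key.ecr and the
# lifecycle policy below; local.repo, var.tags and local.default-tags exist.

# CKV_AWS_136: customer-managed key so access to image layers is gated by
# a key policy you control and KMS usage shows up in CloudTrail.
resource "aws_kms_key" "ecr" {
  description             = format("%s-ecr", local.repo)
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = merge(var.tags, local.default-tags)
}

resource "aws_ecr_repository" "repo" {
  name = local.repo
  tags = merge(var.tags, local.default-tags)

  # CKV_AWS_51: a tag, once pushed, can never be re-pointed at a different
  # digest, so the "v1.2.3" that was reviewed is the "v1.2.3" that deploys.
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: scan every pushed image. Set here rather than left to a
  # variable so a caller cannot switch it off by omission.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136. Note: changing encryption on an existing repository forces
  # replacement, so re-push images afterwards.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}

# Immutable tags mean "latest"-style overwrites now fail. Keep storage
# bounded by expiring untagged layers and capping tagged images instead.
resource "aws_ecr_lifecycle_policy" "repo" {
  repository = aws_ecr_repository.repo.name

  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "expire untagged images after 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "keep only the 50 most recent v* images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 50
        }
        action = { type = "expire" }
      }
    ]
  })
}
```

Immutable tags change the CI contract: pipelines that retag `latest` or rebuild an existing version tag will get `ImageTagAlreadyExistsException` on push, which is the point. Tag by commit SHA or a unique version and have deployments reference the digest from the push output.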
dockerfile scan results:
Passed checks: 145, Failed checks: 6, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /examples/blueprint/apps/hellojs/Dockerfile.
File: /examples/blueprint/apps/hellojs/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM node:14
2 | WORKDIR /usr/src/app
3 | COPY package*.json app.js ./
4 | RUN npm install
5 | EXPOSE 3000
6 | CMD ["node", "app.js"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /examples/blueprint/apps/hellojs/Dockerfile.
File: /examples/blueprint/apps/hellojs/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:14
2 | WORKDIR /usr/src/app
3 | COPY package*.json app.js ./
4 | RUN npm install
5 | EXPOSE 3000
6 | CMD ["node", "app.js"]
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /examples/blueprint/apps/yelb/Dockerfile.ADD
File: /examples/blueprint/apps/yelb/Dockerfile:28-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
28 | ADD startup.sh startup.sh
Check: CKV_DOCKER_6: "Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)"
FAILED for resource: /examples/blueprint/apps/yelb/Dockerfile.MAINTAINER
File: /examples/blueprint/apps/yelb/Dockerfile:2-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-label-maintainer-is-used-instead-of-maintainer-deprecated.html
2 | MAINTAINER [email protected]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /examples/blueprint/apps/yelb/Dockerfile.
File: /examples/blueprint/apps/yelb/Dockerfile:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM bitnami/ruby:2.4.2-r1
2 | MAINTAINER [email protected]
3 |
4 | ################## BEGIN INSTALLATION ######################
5 |
6 | # Set the working directory to /app
7 | WORKDIR /app
8 |
9 | COPY yelb-appserver.rb yelb-appserver.rb
10 | COPY Gemfile Gemfile
11 | COPY modules modules
12 |
13 | ENV LANG=en_us.UTF-8
14 | ENV LC_ALL=C.UTF-8
15 | ENV RACK_ENV=production
16 |
17 | RUN gem install sinatra --no-ri --no-rdoc
18 | RUN gem install redis --no-ri --no-rdoc
19 | ### hack to allow the setup of the pg gem (which would fail otherwise)
20 | RUN apt-get update
21 | RUN apt-get install libpq-dev -y
22 | ### end of hack (this would require additional research and optimization)
23 | RUN gem install pg --no-ri --no-rdoc
24 | ### this installs the AWS SDK for DynamoDB (so that appserver can talk to DDB Vs the default Postgres/Redis)
25 | RUN gem install aws-sdk-dynamodb pg --no-ri --no-rdoc
26 | # Set the working directory to /
27 | WORKDIR /
28 | ADD startup.sh startup.sh
29 |
30 | ##################### INSTALLATION END #####################
31 |
32 | CMD ["./startup.sh"]
33 |
34 |
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /examples/blueprint/apps/yelb/Dockerfile.
File: /examples/blueprint/apps/yelb/Dockerfile:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM bitnami/ruby:2.4.2-r1
2 | MAINTAINER [email protected]
3 |
4 | ################## BEGIN INSTALLATION ######################
5 |
6 | # Set the working directory to /app
7 | WORKDIR /app
8 |
9 | COPY yelb-appserver.rb yelb-appserver.rb
10 | COPY Gemfile Gemfile
11 | COPY modules modules
12 |
13 | ENV LANG=en_us.UTF-8
14 | ENV LC_ALL=C.UTF-8
15 | ENV RACK_ENV=production
16 |
17 | RUN gem install sinatra --no-ri --no-rdoc
18 | RUN gem install redis --no-ri --no-rdoc
19 | ### hack to allow the setup of the pg gem (which would fail otherwise)
20 | RUN apt-get update
21 | RUN apt-get install libpq-dev -y
22 | ### end of hack (this would require additional research and optimization)
23 | RUN gem install pg --no-ri --no-rdoc
24 | ### this installs the AWS SDK for DynamoDB (so that appserver can talk to DDB Vs the default Postgres/Redis)
25 | RUN gem install aws-sdk-dynamodb pg --no-ri --no-rdoc
26 | # Set the working directory to /
27 | WORKDIR /
28 | ADD startup.sh startup.sh
29 |
30 | ##################### INSTALLATION END #####################
31 |
32 | CMD ["./startup.sh"]
33 |
34 |
secrets scan results:
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 4609b59cabede2db04065fd0e55218eb252a3cac
File: /examples/blueprint/modules/kubernetes-addons/charts/spinnaker/values.yaml:244-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
244 | secretKey: spi***********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 4609b59cabede2db04065fd0e55218eb252a3cac
File: /examples/blueprint/modules/kubernetes-addons/main.tf:192-193
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
192 | "minio.rootPassword" = "spi***********"
github_actions scan results:
Passed checks: 11, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Close stale issues and PRs)
File: /.github/workflows/stale.yaml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools