[BLAZ-886] Added semgrep rules for aws data

iriusrisk · Nov 27, 2024 · ead4568 · ead4568
1 parent 3b08a81
commit ead4568
Show file tree

Hide file tree

Showing 13 changed files with 87 additions and 33 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -17,7 +17,15 @@ jobs:
       - uses: actions/checkout@v3
 
       - id: semgrep
-        run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
+        run: |-
+          semgrep ci 
+          --config=p/owasp-top-ten 
+          --config=p/cwe-top-25 
+          --config=p/gitleaks
+          --config .semgrep/rules/detected-aws-account-id-in-arn.yaml  
+          --config r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id 
+          --config r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key 
+          -q --skip-unknown-extensions --suppress-errors
         continue-on-error: true
 
       - name: Get branch name (pull request)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,18 +1,24 @@
 repos:
 - repo: https://github.com/returntocorp/semgrep
-  rev: 'v1.14.0'
+  rev: 'v1.89.0'
   hooks:
     - id: semgrep
-      exclude: "(.)*/tests|tests"
       args: [
+        '--metrics=off',
         '--config',
         'p/owasp-top-ten',
         '--config',
         'p/cwe-top-25',
         '--config',
         'p/gitleaks',
+        '--config',
+        'r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id',
+        '--config',
+        '.semgrep/rules/detected-aws-account-id-in-arn.yaml',
+        '--config',
+        'r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key',
         '--error',
         '--skip-unknown-extensions',
         '--exclude-rule=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text'
       ]
-      stages: [commit]
+      stages: [pre-commit]
diff --git a/.semgrep/rules/detected-aws-account-id-in-arn.yaml b/.semgrep/rules/detected-aws-account-id-in-arn.yaml
@@ -0,0 +1,28 @@
+rules:
+  - id: detected-aws-account-id-in-arn
+    patterns:
+      - pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)
+      - pattern-not-regex: 12345|00000
+    languages:
+      - regex
+    message: AWS Account ID detected in arn.
+    severity: ERROR
+    metadata:
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+      category: security
+      technology:
+        - secrets
+        - aws
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: HIGH
diff --git a/docs/startleft-processors/iac/tf/Terraform-Quickstart.md b/docs/startleft-processors/iac/tf/Terraform-Quickstart.md
@@ -47,7 +47,7 @@ data "aws_ami" "ubuntu" {
     values = ["hvm"]
   }
 
-  owners = ["099720109477"] # Canonical
+  owners = ["123456789012"] # Canonical
 }
 
 resource "aws_instance" "web" {

diff --git a/examples/tfplan/aws-ingesting-click-logs-using-terraform.json b/examples/tfplan/aws-ingesting-click-logs-using-terraform.json
@@ -927,7 +927,7 @@
         "schema_version": 0,
         "values": {
           "acl": "private",
-          "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+          "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
           "bucket_prefix": null,
           "force_destroy": false,
           "tags": {
@@ -2319,7 +2319,7 @@
       "before": null,
       "after": {
         "acl": "private",
-        "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+        "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
         "bucket_prefix": null,
         "force_destroy": false,
         "tags": {
@@ -2379,7 +2379,7 @@
       "before": null,
       "after": {
         "acl": "private",
-        "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+        "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
         "bucket_prefix": null,
         "force_destroy": false,
         "tags": {
@@ -2571,9 +2571,9 @@
           "provider_name": "registry.terraform.io/hashicorp/aws",
           "schema_version": 0,
           "values": {
-            "account_id": "154977180039",
-            "arn": "arn:aws:iam::656177851052:user/someuser",
-            "id": "194477180039",
+            "account_id": "123456789012",
+            "arn": "arn:aws:iam::123456789015:user/someuser",
+            "id": "123456789014",
             "user_id": "ANYUSERID"
           },
           "sensitive_values": {}}, {

diff --git a/slp_cft/tests/resources/otm/otm_expected_result.otm b/slp_cft/tests/resources/otm/otm_expected_result.otm
@@ -368,7 +368,7 @@
             ]
         },
         {
-            "id": "c3b000fd-6108-403c-adee-282422171840",
+            "id": "c3b000fd-6108-403c-adee-123456789012",
             "name": "VPCmonitoringSecurityGroup -> VPCmonitoring",
             "source": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc",
             "destination": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc.privatesubnet1.vpcmonitoring",

diff --git a/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf b/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf
@@ -150,7 +150,7 @@ module "db" {
 
 data "aws_ami" "iriusrisk_ha" {
   most_recent = true
-  owners      = ["154977180039"]
+  owners      = ["123456789012"]
 
   filter {
     name   = "name"

diff --git a/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf b/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf
@@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" {
 resource "aws_kms_key" "kms_key" {
   description             = "KMS key 1"
   deletion_window_in_days = 10
+  enable_key_rotation     = true
 }
 
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" {
   name = "Yada"
-
+  retention_in_days = 14
   tags = {
     Environment = "production"
     Application = "serviceA"
   }
+
 }
 
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" {
   name = "Yada"
-
+  retention_in_days = 14
   tags = {
     Environment = "production"
     Application = "serviceA"
@@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" {
 
   user {
     username = "ExampleUser"
-    password = "MindTheGap"
+    password = "******"
   }
 }
 
@@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" {
 
 resource "aws_ecr_repository" "ecr_repository" {
   name = "bar"
+  image_tag_mutability = "IMMUTABLE"
 }
 
 resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
@@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_sns_topic_subscription" "sns_topic_subscription" {
-  topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic"
+  topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic"
   protocol  = "sqs"
-  endpoint  = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too"
+  endpoint  = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too"
 }
 
 resource "aws_waf_ipset" "waf_ipset" {
@@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" {
 resource "aws_kinesis_stream" "kinesis_stream" {
   name        = "example-stream"
   shard_count = 1
+  encryption_type = "KMS"
+  kms_key_id      = "example-kms-key-id"
+
 }
 
 resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" {

diff --git a/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf b/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf
@@ -259,7 +259,7 @@ resource "aws_security_group" "webserver" {
 
 data "aws_ami" "iriusrisk_ha" {
   most_recent = true
-  owners      = ["154977180039"]
+  owners      = ["123456789012"]
 
   filter {
     name   = "name"

diff --git a/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars b/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars
@@ -10,8 +10,8 @@ iriusrisk_version        = "4.5.1"
 startleft_version        = "startleft"
 type                     = "internal"
 bastion_host_cidrs       = ["52.30.97.44/32"]
-certificate_arn          = "arn:aws:iam::154977180039:server-certificate/wildcard-iriusrisk-com-until-25-oct-2022"
-iam_instance_profile_arn = "arn:aws:iam::154977180039:instance-profile/myManagedInstanceRoleforSSM"
+certificate_arn          = "arn:aws:iam::123456789012:server-certificate/example-certificate"
+iam_instance_profile_arn = "arn:aws:iam::123456789012:instance-profile/myManagedInstanceRoleforSSM"
 
 ## vpc
 vpc_cidr              = "10.0.0.0/16"

diff --git a/slp_tfplan/tests/resources/tfplan/official-tfplan.json b/slp_tfplan/tests/resources/tfplan/official-tfplan.json
@@ -927,7 +927,7 @@
         "schema_version": 0,
         "values": {
           "acl": "private",
-          "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+          "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
           "bucket_prefix": null,
           "force_destroy": false,
           "tags": {
@@ -2319,7 +2319,7 @@
       "before": null,
       "after": {
         "acl": "private",
-        "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+        "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
         "bucket_prefix": null,
         "force_destroy": false,
         "tags": {
@@ -2379,7 +2379,7 @@
       "before": null,
       "after": {
         "acl": "private",
-        "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+        "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
         "bucket_prefix": null,
         "force_destroy": false,
         "tags": {
@@ -2571,9 +2571,9 @@
           "provider_name": "registry.terraform.io/hashicorp/aws",
           "schema_version": 0,
           "values": {
-            "account_id": "154977180039",
-            "arn": "arn:aws:iam::656177851052:user/someuser",
-            "id": "194477180039",
+            "account_id": "123456789012",
+            "arn": "arn:aws:iam::123456789012:user/someuser",
+            "id": "123456789012",
             "user_id": "ANYUSERID"
           },
           "sensitive_values": {}}, {

diff --git a/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf b/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf
@@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" {
 resource "aws_kms_key" "kms_key" {
   description             = "KMS key 1"
   deletion_window_in_days = 10
+  enable_key_rotation     = true
 }
 
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" {
   name = "Yada"
-
+  retention_in_days = 14
   tags = {
     Environment = "production"
     Application = "serviceA"
   }
+
 }
 
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" {
   name = "Yada"
-
+  retention_in_days = 14
   tags = {
     Environment = "production"
     Application = "serviceA"
@@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" {
 
   user {
     username = "ExampleUser"
-    password = "MindTheGap"
+    password = "******"
   }
 }
 
@@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" {
 
 resource "aws_ecr_repository" "ecr_repository" {
   name = "bar"
+  image_tag_mutability = "IMMUTABLE"
 }
 
 resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
@@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_sns_topic_subscription" "sns_topic_subscription" {
-  topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic"
+  topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic"
   protocol  = "sqs"
-  endpoint  = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too"
+  endpoint  = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too"
 }
 
 resource "aws_waf_ipset" "waf_ipset" {
@@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" {
 resource "aws_kinesis_stream" "kinesis_stream" {
   name        = "example-stream"
   shard_count = 1
+  encryption_type = "KMS"
+  kms_key_id      = "example-kms-key-id"
+
 }
 
 resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" {

diff --git a/tests/resources/terraform/terraform_extra_modules_sample.tf b/tests/resources/terraform/terraform_extra_modules_sample.tf
@@ -150,7 +150,7 @@ module "db" {
 
 data "aws_ami" "iriusrisk_ha" {
   most_recent = true
-  owners      = ["154977180039"]
+  owners      = ["123456789012"]
 
   filter {
     name   = "name"