diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 4296b663..917d4328 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v3 - id: semgrep - run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors + run: semgrep ci --metrics=off --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks --config .semgrep/rules/detected-aws-account-id-in-arn.yaml --config r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id --config r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key -q --skip-unknown-extensions --suppress-errors continue-on-error: true - name: Get branch name (pull request) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index da8dbc21..7a6969de 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,18 +1,24 @@ repos: - repo: https://github.com/returntocorp/semgrep - rev: 'v1.14.0' + rev: 'v1.89.0' hooks: - id: semgrep - exclude: "(.)*/tests|tests" args: [ + '--metrics=off', '--config', 'p/owasp-top-ten', '--config', 'p/cwe-top-25', '--config', 'p/gitleaks', + '--config', + 'r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id', + '--config', + '.semgrep/rules/detected-aws-account-id-in-arn.yaml', + '--config', + 'r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key', '--error', '--skip-unknown-extensions', '--exclude-rule=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text' ] - stages: [commit] + stages: [pre-commit] diff --git a/.semgrep/rules/detected-aws-account-id-in-arn.yaml b/.semgrep/rules/detected-aws-account-id-in-arn.yaml new file mode 100644 index 00000000..6d3b2a0d --- /dev/null +++ b/.semgrep/rules/detected-aws-account-id-in-arn.yaml 
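Review bot: The secret-detection configs added to the new `run:` line cannot block anything in this job, because the step keeps `continue-on-error: true` (visible context) together with `--suppress-errors`, so a hit from the new AWS-account-ID rules only appears in the log. If the goal is to gate merges on hard-coded account IDs, drop `continue-on-error: true` or add a follow-up step that fails on the semgrep exit status. Dropping `--exclude="tests" --exclude="*/tests"` also means every test fixture is now scanned with `p/owasp-top-ten` and `p/cwe-top-25`, which is presumably why the fixture files elsewhere in this commit gained hardening attributes; a one-line comment above the step stating that tests are scanned on purpose would stop the next maintainer from re-adding the excludes. The job and step definitions start outside the hunk.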
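Review bot: The rule list is now duplicated between this hook and `.github/workflows/semgrep.yml`, in a different order and with different flags (`--error` and `--exclude-rule=...` are hook-only), so the two scanners will drift; keeping the shared set in one place, for example the `.semgrep/rules/` directory passed as a single `--config .semgrep/rules` plus the registry packs listed once, would make the two runs comparable. The three `r/generic.secrets...` entries and the `p/` packs are fetched from the Semgrep registry at every commit, so hook results are not pinned the way `rev: 'v1.89.0'` pins the binary; vendoring the two secret rules next to `detected-aws-account-id-in-arn.yaml` would make the hook reproducible and usable offline. `stages: [pre-commit]` is only understood by pre-commit 3.2 and later; adding `minimum_pre_commit_version: '3.2.0'` at the top of the file gives older installs a clear error instead of a rejected config.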
@@ -0,0 +1,28 @@
+rules:
+ - id: detected-aws-account-id-in-arn
+ patterns:
+ - pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)
+ - pattern-not-regex: 12345|00000
+ languages:
+ - regex
+ message: AWS Account ID detected in arn.
+ severity: ERROR
+ metadata:
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
+ category: security
+ technology:
+ - secrets
+ - aws
+ confidence: LOW
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+ cwe2022-top25: true
+ cwe2021-top25: true
+ subcategory:
+ - audit
+ likelihood: LOW
+ impact: HIGH
\ No newline at end of file
diff --git a/docs/startleft-processors/iac/tf/Terraform-Quickstart.md b/docs/startleft-processors/iac/tf/Terraform-Quickstart.md
index fc792b7c..f96c68b0 100644
--- a/docs/startleft-processors/iac/tf/Terraform-Quickstart.md
+++ b/docs/startleft-processors/iac/tf/Terraform-Quickstart.md
@@ -47,7 +47,7 @@ data "aws_ami" "ubuntu" {
 values = ["hvm"]
 }
- owners = ["099720109477"] # Canonical
+ owners = ["123456789012"] # Canonical
 }
 resource "aws_instance" "web" {
diff --git a/examples/tfplan/aws-ingesting-click-logs-using-terraform.json b/examples/tfplan/aws-ingesting-click-logs-using-terraform.json
index ac3dcc73..355648cf 100644
--- a/examples/tfplan/aws-ingesting-click-logs-using-terraform.json
+++ b/examples/tfplan/aws-ingesting-click-logs-using-terraform.json
@@ -927,7 +927,7 @@
 "schema_version": 0,
 "values": {
 "acl": "private",
- "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039",
+ "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012",
 "bucket_prefix": null,
 "force_destroy": false,
 "tags": {
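Review bot: `pattern-regex: ((?i:aws|arn)[^\d]+\d{12}[^\d]+)` has two precision problems: `(?i:aws|arn)` is not word-bounded, so `arn` inside `warn`/`earn` and `aws` inside longer tokens count as a prefix, and `[^\d]+` runs across newlines without limit, so any such token followed, however far away, by the next 12-digit run with no digit in between is reported. Bounding the gap, requiring word boundaries and anchoring the allow-list keeps the intent while cutting the noise, e.g. `- pattern-regex: (\b(?i:aws|arn)\b[^\d\n]{1,64}\d{12}(?!\d))` and `- pattern-not-regex: \b(?:1234567890\d\d|0{12})\b`, which still whitelists the `123456789012`–`123456789015` placeholders this commit uses while no longer suppressing a real ID merely because it contains `12345` or `00000` as a substring. Public vendor account IDs are not secrets either: the `Terraform-Quickstart.md` hunk below replaces Canonical's AMI owner ID with `123456789012` but keeps the `# Canonical` comment, so that example can no longer resolve an AMI; an allow-list entry for that ID would be safer than editing the doc. The rule file also lacks a trailing newline (`\ No newline at end of file`).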
@@ -2319,7 +2319,7 @@ "before": null, "after": { "acl": "private", - "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039", + "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012", "bucket_prefix": null, "force_destroy": false, "tags": { @@ -2379,7 +2379,7 @@ "before": null, "after": { "acl": "private", - "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039", + "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012", "bucket_prefix": null, "force_destroy": false, "tags": { @@ -2571,9 +2571,9 @@ "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "values": { - "account_id": "154977180039", - "arn": "arn:aws:iam::656177851052:user/someuser", - "id": "194477180039", + "account_id": "123456789012", + "arn": "arn:aws:iam::123456789015:user/someuser", + "id": "123456789014", "user_id": "ANYUSERID" }, "sensitive_values": {}}, { diff --git a/slp_cft/tests/resources/otm/otm_expected_result.otm b/slp_cft/tests/resources/otm/otm_expected_result.otm index ddda7944..24f63367 100644 --- a/slp_cft/tests/resources/otm/otm_expected_result.otm +++ b/slp_cft/tests/resources/otm/otm_expected_result.otm @@ -368,7 +368,7 @@ ] }, { - "id": "c3b000fd-6108-403c-adee-282422171840", + "id": "c3b000fd-6108-403c-adee-123456789012", "name": "VPCmonitoringSecurityGroup -> VPCmonitoring", "source": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc", "destination": "b61d6911-338d-46a8-9f39-8dcd24abfe91.customvpc.privatesubnet1.vpcmonitoring", diff --git a/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf b/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf index a827a451..477c979b 100644 --- a/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf +++ b/slp_tf/tests/resources/tf/calculate_modules/terraform_extra_modules_sample.tf 
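Review bot: The caller-identity values in the `@@ -2571` hunk are sanitized differently in the two copies of this fixture: here `account_id`, `arn` and `id` become `123456789012`, `123456789015` and `123456789014`, while the same file under `slp_tfplan/tests/resources/tfplan/official-tfplan.json` (same pre-image `ac3dcc73`) gets `123456789012` for all three. Both copies came from one plan, and `id` and `account_id` looked like the same kind of value before the edit, so the three-different-IDs variant reads as a transcription slip; make the two copies identical (the all-`123456789012` form) so a diff between them stays empty. The enclosing JSON object starts and ends outside the hunk.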
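Review bot: `"id": "c3b000fd-6108-403c-adee-123456789012"` in `otm_expected_result.otm` rewrites the last group of a UUID, which is not an AWS account ID; if the scanner flagged it, that is a false positive of the 12-digit rule, and changing an expected-result fixture only helps if the code under test does not derive or compare this dataflow id (please confirm the test still passes with the new value). If the id is compared, keep the original value and exclude this path or pattern on the rule side rather than bending the expected output to the scanner. The surrounding dataflow object starts and ends outside the hunk.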
@@ -150,7 +150,7 @@ module "db" { data "aws_ami" "iriusrisk_ha" { most_recent = true - owners = ["154977180039"] + owners = ["123456789012"] filter { name = "name" diff --git a/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf b/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf index 6c7b07b1..895955f6 100644 --- a/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf +++ b/slp_tf/tests/resources/tf/mapping_functions/aws_singleton_components_unix_line_breaks.tf @@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" { resource "aws_kms_key" "kms_key" { description = "KMS key 1" deletion_window_in_days = 10 + enable_key_rotation = true } resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" { name = "Yada" - + retention_in_days = 14 tags = { Environment = "production" Application = "serviceA" } + } resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" { name = "Yada" - + retention_in_days = 14 tags = { Environment = "production" Application = "serviceA" @@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" { user { username = "ExampleUser" - password = "MindTheGap" + password = "******" } } @@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" { resource "aws_ecr_repository" "ecr_repository" { name = "bar" + image_tag_mutability = "IMMUTABLE" } resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" { @@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" { } resource "aws_sns_topic_subscription" "sns_topic_subscription" { - topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic" + topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic" protocol = "sqs" - endpoint = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too" + endpoint = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too" } resource "aws_waf_ipset" "waf_ipset" { 
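Review bot: The new `retention_in_days = 14` in `cloudwatch_log_group_1` comes with an added blank line before the closing `}` that `cloudwatch_log_group_2` does not get, and the `aws_kinesis_stream` block in the `@@ -392` hunk picks up a trailing blank line after `kms_key_id` in the same way; drop those two `+` blank lines so sibling resources stay formatted alike. The same hunks are repeated verbatim in `tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf`. Since these are mapping-test fixtures, a one-line comment at the top of each file saying that `enable_key_rotation`, `retention_in_days`, `image_tag_mutability` and `encryption_type` exist only to satisfy the Semgrep packs now run over `tests/`, not because the mapping depends on them, would keep later edits from treating them as test inputs.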
@@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" { resource "aws_kinesis_stream" "kinesis_stream" { name = "example-stream" shard_count = 1 + encryption_type = "KMS" + kms_key_id = "example-kms-key-id" + } resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" { diff --git a/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf b/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf index 010a7451..3b90b0f9 100644 --- a/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf +++ b/slp_tf/tests/resources/tf/terraform_main_referenced_variables.tf @@ -259,7 +259,7 @@ resource "aws_security_group" "webserver" { data "aws_ami" "iriusrisk_ha" { most_recent = true - owners = ["154977180039"] + owners = ["123456789012"] filter { name = "name" diff --git a/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars b/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars index 83c3caf6..c1824723 100644 --- a/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars +++ b/slp_tf/tests/resources/tf/terraform_variables_files_referenced_variables.tfvars @@ -10,8 +10,8 @@ iriusrisk_version = "4.5.1" startleft_version = "startleft" type = "internal" bastion_host_cidrs = ["52.30.97.44/32"] -certificate_arn = "arn:aws:iam::154977180039:server-certificate/wildcard-iriusrisk-com-until-25-oct-2022" -iam_instance_profile_arn = "arn:aws:iam::154977180039:instance-profile/myManagedInstanceRoleforSSM" +certificate_arn = "arn:aws:iam::123456789012:server-certificate/example-certificate" +iam_instance_profile_arn = "arn:aws:iam::123456789012:instance-profile/myManagedInstanceRoleforSSM" ## vpc vpc_cidr = "10.0.0.0/16" diff --git a/slp_tfplan/tests/resources/tfplan/official-tfplan.json b/slp_tfplan/tests/resources/tfplan/official-tfplan.json index ac3dcc73..c00e7809 100644 --- a/slp_tfplan/tests/resources/tfplan/official-tfplan.json 
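Review bot: `bastion_host_cidrs = ["52.30.97.44/32"]`, two lines above the sanitized `certificate_arn`, is still a specific public /32 that this pass did not touch; if it is a real bastion address rather than an invented one, replace it with an address from an RFC 5737 documentation range, e.g. `bastion_host_cidrs = ["192.0.2.10/32"]`, so the fixture does not name live infrastructure. The new `example-certificate` ARN and the `123456789012` account are fine as placeholders. The tfvars file continues outside the hunk.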
+++ b/slp_tfplan/tests/resources/tfplan/official-tfplan.json @@ -927,7 +927,7 @@ "schema_version": 0, "values": { "acl": "private", - "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039", + "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012", "bucket_prefix": null, "force_destroy": false, "tags": { @@ -2319,7 +2319,7 @@ "before": null, "after": { "acl": "private", - "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039", + "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012", "bucket_prefix": null, "force_destroy": false, "tags": { @@ -2379,7 +2379,7 @@ "before": null, "after": { "acl": "private", - "bucket": "clicklogger-dev-firehose-delivery-bucket-154977180039", + "bucket": "clicklogger-dev-firehose-delivery-bucket-123456789012", "bucket_prefix": null, "force_destroy": false, "tags": { @@ -2571,9 +2571,9 @@ "provider_name": "registry.terraform.io/hashicorp/aws", "schema_version": 0, "values": { - "account_id": "154977180039", - "arn": "arn:aws:iam::656177851052:user/someuser", - "id": "194477180039", + "account_id": "123456789012", + "arn": "arn:aws:iam::123456789012:user/someuser", + "id": "123456789012", "user_id": "ANYUSERID" }, "sensitive_values": {}}, { diff --git a/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf b/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf index 6c7b07b1..895955f6 100644 --- a/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf +++ b/tests/resources/terraform/aws_singleton_components_unix_line_breaks.tf 
@@ -40,20 +40,22 @@ resource "aws_acm_certificate" "acm_certificate" { resource "aws_kms_key" "kms_key" { description = "KMS key 1" deletion_window_in_days = 10 + enable_key_rotation = true } resource "aws_cloudwatch_log_group" "cloudwatch_log_group_1" { name = "Yada" - + retention_in_days = 14 tags = { Environment = "production" Application = "serviceA" } + } resource "aws_cloudwatch_log_group" "cloudwatch_log_group_2" { name = "Yada" - + retention_in_days = 14 tags = { Environment = "production" Application = "serviceA" @@ -140,7 +142,7 @@ resource "aws_mq_broker" "mq_broker" { user { username = "ExampleUser" - password = "MindTheGap" + password = "******" } } @@ -190,6 +192,7 @@ resource "aws_config_configuration_recorder" "config_configuration_recorder" { resource "aws_ecr_repository" "ecr_repository" { name = "bar" + image_tag_mutability = "IMMUTABLE" } resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" { @@ -293,9 +296,9 @@ resource "aws_sns_topic" "sns_topic" { } resource "aws_sns_topic_subscription" "sns_topic_subscription" { - topic_arn = "arn:aws:sns:us-west-2:432981146916:user-updates-topic" + topic_arn = "arn:aws:sns:us-west-2:123456789012:user-updates-topic" protocol = "sqs" - endpoint = "arn:aws:sqs:us-west-2:432981146916:terraform-queue-too" + endpoint = "arn:aws:sqs:us-west-2:123456789012:terraform-queue-too" } resource "aws_waf_ipset" "waf_ipset" { @@ -392,6 +395,9 @@ resource "aws_kinesis_analytics_application" "kinesis_analytics_application_2" { resource "aws_kinesis_stream" "kinesis_stream" { name = "example-stream" shard_count = 1 + encryption_type = "KMS" + kms_key_id = "example-kms-key-id" + } resource "aws_kinesis_stream_consumer" "kinesis_stream_consumer" { diff --git a/tests/resources/terraform/terraform_extra_modules_sample.tf b/tests/resources/terraform/terraform_extra_modules_sample.tf index a827a451..477c979b 100644 --- a/tests/resources/terraform/terraform_extra_modules_sample.tf 
+++ b/tests/resources/terraform/terraform_extra_modules_sample.tf @@ -150,7 +150,7 @@ module "db" { data "aws_ami" "iriusrisk_ha" { most_recent = true - owners = ["154977180039"] + owners = ["123456789012"] filter { name = "name"