Merge branch 'main' into patch-1

aquasecurity · Oct 20, 2024 · 225ea09 · 225ea09
2 parents 38258f1 + e9a668e
commit 225ea09
Show file tree

Hide file tree

Showing 105 changed files with 977 additions and 282 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,14 +6,14 @@ updates:
     schedule:
       interval: "weekly"
     ignore:
-      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
+      - dependency-name: "github.com/aquasecurity/trivy" ## `trivy` are updated manually
     groups:
       docker:
         patterns:
           - "github.com/docker/*"
       common:
         exclude-patterns:
-          - "github.com/aquasecurity/trivy-*"
+          - "github.com/aquasecurity/trivy"
         patterns:
           - "*"
   - package-ecosystem: github-actions

diff --git a/avd_docs/dockerfile/general/AVD-DS-0031/docs.md b/avd_docs/dockerfile/general/AVD-DS-0031/docs.md
@@ -0,0 +1,13 @@
+
+Passing secrets via `build-args` or envs or copying secret files can leak them out
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/build/building/secrets/
+
+
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0117/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0117/docs.md
@@ -10,4 +10,6 @@ The ports which are lower than 1024 receive and transmit various sensitive and p
 ### Links
 - https://kubernetes.io/docs/concepts/security/pod-security-standards/
 
+- https://www.stigviewer.com/stig/kubernetes/2022-12-02/finding/V-242414
+
 
diff --git a/checks/cloud/aws/apigateway/enable_access_logging.rego b/checks/cloud/aws/apigateway/enable_access_logging.rego
@@ -33,16 +33,24 @@ package builtin.aws.apigateway.aws0001
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some stage in input.aws.apigateway.v1.apis[_].stages
 	not logging_is_configured(stage)
-	res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+	res := result.new(
+		"Access logging is not configured.",
+		metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+	)
 }
 
 deny contains res if {
 	some stage in input.aws.apigateway.v2.apis[_].stages
 	not logging_is_configured(stage)
-	res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+	res := result.new(
+		"Access logging is not configured.",
+		metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+	)
 }
 
 logging_is_configured(stage) if {

diff --git a/checks/cloud/aws/apigateway/enable_cache.rego b/checks/cloud/aws/apigateway/enable_cache.rego
@@ -30,6 +30,8 @@ package builtin.aws.apigateway.aws0190
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -40,6 +42,6 @@ deny contains res if {
 	not settings.cacheenabled.value
 	res := result.new(
 		"Cache data is not enabled.",
-		object.get(settings, "cacheenabled", settings),
+		metadata.obj_by_path(settings, ["cacheenabled"]),
 	)
 }
diff --git a/checks/cloud/aws/apigateway/enable_cache_encryption.rego b/checks/cloud/aws/apigateway/enable_cache_encryption.rego
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0002
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -37,8 +39,9 @@ deny contains res if {
 	isManaged(settings)
 	settings.cacheenabled.value
 	not settings.cachedataencrypted.value
+
 	res := result.new(
 		"Cache data is not encrypted.",
-		object.get(settings, "cachedataencrypted", settings),
+		metadata.obj_by_path(settings, ["cachedataencrypted"]),
 	)
 }
diff --git a/checks/cloud/aws/apigateway/enable_tracing.rego b/checks/cloud/aws/apigateway/enable_tracing.rego
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0003
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -36,6 +38,6 @@ deny contains res if {
 	not stage.xraytracingenabled.value
 	res := result.new(
 		"X-Ray tracing is not enabled.",
-		object.get(stage, "xraytracingenabled", stage),
+		metadata.obj_by_path(stage, ["xraytracingenabled"]),
 	)
 }
diff --git a/checks/cloud/aws/apigateway/use_secure_tls_policy.rego b/checks/cloud/aws/apigateway/use_secure_tls_policy.rego
@@ -30,12 +30,14 @@ package builtin.aws.apigateway.aws0005
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some domain in input.aws.apigateway.v1.domainnames
 	not is_tls_1_2(domain)
 	res := result.new(
 		"Domain name is configured with an outdated TLS policy.",
-		object.get(domain, "securitypolicy", domain),
+		metadata.obj_by_path(domain, "securitypolicy"),
 	)
 }
 
@@ -44,7 +46,7 @@ deny contains res if {
 	not is_tls_1_2(domain)
 	res := result.new(
 		"Domain name is configured with an outdated TLS policy.",
-		object.get(domain, "securitypolicy", domain),
+		metadata.obj_by_path(domain, "securitypolicy"),
 	)
 }
 

diff --git a/checks/cloud/aws/athena/enable_at_rest_encryption.rego b/checks/cloud/aws/athena/enable_at_rest_encryption.rego
@@ -34,20 +34,28 @@ package builtin.aws.athena.aws0006
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 encryption_type_none := ""
 
 deny contains res if {
 	some workgroup in input.aws.athena.workgroups
-	is_encryption_type_none(workgroup.encryption)
-	res := result.new("Workgroup does not have encryption configured.", workgroup)
+	not is_encrypted(workgroup)
+	res := result.new(
+		"Workgroup does not have encryption configured.",
+		metadata.obj_by_path(workgroup, ["encryption", "type"]),
+	)
 }
 
 deny contains res if {
 	some database in input.aws.athena.databases
-	is_encryption_type_none(database.encryption)
-	res := result.new("Database does not have encryption configured.", database)
+	not is_encrypted(database)
+	res := result.new(
+		"Database does not have encryption configured.",
+		metadata.obj_by_path(database, ["encryption", "type"]),
+	)
 }
 
-is_encryption_type_none(encryption) if {
-	encryption.type.value == encryption_type_none
+is_encrypted(obj) if {
+	obj.encryption.type.value != encryption_type_none
 }
diff --git a/checks/cloud/aws/athena/no_encryption_override.rego b/checks/cloud/aws/athena/no_encryption_override.rego
@@ -33,8 +33,13 @@ package builtin.aws.athena.aws0007
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some workgroup in input.aws.athena.workgroups
 	not workgroup.enforceconfiguration.value
-	res := result.new("The workgroup configuration is not enforced.", workgroup.enforceconfiguration)
+	res := result.new(
+		"The workgroup configuration is not enforced.",
+		metadata.obj_by_path(workgroup, ["enforceconfiguration"]),
+	)
 }
diff --git a/checks/cloud/aws/cloudfront/enable_logging.rego b/checks/cloud/aws/cloudfront/enable_logging.rego
@@ -33,12 +33,14 @@ package builtin.aws.cloudfront.aws0010
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some dist in input.aws.cloudfront.distributions
 	not has_logging_bucket(dist)
 	res := result.new(
 		"Distribution does not have logging enabled",
-		object.get(dist, ["logging", "bucket"], dist),
+		metadata.obj_by_path(dist, ["logging", "bucket"]),
 	)
 }
 

diff --git a/checks/cloud/aws/cloudfront/use_secure_tls_policy.rego b/checks/cloud/aws/cloudfront/use_secure_tls_policy.rego
@@ -39,13 +39,15 @@ import rego.v1
 
 protocol_version_tls1_2_2021 = "TLSv1.2_2021"
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some dist in input.aws.cloudfront.distributions
 	not dist.viewercertificate.cloudfrontdefaultcertificate.value
 	not is_tls_1_2(dist)
 	res := result.new(
 		"Distribution allows unencrypted communications.",
-		object.get(dist, ["viewercertificate", "minimumprotocolversion"], dist),
+		metadata.obj_by_path(dist, ["viewercertificate", "minimumprotocolversion"]),
 	)
 }
 

diff --git a/checks/cloud/aws/cloudtrail/enable_all_regions.rego b/checks/cloud/aws/cloudtrail/enable_all_regions.rego
@@ -38,8 +38,13 @@ package builtin.aws.cloudtrail.aws0014
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	not trail.ismultiregion.value
-	res := result.new("Trail is not enabled across all regions.", trail.ismultiregion)
+	res := result.new(
+		"Trail is not enabled across all regions.",
+		metadata.obj_by_path(trail, ["ismultiregion"]),
+	)
 }
diff --git a/checks/cloud/aws/cloudtrail/enable_log_validation.rego b/checks/cloud/aws/cloudtrail/enable_log_validation.rego
@@ -33,8 +33,13 @@ package builtin.aws.cloudtrail.aws0016
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	not trail.enablelogfilevalidation.value
-	res := result.new("Trail does not have log validation enabled.", trail.enablelogfilevalidation)
+	res := result.new(
+		"Trail does not have log validation enabled.",
+		metadata.obj_by_path(trail, ["enablelogfilevalidation"]),
+	)
 }
diff --git a/checks/cloud/aws/cloudtrail/encryption_customer_key.rego b/checks/cloud/aws/cloudtrail/encryption_customer_key.rego
@@ -36,8 +36,15 @@ package builtin.aws.cloudtrail.aws0015
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
-	trail.kmskeyid.value == ""
-	res := result.new("CloudTrail does not use a customer managed key to encrypt the logs.", trail.kmskeyid)
+	not use_cms(trail)
+	res := result.new(
+		"CloudTrail does not use a customer managed key to encrypt the logs.",
+		metadata.obj_by_path(trail, ["kmskeyid"]),
+	)
 }
+
+use_cms(trail) if trail.kmskeyid.value != ""
diff --git a/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.rego b/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.rego
@@ -46,8 +46,15 @@ package builtin.aws.cloudtrail.aws0162
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
-	trail.cloudwatchlogsloggrouparn.value == ""
-	res := result.new("Trail does not have CloudWatch logging configured", trail)
+	not is_logging_configured(trail)
+	res := result.new(
+		"Trail does not have CloudWatch logging configured",
+		metadata.obj_by_path(trail, ["cloudwatchlogsloggrouparn"]),
+	)
 }
+
+is_logging_configured(trail) if trail.cloudwatchlogsloggrouparn.value != ""
diff --git a/checks/cloud/aws/cloudtrail/require_bucket_access_logging.rego b/checks/cloud/aws/cloudtrail/require_bucket_access_logging.rego
@@ -42,6 +42,8 @@ package builtin.aws.cloudtrail.aws0163
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	trail.bucketname.value != ""
@@ -50,5 +52,8 @@ deny contains res if {
 	bucket.name.value == trail.bucketname.value
 	not bucket.logging.enabled.value
 
-	res := result.new("Trail S3 bucket does not have logging enabled", bucket)
+	res := result.new(
+		"Trail S3 bucket does not have logging enabled",
+		metadata.obj_by_path(bucket, ["name"]),
+	)
 }
diff --git a/checks/cloud/aws/cloudwatch/log_group_customer_key.rego b/checks/cloud/aws/cloudwatch/log_group_customer_key.rego
@@ -33,8 +33,15 @@ package builtin.aws.cloudwatch.aws0017
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some group in input.aws.cloudwatch.loggroups
-	group.kmskeyid.value == ""
-	res := result.new("Log group is not encrypted.", group)
+	not has_cms(group)
+	res := result.new(
+		"Log group is not encrypted.",
+		metadata.obj_by_path(group, ["kmskeyid"]),
+	)
 }
+
+has_cms(group) if group.kmskeyid.value != ""
diff --git a/checks/cloud/aws/codebuild/enable_encryption.rego b/checks/cloud/aws/codebuild/enable_encryption.rego
@@ -34,16 +34,25 @@ package builtin.aws.codebuild.aws0018
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some project in input.aws.codebuild.projects
-	encryptionenabled := project.artifactsettings.encryptionenabled
-	not encryptionenabled.value
-	res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
+	not is_encryption_enabled(project.artifactsettings)
+	res := result.new(
+		"Encryption is not enabled for project artifacts.",
+		metadata.obj_by_path(project, ["artifactsettings", "encryptionenabled"]),
+	)
 }
 
+is_encryption_enabled(settings) if settings.encryptionenabled.value
+
 deny contains res if {
 	some project in input.aws.codebuild.projects
 	some setting in project.secondaryartifactsettings
-	not setting.encryptionenabled.value
-	res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
+	not is_encryption_enabled(setting)
+	res := result.new(
+		"Encryption is not enabled for secondary project artifacts.",
+		metadata.obj_by_path(setting, ["encryptionenabled"]),
+	)
 }
diff --git a/checks/cloud/aws/config/aggregate_all_regions.rego b/checks/cloud/aws/config/aggregate_all_regions.rego
@@ -34,9 +34,14 @@ package builtin.aws.config.aws0019
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	cfg_aggregator := input.aws.config.configurationaggregrator
-	cfg_aggregator.__defsec_metadata.managed
+	isManaged(cfg_aggregator)
 	not cfg_aggregator.sourceallregions.value
-	res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
+	res := result.new(
+		"Configuration aggregation is not set to source from all regions.",
+		metadata.obj_by_path(cfg_aggregator, ["sourceallregions"]),
+	)
 }
diff --git a/checks/cloud/aws/config/aggregate_all_regions_test.rego b/checks/cloud/aws/config/aggregate_all_regions_test.rego
@@ -6,15 +6,9 @@ import data.builtin.aws.config.aws0019 as check
 import data.lib.test
 
 test_allow_all_regions if {
-	test.assert_empty(check.deny) with input as {"aws": {"config": {"configurationaggregrator": {
-		"__defsec_metadata": {"managed": true},
-		"sourceallregions": {"value": true},
-	}}}}
+	test.assert_empty(check.deny) with input as {"aws": {"config": {"configurationaggregrator": {"sourceallregions": {"value": true}}}}}
 }
 
 test_disallow_all_regions if {
-	test.assert_equal_message("Configuration aggregation is not set to source from all regions.", check.deny) with input as {"aws": {"config": {"configurationaggregrator": {
-		"__defsec_metadata": {"managed": true},
-		"sourceallregions": {"value": false},
-	}}}}
+	test.assert_equal_message("Configuration aggregation is not set to source from all regions.", check.deny) with input as {"aws": {"config": {"configurationaggregrator": {"sourceallregions": {"value": false}}}}}
 }