feat(misconf): Add support for aws_ami

Signed-off-by: Simar <[email protected]>
aquasecurity · Mar 6, 2025 · 9383d99 · 9383d99
1 parent 453c66d
commit 9383d99
Show file tree

Hide file tree

Showing 9 changed files with 208 additions and 2 deletions.
diff --git a/pkg/iac/adapters/cloudformation/aws/adapt.go b/pkg/iac/adapters/cloudformation/aws/adapt.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/aws/ami"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/aws/apigateway"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/aws/athena"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/aws/cloudfront"
@@ -39,6 +40,7 @@ import (
 // Adapt adapts a Cloudformation AWS instance
 func Adapt(cfFile parser.FileContext) aws.AWS {
 	return aws.AWS{
+		AMI:           ami.Adapt(cfFile),
 		APIGateway:    apigateway.Adapt(cfFile),
 		Athena:        athena.Adapt(cfFile),
 		Cloudfront:    cloudfront.Adapt(cfFile),

diff --git a/pkg/iac/adapters/cloudformation/aws/ami/amianalyzer.go b/pkg/iac/adapters/cloudformation/aws/ami/amianalyzer.go
@@ -0,0 +1,25 @@
+package ami
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ami"
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func Adapt(cfFile parser.FileContext) ami.AMI {
+	return ami.AMI{
+		Metadata: cfFile.Metadata(),
+		Owners:   adaptAMIs(cfFile),
+	}
+}
+
+func adaptAMIs(cfFile parser.FileContext) iacTypes.StringValueList {
+	var owners iacTypes.StringValueList
+
+	amis := cfFile.GetResourcesByType("AWS::EC2::Image")
+	for _, resource := range amis {
+		owners = append(owners, resource.GetStringProperty("Owners"))
+	}
+
+	return owners
+}
diff --git a/pkg/iac/adapters/cloudformation/aws/ami/amianalyzer_test.go b/pkg/iac/adapters/cloudformation/aws/ami/amianalyzer_test.go
@@ -0,0 +1,52 @@
+package ami
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/cloudformation/testutil"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ami"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func TestAMI(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected ami.AMI
+	}{
+		{
+			name: "AMI with owner",
+			input: `
+Resources:
+ MyAMI:
+   Type: 'AWS::EC2::Image'
+   Properties:
+     Owners: amazon`,
+			expected: ami.AMI{
+				Metadata: iacTypes.NewTestMetadata(),
+				Owners: iacTypes.StringValueList{
+					iacTypes.StringTest("amazon"),
+				},
+			},
+		},
+		{
+			name: "AMI without owner",
+			input: `
+Resources:
+ MyAMI:
+   Type: 'AWS::EC2::Image'
+   Properties:
+     Name: test-ami`,
+			expected: ami.AMI{
+				Metadata: iacTypes.NewTestMetadata(),
+				Owners:   iacTypes.StringValueList{iacTypes.StringTest("")},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			testutil.AdaptAndCompare(t, tt.input, tt.expected, Adapt)
+		})
+	}
+}
diff --git a/pkg/iac/adapters/terraform/aws/adapt.go b/pkg/iac/adapters/terraform/aws/adapt.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/ami"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/apigateway"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/athena"
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/cloudfront"
@@ -43,6 +44,7 @@ func Adapt(modules terraform.Modules) aws.AWS {
 		Meta: aws.Meta{
 			TFProviders: provider.Adapt(modules),
 		},
+		AMI:           ami.Adapt(modules),
 		APIGateway:    apigateway.Adapt(modules),
 		Athena:        athena.Adapt(modules),
 		Cloudfront:    cloudfront.Adapt(modules),

diff --git a/pkg/iac/adapters/terraform/aws/ami/amianalyzer.go b/pkg/iac/adapters/terraform/aws/ami/amianalyzer.go
@@ -0,0 +1,29 @@
+package ami
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ami"
+	"github.com/aquasecurity/trivy/pkg/iac/terraform"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func Adapt(modules terraform.Modules) ami.AMI {
+	return ami.AMI{
+		Owners: adaptAMIs(modules),
+	}
+}
+
+func adaptAMIs(modules terraform.Modules) iacTypes.StringValueList {
+	var owners iacTypes.StringValueList
+
+	for _, module := range modules {
+		for _, resource := range module.GetResourcesByType("aws_ami") {
+			owners = append(owners, adaptOwners(resource)...)
+		}
+	}
+	return owners
+}
+
+func adaptOwners(resource *terraform.Block) iacTypes.StringValueList {
+	ownersAttr := resource.GetAttribute("owners")
+	return ownersAttr.AsStringValueSliceOrEmpty()
+}
diff --git a/pkg/iac/adapters/terraform/aws/ami/amianalyzer_test.go b/pkg/iac/adapters/terraform/aws/ami/amianalyzer_test.go
@@ -0,0 +1,64 @@
+package ami
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/trivy/internal/testutil"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/tftestutil"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ami"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func Test_AMI(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected ami.AMI
+	}{
+		{
+			name: "AMI with single owner",
+			input: `
+resource "aws_ami" "example" {
+    owners = ["amazon"]
+}`,
+			expected: ami.AMI{
+				Metadata: iacTypes.NewTestMetadata(),
+				Owners: iacTypes.StringValueList{
+					iacTypes.StringTest("amazon"),
+				}},
+		},
+		{
+			name: "AMI with multiple owners",
+			input: `
+resource "aws_ami" "example" {
+    owners = ["amazon", "badguys"]
+}`,
+			expected: ami.AMI{
+				Metadata: iacTypes.NewTestMetadata(),
+				Owners: iacTypes.StringValueList{
+					iacTypes.StringTest("amazon"),
+					iacTypes.StringTest("badguys"),
+				},
+			},
+		},
+		{
+			name: "AMI without owner",
+			input: `
+resource "aws_ami" "example" {
+    name = "test-ami"
+}`,
+			expected: ami.AMI{
+				Metadata: iacTypes.NewTestMetadata(),
+				Owners:   nil,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			modules := tftestutil.CreateModulesFromSource(t, tt.input, ".tf")
+			adapted := Adapt(modules)
+			testutil.AssertDefsecEqual(t, tt.expected, adapted)
+		})
+	}
+}
diff --git a/pkg/iac/providers/aws/ami/ami.go b/pkg/iac/providers/aws/ami/ami.go
@@ -0,0 +1,8 @@
+package ami
+
+import iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+
+type AMI struct {
+	Metadata iacTypes.Metadata
+	Owners   iacTypes.StringValueList
+}
diff --git a/pkg/iac/providers/aws/aws.go b/pkg/iac/providers/aws/aws.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/accessanalyzer"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ami"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/apigateway"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/athena"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudfront"
@@ -39,6 +40,7 @@ import (
 
 type AWS struct {
 	Meta           Meta
+	AMI            ami.AMI
 	AccessAnalyzer accessanalyzer.AccessAnalyzer
 	APIGateway     apigateway.APIGateway
 	Athena         athena.Athena

diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
@@ -50,6 +50,10 @@
           "type": "object",
           "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.aws.accessanalyzer.AccessAnalyzer"
         },
+        "ami": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.aws.ami.AMI"
+        },
         "apigateway": {
           "type": "object",
           "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.aws.apigateway.APIGateway"
@@ -525,6 +529,22 @@
         }
       }
     },
+    "github.com.aquasecurity.trivy.pkg.iac.providers.aws.ami.AMI": {
+      "type": "object",
+      "properties": {
+        "__defsec_metadata": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+        },
+        "owners": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+          }
+        }
+      }
+    },
     "github.com.aquasecurity.trivy.pkg.iac.providers.aws.apigateway.APIGateway": {
       "type": "object",
       "properties": {
@@ -1933,10 +1953,12 @@
       "type": "object",
       "properties": {
         "name": {
-          "type": "string"
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
         },
         "value": {
-          "type": "string"
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
         }
       }
     },