Merge branch 'main' into go2rego-digitalocean-1

aquasecurity · Aug 22, 2024 · f9256c9 · f9256c9
2 parents a42b5cb + cea826d
commit f9256c9
Show file tree

Hide file tree

Showing 81 changed files with 2,294 additions and 2,247 deletions.
diff --git a/.github/actions/setup-opa/action.yaml b/.github/actions/setup-opa/action.yaml
@@ -6,8 +6,5 @@ runs:
     - name: Setup OPA
       shell: bash
       run: |
-        curl --retry 3 -L -o opa_linux_amd64_static https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static
-        curl -L -o checksum https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static.sha256
-        sha256sum -c checksum
-        chmod 755 ./opa_linux_amd64_static
-        sudo mv ./opa_linux_amd64_static /usr/local/bin/opa
+        make build-opa
+        sudo mv ./opa /usr/local/bin/opa
diff --git a/.github/workflows/outdated-api-update.yaml b/.github/workflows/outdated-api-update.yaml
@@ -6,6 +6,9 @@ on:
 permissions:
   contents: write
 
+env:
+  GO_VERSION: '1.22'
+
 jobs:
   outdated:
     runs-on: ubuntu-latest
@@ -14,6 +17,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ secrets.AUTO_COMMIT_TOKEN }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Fetch outdated API data from trivy-db-data repo
         id: outdatedapi
         uses: fjogeleit/http-request-action@v1
@@ -25,8 +33,10 @@ jobs:
           OUTDATE_API_DATA: ${{ toJson(steps.outdatedapi.outputs.response) }}
         run: |
           make outdated-api-updated
+      
       - name: Setup OPA
         uses: ./.github/actions/setup-opa
+
       - name: OPA Format
         run: |
           opa fmt -w . | grep -v vendor || true

diff --git a/.github/workflows/test-rego.yaml b/.github/workflows/test-rego.yaml
@@ -11,6 +11,7 @@ on:
       - "**/*.md"
       - "LICENSE"
   merge_group:
+  workflow_dispatch:
 
 env:
   GO_VERSION: "1.22"
@@ -23,6 +24,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Setup OPA
         uses: ./.github/actions/setup-opa
 
@@ -35,9 +40,5 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Test Rego checks
         run: make test-rego
diff --git a/Makefile b/Makefile
@@ -45,5 +45,8 @@ create-bundle:
 .PHONY: verify-bundle
 verify-bundle:
 	cp bundle.tar.gz scripts/bundle.tar.gz
-	go run ./scripts/verify-bundle.go
+	cd scripts && go run verify-bundle.go
 	rm scripts/bundle.tar.gz
+
+build-opa:
+	go build ./cmd/opa
diff --git a/avd_docs/aws/s3/AVD-AWS-0086/docs.md b/avd_docs/aws/s3/AVD-AWS-0086/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
 
 
 ### Impact
-PUT calls with public ACLs specified can make objects public
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0087/docs.md b/avd_docs/aws/s3/AVD-AWS-0087/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
 
 
 ### Impact
-Users could put a policy that allows public access
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0088/docs.md b/avd_docs/aws/s3/AVD-AWS-0088/docs.md
@@ -1,8 +1,9 @@
 
 S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
 
+
 ### Impact
-The bucket objects could be read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0090/docs.md b/avd_docs/aws/s3/AVD-AWS-0090/docs.md
@@ -1,12 +1,13 @@
 
+Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
+
+You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
 
-Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
-You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
 With versioning you can recover more easily from both unintended user actions and application failures.
 
 
 ### Impact
-Deleted or modified data would not be recoverable
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0091/docs.md b/avd_docs/aws/s3/AVD-AWS-0091/docs.md
@@ -1,10 +1,9 @@
 
-
 S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
 
 
 ### Impact
-PUT calls with public ACLs specified can make objects public
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0092/docs.md b/avd_docs/aws/s3/AVD-AWS-0092/docs.md
@@ -1,10 +1,9 @@
 
-
 Buckets should not have ACLs that allow public access
 
 
 ### Impact
-Public access to the bucket can lead to data leakage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0093/docs.md b/avd_docs/aws/s3/AVD-AWS-0093/docs.md
@@ -1,8 +1,9 @@
 
 S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
 
+
 ### Impact
-Public buckets can be accessed by anyone
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0094/docs.md b/avd_docs/aws/s3/AVD-AWS-0094/docs.md
@@ -1,8 +1,9 @@
 
 The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.
 
+
 ### Impact
-Public access policies may be applied to sensitive data buckets
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0132/docs.md b/avd_docs/aws/s3/AVD-AWS-0132/docs.md
@@ -1,8 +1,9 @@
 
 Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0170/docs.md b/avd_docs/aws/s3/AVD-AWS-0170/docs.md
@@ -1,10 +1,9 @@
 
-
 Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is obtained.
 
 
 ### Impact
-Lessened protection against accidental/malicious deletion of data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0171/docs.md b/avd_docs/aws/s3/AVD-AWS-0171/docs.md
@@ -1,10 +1,9 @@
 
-
 Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
 
 
 ### Impact
-Difficult/impossible to audit bucket object/data changes.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/aws/s3/AVD-AWS-0172/docs.md b/avd_docs/aws/s3/AVD-AWS-0172/docs.md
@@ -1,10 +1,9 @@
 
-
 Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
 
 
 ### Impact
-Difficult/impossible to audit bucket object/data changes.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/oracle/compute/AVD-OCI-0001/docs.md b/avd_docs/oracle/compute/AVD-OCI-0001/docs.md
@@ -3,8 +3,9 @@ Compute instance requests an IP reservation from a public pool
 
 The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP.
 
+
 ### Impact
-The compute instance has the ability to be reached from outside
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/cloud/aws/s3/block_public_acls.go b/checks/cloud/aws/s3/block_public_acls.go
@@ -35,7 +35,8 @@ S3 buckets should block public ACLs on buckets and any objects they contain. By
 			Links:               cloudFormationBlockPublicAclsLinks,
 			RemediationMarkdown: cloudFormationBlockPublicAclsRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, bucket := range s.AWS.S3.Buckets {

diff --git a/checks/cloud/aws/s3/block_public_acls.rego b/checks/cloud/aws/s3/block_public_acls.rego
@@ -0,0 +1,57 @@
+# METADATA
+# title: S3 Access block should block public ACL
+# description: |
+#   S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+# custom:
+#   id: AVD-AWS-0086
+#   avd_id: AVD-AWS-0086
+#   provider: aws
+#   service: s3
+#   severity: HIGH
+#   short_code: block-public-acls
+#   recommended_action: Enable blocking any PUT calls with a public ACL specified
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: s3
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
+#     good_examples: checks/cloud/aws/s3/block_public_acls.tf.go
+#     bad_examples: checks/cloud/aws/s3/block_public_acls.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/s3/block_public_acls.cf.go
+#     bad_examples: checks/cloud/aws/s3/block_public_acls.cf.go
+package builtin.aws.s3.aws0086
+
+import rego.v1
+
+deny contains res if {
+	some bucket in input.aws.s3.buckets
+	not bucket.publicaccessblock
+	res := result.new(
+		"No public access block so not blocking public acls",
+		bucket,
+	)
+}
+
+deny contains res if {
+	some bucket in input.aws.s3.buckets
+	bucket.publicaccessblock
+	not bucket.publicaccessblock.blockpublicacls.value
+	res := result.new(
+		"Public access block does not block public ACLs",
+		object.get(
+			bucket.publicaccessblock,
+			"blockpublicacls",
+			bucket.publicaccessblock,
+		),
+	)
+}
diff --git a/checks/cloud/aws/s3/block_public_acls_test.go b/checks/cloud/aws/s3/block_public_acls_test.go