Merge branch 'main' into do-redirect

.github/workflows/lint.yml

@@ -17,7 +17,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v4
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
  with:
  go-version-file: go.mod
  cache: true

.github/workflows/stale.yml

@@ -9,7 +9,7 @@ jobs:
  stale:
  runs-on: ubuntu-latest
  steps:
- - uses: actions/stale@v8
+ - uses: actions/stale@v9
  with:
  stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
  stale-pr-message: 'This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.'

.github/workflows/test-go.yml

@@ -9,7 +9,7 @@ jobs:
 
  steps:
  - uses: actions/checkout@v4
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
  with:
  go-version-file: go.mod
 

.github/workflows/verify-schema.yml

@@ -10,7 +10,7 @@ jobs:
  steps:
  - uses: actions/checkout@v4
 
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
  with:
  go-version-file: go.mod
  cache: true

avd_docs/kubernetes/general/AVD-KSV-0004/docs.md

@@ -0,0 +1,13 @@
+
+Security best practices require containers to run with minimal required capabilities.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
+
+

avd_docs/kubernetes/general/AVD-KSV-0034/docs.md

@@ -0,0 +1,10 @@
+
+Container images must not start with an empty prefix or a defined public registry domain.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

avd_docs/kubernetes/general/AVD-KSV-0040/docs.md

@@ -0,0 +1,13 @@
+
+ensure resource quota policy has configure in order to limit aggregate resource usage within namespace
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/
+
+

cmd/avd_generator/main.go

@@ -12,7 +12,7 @@ import (
  "text/template"
 
  "github.com/aquasecurity/defsec/pkg/framework"
- "github.com/aquasecurity/trivy-policies/rules"
+ policies "github.com/aquasecurity/trivy-policies"
 
  _ "github.com/aquasecurity/trivy-iac/pkg/rego"
  registered "github.com/aquasecurity/trivy-iac/pkg/rules"
@@ -120,7 +120,7 @@ func fail(msg string, args ...interface{}) {
 
 func readFileFromPolicyFS(path string) (io.Reader, error) {
  path = strings.TrimPrefix(path, "rules/")
- return rules.EmbeddedPolicyFileSystem.Open(path)
+ return policies.EmbeddedPolicyFileSystem.Open(path)
 
 }
 

go.mod

@@ -6,12 +6,12 @@ require (
  github.com/BurntSushi/toml v1.3.2
  github.com/Masterminds/semver v1.5.0
  github.com/apparentlymart/go-cidr v1.1.0
- github.com/aquasecurity/defsec v0.93.2-0.20231120220217-6818261529c8
- github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
- github.com/aws/smithy-go v1.14.2
+ github.com/aquasecurity/defsec v0.93.2-0.20240104002958-968b8f115bc0
+ github.com/aquasecurity/trivy-policies v0.8.0
+ github.com/aws/smithy-go v1.19.0
  github.com/bmatcuk/doublestar/v4 v4.6.0
- github.com/google/uuid v1.4.0
- github.com/hashicorp/go-getter v1.7.2
+ github.com/google/uuid v1.5.0
+ github.com/hashicorp/go-getter v1.7.3
  github.com/hashicorp/go-uuid v1.0.3
  github.com/hashicorp/hcl/v2 v2.19.1
  github.com/liamg/iamgo v0.0.9
@@ -21,24 +21,24 @@ require (
  github.com/mitchellh/mapstructure v1.5.0
  github.com/moby/buildkit v0.11.6
  github.com/olekukonko/tablewriter v0.0.5
- github.com/open-policy-agent/opa v0.58.0
- github.com/spf13/cobra v1.7.0
+ github.com/open-policy-agent/opa v0.60.0
+ github.com/spf13/cobra v1.8.0
  github.com/stretchr/testify v1.8.4
  github.com/zclconf/go-cty v1.13.0
  github.com/zclconf/go-cty-yaml v1.0.3
- golang.org/x/crypto v0.14.0
- golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
+ golang.org/x/crypto v0.18.0
+ golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
  golang.org/x/text v0.14.0
  gopkg.in/yaml.v3 v3.0.1
- helm.sh/helm/v3 v3.13.0
+ helm.sh/helm/v3 v3.13.3
  k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 )
 
 require (
- cloud.google.com/go v0.110.7 // indirect
+ cloud.google.com/go v0.110.8 // indirect
  cloud.google.com/go/compute v1.23.0 // indirect
  cloud.google.com/go/compute/metadata v0.2.3 // indirect
- cloud.google.com/go/iam v1.1.1 // indirect
+ cloud.google.com/go/iam v1.1.2 // indirect
  cloud.google.com/go/storage v1.30.1 // indirect
  dario.cat/mergo v1.0.0 // indirect
  github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
@@ -49,10 +49,9 @@ require (
  github.com/Masterminds/sprig/v3 v3.2.3 // indirect
  github.com/Masterminds/squirrel v1.5.4 // indirect
  github.com/Microsoft/go-winio v0.6.1 // indirect
- github.com/Microsoft/hcsshim v0.11.1 // indirect
+ github.com/Microsoft/hcsshim v0.11.4 // indirect
  github.com/OneOfOne/xxhash v1.2.8 // indirect
- github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
- github.com/acomagu/bufpipe v1.0.4 // indirect
+ github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
  github.com/agext/levenshtein v1.2.3 // indirect
  github.com/agnivade/levenshtein v1.1.1 // indirect
  github.com/alecthomas/chroma v0.10.0 // indirect
@@ -64,14 +63,14 @@ require (
  github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
  github.com/cespare/xxhash/v2 v2.2.0 // indirect
  github.com/chai2010/gettext-go v1.0.2 // indirect
- github.com/cloudflare/circl v1.3.3 // indirect
- github.com/containerd/containerd v1.7.7 // indirect
+ github.com/cloudflare/circl v1.3.7 // indirect
+ github.com/containerd/containerd v1.7.11 // indirect
  github.com/containerd/log v0.1.0 // indirect
  github.com/containerd/typeurl v1.0.2 // indirect
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/dlclark/regexp2 v1.4.0 // indirect
- github.com/docker/cli v24.0.5+incompatible // indirect
+ github.com/docker/cli v24.0.6+incompatible // indirect
  github.com/docker/distribution v2.8.2+incompatible // indirect
  github.com/docker/docker v24.0.7+incompatible // indirect
  github.com/docker/docker-credential-helpers v0.7.0 // indirect
@@ -83,13 +82,14 @@ require (
  github.com/evanphx/json-patch v5.6.0+incompatible // indirect
  github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
  github.com/fatih/color v1.13.0 // indirect
+ github.com/felixge/httpsnoop v1.0.4 // indirect
  github.com/go-errors/errors v1.4.2 // indirect
  github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
- github.com/go-git/go-billy/v5 v5.4.1 // indirect
- github.com/go-git/go-git/v5 v5.8.1 // indirect
+ github.com/go-git/go-billy/v5 v5.5.0 // indirect
+ github.com/go-git/go-git/v5 v5.11.0 // indirect
  github.com/go-gorp/gorp/v3 v3.1.0 // indirect
  github.com/go-ini/ini v1.67.0 // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
  github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-openapi/jsonpointer v0.19.6 // indirect
  github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -104,9 +104,9 @@ require (
  github.com/google/gofuzz v1.2.0 // indirect
  github.com/google/s2a-go v0.1.4 // indirect
  github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
- github.com/googleapis/gax-go/v2 v2.11.0 // indirect
- github.com/gorilla/mux v1.8.0 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
+ github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+ github.com/gorilla/mux v1.8.1 // indirect
  github.com/gosuri/uitable v0.0.4 // indirect
  github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
  github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -123,7 +123,7 @@ require (
  github.com/josharian/intern v1.0.0 // indirect
  github.com/json-iterator/go v1.1.12 // indirect
  github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.16.0 // indirect
+ github.com/klauspost/compress v1.16.6 // indirect
  github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
  github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
  github.com/lib/pq v1.10.9 // indirect
@@ -156,14 +156,14 @@ require (
  github.com/prometheus/client_model v0.4.0 // indirect
  github.com/prometheus/common v0.44.0 // indirect
  github.com/prometheus/procfs v0.10.1 // indirect
- github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
  github.com/rivo/uniseg v0.2.0 // indirect
  github.com/rubenv/sql-migrate v1.5.2 // indirect
  github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sergi/go-diff v1.3.1 // indirect
  github.com/shopspring/decimal v1.3.1 // indirect
  github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/skeema/knownhosts v1.2.0 // indirect
+ github.com/skeema/knownhosts v1.2.1 // indirect
  github.com/spf13/cast v1.5.0 // indirect
  github.com/spf13/pflag v1.0.5 // indirect
  github.com/tchap/go-patricia/v2 v2.3.1 // indirect
@@ -175,42 +175,43 @@ require (
  github.com/xlab/treeprint v1.2.0 // indirect
  github.com/yashtewari/glob-intersection v0.2.0 // indirect
  go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/otel v1.19.0 // indirect
- go.opentelemetry.io/otel/metric v1.19.0 // indirect
- go.opentelemetry.io/otel/sdk v1.19.0 // indirect
- go.opentelemetry.io/otel/trace v1.19.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+ go.opentelemetry.io/otel v1.21.0 // indirect
+ go.opentelemetry.io/otel/metric v1.21.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+ go.opentelemetry.io/otel/trace v1.21.0 // indirect
  go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
- golang.org/x/mod v0.10.0 // indirect
- golang.org/x/net v0.17.0 // indirect
- golang.org/x/oauth2 v0.11.0 // indirect
- golang.org/x/sync v0.4.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/term v0.13.0 // indirect
- golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.8.0 // indirect
+ golang.org/x/mod v0.13.0 // indirect
+ golang.org/x/net v0.20.0 // indirect
+ golang.org/x/oauth2 v0.13.0 // indirect
+ golang.org/x/sync v0.6.0 // indirect
+ golang.org/x/sys v0.16.0 // indirect
+ golang.org/x/term v0.16.0 // indirect
+ golang.org/x/time v0.5.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
  golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
- google.golang.org/api v0.126.0 // indirect
- google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
- google.golang.org/grpc v1.59.0 // indirect
+ google.golang.org/api v0.128.0 // indirect
+ google.golang.org/appengine v1.6.8 // indirect
+ google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
+ google.golang.org/grpc v1.60.1 // indirect
  google.golang.org/protobuf v1.31.0 // indirect
  gopkg.in/inf.v0 v0.9.1 // indirect
  gopkg.in/warnings.v0 v0.1.2 // indirect
  gopkg.in/yaml.v2 v2.4.0 // indirect
  gotest.tools/v3 v3.5.0 // indirect
- k8s.io/api v0.28.2 // indirect
- k8s.io/apiextensions-apiserver v0.28.2 // indirect
- k8s.io/apimachinery v0.28.2 // indirect
- k8s.io/apiserver v0.28.2 // indirect
- k8s.io/cli-runtime v0.28.2 // indirect
- k8s.io/client-go v0.28.2 // indirect
- k8s.io/component-base v0.28.2 // indirect
+ k8s.io/api v0.28.4 // indirect
+ k8s.io/apiextensions-apiserver v0.28.4 // indirect
+ k8s.io/apimachinery v0.28.4 // indirect
+ k8s.io/apiserver v0.28.4 // indirect
+ k8s.io/cli-runtime v0.28.4 // indirect
+ k8s.io/client-go v0.28.4 // indirect
+ k8s.io/component-base v0.28.4 // indirect
  k8s.io/klog/v2 v2.100.1 // indirect
  k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
- k8s.io/kubectl v0.28.2 // indirect
- oras.land/oras-go v1.2.3 // indirect
+ k8s.io/kubectl v0.28.4 // indirect
+ oras.land/oras-go v1.2.4 // indirect
  sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
  sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
  sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
@@ -219,5 +220,3 @@ require (
 )
 
 replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af
-
-replace github.com/aquasecurity/defsec => /Users/nikita/projects/defsec