
feat(misconf): Support inline ignores for CloudFormation Templates #6237

Closed
1 of 2 tasks
simar7 opened this issue Feb 29, 2024 Discussed in #6212 · 0 comments · Fixed by #6358
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

@simar7
Member

simar7 commented Feb 29, 2024

Today Trivy does not support inline ignores for CloudFormation Templates.

Discussed in #6212

Originally posted by Cumming5412 February 27, 2024

Description

When scanning Terraform, I can add an inline comment e.g.
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053

to ignore a specific block of HCL.

Trying to do the same thing in CloudFormation, it seems the inline comment is ignored/not supported.

I have a bucket created via CloudFormation that uses AES256:
BucketEncryption:
  ServerSideEncryptionConfiguration:
    - ServerSideEncryptionByDefault:
        SSEAlgorithm: AES256

The scanner reports the below:

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132

Desired Behavior

When I add
#trivy:ignore:AVD-AWS-0132

I expect the warning to be ignored.

e.g.
#trivy:ignore:AVD-AWS-0132
S3Bucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Retain
  Properties:

Actual Behavior

The warning is repeated. I have tried adding the inline comment directly above and alongside the AES256 entry but there is no difference.

Reproduction Steps

1. Create an S3 bucket with AES256 via CloudFormation, e.g.:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties: 
      AccessControl: BucketOwnerFullControl
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketName: some-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
2. Run trivy config --debug --severity HIGH,CRITICAL --exit-code 0 template.yaml
3. Observe the filtered issue still being reported.
...

Target

AWS

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

trivy config --debug --severity HIGH,CRITICAL --exit-code 0 cfn.yaml
========================== Starting Command Output ===========================
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/db534a3e-94de-4063-9a98-e83fe4d8e267.sh
2024-02-27T10:31:05.067Z	DEBUG	Severities: ["HIGH" "CRITICAL"]
2024-02-27T10:31:05.068Z	DEBUG	cache dir:  /home/vsts/.cache/trivy
2024-02-27T10:31:05.068Z	INFO	Misconfiguration scanning is enabled
2024-02-27T10:31:05.068Z	DEBUG	Policies successfully loaded from disk
2024-02-27T10:31:05.068Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-27T10:31:05.075Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-27T10:31:05.092Z	DEBUG	Walk the file tree rooted at 'cfn.yaml' in series
2024-02-27T10:31:05.092Z	DEBUG	Scanning Helm files for misconfigurations...
2024-02-27T10:31:05.097Z	DEBUG	Scanning CloudFormation files for misconfigurations...
2024-02-27T10:31:05.103Z	DEBUG	[misconf] 31:05.103171841 cloudformation.scanner.rego      Overriding filesystem for policies!
2024-02-27T10:31:05.169Z	DEBUG	[misconf] 31:05.169723030 cloudformation.scanner.rego      Loaded 190 policies from disk.
2024-02-27T10:31:05.170Z	DEBUG	[misconf] 31:05.170301128 cloudformation.scanner.rego      Overriding filesystem for data!
2024-02-27T10:31:05.833Z	DEBUG	[misconf] 31:05.833971131 cloudformation.scanner           Found 18 results for AVD-AWS-0057
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834051531 cloudformation.scanner           Found 1 results for AVD-AWS-0086
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834061731 cloudformation.scanner           Found 1 results for AVD-AWS-0087
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834070331 cloudformation.scanner           Found 1 results for AVD-AWS-0088
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834077431 cloudformation.scanner           Found 1 results for AVD-AWS-0090
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834085831 cloudformation.scanner           Found 1 results for AVD-AWS-0132
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834091831 cloudformation.scanner           Found 1 results for AVD-AWS-0091
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834098431 cloudformation.scanner           Found 1 results for AVD-AWS-0092
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834104631 cloudformation.scanner           Found 1 results for AVD-AWS-0093
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834110731 cloudformation.scanner           Found 1 results for AVD-AWS-0094
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834122431 cloudformation.scanner           Found 2 results for AVD-AWS-0095
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834130231 cloudformation.scanner           Found 2 results for AVD-AWS-0136
2024-02-27T10:31:05.835Z	DEBUG	[misconf] 31:05.835764125 cloudformation.scanner.rego      Scanning 1 inputs...
2024-02-27T10:31:05.896Z	DEBUG	OS is not detected.
2024-02-27T10:31:05.897Z	INFO	Detected config files: 1
2024-02-27T10:31:05.897Z	DEBUG	Scanned config file: cfn.yaml

cfn.yaml (cloudformation)
===================================================
Tests: 18 (SUCCESSES: 14, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cfn.yaml:184-226
────────────────────────────────────────
 184 ┌   TFStateS3Bucket:
 185 │     Type: AWS::S3::Bucket
 186 │     DeletionPolicy: Retain
 187 │     Properties: 
 188 │       AccessControl: BucketOwnerFullControl #BucketOwnerFullControl | Private | PublicRead | PublicReadWrite | AuthenticatedRead | LogDeliveryWrite | BucketOwnerRead | 
 189 │       PublicAccessBlockConfiguration:
 190 │         BlockPublicAcls: true
 191 │         BlockPublicPolicy: true
 192 └         IgnorePublicAcls: true
 ...   
────────────────────────────────────────

Operating System

Ubuntu

Version

Version: 0.49.1

Checklist

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Feb 29, 2024
@simar7 simar7 added this to the v0.51.0 milestone Mar 29, 2024
@itaysk itaysk changed the title feat(misconf): Support inline comments for CloudFormation Templates feat(misconf): Support inline ignores for CloudFormation Templates Apr 9, 2024
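Added example, not part of the issue thread and not Trivy's own code: a small Python script showing how an inline trivy:ignore directive of the form quoted above can be resolved against scanner findings on a CloudFormation template. The resource-block parsing, the Finding record, the rule that a directive attaches to a resource only when it sits on the resource line or in the comment lines directly above it, and the sample template and findings are all this example's own assumptions; it makes no claim about how #6358 implements the feature in Trivy.

```python
# Added illustration for this issue, not Trivy's own code: the directive syntax
# (#trivy:ignore:<ID>, several IDs per comment) comes from the issue; the
# parsing rules, the Finding record and the sample data are assumptions.
import re
from dataclasses import dataclass

# Matches each ID in "#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053".
IGNORE_RE = re.compile(r"trivy:ignore:([A-Za-z0-9-]+)")


@dataclass(frozen=True)
class Finding:          # assumed shape of a scanner result
    check_id: str       # e.g. "AVD-AWS-0132"
    start_line: int     # 1-based, inclusive
    end_line: int


def resource_blocks(template: str) -> dict:
    """Map each logical resource under Resources: to its (start, end) lines.
    Assumes resources sit two spaces under a top-level Resources: key, as in
    the issue's template; no YAML library so the script runs stand-alone."""
    blocks, current, in_resources = {}, None, False
    for no, line in enumerate(template.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank and comment lines neither open nor close a block
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_resources = stripped == "Resources:"
            current = None
        elif in_resources and indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]
            blocks[current] = [no, no]
        elif current is not None:
            blocks[current][1] = no  # extend the open resource to this line
    return {name: tuple(rng) for name, rng in blocks.items()}


def ignores_for(template: str, blocks: dict) -> dict:
    """IDs each resource may ignore. Rule used here (the example's own, not a
    claim about Trivy): a directive counts on the resource's own line or in the
    run of comment lines directly above it; one buried beside a nested property,
    as in the reporter's second attempt, does not attach to the resource."""
    lines = template.splitlines()
    result = {}
    for name, (start, _end) in blocks.items():
        ids = set(IGNORE_RE.findall(lines[start - 1].partition("#")[2]))
        idx = start - 2
        while idx >= 0 and lines[idx].strip().startswith("#"):
            ids.update(IGNORE_RE.findall(lines[idx]))
            idx -= 1
        result[name] = ids
    return result


def apply_ignores(template: str, findings: list) -> list:
    """Drop findings whose range lies inside a resource that ignores their ID."""
    blocks = resource_blocks(template)
    ignores = ignores_for(template, blocks)
    return [
        f for f in findings
        if not any(
            start <= f.start_line and f.end_line <= end and f.check_id in ignores[name]
            for name, (start, end) in blocks.items()
        )
    ]


# Constructed template: the issue's bucket with the directive above the
# resource, plus a second bucket with the directive beside the nested property.
TEMPLATE = """\
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  #trivy:ignore:AVD-AWS-0132
  S3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              #trivy:ignore:AVD-AWS-0132
              SSEAlgorithm: AES256
"""

# Constructed findings; AVD-AWS-0090 is borrowed from the debug log above only
# as a distinct ID that no directive names.
FINDINGS = [
    Finding("AVD-AWS-0132", 4, 11),
    Finding("AVD-AWS-0132", 12, 19),
    Finding("AVD-AWS-0090", 4, 11),
]

if __name__ == "__main__":
    for f in apply_ignores(TEMPLATE, FINDINGS):
        print(f"{f.check_id} at lines {f.start_line}-{f.end_line} still reported")
```

Run as a script, the S3Bucket AVD-AWS-0132 finding is suppressed by the comment directly above the resource, while two findings survive: the LogBucket AVD-AWS-0132, because under this example's rule a directive placed beside the nested SSEAlgorithm property (the reporter's second attempt) never attaches to the resource, and the AVD-AWS-0090 on S3Bucket, whose ID no directive names. Keying suppression on the resource's full line range is what lets a directive above the resource cover a finding the scanner reports against the whole block (cfn.yaml:184-226 in the output above).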