Merge pull request #18 from austimkelly/iac
add in terraform misconfigurations and tfsec action config
austimkelly authored Jan 10, 2024
2 parents 8b1c5ad + 383f6c4 commit dc8cc6c
Showing 3 changed files with 108 additions and 2 deletions.
38 changes: 38 additions & 0 deletions .github/workflows/tfsec.yml
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: tfsec

on:
push:
branches: [ "main", "develop" ]
pull_request:
branches: [ "main", "develop" ]
schedule:
- cron: '18 22 * * 3'

jobs:
tfsec:
name: Run tfsec sarif report
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Clone repo
uses: actions/checkout@v3

- name: Run tfsec
uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
with:
sarif_file: tfsec.sarif

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif
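Review bot: the three `uses:` references in this job are pinned inconsistently: `aquasecurity/tfsec-sarif-action` is pinned to a full commit SHA, while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` float on mutable major tags. Since the job runs with `security-events: write`, pin all three to a commit SHA (keeping the tag in a trailing comment for readability) so a moved or compromised tag cannot silently change what executes. Also worth a one-line comment after `Run tfsec`: the step sets no scan directory, so confirm that the action's default scan picks up the `iac-misconfiguration/` directory added in this PR and not only the repository root.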
4 changes: 2 additions & 2 deletions README.md
@@ -2,9 +2,9 @@
🧀🧀 A demo repository of simple OWASP Top 10 type of vulnerabilities in Python. Like swiss-cheese, this code is full of holes 🧀🧀

![License](https://img.shields.io/github/license/austimkelly/swiss-cheese.svg)
![GitHub Actions](https://github.com/austimkelly/swiss-cheese/workflows/CodeQL/badge.svg)
![Python 3](https://img.shields.io/badge/python-3-blue.svg)

[![CodeQL](https://github.com/austimkelly/swiss-cheese/actions/workflows/codeql.yml/badge.svg)](https://github.com/austimkelly/swiss-cheese/actions/workflows/codeql.yml)
[![tfsec](https://github.com/austimkelly/swiss-cheese/actions/workflows/tfsec.yml/badge.svg)](https://github.com/austimkelly/swiss-cheese/actions/workflows/tfsec.yml)

# Purpose

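Review bot: the new `tfsec` badge is added beside two CodeQL badges that point at the same workflow (the legacy `workflows/CodeQL/badge.svg` URL on the `![GitHub Actions]` line and the `actions/workflows/codeql.yml` badge below it). Consider dropping the legacy one in this PR so the badge row shows exactly one entry per scanner, matching the single `tfsec` entry introduced here.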
68 changes: 68 additions & 0 deletions iac-misconfiguration/main.tf
@@ -0,0 +1,68 @@

resource "aws_security_group_rule" "my-rule" {
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_alb_listener" "my-alb-listener" {
port = "80"
protocol = "HTTP"
}

resource "aws_db_security_group" "my-group" {

}

resource "aws_instance" "bad_user_data" {
user_data = <<EOF
DB_PASSWORD = "Some passwprkd"
EOF
}

variable "enableEncryption" {
default = false
}

#tfsec:ignore:azure-compute-enable-disk-encryption
resource "azurerm_managed_disk" "source" {
encryption_settings {
enabled = var.enableEncryption
}
}

resource "aws_api_gateway_domain_name" "missing_security_policy" {
}

resource "aws_api_gateway_domain_name" "empty_security_policy" {
security_policy = ""
}

resource "aws_api_gateway_domain_name" "outdated_security_policy" {
security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "valid_security_policy" {
security_policy = "TLS_1_2"
}

#tfsec:ignore:AWS092
resource "aws_dynamodb_table" "bad_example" {
name = "example"
hash_key = "TestTableHashKey"
billing_mode = "PAY_PER_REQUEST"
stream_enabled = true
stream_view_type = "NEW_AND_OLD_IMAGES"

attribute {
name = "TestTableHashKey"
type = "S"
}

point_in_time_recovery {
enabled = true
}
}

resource "aws_instance" "my_project" {

}
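Review bot: the two `#tfsec:ignore:` directives (`azure-compute-enable-disk-encryption` on the `azurerm_managed_disk` block and `AWS092` on `aws_dynamodb_table "bad_example"`) suppress exactly the findings those resources appear to exist to demonstrate, so the scheduled tfsec job will report fewer issues than this file contains. If the intent is to show how suppressions work, say so in a comment next to each directive; otherwise remove them so the SARIF upload reflects the full set of misconfigurations. Two further points: several blocks omit arguments the AWS provider requires (`aws_security_group_rule "my-rule"` has no `security_group_id`, `from_port`, `to_port` or `protocol`; `aws_alb_listener` has no `load_balancer_arn` or `default_action`; both `aws_instance` blocks lack `ami` and `instance_type`), so `terraform validate` will fail on this directory, which is fine for a scan-only fixture but should be stated in a header comment. And each resource would be easier to verify in CI with a one-line comment naming the tfsec check it is meant to trigger (for example, the world-open `cidr_blocks`, the plaintext `HTTP` listener on port 80, the credential embedded in `user_data`, and the `TLS_1_0` and empty `security_policy` values), with `valid_security_policy` marked as the deliberate negative case.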
