From bd5a674a048b35bff4d779629970a5ae941ef2a3 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:06:13 -0500 Subject: [PATCH 001/107] Delete .github/workflows directory --- .github/workflows/build.yaml | 37 ----------------------------- .github/workflows/pull_request.yaml | 16 ------------- .github/workflows/semgrep.yml | 16 ------------- 3 files changed, 69 deletions(-) delete mode 100644 .github/workflows/build.yaml delete mode 100644 .github/workflows/pull_request.yaml delete mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index d49ee21412..0000000000 --- a/.github/workflows/build.yaml +++ /dev/null @@ -1,37 +0,0 @@ -name: build -on: - push: - branches: - - master -jobs: - build: - runs-on: [self-hosted, public, linux, x64] - steps: - - uses: actions/checkout@v2 - name: Checkout repo - with: - fetch-depth: 0 - - name: Run yor action - uses: bridgecrewio/yor-action@main - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 - with: - python-version: 3.7 - - name: Update documentation - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - git fetch --tags - git pull - latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`) - echo "latest tag: $latest_tag" - new_tag=$(echo $latest_tag | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}') - echo "new tag: $new_tag" - - pip install -U checkov - cat .github/template.md > README.md && checkov -d terraform -o github_failed_only -s >> README.md - git add README.md || echo "No changes to commit" - git commit -m "update resource scan result doc" README.md || echo "No changes to commit" - git push origin - git tag $new_tag - git push origin $new_tag 
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml deleted file mode 100644 index f3c271a117..0000000000 --- a/.github/workflows/pull_request.yaml +++ /dev/null @@ -1,16 +0,0 @@ -name: build -on: - pull_request -jobs: - checkov-job: - runs-on: ubuntu-latest - name: checkov-action - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - - name: Run Checkov action - id: checkov - uses: bridgecrewio/checkov-action@master - with: - directory: terraform/ diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index ca54ccb98e..0000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null @@ -1,16 +0,0 @@ -on: - pull_request: {} - push: - branches: - - main - - master -name: Semgrep -jobs: - semgrep: - name: Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: returntocorp/semgrep-action@v1 - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} From 909a3a3adba6e89affa15db951474b2764f808c5 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:20:29 -0500 Subject: [PATCH 002/107] Create main.yml --- .github/workflows/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..f0aa76a3cd --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,11 @@ +steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} From 2e607ca1ae2ecd918500847805bd3f5765aa8ced Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 09:26:55 -0500 Subject: [PATCH 003/107] test change to s3 file --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) 
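Review bot: The new main.yml is a bare `steps:` list with no `name`, `on` or `jobs` keys, so GitHub will not accept it as a workflow and the Bridgecrew scan never runs; the steps need to sit under `jobs: <id>: runs-on: ...` with an `on:` trigger. The scan step is pulled from `bridgecrewio/bridgecrew-action@master`, a mutable branch ref, inside a job that receives `secrets.BC_API_KEY` — whoever can move that branch can run code with the key, so pin it to a release tag or, better, a full commit SHA. The same applies to `actions/checkout@v2`.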
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From b61dabf409797e37d4040c5468a6894436bfb61b Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 09:34:36 -0500 Subject: [PATCH 004/107] test change to s3 file --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 796a1f0e83abc7b2e9fee3742752d81d6003e238 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:40:22 -0500 Subject: [PATCH 005/107] Update main.yml --- .github/workflows/main.yml | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f0aa76a3cd..cb67aff16d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,11 +1,22 @@ -steps: - - name: Checkout repo - uses: actions/checkout@v2 - - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} +name: Prisma Cloud IaC Scan +on: + pull_request: + push: + branches: + - master +jobs: + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} From 10594f376d4a40349fbf1ed7ce9272246f22d375 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:46:25 -0500 Subject: [PATCH 006/107] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cb67aff16d..4177838654 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,9 +10,8 @@ jobs: strategy: matrix: python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 + steps: + - uses: actions/checkout@v2 - name: Run Bridgecrew id: Bridgecrew uses: bridgecrewio/bridgecrew-action@master @@ -20,3 +19,4 @@ jobs: PRISMA_API_URL: https://api4.prismacloud.io with: api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ From 239cdb166f3c91dddaefae5e16afd9744b034469 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 09:46:44 -0500 Subject: [PATCH 007/107] one more change --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf 
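Review bot: `strategy.matrix.python-version: [3.8]` is declared but nothing visible in the job consumes it — there is no `actions/setup-python` step and the Bridgecrew step takes only `api-key` — so it adds a matrix dimension for no effect; drop the `strategy:` block, or if a Python setup step is added later quote the version (`"3.8"`) so a future `3.10` is not read as the float 3.1. `bridgecrewio/bridgecrew-action@master` remains a moving branch ref in a job holding `secrets.BC_API_KEY`; pin it to a tag or full commit SHA.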
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 9748019488de29e9585a7df38d53f26b536e9dac Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:57:52 -0500 Subject: [PATCH 008/107] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4177838654..f4ffcd940f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,3 +20,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ + soft_fail: true From b7fcf4b2c242ae7992c2d70c57e868fd021503c4 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:12:58 -0500 Subject: [PATCH 009/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f4ffcd940f..ed35bfc84d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,4 +20,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: true + soft_fail: 'true' From cf6d559116ccc599e245e5c8484f6aceb95d9d20 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:24:13 -0500 Subject: [PATCH 010/107] Update main.yml --- .github/workflows/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ed35bfc84d..bd304dde9d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
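Review bot: `soft_fail: true` makes the Bridgecrew step exit 0 regardless of findings, so from this commit on the scan is advisory only and can never block a pull request or a push to master. If that is deliberate — the `--repo-id jluevan13/terragoat-forked` used later in this series suggests an intentionally vulnerable TerraGoat fork, where a hard fail would be permanent — say so next to the key, e.g. `soft_fail: true  # intentionally vulnerable repo: report only, never gate`; otherwise remove it so enforcement has teeth. The next commit on the same line rewrites the value as the quoted string `'true'`; whether the action treats the string and the boolean differently is worth confirming, though the workflow flips it back shortly after.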
@@ -11,7 +11,8 @@ jobs: matrix: python-version: [3.8] steps: - - uses: actions/checkout@v2 + - name: Checkout repo + uses: actions/checkout@v2 - name: Run Bridgecrew id: Bridgecrew uses: bridgecrewio/bridgecrew-action@master @@ -20,4 +21,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: 'true' + soft_fail: true From 012a8e0a1cb8ffb39f9cc0ba4a1d0ad061650e78 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 10:24:29 -0500 Subject: [PATCH 011/107] one more change --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From ea6be7302e0f49ddec43d3f502a2ecfd3511a0e3 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 10:26:58 -0500 Subject: [PATCH 012/107] lets see what happens --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 9aa9eeb91076bdfb5989a1e03960430b652c694b Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:33:22 -0500 Subject: [PATCH 013/107] Update main.yml --- .github/workflows/main.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bd304dde9d..c3b1658aaa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,10 +1,18 @@ name: Prisma Cloud IaC Scan on: pull_request: - push: - branches: - - master + types: + - closed +# push: +# branches: +# - master jobs: + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: @@ -21,4 +29,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: true +# soft_fail: true From 4fe3460c170b3bc342eafc109acf2fa909d87bf9 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 10:33:44 -0500 Subject: [PATCH 014/107] another one --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From a895398b76ba73b5e455ac6da7d85f20450d4139 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:58:45 -0500 Subject: [PATCH 015/107] Update main.yml --- .github/workflows/main.yml | 55 +++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c3b1658aaa..ab940c9613 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
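Review bot: Switching the trigger to `pull_request: types: [closed]` means the `scan` job now runs only after a PR is closed, so a failing scan can no longer block anything — the Terraform is already on master (or the PR was discarded) by the time checkov reports. The `if: github.event.pull_request.merged == true` guard was added to the new `if_merged` job but not to `scan`, so `scan` also fires for PRs closed without merging; add the same `if:` line under `scan:` and keep an open/synchronize `pull_request` or `push` trigger if the scan is meant to gate. Commenting out `soft_fail: true` at the same time turns a post-merge report into a post-merge hard failure, which is the least useful combination. The `push:` block is left as commented-out lines rather than deleted; git history already preserves it.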
@@ -1,11 +1,42 @@ -name: Prisma Cloud IaC Scan +# name: Prisma Cloud IaC Scan +# on: +# pull_request: +# types: +# - closed +# push: +# branches: +# - master +# jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# soft_fail: true + + +name: Prisma Cloud IaC Scan with checkov on: pull_request: types: - closed -# push: -# branches: -# - master jobs: if_merged: if: github.event.pull_request.merged == true @@ -19,14 +50,8 @@ jobs: matrix: python-version: [3.8] steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ -# soft_fail: true + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master From aaeae28e8845de7229d5d47c0cafc6fb8eb1f3f9 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 10:59:14 -0500 Subject: [PATCH 016/107] another onev2 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf 
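Review bot: The rewritten `scan` job no longer checks out the repository — its only steps are `pip3 install checkov` and the checkov run — so `checkov -d terraform/` points at an empty workspace and scans nothing or fails on the missing path. The single line `export PRISMA_API_URL=... checkov -d terraform/ ...` is also wrong as written: everything after the URL becomes an argument to `export`, so checkov never executes. `${{secrets.BC_API_KEY }}` is interpolated into the script text by the workflow engine before bash runs; the safer pattern is to pass it through `env:` and reference `"$BC_API_KEY"` so the value is never part of the script and cannot be broken by shell metacharacters. `pip3 install checkov` with no version constraint makes the scanner non-reproducible in a job that holds the key, and `--branch master` is hardcoded although the workflow fires on PR events. Suggested shape of the steps:

```yaml
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2  # prefer a full commit SHA
      - name: Install checkov
        run: pip3 install checkov  # pin: checkov==<version>
      - name: Run checkov
        env:
          PRISMA_API_URL: https://api4.prismacloud.io
          BC_API_KEY: ${{ secrets.BC_API_KEY }}
        run: |
          checkov -d terraform/ --bc-api-key "$BC_API_KEY" --repo-id jluevan13/terragoat-forked --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}"
```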
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From ac7aaa8837e09ddb4bdd98847ff68774f660f5a3 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:06:13 -0500 Subject: [PATCH 017/107] Update main.yml --- .github/workflows/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ab940c9613..6778ed8bbd 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,4 +54,5 @@ jobs: run: pip3 install checkov - name: Run checkov run: | - export PRISMA_API_URL=https://api4.prismacloud.io checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master From 4ccaefdaba28a97aa25b629e96625d5d8d6defae Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 11:06:38 -0500 Subject: [PATCH 018/107] another onev3 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 476103a64c4f02bbe6d4070183e829e3974e0f57 Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:09:46 -0500
Subject: [PATCH 019/107] Update main.yml
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6778ed8bbd..33c13bc104 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -55,4 +55,4 @@ jobs:
 - name: Run checkov
 run: |
 export PRISMA_API_URL=https://api4.prismacloud.io
- checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master
+ checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master
From 9f2f162651a47ee416515e93e98ed26d170d51dd Mon Sep 17 00:00:00 2001
From: jluevan13
Date: Tue, 7 Mar 2023 11:10:06 -0500
Subject: [PATCH 020/107] another onev4
---
 terraform/aws/s3.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index a2a2ed78fe..40cce2783f 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
+ # this is a change
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
From 0ea8ab7e3e1f4108f53376b648196d20e8a9c0b2 Mon Sep 17 00:00:00 2001
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:15:50 -0500
Subject: [PATCH 021/107] Update main.yml
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 33c13bc104..f00b5c9fae 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -55,4 +55,4 @@ jobs:
 - name: Run checkov
 run: |
 export PRISMA_API_URL=https://api4.prismacloud.io
- checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master
+ checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
From 7ce7d10e7c84e8837631fd73f6c2b1f052055a31 Mon Sep 17 00:00:00 2001
From: jluevan13
Date: Tue, 7 Mar 2023 11:16:45 -0500
Subject: [PATCH 022/107] another onev4
---
 terraform/aws/s3.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index 40cce2783f..a2a2ed78fe 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" {
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
- # this is a change
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
From 6d3ab8a7b2bc99bb222da6539a017850d61b8280 Mon Sep 17 00:00:00 2001
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:19:38 -0500
Subject: [PATCH 023/107] Update main.yml
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f00b5c9fae..385f5c0309 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -55,4 +55,4 @@ jobs:
 - name: Run checkov
 run: |
 export PRISMA_API_URL=https://api4.prismacloud.io
- checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
+ checkov -d ./terraform --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
From 6dfc5c5ea3e9377979ef32df363038dd9a023436 Mon Sep 17 00:00:00 2001
From: jluevan13 Date: Tue, 7 Mar 2023 11:19:52 -0500 Subject: [PATCH 024/107] another onev5 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 5f877316628f35c7952010ff7e8f7050574108a7 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:25:55 -0500 Subject: [PATCH 025/107] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 385f5c0309..d141c35c85 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -52,7 +52,9 @@ jobs: steps: - name: Install checkov run: pip3 install checkov + - name: Set Working Directory + working-directory: ./terraform - name: Run checkov run: | export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d ./terraform --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From d7850af656df28f8a2627c4a905244f23a9aaaa7 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 11:26:28 -0500 Subject: [PATCH 026/107] another onev6 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf 
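Review bot: The added `Set Working Directory` step has neither `uses:` nor `run:`, which the workflow schema requires of every step, so the file fails validation and no job runs; and a step-level `working-directory` only applies to the step it sits on, not to the `Run checkov` step that follows. Put `working-directory: ./terraform` directly on the `Run checkov` step, or use job-level `defaults: run: working-directory: ./terraform`. Note the job still has no `actions/checkout` step, so `./terraform` does not exist on the runner however the working directory is set.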
@@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 682603615391cf95687f2fa62994b8f5785bbe89 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:29:17 -0500 Subject: [PATCH 027/107] Update main.yml --- .github/workflows/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d141c35c85..6950dbc660 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -52,9 +52,8 @@ jobs: steps: - name: Install checkov run: pip3 install checkov - - name: Set Working Directory - working-directory: ./terraform - name: Run checkov + working-directory: ./terraform run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 7e90771383678cad0bc26e9b635e08c11e7c10d3 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 11:31:01 -0500 Subject: [PATCH 028/107] another onev7 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From e8fc457d78bf1c8df658983f8b8e9e9ea569e20d Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:38:46 -0500 Subject: [PATCH 029/107] Update main.yml --- .github/workflows/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6950dbc660..5055662f8b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,12 +38,12 @@ on: types: - closed jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged scan: runs-on: ubuntu-latest strategy: @@ -53,7 +53,7 @@ jobs: - name: Install checkov run: pip3 install checkov - name: Run checkov - working-directory: ./terraform run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + working-directory: ./terraform From 37a6c0aea814db1c81dff81256448ae9f2bc2bd8 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 11:39:02 -0500 Subject: [PATCH 030/107] another onev8 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 52bdb50dd689d494f72717e8979a727f7b63e50b Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:43:02 -0500
Subject: [PATCH 031/107] Update main.yml
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5055662f8b..44214e853b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -56,4 +56,4 @@ jobs:
 run: |
 export PRISMA_API_URL=https://api4.prismacloud.io
 checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
- working-directory: ./terraform
+ working-directory: terraform
From fd9ffbcc179b84e618dc360813095d0e7b931cda Mon Sep 17 00:00:00 2001
From: jluevan13
Date: Tue, 7 Mar 2023 11:43:19 -0500
Subject: [PATCH 032/107] another onev8
---
 terraform/aws/s3.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index a2a2ed78fe..40cce2783f 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
+ # this is a change
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
From 8d5afb1fcb7bea56a72e2e745f7a7393cf9b9d6d Mon Sep 17 00:00:00 2001
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:46:54 -0500
Subject: [PATCH 033/107] Update main.yml
---
 .github/workflows/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 44214e853b..5a380f1377 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -56,4 +56,3 @@ jobs:
 run: |
 export PRISMA_API_URL=https://api4.prismacloud.io
 checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
- working-directory: terraform
From 279eab2a7f347d0d802c3488715d9cc5cff78fef Mon Sep 17 00:00:00 2001
From: jluevan13
Date: Tue, 7 Mar 2023 11:47:07 -0500
Subject: [PATCH 034/107] another onev8
---
 terraform/aws/s3.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index 40cce2783f..a2a2ed78fe 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" {
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
- # this is a change
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
From 753f96e14fb2c1b45da512ad872e7f9e365bb3b1 Mon Sep 17 00:00:00 2001
From: jluevan13 <97073150+jluevan13@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:58:04 -0500
Subject: [PATCH 035/107] Update main.yml
---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5a380f1377..78b86ff448 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -49,6 +49,9 @@ jobs:
 strategy:
 matrix:
 python-version: [3.8]
+ defaults:
+ run:
+ working-directory: ./terraform
 steps:
 - name: Install checkov
 run: pip3 install checkov
From b60dfd55067d079a5245b0502aa15a89cb82421b Mon Sep 17 00:00:00 2001
From: jluevan13
Date: Tue, 7 Mar 2023 11:58:25 -0500
Subject: [PATCH 036/107] another onev9
---
 terraform/aws/s3.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index a2a2ed78fe..40cce2783f 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
+ # this is a change
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
From bb6ab550ba0990ba9a03db837fec081361910962 Mon Sep 17 00:00:00 2001
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:09:26 -0500 Subject: [PATCH 037/107] Update main.yml --- .github/workflows/main.yml | 100 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 78b86ff448..e5829d0027 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,61 +1,61 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# soft_fail: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 538a8e2ba07d993c1f0b8964a25f17c1855efd6d Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:09:43 -0500 Subject: [PATCH 038/107] another onev9 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 2b24ea54fb80d82f01233ea573d106b603d7e33e Mon Sep 17 00:00:00 2001 
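Review bot: This commit keeps two complete workflow definitions in one file and selects between them by commenting one out wholesale — the checkov variant (about thirty lines) is now dead text below the live Bridgecrew one, and the file has already flipped between the two several times in this series. Keep a single definition and rely on git history for the other, or if both are genuinely wanted make them two jobs guarded by `if:`. The live config is back on `bridgecrewio/bridgecrew-action@master` with `secrets.BC_API_KEY`; pin the action to a release tag or full commit SHA. With both `push: branches: [master]` and `pull_request: types: [closed]` active, a merged PR appears to trigger two scans of the same tree, one per event — confirm that is intended.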
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:12:16 -0500 Subject: [PATCH 039/107] Update main.yml --- .github/workflows/main.yml | 100 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e5829d0027..e56eb62160 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,61 +1,61 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed - push: - branches: - - master -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - use_enforcement_rules: true - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed +# push: +# branches: +# - master # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# use_enforcement_rules: true + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 57120ff166311e71a76f81b710a0d88fe0c056d6 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:13:50 -0500 Subject: [PATCH 040/107] Update main.yml --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e56eb62160..7940397983 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -53,6 +53,8 @@ jobs: run: working-directory: ./terraform steps: + - name: Checkout repo + uses: actions/checkout@v2 - name: Install checkov run: pip3 install checkov - name: Run checkov From c5def5d076c07b1fe9b94155784cbcf112040fe0 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:14:05 -0500 Subject: [PATCH 041/107] another onev10 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) 
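Review bot: The new `Run checkov` step hands the API key to checkov as a command-line argument (`--bc-api-key ${{secrets.BC_API_KEY }}`), so it is visible in the runner's process arguments and in any `set -x`/command-echo output, while `PRISMA_API_URL` on the line above is already exported as an environment variable. Checkov reads the key from the `BC_API_KEY` environment variable, so put the secret in the step's `env:` next to the URL and drop the flag; the identical run step recurs in PATCH 046 and PATCH 059. `pip3 install checkov` installs whatever version is current at run time, so scan results are not reproducible — pin it (`pip3 install checkov==<pinned-version>`). The job also declares a `python-version: [3.8]` matrix that no `setup-python` step consumes, and `3.8` is an unquoted float.
```yaml
      # … unchanged: checkout and install steps …
      - name: Run checkov
        env:
          PRISMA_API_URL: https://api4.prismacloud.io
          BC_API_KEY: ${{ secrets.BC_API_KEY }}
        run: checkov -d . --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules
```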
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From bca92103350bafe226621da2c6c10287dc3546ab Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:17:40 -0500 Subject: [PATCH 042/107] another onev11 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 17af1ed4e5cc7b73dc8c92a27811418fc11cccd9 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:31:57 -0500 Subject: [PATCH 043/107] Update main.yml --- .github/workflows/main.yml | 103 ++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 52 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7940397983..27fde3af26 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,63 +1,62 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# use_enforcement_rules: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From a211bf215cfd981f60ec149a7aba972b80b9ca38 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:32:10 -0500 Subject: [PATCH 044/107] another onev12 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 9553e82082fb3c7f643ad7fe61db6ef0fdfa756c Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:35:34 -0500 Subject: [PATCH 045/107] another onev13 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) 
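Review bot: The scan step's `uses: bridgecrewio/bridgecrew-action@master` (and `actions/checkout@v2`) references a mutable branch/tag, so the code that receives `secrets.BC_API_KEY` can change without any change to this repository; pin third-party actions to a full commit SHA, e.g. `uses: bridgecrewio/bridgecrew-action@<full-commit-sha>  # <release-tag>`, and checkout at least to a release tag. The same references recur in PATCH 056, 061, 067, 068, 071 and 072. Separately, the `if_merged` job only echoes and nothing depends on it, so `scan` runs for every closed pull request whether or not it was merged; if the intent is to scan merged code, gate it with `if: github.event_name == 'push' || github.event.pull_request.merged == true` on the `scan` job.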
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 41a014d5458e758e2fd1dc217ba47ef23053c9f5 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:38:49 -0500 Subject: [PATCH 046/107] Update main.yml --- .github/workflows/main.yml | 102 ++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27fde3af26..98994f5931 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,62 +1,62 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed - push: - branches: - - master -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed +# push: +# branches: +# - master # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From c6b214484582347a9f7fbe37b2cf24e7cc162779 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:39:09 -0500 Subject: [PATCH 047/107] another onev14 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 589bca28183877b12ab52de3e83b9e1489903bc2 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:42:13 -0500 Subject: [PATCH 048/107] soft fail high --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 1ef7c68c663d8c0861223b151d0240a1a396bdba Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:45:11 -0500 Subject: [PATCH 049/107] hard fail high --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 8d05710de237caa1385858c10dd7340b1296e723 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:48:27 -0500 Subject: [PATCH 050/107] info only --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 5887e14132c18e53d82c1cec7da672259fcb4cee Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:50:50 -0500 Subject: [PATCH 051/107] info only --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf 
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From c27d0e49e8417140e8c9cafe17462fa2d79bd43e Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:52:43 -0500 Subject: [PATCH 052/107] soft fail high --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 31c9ad96d05e0ba0ec90a1514df832d197be4a78 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 12:55:01 -0500 Subject: [PATCH 053/107] hard fail high --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 6d125f33c92786c69ef5f7d0cff1c68124ada059 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 13:02:15 -0500 Subject: [PATCH 054/107] hard fail high --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf 
@@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 45021addc433c0991fd253fb0a7341f0d545a857 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 7 Mar 2023 14:10:34 -0500 Subject: [PATCH 055/107] this is a change --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 6ad5390834a4201db5ce2980138e43e9ec68d7c1 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 11:38:06 -0500 Subject: [PATCH 056/107] Update main.yml --- .github/workflows/main.yml | 103 +++++++++++++++++++------------------ 1 file changed, 52 insertions(+), 51 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 98994f5931..dd06806611 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,62 +1,63 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 831e865ac774405c03a0915b77c89317e17fe9fa Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 12:12:33 -0500 Subject: [PATCH 057/107] Update main.yml --- .github/workflows/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index dd06806611..3530674282 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,9 +3,6 @@ on: pull_request: types: - closed - push: - branches: - - master jobs: if_merged: if: github.event.pull_request.merged == true From 883cede45b0972b5977255f4f3c34c9c9b618cf0 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Wed, 8 Mar 2023 12:13:22 -0500 Subject: [PATCH 058/107] this is a change --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From b8bf6c0db86238ef4af1f0073cf0c543249f9576 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 16:03:57 -0500 Subject: [PATCH 059/107] Update main.yml --- .github/workflows/main.yml | 98 +++++++++++++++++++------------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3530674282..d878d0ac08 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,60 +1,60 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - use_enforcement_rules: true - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# use_enforcement_rules: true + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 2ff84b34f0c942db871b1b51ec0de5590aff2411 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Wed, 8 Mar 2023 16:06:54 -0500 Subject: [PATCH 060/107] this is a change2 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From d55e2c9aef7ae38258fb1c369c3495ed7ae59571 Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Thu, 9 Mar 2023 18:16:49 -0500 Subject: [PATCH 061/107] Update main.yml --- .github/workflows/main.yml | 92 ++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 49 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d878d0ac08..1c96884abc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,60 +1,54 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# use_enforcement_rules: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 68086b2615e39a997403b1e9e1204b0aadf469a4 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 9 Mar 2023 18:17:33 -0500 Subject: [PATCH 062/107] this is a change3 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From b651d04826b8511550bff8d79d972a344c5f0d9b Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 9 Mar 2023 18:20:18 -0500 Subject: [PATCH 063/107] this is a change4 --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..592608ce26 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is also a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From e7042fbdc82e12f3f2d0bcf8c60681723aa1ff46 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 9 Mar 2023 20:57:36 -0500 Subject: [PATCH 064/107] this is a change4 --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 592608ce26..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is also a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From eaf19481173f677484678f2dfecffedb7e666aab Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 6 Apr 2023 11:30:22 -0400 Subject: [PATCH 065/107] test --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..40cce2783f 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 1070cdc7391234ec3af0aa888a3d5e7541ff911b Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:20:29 -0500 Subject: [PATCH 066/107] Create main.yml --- .github/workflows/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/main.yml 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..f0aa76a3cd --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,11 @@ +steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} From cf5f385432180570b913b028c66fd0e84e5d945e Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:40:22 -0500 Subject: [PATCH 067/107] Update main.yml --- .github/workflows/main.yml | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f0aa76a3cd..cb67aff16d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,11 +1,22 @@ -steps: - - name: Checkout repo - uses: actions/checkout@v2 - - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} +name: Prisma Cloud IaC Scan +on: + pull_request: + push: + branches: + - master +jobs: + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} From edf87d98f3543596579d91e43583882f7e43b0c0 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:46:25 -0500 Subject: [PATCH 068/107] Update main.yml --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
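Review bot: With the bare `pull_request:` trigger added in PATCH 067, runs for pull requests opened from forks do not receive repository secrets, so `api-key: ${{ secrets.BC_API_KEY }}` is empty there and the Bridgecrew step fails rather than scans; if fork PRs are expected, either document that as accepted (`# fork PRs have no secrets; scan runs only for branch PRs and pushes`) or restrict scanning to `push`. The `strategy.matrix.python-version: [3.8]` block is consumed by no step (there is no `setup-python`), and `3.8` is an unquoted float, so it is dead config that should be removed or, if kept, quoted as `"3.8"`.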
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cb67aff16d..4177838654 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,9 +10,8 @@ jobs: strategy: matrix: python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 + steps: + - uses: actions/checkout@v2 - name: Run Bridgecrew id: Bridgecrew uses: bridgecrewio/bridgecrew-action@master @@ -20,3 +19,4 @@ jobs: PRISMA_API_URL: https://api4.prismacloud.io with: api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ From 0b9dea6be8f0d52fab950c9ef959c048806ec34b Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 09:57:52 -0500 Subject: [PATCH 069/107] Update main.yml --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4177838654..f4ffcd940f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,3 +20,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ + soft_fail: true From 838511e15177b4620055b7f56e77f766a8a0a4f4 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:12:58 -0500 Subject: [PATCH 070/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f4ffcd940f..ed35bfc84d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,4 +20,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: true + soft_fail: 'true' From 97d7c1eb5dbeb76a17022b34be9667188a7ed256 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:24:13 -0500 Subject: [PATCH 071/107] Update main.yml --- .github/workflows/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
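Review bot: `soft_fail: true` on the Bridgecrew step makes the step succeed regardless of findings, so a branch-protection rule that requires this workflow can never block a merge on a policy violation — the scan becomes advisory only. If that is deliberate for a rollout period, say so next to the input, `soft_fail: true  # advisory only: findings are reported but never fail the check`, so the gap is visible to whoever relies on the check; if not, drop the input. The same input is toggled back and forth again in PATCH 070–072 without the intent being recorded anywhere.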
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ed35bfc84d..bd304dde9d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,7 +11,8 @@ jobs: matrix: python-version: [3.8] steps: - - uses: actions/checkout@v2 + - name: Checkout repo + uses: actions/checkout@v2 - name: Run Bridgecrew id: Bridgecrew uses: bridgecrewio/bridgecrew-action@master @@ -20,4 +21,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: 'true' + soft_fail: true From 2a5fa9b4658fa6bbc417373654f444bd2743af16 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:33:22 -0500 Subject: [PATCH 072/107] Update main.yml --- .github/workflows/main.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bd304dde9d..c3b1658aaa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,10 +1,18 @@ name: Prisma Cloud IaC Scan on: pull_request: - push: - branches: - - master + types: + - closed +# push: +# branches: +# - master jobs: + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: @@ -21,4 +29,4 @@ jobs: with: api-key: ${{ secrets.BC_API_KEY }} directory: terraform/ - soft_fail: true +# soft_fail: true From 146ad592ddebdc06e4f0e5b6ab1e364f9500130b Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 10:58:45 -0500 Subject: [PATCH 073/107] Update main.yml --- .github/workflows/main.yml | 55 +++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c3b1658aaa..ab940c9613 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
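Review bot: The `merged == true` guard is only on the new `if_merged` job, which does nothing but echo, while `scan` has no `if:` and no `needs:`, so with `pull_request: types: [closed]` the scan runs for every closed PR, merged or abandoned. If the intent is to scan only merged changes, the condition belongs on `scan` itself, `if: github.event.pull_request.merged == true`; if the intent is to gate merges, a `closed`-only trigger cannot do that because the change is already merged when it runs, so a pre-merge `pull_request` run is still needed. The `push:` trigger and `soft_fail` are left as commented-out lines rather than removed; git history preserves them, and dead config tends to drift from the live copy. The unconditional-on-close structure persists to the end of the series (PATCH 092 removes `if_merged` and leaves `scan` unguarded).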
@@ -1,11 +1,42 @@ -name: Prisma Cloud IaC Scan +# name: Prisma Cloud IaC Scan +# on: +# pull_request: +# types: +# - closed +# push: +# branches: +# - master +# jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# soft_fail: true + + +name: Prisma Cloud IaC Scan with checkov on: pull_request: types: - closed -# push: -# branches: -# - master jobs: if_merged: if: github.event.pull_request.merged == true @@ -19,14 +50,8 @@ jobs: matrix: python-version: [3.8] steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ -# soft_fail: true + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master From e6dad9766e2ae2f85b4ec53dc6fd540a14f3f30e Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:06:13 -0500 Subject: [PATCH 074/107] Update main.yml --- .github/workflows/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ab940c9613..6778ed8bbd 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
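Review bot: `--bc-api-key ${{secrets.BC_API_KEY }}` in the `Run checkov` step interpolates the secret into the shell script text, so the key becomes a command-line argument of the checkov process (and part of the script file the runner writes), visible to any other process or third-party action running in the job; log masking does not change that. Pass it through `env:` and reference `"$BC_API_KEY"` in the command instead. In the second hunk the checkout step is removed and no other step checks out the repository, so `terraform/` does not exist in the workspace when checkov runs; the checkov job stays without a checkout through PATCH 085. The `export PRISMA_API_URL=... checkov -d terraform/ ...` line also joins two commands on one shell line, so checkov is never actually invoked, and the thirty commented-out lines of the previous workflow at the top of the file should be deleted rather than kept as dead config.
```yaml
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      # … unchanged: Install checkov step …
      - name: Run checkov
        env:
          PRISMA_API_URL: https://api4.prismacloud.io
          BC_API_KEY: ${{ secrets.BC_API_KEY }}
        run: |
          checkov -d terraform/ --bc-api-key "$BC_API_KEY" --repo-id jluevan13/terragoat-forked --branch master
```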
@@ -54,4 +54,5 @@ jobs: run: pip3 install checkov - name: Run checkov run: | - export PRISMA_API_URL=https://api4.prismacloud.io checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master From 9277486587c8360ebea951e393de12709389abcd Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:09:46 -0500 Subject: [PATCH 075/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6778ed8bbd..33c13bc104 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -55,4 +55,4 @@ jobs: - name: Run checkov run: | export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master + checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master From f40e1f3af0861d1574bfa672e71fc1bdc5f25957 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:15:50 -0500 Subject: [PATCH 076/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 33c13bc104..f00b5c9fae 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -55,4 +55,4 @@ jobs: - name: Run checkov run: | export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master + checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 944f8a8ba17b4d51da97e193ca5cdd5a1a45c306 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:19:38 -0500 Subject: [PATCH 077/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f00b5c9fae..385f5c0309 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -55,4 +55,4 @@ jobs: - name: Run checkov run: | export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d ./terraform/ --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + checkov -d ./terraform --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 149287d90ab589d0ddf5fb60c1052091487f5091 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:25:55 -0500 Subject: [PATCH 078/107] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 385f5c0309..d141c35c85 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -52,7 +52,9 @@ jobs: steps: - name: Install checkov run: pip3 install checkov + - name: Set Working Directory + working-directory: ./terraform - name: Run checkov run: | export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d ./terraform --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 2887f0ecd751776269ca08747e5bff480985aae4 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:29:17 -0500 Subject: [PATCH 079/107] Update main.yml --- .github/workflows/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d141c35c85..6950dbc660 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -52,9 +52,8 @@ jobs: steps: - name: Install checkov run: pip3 install checkov - - name: Set Working Directory - working-directory: ./terraform - name: Run checkov + working-directory: ./terraform run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From fc6fff7e5e3ae878e3be9d9b0d46b890030d38b2 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:38:46 -0500 Subject: [PATCH 080/107] Update main.yml --- .github/workflows/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6950dbc660..5055662f8b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
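Review bot: The new `Set Working Directory` step has neither `run:` nor `uses:`, so GitHub rejects the workflow before any step executes; and `working-directory` is scoped to the step it is declared on, so even a valid step there would not change where the following `Run checkov` step runs. Put the key on the step that needs it, `- name: Run checkov` / `working-directory: ./terraform`, or under `defaults.run` for the job, and delete the extra step.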
@@ -38,12 +38,12 @@ on: types: - closed jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged scan: runs-on: ubuntu-latest strategy: @@ -53,7 +53,7 @@ jobs: - name: Install checkov run: pip3 install checkov - name: Run checkov - working-directory: ./terraform run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + working-directory: ./terraform From 6da4974ebf8a57dae5e4137a425917a6b8524293 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:43:02 -0500 Subject: [PATCH 081/107] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5055662f8b..44214e853b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -56,4 +56,4 @@ jobs: run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules - working-directory: ./terraform + working-directory: terraform From 9605df6908388d46daf962da899761c765683264 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:46:54 -0500 Subject: [PATCH 082/107] Update main.yml --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 44214e853b..5a380f1377 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -56,4 +56,3 @@ jobs: run: | export PRISMA_API_URL=https://api4.prismacloud.io checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules - working-directory: terraform From 89d0e053e38f91d845cc98db05306f9a74c36523 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 11:58:04 -0500 Subject: [PATCH 083/107] Update main.yml --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5a380f1377..78b86ff448 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -49,6 +49,9 @@ jobs: strategy: matrix: python-version: [3.8] + defaults: + run: + working-directory: ./terraform steps: - name: Install checkov run: pip3 install checkov From 53a41c9db42b315a25860aa17101ca9c963da4f8 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:09:26 -0500 Subject: [PATCH 084/107] Update main.yml --- .github/workflows/main.yml | 100 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 78b86ff448..e5829d0027 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,61 +1,61 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# soft_fail: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 8a5982aa43ca363dcfdb80422bd29dd3e6539ee9 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:12:16 -0500 Subject: [PATCH 085/107] Update main.yml --- .github/workflows/main.yml | 100 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e5829d0027..e56eb62160 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
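Review bot: The live workflow is switched by commenting out one fifty-line copy and uncommenting the other, and the same swap is repeated in PATCH 085, 087, 088, 089, 091 and 092. Commented-out YAML is never validated and silently drifts from the copy that runs, and each swap produces a hundred-line diff for what is a one-line choice. Keep the two variants as separate workflow files (for example `bridgecrew-action.yml` and `checkov-cli.yml`, names constructed here) and control which one is active through its `on:` triggers or by disabling the workflow in the repository settings, so the inactive variant stays a real, lintable file.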
@@ -1,61 +1,61 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed - push: - branches: - - master -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - use_enforcement_rules: true - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed +# push: +# branches: +# - master # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# use_enforcement_rules: true + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 270ee738e964878807892333cf545812b22bcf72 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:13:50 -0500 Subject: [PATCH 086/107] Update main.yml --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e56eb62160..7940397983 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -53,6 +53,8 @@ jobs: run: working-directory: ./terraform steps: + - name: Checkout repo + uses: actions/checkout@v2 - name: Install checkov run: pip3 install checkov - name: Run checkov From d2a8a2460da2e256bfcc5117f51402ada65b196f Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:31:57 -0500 Subject: [PATCH 087/107] Update main.yml --- .github/workflows/main.yml | 103 ++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 52 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7940397983..27fde3af26 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,63 +1,62 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# use_enforcement_rules: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From ec6305c39c696291badedddd40f71153e8296cda Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Tue, 7 Mar 2023 12:38:49 -0500 Subject: [PATCH 088/107] Update main.yml --- .github/workflows/main.yml | 102 ++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27fde3af26..98994f5931 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,62 +1,62 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed - push: - branches: - - master -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed +# push: +# branches: +# - master # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 1b87ad4457e0f8bb9e5ef7a4bbd63f04d54a8228 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 11:38:06 -0500 Subject: [PATCH 089/107] Update main.yml --- .github/workflows/main.yml | 103 +++++++++++++++++++------------------ 1 file changed, 52 insertions(+), 51 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 98994f5931..dd06806611 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,62 +1,63 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# push: -# branches: -# - master -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed + push: + branches: + - master jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged + if_merged: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + steps: + - run: | + echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 00c3f1266e784966976c641bad751c1a427a5573 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 12:12:33 -0500 Subject: [PATCH 090/107] Update main.yml --- .github/workflows/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index dd06806611..3530674282 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,9 +3,6 @@ on: pull_request: types: - closed - push: - branches: - - master jobs: if_merged: if: github.event.pull_request.merged == true From 73c5528c9767542f3da35d20e66ecba3c68b4e4d Mon Sep 17 00:00:00 2001 
From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Wed, 8 Mar 2023 16:03:57 -0500 Subject: [PATCH 091/107] Update main.yml --- .github/workflows/main.yml | 98 +++++++++++++++++++------------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3530674282..d878d0ac08 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,60 +1,60 @@ -name: Prisma Cloud IaC Scan -on: - pull_request: - types: - - closed -jobs: - if_merged: - if: github.event.pull_request.merged == true - runs-on: ubuntu-latest - steps: - - run: | - echo The PR was merged - scan: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.8] - steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Run Bridgecrew - id: Bridgecrew - uses: bridgecrewio/bridgecrew-action@master - env: - PRISMA_API_URL: https://api4.prismacloud.io - with: - api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ - use_enforcement_rules: true - - -# name: Prisma Cloud IaC Scan with checkov +# name: Prisma Cloud IaC Scan # on: # pull_request: # types: # - closed # jobs: -# # if_merged: -# # if: github.event.pull_request.merged == true -# # runs-on: ubuntu-latest -# # steps: -# # - run: | -# # echo The PR was merged +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged # scan: # runs-on: ubuntu-latest # strategy: # matrix: # python-version: [3.8] -# defaults: -# run: -# working-directory: ./terraform # steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Install checkov -# run: pip3 install checkov -# - name: Run checkov -# run: | -# export PRISMA_API_URL=https://api4.prismacloud.io -# checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Run Bridgecrew +# id: Bridgecrew +# uses: bridgecrewio/bridgecrew-action@master +# env: +# PRISMA_API_URL: https://api4.prismacloud.io +# with: +# api-key: ${{ secrets.BC_API_KEY }} +# directory: terraform/ +# use_enforcement_rules: true + + +name: Prisma Cloud IaC Scan with checkov +on: + pull_request: + types: + - closed +jobs: +# if_merged: +# if: github.event.pull_request.merged == true +# runs-on: ubuntu-latest +# steps: +# - run: | +# echo The PR was merged + scan: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: [3.8] + defaults: + run: + working-directory: ./terraform + steps: + - name: Checkout repo + uses: actions/checkout@v2 + - name: Install checkov + run: pip3 install checkov + - name: Run checkov + run: | + export PRISMA_API_URL=https://api4.prismacloud.io + checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 8b1328e8d356e778636224abd2e7b64809451107 Mon Sep 17 00:00:00 2001 From: jluevan13 <97073150+jluevan13@users.noreply.github.com> Date: Thu, 9 Mar 2023 18:16:49 -0500 Subject: [PATCH 092/107] Update main.yml --- .github/workflows/main.yml | 92 ++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 49 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d878d0ac08..1c96884abc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,60 +1,54 @@ -# name: Prisma Cloud IaC Scan -# on: -# pull_request: -# types: -# - closed -# jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged -# scan: -# runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: [3.8] -# steps: -# - name: Checkout repo -# uses: actions/checkout@v2 -# - name: Run Bridgecrew -# id: Bridgecrew -# uses: bridgecrewio/bridgecrew-action@master -# env: -# PRISMA_API_URL: https://api4.prismacloud.io -# with: -# api-key: ${{ secrets.BC_API_KEY }} -# directory: terraform/ -# use_enforcement_rules: true - - -name: Prisma Cloud IaC Scan with checkov +name: Prisma Cloud IaC Scan on: pull_request: types: - closed jobs: -# if_merged: -# if: github.event.pull_request.merged == true -# runs-on: ubuntu-latest -# steps: -# - run: | -# echo The PR was merged scan: runs-on: ubuntu-latest strategy: matrix: python-version: [3.8] - defaults: - run: - working-directory: ./terraform steps: - - name: Checkout repo - uses: actions/checkout@v2 - - name: Install checkov - run: pip3 install checkov - - name: Run checkov - run: | - export PRISMA_API_URL=https://api4.prismacloud.io - checkov -d . 
--bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules + - name: Checkout repo + uses: actions/checkout@v2 + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + env: + PRISMA_API_URL: https://api4.prismacloud.io + with: + api-key: ${{ secrets.BC_API_KEY }} + directory: terraform/ + use_enforcement_rules: true + + +# name: Prisma Cloud IaC Scan with checkov +# on: +# pull_request: +# types: +# - closed +# jobs: +# # if_merged: +# # if: github.event.pull_request.merged == true +# # runs-on: ubuntu-latest +# # steps: +# # - run: | +# # echo The PR was merged +# scan: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: [3.8] +# defaults: +# run: +# working-directory: ./terraform +# steps: +# - name: Checkout repo +# uses: actions/checkout@v2 +# - name: Install checkov +# run: pip3 install checkov +# - name: Run checkov +# run: | +# export PRISMA_API_URL=https://api4.prismacloud.io +# checkov -d . --bc-api-key ${{secrets.BC_API_KEY }} --repo-id jluevan13/terragoat-forked --branch master --use-enforcement-rules From 3bf8da046393e3b8e034685cf60eb3896856c819 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 6 Apr 2023 11:35:01 -0400 Subject: [PATCH 093/107] update --- terraform/aws/s3.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 40cce2783f..a2a2ed78fe 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,6 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # this is a change bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From d0291d7b029e021006cf7889bda8282010b805b1 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 6 Apr 2023 11:36:30 -0400 Subject: [PATCH 094/107] test --- terraform/aws/s3.tf | 1 + 1 file changed, 1 insertion(+) 
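Review bot: `uses: bridgecrewio/bridgecrew-action@master` on the new side is a mutable ref for a step that receives `BC_API_KEY` and the checked-out repository, so whatever lands on that branch runs with the secret; pin it to a release tag or, better, a full commit SHA so the action's code cannot change underneath the workflow. `actions/checkout@v2` is several major versions behind and deserves the same treatment. `PRISMA_API_URL` is passed as a plain `env:` value, which is fine — it is the key, not the URL, that needs protecting.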
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index a2a2ed78fe..55e2adc587 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning + # test bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From 00e1cf825545680e6daf8f8bdd22f4081577829d Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Thu, 6 Apr 2023 11:42:15 -0400 Subject: [PATCH 095/107] test --- terraform/aws/s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 55e2adc587..67bc7c3d77 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -3,7 +3,7 @@ resource "aws_s3_bucket" "data" { # bucket is not encrypted # bucket does not have access logs # bucket does not have versioning - # test + # test update bucket = "${local.resource_prefix.value}-data" force_destroy = true tags = merge({ From e3e9f4d6313179d3cdca94618c30155bb081df47 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 16 May 2023 08:29:42 -0400 Subject: [PATCH 096/107] update webhost --- terraform/aws/ec2.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index 00e0ba940f..03134af51e 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -1,11 +1,12 @@ resource "aws_instance" "web_host" { # ec2 have plain text secrets in user data - ami = "${var.ami}" + # test change + ami = var.ami instance_type = "t2.nano" vpc_security_group_ids = [ "${aws_security_group.web-node.id}"] - subnet_id = "${aws_subnet.web_subnet.id}" + subnet_id = aws_subnet.web_subnet.id user_data = < Date: Tue, 16 May 2023 09:10:18 -0400 Subject: [PATCH 097/107] update webhost --- terraform/aws/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index 03134af51e..c5e28ffe96 100644 
--- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -1,6 +1,6 @@ resource "aws_instance" "web_host" { # ec2 have plain text secrets in user data - # test change + # test change2 ami = var.ami instance_type = "t2.nano" From 040f4e7b6cb422285ee51f78362edacff82dfc9a Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Mon, 29 May 2023 20:11:13 -0400 Subject: [PATCH 098/107] add bucket policy --- terraform/aws/s3.tf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf index 67bc7c3d77..e33b4352cf 100644 --- a/terraform/aws/s3.tf +++ b/terraform/aws/s3.tf @@ -140,3 +140,27 @@ resource "aws_s3_bucket" "logs" { yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c" }) } + +resource "aws_s3_bucket_policy" "allow_access_from_another_account" { + bucket = aws_s3_bucket.logs.id + policy = data.aws_iam_policy_document.allow_access_from_another_account.json +} + +data "aws_iam_policy_document" "allow_access_from_another_account" { + statement { + principals { + type = "AWS" + identifiers = ["123456789012"] + } + + actions = [ + "s3:GetObject", + "s3:ListBucket", + ] + + resources = [ + aws_s3_bucket.example.arn, + "${aws_s3_bucket.example.arn}/*", + ] + } +} \ No newline at end of file From 96d1d0afc489ca86ac425c2381d123ef23e63e34 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Mon, 5 Jun 2023 19:15:50 -0400 Subject: [PATCH 099/107] create public storage container --- terraform/azure/storage.tf | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 8d6886286d..836a725e6d 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf 
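Review bot: The new policy is attached to `aws_s3_bucket.logs` (`bucket = aws_s3_bucket.logs.id`) but its `resources` list names `aws_s3_bucket.example.arn`; S3 rejects a bucket policy whose resource ARNs do not belong to the bucket it is attached to, and `aws_s3_bucket.example` is not visible anywhere in this patch, so the plan would likely fail on an unknown reference first. The list should read `aws_s3_bucket.logs.arn` and `"${aws_s3_bucket.logs.arn}/*"`. The statement grants `s3:GetObject`/`s3:ListBucket` on the logs bucket to an external account given as the placeholder `123456789012`; if that cross-account read is deliberate for this intentionally misconfigured repository, a one-line comment on the `principals` block saying so would spare the next reader the question. The file is also left without a trailing newline.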
@@ -67,3 +67,30 @@ resource "azurerm_storage_account_network_rules" "test" { ip_rules = ["127.0.0.1"] bypass = ["Metrics"] } + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_storage_account" "example" { + name = "examplestoracc" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_storage_container" "example" { + name = "content" + storage_account_name = azurerm_storage_account.example.name + container_access_type = "public" +} + +resource "azurerm_storage_blob" "example" { + name = "my-awesome-content.zip" + storage_account_name = azurerm_storage_account.example.name + storage_container_name = azurerm_storage_container.example.name + type = "Block" + source = "some-local-file.zip" +} \ No newline at end of file From 3b328c2c754253d9a18eadb70d3b9f17bd450cc3 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Tue, 6 Jun 2023 11:51:42 -0400 Subject: [PATCH 100/107] comment public blob container --- terraform/azure/storage.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 836a725e6d..2a7404a1d6 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -82,6 +82,7 @@ resource "azurerm_storage_account" "example" { } resource "azurerm_storage_container" "example" { + # this blob container is public name = "content" storage_account_name = azurerm_storage_account.example.name container_access_type = "public" From 1226bd1787ef96460511a4d50583f3e57ed3ebd1 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Wed, 13 Dec 2023 08:54:38 -0500 Subject: [PATCH 101/107] update ebs volume --- terraform/aws/ec2.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index c5e28ffe96..d7f88309c7 100644 --- a/terraform/aws/ec2.tf 
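Review bot: `resource "azurerm_storage_account" "example"` appended here collides with a resource of the same address already in this file — a later patch's hunk header, `@@ -55,7 +55,7 @@ resource "azurerm_storage_account" "example" {`, shows one defined around line 55 — and Terraform refuses duplicate resource addresses at validate time, so the new block needs its own label (and its own `name`, since storage account names are global) or the container should reference the existing account. `azurerm_resource_group "example"` probably has the same problem: other files in this series already reference `azurerm_resource_group.example` in context lines, though its original definition is not visible here. `container_access_type = "public"` makes every blob in `content` anonymously readable, including `some-local-file.zip` uploaded by the `azurerm_storage_blob` below; this repository may intend that, but it should be stated next to the attribute. The file is also left without a trailing newline.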
+++ b/terraform/aws/ec2.tf @@ -32,6 +32,7 @@ EOF }) } + resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume availability_zone = "${var.region}a" @@ -49,8 +50,12 @@ resource "aws_ebs_volume" "web_host_storage" { git_repo = "terragoat" yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" }) + + } + + resource "aws_ebs_snapshot" "example_snapshot" { # ebs snapshot without encryption volume_id = aws_ebs_volume.web_host_storage.id From 2ac22541bc034c7d84246661fbed417d1ca796a8 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Wed, 13 Dec 2023 09:21:39 -0500 Subject: [PATCH 102/107] skip web_host_storage encryption check --- terraform/aws/ec2.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index d7f88309c7..56f8290b67 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -35,6 +35,7 @@ EOF resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume + #checkov:skip=CKV_AWS_3:The volume needs to be unencrypted availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply size = 1 From 714a4b4ebda135ef1eb2fb2de6bbe5049d472b21 Mon Sep 17 00:00:00 2001 From: jluevan13 Date: Wed, 13 Dec 2023 13:18:53 -0500 Subject: [PATCH 103/107] add unneeded comment --- terraform/aws/ec2.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index 56f8290b67..f1161b9fbf 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -35,6 +35,7 @@ EOF resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume + # delete this #checkov:skip=CKV_AWS_3:The volume needs to be unencrypted availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply From 60ea30f58f3a10047ec9ae89acce3cf3e029e4b9 Mon Sep 17 00:00:00 2001 
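Review bot: The suppression reason in `#checkov:skip=CKV_AWS_3:The volume needs to be unencrypted` restates the finding instead of justifying it, so a future reader cannot tell why encryption is unacceptable here or when the skip may be removed. The text after the second colon is free-form; put the actual reason plus an owner or ticket there, e.g. `#checkov:skip=CKV_AWS_3:unencrypted because <reason>, tracked in <ticket-id>`. The context line directly below, `#encrypted = false`, shows the unencrypted state is only implicit in the resource, which is exactly what the skip reason should spell out.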
From: Your Name Date: Tue, 13 Feb 2024 19:46:43 -0500 Subject: [PATCH 104/107] update ec2 web host --- terraform/aws/ec2.tf | 2 +- terraform/azure/storage.tf | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index f1161b9fbf..bdb16c319a 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -1,6 +1,6 @@ resource "aws_instance" "web_host" { # ec2 have plain text secrets in user data - # test change2 + # test change ami = var.ami instance_type = "t2.nano" diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 2a7404a1d6..33b8d2597a 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -55,7 +55,7 @@ resource "azurerm_storage_account" "example" { git_modifiers = "Adin.Ermie/nimrodkor" git_org = "bridgecrewio" git_repo = "terragoat" - yor_trace = "23861ff4-c42d-495e-80ac-776c74035f43" + yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" } } @@ -71,6 +71,9 @@ resource "azurerm_storage_account_network_rules" "test" { resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" + tags = { + yor_trace = "a5ed0240-5652-4df8-a146-29e6f0bb6283" + } } resource "azurerm_storage_account" "example" { @@ -79,6 +82,16 @@ resource "azurerm_storage_account" "example" { location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "LRS" + tags = { + git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" + git_file = "terraform/azure/storage.tf" + git_last_modified_at = "2021-05-02 10:06:10" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" + } } resource "azurerm_storage_container" "example" { From 4af11b3b9f3c85092e48f54322a19be85207246d Mon Sep 17 00:00:00 2001 
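Review bot: The `tags` block added to the `azurerm_storage_account "example"` at line 82 is a verbatim copy of the provenance tags on the other account — `git_commit = "5c6b5d60…"`, `git_last_modified_at = "2021-05-02 10:06:10"`, and the very `yor_trace` value that the hunk at line 55 sets on that resource — so two resources now share what is presumably a per-resource trace id, and a resource created in 2023 claims a 2021 origin. If these tags are meant to come from yor, let the tool generate them rather than copying them by hand; if they are placeholders, a lone `yor_trace` as on `azurerm_resource_group "example"` in the previous hunk is less misleading. The `yor_trace` rewrite at line 55 itself looks like tooling output and is fine.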
From: Jesus Luevano Date: Sun, 2 Jun 2024 17:51:58 -0400 Subject: [PATCH 105/107] update --- terraform/aws/ec2.tf | 2 +- terraform/aws/eks.tf | 22 +++++++++++----------- terraform/azure/aks.tf | 4 ++-- terraform/azure/app_service.tf | 6 +++--- terraform/azure/networking.tf | 11 +++++++---- terraform/azure/storage.tf | 20 +++++++++++++++++++- 6 files changed, 43 insertions(+), 22 deletions(-) diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf index bdb16c319a..21aea0d712 100644 --- a/terraform/aws/ec2.tf +++ b/terraform/aws/ec2.tf @@ -17,6 +17,7 @@ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA export AWS_SECRET_ACCESS_KEY=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 export AWS_DEFAULT_REGION=us-west-2 echo "

Deployed via Terraform

" | sudo tee /var/www/html/index.html +d EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" @@ -36,7 +37,6 @@ EOF resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume # delete this - #checkov:skip=CKV_AWS_3:The volume needs to be unencrypted availability_zone = "${var.region}a" #encrypted = false # Setting this causes the volume to be recreated on apply size = 1 diff --git a/terraform/aws/eks.tf b/terraform/aws/eks.tf index 53707039d8..64d718c28e 100644 --- a/terraform/aws/eks.tf +++ b/terraform/aws/eks.tf @@ -4,7 +4,7 @@ locals { } } -data aws_iam_policy_document "iam_policy_eks" { +data "aws_iam_policy_document" "iam_policy_eks" { statement { effect = "Allow" actions = ["sts:AssumeRole"] @@ -15,7 +15,7 @@ data aws_iam_policy_document "iam_policy_eks" { } } -resource aws_iam_role "iam_for_eks" { +resource "aws_iam_role" "iam_for_eks" { name = "${local.resource_prefix.value}-iam-for-eks" assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json tags = { @@ -30,17 +30,17 @@ resource aws_iam_role "iam_for_eks" { } } -resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSClusterPolicy" { +resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSClusterPolicy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.iam_for_eks.name } -resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSServicePolicy" { +resource "aws_iam_role_policy_attachment" "policy_attachment-AmazonEKSServicePolicy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" role = aws_iam_role.iam_for_eks.name } -resource aws_vpc "eks_vpc" { +resource "aws_vpc" "eks_vpc" { cidr_block = "10.10.0.0/16" enable_dns_hostnames = true enable_dns_support = true @@ -58,7 +58,7 @@ resource aws_vpc "eks_vpc" { }) } -resource aws_subnet "eks_subnet1" { +resource "aws_subnet" "eks_subnet1" { vpc_id = aws_vpc.eks_vpc.id cidr_block = "10.10.10.0/24" availability_zone = "${var.region}a" 
@@ -86,7 +86,7 @@ resource aws_subnet "eks_subnet1" { }) } -resource aws_subnet "eks_subnet2" { +resource "aws_subnet" "eks_subnet2" { vpc_id = aws_vpc.eks_vpc.id cidr_block = "10.10.11.0/24" availability_zone = "${var.region}b" @@ -114,9 +114,9 @@ resource aws_subnet "eks_subnet2" { }) } -resource aws_eks_cluster "eks_cluster" { +resource "aws_eks_cluster" "eks_cluster" { name = local.eks_name.value - role_arn = "${aws_iam_role.iam_for_eks.arn}" + role_arn = aws_iam_role.iam_for_eks.arn vpc_config { endpoint_private_access = true @@ -140,9 +140,9 @@ resource aws_eks_cluster "eks_cluster" { } output "endpoint" { - value = "${aws_eks_cluster.eks_cluster.endpoint}" + value = aws_eks_cluster.eks_cluster.endpoint } output "kubeconfig-certificate-authority-data" { - value = "${aws_eks_cluster.eks_cluster.certificate_authority.0.data}" + value = aws_eks_cluster.eks_cluster.certificate_authority.0.data } diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf index ebb613bdf0..6bd5a2eeef 100644 --- a/terraform/azure/aks.tf +++ b/terraform/azure/aks.tf @@ -1,4 +1,4 @@ -resource azurerm_kubernetes_cluster "k8s_cluster" { +resource "azurerm_kubernetes_cluster" "k8s_cluster" { dns_prefix = "terragoat-${var.environment}" location = var.location name = "terragoat-aks-${var.environment}" @@ -32,4 +32,4 @@ resource azurerm_kubernetes_cluster "k8s_cluster" { git_repo = "terragoat" yor_trace = "6103d111-864e-42e5-899c-1864de281fd1" } -} \ No newline at end of file +} diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf index fa4f23edff..5a5e0c3655 100644 --- a/terraform/azure/app_service.tf +++ b/terraform/azure/app_service.tf @@ -1,4 +1,4 @@ -resource azurerm_app_service_plan "example" { +resource "azurerm_app_service_plan" "example" { name = "terragoat-app-service-plan-${var.environment}" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name 
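Review bot: `value = aws_eks_cluster.eks_cluster.certificate_authority.0.data` in the last eks.tf hunk drops the interpolation wrapper but keeps the legacy `.0` attribute-index form; the current syntax is `aws_eks_cluster.eks_cluster.certificate_authority[0].data`, which is what `terraform fmt` and the upgrade tooling emit. Purely a consistency point alongside the quoting of resource types that this commit otherwise does — behaviour is identical.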
@@ -19,7 +19,7 @@ resource azurerm_app_service_plan "example" { } } -resource azurerm_app_service "app-service1" { +resource "azurerm_app_service" "app-service1" { app_service_plan_id = azurerm_app_service_plan.example.id location = var.location name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" @@ -40,7 +40,7 @@ resource azurerm_app_service "app-service1" { } } -resource azurerm_app_service "app-service2" { +resource "azurerm_app_service" "app-service2" { app_service_plan_id = azurerm_app_service_plan.example.id location = var.location name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf index ab01c60d07..8543e72afb 100644 --- a/terraform/azure/networking.tf +++ b/terraform/azure/networking.tf @@ -1,4 +1,6 @@ resource "azurerm_virtual_network" "example" { + # commentzz + # new comment name = "terragoat-vn-${var.environment}" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location @@ -66,7 +68,7 @@ resource "azurerm_network_interface" "ni_win" { } } -resource azurerm_network_security_group "bad_sg" { +resource "azurerm_network_security_group" "bad_sg" { location = var.location name = "terragoat-${var.environment}" resource_group_name = azurerm_resource_group.example.name @@ -106,7 +108,7 @@ resource azurerm_network_security_group "bad_sg" { } } -resource azurerm_network_watcher "network_watcher" { +resource "azurerm_network_watcher" "network_watcher" { location = var.location name = "terragoat-network-watcher-${var.environment}" resource_group_name = azurerm_resource_group.example.name 
@@ -122,7 +124,8 @@ resource azurerm_network_watcher "network_watcher" { } } -resource azurerm_network_watcher_flow_log "flow_log" { +resource "azurerm_network_watcher_flow_log" "flow_log" { + name = "test-flow-log-name" enabled = false network_security_group_id = azurerm_network_security_group.bad_sg.id network_watcher_name = azurerm_network_watcher.network_watcher.name @@ -142,4 +145,4 @@ resource azurerm_network_watcher_flow_log "flow_log" { git_repo = "terragoat" yor_trace = "33a7212e-7f1a-49fc-af73-8e525c5546ec" } -} \ No newline at end of file +} diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 33b8d2597a..64ecea9924 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -94,6 +94,24 @@ resource "azurerm_storage_account" "example" { } } +resource "azurerm_storage_account" "example2" { + name = "examplestoracc" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + tags = { + git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" + git_file = "terraform/azure/storage.tf" + git_last_modified_at = "2021-05-02 10:06:10" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" + } +} + resource "azurerm_storage_container" "example" { # this blob container is public name = "content" @@ -107,4 +125,4 @@ resource "azurerm_storage_blob" "example" { storage_container_name = azurerm_storage_container.example.name type = "Block" source = "some-local-file.zip" -} \ No newline at end of file +} From 533d163bc4ba450aefa68ac76acd8110fd999904 Mon Sep 17 00:00:00 2001 
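Review bot: `azurerm_storage_account "example2"` in the storage.tf hunk reuses `name = "examplestoracc"`, the same value the adjacent `azurerm_storage_account "example"` already uses; Azure storage account names are globally unique, so the second account cannot be created next to the first and the apply would fail. It also carries a verbatim copy of the first account's tags, including the same `yor_trace`. If a second account is genuinely needed, give it its own `name` and let the tagging tool generate its trace; otherwise the block is dead weight (a later patch in this series removes it again). In the networking.tf hunks, the added `# commentzz` / `# new comment` lines carry no information and should go before merge.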
From: Jesus Luevano Date: Mon, 3 Jun 2024 19:31:32 -0400 Subject: [PATCH 106/107] ask why is this public --- terraform/azure/storage.tf | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index 64ecea9924..966b9f4fe2 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -94,26 +94,9 @@ resource "azurerm_storage_account" "example" { } } -resource "azurerm_storage_account" "example2" { - name = "examplestoracc" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - account_tier = "Standard" - account_replication_type = "LRS" - tags = { - git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" - git_file = "terraform/azure/storage.tf" - git_last_modified_at = "2021-05-02 10:06:10" - git_last_modified_by = "nimrodkor@users.noreply.github.com" - git_modifiers = "Adin.Ermie/nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "a0ac11af-a429-4d9f-b706-cfcc13d082a9" - } -} resource "azurerm_storage_container" "example" { - # this blob container is public + # this blob container shouldn't be public name = "content" storage_account_name = azurerm_storage_account.example.name container_access_type = "public" From de54072a3e425fe139fbe1159c00ad506160a526 Mon Sep 17 00:00:00 2001 From: Jesus Luevano Date: Mon, 3 Jun 2024 19:46:07 -0400 Subject: [PATCH 107/107] update actions --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1c96884abc..b27af55241 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -16,10 +16,10 @@ jobs: id: Bridgecrew uses: bridgecrewio/bridgecrew-action@master env: - PRISMA_API_URL: https://api4.prismacloud.io + PRISMA_API_URL: https://api0.prismacloud.io with: api-key: ${{ secrets.BC_API_KEY }} - directory: terraform/ + directory: terraform/azure/ use_enforcement_rules: true