diff --git a/README.md b/README.md
index 5bac24e28..56690926b 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Detect compliance and security violations across Infrastructure as Code to mitig
 * 500+ Policies for security best practices
 * Scanning of Terraform 12+ (HCL2)
 * Scanning of Kubernetes YAML/JSON
-* Support for AWS, Azure, GCP, and Kubernetes
+* Support for AWS, Azure, GCP, Kubernetes and GitHub
 
 ## Installing
 Terrascan's binary for your architecture can be found on the [releases](https://github.com/accurics/terrascan/releases) page. Here's an example of how to install it:
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 759aa7c56..40888c6a3 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -109,7 +109,7 @@ Flags:
   -i, --iac-type string        iac type (terraform, k8s)
       --iac-version string     iac version terraform:(v12) k8s:(v1)
   -p, --policy-path string     policy path directory
-  -t, --policy-type string     policy type (aws, azure, gcp, k8s)
+  -t, --policy-type string     policy type (aws, azure, gcp, k8s, github)
 
 Global Flags:
   -c, --config-path string   config file path
diff --git a/docs/policies.md b/docs/policies.md
index 68e2508ed..2ac237d68 100644
--- a/docs/policies.md
+++ b/docs/policies.md
@@ -41,3 +41,5 @@ Here's an example of the contents of a rule file:
 --8<-- "docs/policies/gcp.md"
 
 --8<-- "docs/policies/k8s.md"
+
+--8<-- "docs/policies/github.md"
diff --git a/docs/policies/github.md b/docs/policies/github.md
new file mode 100644
index 000000000..0077df787
--- /dev/null
+++ b/docs/policies/github.md
@@ -0,0 +1,6 @@
+
+### github_repository
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 |
+
diff --git a/go.mod b/go.mod
index 31b333b7e..499c94dce 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	go.uber.org/zap v1.10.0
 	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 	golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
-	golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49 // indirect
+	golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
diff --git a/go.sum b/go.sum
index b5110b26c..69a15dfe4 100644
--- a/go.sum
+++ b/go.sum
@@ -536,6 +536,8 @@ golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3 h1:DywqrEscRX7O2phNjkT0L6l
 golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49 h1:cSlTPh0jd/6I6bv6XnLSqQCCHUP6CIprgjNz7KlrK6c=
 golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d h1:y39d97JVttj+rkTXITl1nf9Vsk+VoRuNzIDLFldUSB4=
+golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
diff --git a/mkdocs.yml b/mkdocs.yml
index cea7b3d11..e3be3a1a4 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -45,6 +45,7 @@ nav:
     - AWS: policies/aws.md
     - GCP: policies/gcp.md
     - Azure: policies/azure.md
+    - GitHub: policies/github.md
     # - Educational Resources: learning.md
     - Contributing: contributing.md
     - Changelog: changelog.md
diff --git a/pkg/cli/scan.go b/pkg/cli/scan.go
index 257fe9afb..3177fafdf 100644
--- a/pkg/cli/scan.go
+++ b/pkg/cli/scan.go
@@ -29,7 +29,7 @@ import (
 var (
 	// PolicyPath Policy path directory
 	PolicyPath string
-	// PolicyType Cloud type (aws, azure, gcp)
+	// PolicyType Cloud type (aws, azure, gcp, github)
 	PolicyType string
 	// IacType IaC type (terraform)
 	IacType string
diff --git a/pkg/policies/opa/rego/github/github_repository/accurics.github.IAM.1.json b/pkg/policies/opa/rego/github/github_repository/accurics.github.IAM.1.json
new file mode 100755
index 000000000..6843f3d9b
--- /dev/null
+++ b/pkg/policies/opa/rego/github/github_repository/accurics.github.IAM.1.json
@@ -0,0 +1,10 @@
+{
+  "name": "privateRepoEnabled",
+  "file": "privateRepoEnabled.rego",
+  "template_args": null,
+  "severity": "MEDIUM",
+  "description": "Repository is Not Private.",
+  "reference_id": "accurics.github.IAM.1",
+  "category": "Identity \u0026 Access Management",
+  "version": 1
+}
diff --git a/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego b/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego
new file mode 100755
index 000000000..919dd70b7
--- /dev/null
+++ b/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego
@@ -0,0 +1,7 @@
+package accurics
+
+privateRepoEnabled[api.id] {
+    api := input.github_repository[_]
+    not api.config.private == true
+    not api.config.visibility == "private"
+}
diff --git a/pkg/policy/github.go b/pkg/policy/github.go
new file mode 100644
index 000000000..94330db46
--- /dev/null
+++ b/pkg/policy/github.go
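Review bot: The rewritten comment on the `PolicyType` line lists `(aws, azure, gcp, github)` but drops k8s, while the `--policy-type` help text updated in docs/getting-started.md in this same commit lists `(aws, azure, gcp, k8s, github)`; the two should agree so the comment does not mislead anyone adding the next provider. Suggest `// PolicyType Policy type (aws, azure, gcp, k8s, github)`. The enclosing `var (` block ends outside the hunk.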
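Review bot: The new rule has no comment explaining its matching semantics, and two consequences are easy to miss: because both conditions are written as `not ... == ...`, a `github_repository` with neither `private` nor `visibility` set is reported (presumably intended, since an unset attribute is treated as public — confirm against the provider default), and a repository with `visibility = "internal"` is also reported under the message "Repository is Not Private", which may surprise GitHub Enterprise users. Suggest a header comment above the rule: `# Fires for github_repository resources not explicitly private: private != true AND visibility != "private". Absent attributes count as public; visibility = "internal" is also reported.` If internal repositories are meant to pass, add `not api.config.visibility == "internal"` as a third condition in the rule body.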
@@ -0,0 +1,28 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package policy
+
+const (
+	github supportedCloudType = "github"
+	defaultGithubIacType supportedIacType = "terraform"
+	defaultGithubIacVersion supportedIacVersion = "v12"
+)
+
+func init() {
+	// Register github as a cloud provider with terrascan
+	RegisterCloudProvider(github, defaultGithubIacType, defaultGithubIacVersion)
+}
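Review bot: The constants and the `init` registration carry no doc comment linking the `"github"` value to the rest of the change: the same string presumably is what `--policy-type` accepts and what names the new policy directory `pkg/policies/opa/rego/github`, so renaming one without the other would silently stop policies from loading — verify against `RegisterCloudProvider` and the policy loader, which are outside this diff. Suggest `// github is the --policy-type value for GitHub Terraform resources; it is expected to match the rego policy directory name under pkg/policies/opa/rego.` above the const block, and a note that the two defaults select Terraform v12 when no IaC type/version is given. It is also worth confirming that `RegisterCloudProvider` cannot fail (e.g. on a duplicate registration), since any return value is discarded in `init`.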