From 1b56749ce21c8746fb611dfd67fea9a9cfa84f89 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Thu, 14 Jan 2021 21:56:37 -0500 Subject: [PATCH 01/22] updates changelog for next release --- CHANGELOG.md | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index be6884492..f070d3074 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,90 @@ # Changelog +## [v1.3.0](https://github.com/accurics/terrascan/tree/v1.3.0) (2021-01-15) + +[Full Changelog](https://github.com/accurics/terrascan/compare/v1.2.0...v1.3.0) + +**Implemented enhancements:** + +- Tag released Docker images [\#398](https://github.com/accurics/terrascan/issues/398) +- Add policy for checking insecure\_ssl configuration for github\_repository\_webhook in GitHub provider [\#355](https://github.com/accurics/terrascan/issues/355) +- Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) + +**Fixed bugs:** + +- Fixes resource lock [\#432](https://github.com/accurics/terrascan/issues/432) +- Fixes Issue where Terrascan paniced with list variables [\#412](https://github.com/accurics/terrascan/issues/412) +- Resolves false positive for AWS rule vpcFlowLogsNotEnabled [\#408](https://github.com/accurics/terrascan/issues/408) +- Resolves s3EnforceUserACL False Positive [\#359](https://github.com/accurics/terrascan/issues/359) +- Resolves accurics.gcp.IAM.104 suggests enabling a client certificate [\#330](https://github.com/accurics/terrascan/issues/330) + +**Closed issues:** + +- Terraform can't detect violations in terraform modules [\#468](https://github.com/accurics/terrascan/issues/468) +- uniformBucketEnabled.rego referencing deprecated config [\#453](https://github.com/accurics/terrascan/issues/453) +- Unable to run terrascan scan [\#446](https://github.com/accurics/terrascan/issues/446) +- Terrascan doesn't exit with error on CLI or Parsing errors. 
[\#442](https://github.com/accurics/terrascan/issues/442) +- Terrascan Failure When Using Terraform 13 + Variable Validation [\#426](https://github.com/accurics/terrascan/issues/426) +- Update policy example in documentation to use latest GitHub implementation [\#422](https://github.com/accurics/terrascan/issues/422) +- Fix link to repo playground in policies documentation [\#421](https://github.com/accurics/terrascan/issues/421) +- terrascan scan crashes with runtime: goroutine stack exceeds 1000000000-byte limit [\#406](https://github.com/accurics/terrascan/issues/406) +- Typo error in the terrascan Architecture page [\#403](https://github.com/accurics/terrascan/issues/403) +- accurics.gcp.OPS.114 should also check for cos\_containerd image [\#395](https://github.com/accurics/terrascan/issues/395) +- accurics.gcp.NS.112 suggest basic auth is enabled when is not [\#394](https://github.com/accurics/terrascan/issues/394) +- Test coverage missing for kustomize iac-provider [\#379](https://github.com/accurics/terrascan/issues/379) +- Why is vpcFlowLogsNotEnabled determined to be a violation? 
[\#352](https://github.com/accurics/terrascan/issues/352) + +**Merged pull requests:** + +- Bump github.com/iancoleman/strcase from 0.1.1 to 0.1.3 [\#484](https://github.com/accurics/terrascan/pull/484) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump github.com/pelletier/go-toml from 1.8.0 to 1.8.1 [\#481](https://github.com/accurics/terrascan/pull/481) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Policy update 2021 01 14 [\#480](https://github.com/accurics/terrascan/pull/480) ([williepaul](https://github.com/williepaul)) +- fix panic for list variables [\#479](https://github.com/accurics/terrascan/pull/479) ([patilpankaj212](https://github.com/patilpankaj212)) +- adding an else condition to relate management lock with resource group [\#476](https://github.com/accurics/terrascan/pull/476) ([harkirat22](https://github.com/harkirat22)) +- adding an else condition to relate the flow log with vpc [\#475](https://github.com/accurics/terrascan/pull/475) ([harkirat22](https://github.com/harkirat22)) +- including a check for verifying in-line policy is included [\#474](https://github.com/accurics/terrascan/pull/474) ([harkirat22](https://github.com/harkirat22)) +- adding rule to check if waf is enabled at cloud front distribution [\#473](https://github.com/accurics/terrascan/pull/473) ([harkirat22](https://github.com/harkirat22)) +- recognize metadata.generateName [\#465](https://github.com/accurics/terrascan/pull/465) ([acc-jon](https://github.com/acc-jon)) +- Update mkdocs-material to 6.2.4 [\#464](https://github.com/accurics/terrascan/pull/464) ([pyup-bot](https://github.com/pyup-bot)) +- Update README.md [\#463](https://github.com/accurics/terrascan/pull/463) ([amirbenv](https://github.com/amirbenv)) +- Deprecated gcs bucket [\#462](https://github.com/accurics/terrascan/pull/462) ([jdyke](https://github.com/jdyke)) +- changed the description to include the vulnerable versions [\#460](https://github.com/accurics/terrascan/pull/460) 
([harkirat22](https://github.com/harkirat22)) +- Fix exit code on error [\#458](https://github.com/accurics/terrascan/pull/458) ([patilpankaj212](https://github.com/patilpankaj212)) +- policy for CVE-2020-8555 [\#457](https://github.com/accurics/terrascan/pull/457) ([harkirat22](https://github.com/harkirat22)) +- Update README.md [\#456](https://github.com/accurics/terrascan/pull/456) ([amirbenv](https://github.com/amirbenv)) +- rule skipping for resources in k8s [\#455](https://github.com/accurics/terrascan/pull/455) ([patilpankaj212](https://github.com/patilpankaj212)) +- terrascan argo-cd instructions [\#454](https://github.com/accurics/terrascan/pull/454) ([storebot](https://github.com/storebot)) +- Adds CI/CD integration docs [\#452](https://github.com/accurics/terrascan/pull/452) ([cesar-rodriguez](https://github.com/cesar-rodriguez)) +- Bump github.com/zclconf/go-cty from 1.2.1 to 1.7.1 [\#449](https://github.com/accurics/terrascan/pull/449) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump github.com/gorilla/mux from 1.7.4 to 1.8.0 [\#447](https://github.com/accurics/terrascan/pull/447) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Update mkdocs-material to 6.2.3 [\#445](https://github.com/accurics/terrascan/pull/445) ([pyup-bot](https://github.com/pyup-bot)) +- deps: add dependabot support [\#444](https://github.com/accurics/terrascan/pull/444) ([chenrui333](https://github.com/chenrui333)) +- bump go to 1.15 [\#443](https://github.com/accurics/terrascan/pull/443) ([chenrui333](https://github.com/chenrui333)) +- implement scan and skip rules [\#441](https://github.com/accurics/terrascan/pull/441) ([patilpankaj212](https://github.com/patilpankaj212)) +- scan command refactor [\#436](https://github.com/accurics/terrascan/pull/436) ([patilpankaj212](https://github.com/patilpankaj212)) +- Fixes dead link to old getting started page [\#435](https://github.com/accurics/terrascan/pull/435) 
([cesar-rodriguez](https://github.com/cesar-rodriguez)) +- Add support to extract rules to skip from terraform comments [\#434](https://github.com/accurics/terrascan/pull/434) ([kanchwala-yusuf](https://github.com/kanchwala-yusuf)) +- bash output improvements [\#431](https://github.com/accurics/terrascan/pull/431) ([patilpankaj212](https://github.com/patilpankaj212)) +- APE-1319: Revamped Getting Started Section [\#430](https://github.com/accurics/terrascan/pull/430) ([acc-jon](https://github.com/acc-jon)) +- Add policy AC-K8-NS-SE-M-0188 for CVE-2020-8554 [\#428](https://github.com/accurics/terrascan/pull/428) ([gauravgogia-accurics](https://github.com/gauravgogia-accurics)) +- set console mode on windows so colors render [\#427](https://github.com/accurics/terrascan/pull/427) ([acc-jon](https://github.com/acc-jon)) +- Update mkdocs-material to 6.1.7 [\#425](https://github.com/accurics/terrascan/pull/425) ([pyup-bot](https://github.com/pyup-bot)) +- Update policy example in the documentation [\#424](https://github.com/accurics/terrascan/pull/424) ([HorizonNet](https://github.com/HorizonNet)) +- Fix link to rego playground in policies documentation [\#423](https://github.com/accurics/terrascan/pull/423) ([HorizonNet](https://github.com/HorizonNet)) +- hopefully remove test failures due to non-deterministic comparisons [\#420](https://github.com/accurics/terrascan/pull/420) ([acc-jon](https://github.com/acc-jon)) +- IMDSv1 policy: update category, description [\#419](https://github.com/accurics/terrascan/pull/419) ([acc-jon](https://github.com/acc-jon)) +- IMDSv1 check policy [\#417](https://github.com/accurics/terrascan/pull/417) ([harkirat22](https://github.com/harkirat22)) +- Add Docker image release tagging on release [\#410](https://github.com/accurics/terrascan/pull/410) ([HorizonNet](https://github.com/HorizonNet)) +- Fix typo in architecture documentation [\#409](https://github.com/accurics/terrascan/pull/409) ([HorizonNet](https://github.com/HorizonNet)) +- 
accurics.gcp.IAM.104 Fire rule when client certificate is enabled [\#402](https://github.com/accurics/terrascan/pull/402) ([lucas-giaco](https://github.com/lucas-giaco)) +- Update mkdocs-material to 6.1.6 [\#401](https://github.com/accurics/terrascan/pull/401) ([pyup-bot](https://github.com/pyup-bot)) +- Added Unit test coverage for Kustomize V3 Iac-provider [\#399](https://github.com/accurics/terrascan/pull/399) ([dev-gaur](https://github.com/dev-gaur)) +- Fixes GCP cos node image policy [\#397](https://github.com/accurics/terrascan/pull/397) ([cesar-rodriguez](https://github.com/cesar-rodriguez)) +- \#394: recognize that empty values for username and password in master… [\#396](https://github.com/accurics/terrascan/pull/396) ([acc-jon](https://github.com/acc-jon)) +- Fix infinite loop on variable resolution [\#393](https://github.com/accurics/terrascan/pull/393) ([dinedal](https://github.com/dinedal)) +- Update mkdocs-material to 6.1.5 [\#387](https://github.com/accurics/terrascan/pull/387) ([pyup-bot](https://github.com/pyup-bot)) +- Add new policy for checking insecure\_ssl on github\_repository\_webhook [\#386](https://github.com/accurics/terrascan/pull/386) ([HorizonNet](https://github.com/HorizonNet)) + ## [v1.2.0](https://github.com/accurics/terrascan/tree/v1.2.0) (2020-11-16) [Full Changelog](https://github.com/accurics/terrascan/compare/v1.1.0...v1.2.0) From 12f6439662225bd3f17557664b6cad6fb95b69dc Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Thu, 14 Jan 2021 22:00:59 -0500 Subject: [PATCH 02/22] adds logo --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1a554257f..29f6393a1 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# Terrascan +![Terrascan](https://raw.githubusercontent.com/accurics/terrascan/master/docs/img/Terrascan_By_Accurics_Logo_38B34A-333F48.svg) [![GitHub release](https://img.shields.io/github/release/accurics/terrascan)](https://github.com/accurics/terrascan/releases/latest) [![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202-blue)](https://github.com/accurics/terrascan/blob/master/LICENSE) @@ -8,7 +8,7 @@ [![community](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.accurics.com)](https://community.accurics.com) [![Documentation Status](https://readthedocs.com/projects/accurics-terrascan/badge/?version=latest)](https://docs.accurics.com/projects/accurics-terrascan/en/latest/?badge=latest) -Detect security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD. +Terrascan detect security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD. * Documentation: https://docs.accurics.com/projects/accurics-terrascan @@ -21,7 +21,7 @@ Detect security vulnerabilities and compliance violations across your Infrastruc * Support for AWS, Azure, GCP, Kubernetes and GitHub -## Quick Start +## Quick Start ### Step 1: Install Terrascan's supports multiple ways to install, including [brew](https://github.com/accurics/terrascan#install-via-brew). Here, we will download the terrascan binary directly from the [releases](https://github.com/accurics/terrascan/releases) page. Make sure to select the right binary for your machine. Here's an example of how to install it: From 522abb9b0e006d29c12985c2362c42ca51f9690e Mon Sep 17 00:00:00 2001 
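Review bot: the README tagline hunk (`@@ -8,7 +8,7 @@`) replaces a grammatical sentence with one that has a subject-verb disagreement: `Terrascan detect security vulnerabilities` should be `Terrascan detects security vulnerabilities`. PATCH 04/22 in this series corrects exactly this line, so squash that fix into this commit instead of shipping the typo and its fix as separate commits. Two smaller points in the same file: `CI\CD` should be `CI/CD` now that the line is being rewritten anyway, and the `@@ -21,7 +21,7 @@` hunk changes `## Quick Start` only by appending trailing whitespace, which is noise and should be dropped.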
From: Cesar Rodriguez Date: Thu, 14 Jan 2021 22:14:10 -0500 Subject: [PATCH 03/22] updates relevant to v1.3.0 and latest features --- README.md | 19 +++-- docs/getting-started/quickstart.md | 109 ++++++++++++++++++++--------- docs/getting-started/usage.md | 17 +++-- 3 files changed, 93 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 29f6393a1..f2574ed10 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Terrascan detect security vulnerabilities and compliance violations across your ## Features * 500+ Policies for security best practices -* Scanning of Terraform 12+ (HCL2) +* Scanning of Terraform (HCL2) * Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3 * Support for AWS, Azure, GCP, Kubernetes and GitHub @@ -27,7 +27,7 @@ Terrascan's supports multiple ways to install, including [brew](https://github.c Here, we will download the terrascan binary directly from the [releases](https://github.com/accurics/terrascan/releases) page. Make sure to select the right binary for your machine. Here's an example of how to install it: ```sh -$ curl --location https://github.com/accurics/terrascan/releases/download/v1.2.0/terrascan_1.2.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz +$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.0/terrascan_1.3.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz $ tar -xvf terrascan.tar.gz x CHANGELOG.md x LICENSE @@ -50,9 +50,8 @@ The following commands are available: $ terrascan Terrascan -An advanced IaC (Infrastructure-as-Code) file scanner written in Go. -Secure your cloud deployments at design time. -For more information, please visit https://www.accurics.com +Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. +For more information, please visit https://docs.accurics.com Usage: terrascan [command] 
@@ -60,16 +59,16 @@ Usage: Available Commands: help Help about any command init Initialize Terrascan - scan Scan IaC (Infrastructure-as-Code) files for vulnerabilities. + scan Detect compliance and security violations across Infrastructure as Code. server Run Terrascan as an API server + version Terrascan version Flags: -c, --config-path string config file path -h, --help help for terrascan -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") -x, --log-type string log output type (console, json) (default "console") - -o, --output-type string output type (json, yaml, xml) (default "yaml") - -v, --version version for terrascan + -o, --output string output type (human, json, yaml, xml) (default "human") Use "terrascan [command] --help" for more information about a command. ``` @@ -100,8 +99,8 @@ $ docker run accurics/terrascan ``` $ export GO111MODULE=on $ go get -u github.com/accurics/terrascan/cmd/terrascan - go: downloading github.com/accurics/terrascan v1.2.0 - go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.2.0 + go: downloading github.com/accurics/terrascan v1.3.0 + go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.3.0 ... $ terrascan ``` diff --git a/docs/getting-started/quickstart.md b/docs/getting-started/quickstart.md index e5ba5d772..3f4bde496 100644 --- a/docs/getting-started/quickstart.md +++ b/docs/getting-started/quickstart.md 
@@ -11,10 +11,10 @@ Terrascan is a portable executable that does not strictly require installation, Terrascan's [release page](https://github.com/accurics/terrascan/releases) includes builds for common platforms. Just download and extract the package for your platform. For example, if you use a Mac you might do this: ``` Bash -$ curl --location https://github.com/accurics/terrascan/releases/download/v1.2.0/terrascan_1.2.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz +$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.0/terrascan_1.3.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz $ tar xzf terrascan.tar.gz $ ./terrascan version -version: v1.2.0 +version: v1.3.0 ``` If you want to use this executable for the rest of this quickstart, it will help to create an alias or install the executable onto your path. For example with bash you could do something like this: @@ -34,7 +34,7 @@ Terrascan is also available as a Docker image in Docker Hub and can be used as f ``` Bash $ docker run --rm accurics/terrascan version -version: v1.2.0 +version: v1.3.0 ``` If you want to use the Docker image for the rest of this quickstart, it will help to create an alias, script or batch file that reduces the typing necessary. For example with bash you could do something like this: 
@@ -58,35 +58,76 @@ $ cd KaiMonkey/terraform/aws $ terrascan scan ``` -By default Terrascan will output its findings in YAML format: - -``` YAML -results: - violations: - - rule_name: s3Versioning - description: Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites - rule_id: AWS.S3Bucket.IAM.High.0370 - severity: HIGH - category: IAM - resource_name: km_public_blob - resource_type: aws_s3_bucket - file: modules/storage/main.tf - line: 112 -#... lines elided ... - - rule_name: ec2UsingIMDSv1 - description: EC2 instances should disable IMDS or require IMDSv2 - rule_id: AC-AWS-NS-IN-M-1172 - severity: MEDIUM - category: Network Security - resource_name: km_vm - resource_type: aws_instance - file: modules/compute/main.tf - line: 124 - count: - low: 0 - medium: 2 - high: 7 - total: 9 +By default Terrascan will output its findings in human friendy format: + +``` sh +Violation Details - + + Description : S3 bucket Access is allowed to all AWS Account Users. + File : modules/storage/main.tf + Line : 104 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : S3 bucket Access is allowed to all AWS Account Users. + File : modules/storage/main.tf + Line : 112 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : Ensure that your RDS database has IAM Authentication enabled. 
+ File : modules/storage/main.tf + Line : 45 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : Ensure VPC flow logging is enabled in all VPCs + File : modules/network/main.tf + Line : 4 + Severity : MEDIUM + ----------------------------------------------------------------------- + + Description : EC2 instances should disable IMDS or require IMDSv2 + File : modules/compute/main.tf + Line : 124 + Severity : MEDIUM + ----------------------------------------------------------------------- + + Description : http port open to internet + File : modules/network/main.tf + Line : 102 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites + File : modules/storage/main.tf + Line : 104 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites + File : modules/storage/main.tf + Line : 112 + Severity : HIGH + ----------------------------------------------------------------------- + + Description : AWS CloudWatch log group is not encrypted with a KMS CMK + File : modules/compute/main.tf + Line : 115 + Severity : HIGH + ----------------------------------------------------------------------- + + +Scan Summary - + + File/Folder : /var/folders/2g/9lkfm6ld2lv350svwr15fdgc0000gn/T/x9wqg4/terraform/aws + IaC Type : terraform + Scanned At : 2021-01-15 03:11:31.869816 +0000 UTC + Policies Validated : 571 + Violated Policies : 9 + Low : 0 + Medium : 2 + High : 7 ``` You should see a total of 9 violations, which are detailed in the output. 
@@ -97,6 +138,4 @@ Now that you understand how to run Terrascan, explore the other options availabl * [Terrascan Policy Reference](../policies.md) * The [usage guide](./usage.md) explains general usage and how to scan other types of IaC, such as Kubernetes, Helm, and Kustomize. - -[//]: # (TODO: add info about CI/CD integrations * CI/CD integration ) - +* The [CI/CD](../cicd.md) page explains how to integrate Terrascan on CI/CD pipelines. diff --git a/docs/getting-started/usage.md b/docs/getting-started/usage.md index 032abde1e..56b2e26cc 100644 --- a/docs/getting-started/usage.md +++ b/docs/getting-started/usage.md @@ -5,7 +5,7 @@ Terrascan is a static code analyzer for Infrastructure as Code tooling. It can e Terrascan's binary can be found on the package for each [release](https://github.com/accurics/terrascan/releases). Here's an example of how to install it: ``` Bash -$ curl --location https://github.com/accurics/terrascan/releases/download/v1.1.0/terrascan_1.1.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz +$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.0/terrascan_1.3.0_Darwin_x86_64.tar.gz --output terrascan.tar.gz $ tar -xvf terrascan.tar.gz x CHANGELOG.md x LICENSE @@ -19,8 +19,8 @@ If you have go installed, Terrascan can be installed with `go get` ``` $ export GO111MODULE=on $ go get -u github.com/accurics/terrascan/cmd/terrascan - go: downloading github.com/accurics/terrascan v1.1.0 - go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.1.0 + go: downloading github.com/accurics/terrascan v1.3.0 + go: found github.com/accurics/terrascan/cmd/terrascan in github.com/accurics/terrascan v1.3.0 ... $ terrascan ``` 
@@ -67,14 +67,14 @@ Available Commands: init Initialize Terrascan scan Detect compliance and security violations across Infrastructure as Code. server Run Terrascan as an API server + version Terrascan version Flags: -c, --config-path string config file path -h, --help help for terrascan -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") -x, --log-type string log output type (console, json) (default "console") - -o, --output string output type (json, yaml, xml) (default "yaml") - -v, --version version for terrascan + -o, --output string output type (human, json, yaml, xml) (default "human") Use "terrascan [command] --help" for more information about a command. ``` @@ -123,16 +123,19 @@ Flags: -t, --policy-type strings policy type (all, aws, azure, gcp, github, k8s) (default [all]) -r, --remote-type string type of remote backend (git, s3, gcs, http) -u, --remote-url string url pointing to remote IaC repository + --scan-rules strings one or more rules to scan (example: --scan-rules="ruleID1,ruleID2") + --skip-rules strings one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2") --use-colors string color output (auto, t, f) (default "auto") + -v, --verbose will show violations with details (applicable for default output) Global Flags: -c, --config-path string config file path -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") -x, --log-type string log output type (console, json) (default "console") - -o, --output string output type (json, yaml, xml) (default "yaml") + -o, --output string output type (human, json, yaml, xml) (default "human") ``` -By default Terrascan will output YAML. This can be changed to JSON or XML by using the `-o` flag. +By default Terrascan will output human friendly format. This can be changed to YAML, JSON, or XML by using the `-o` flag. Terrascan will exit 3 if any issues are found. 
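Review bot: the README `@@ -60,16 +59,16 @@` hunk, together with the matching usage.md flag hunks, documents two behaviour changes that will break existing automation, and nothing in this series' CHANGELOG edits marks either as breaking (the changelog lists `Prints output in human friendly format` only as an enhancement): the default output switches from `yaml` to `human` (`-o, --output string ... (default "human")`), so any CI job that parses Terrascan's stdout as YAML and relies on the exit code 3 contract will now receive free-form text, and the root `-v, --version` flag is removed in favour of a `version` subcommand while `-v` is reassigned to `--verbose` on `scan`, so `terrascan -v` scripts stop working. Add a breaking-changes entry to the changelog and a one-line hint in the usage docs telling pipeline users to pass `-o yaml` or `-o json` explicitly.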
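Review bot: the quickstart `@@ -58,35 +58,76 @@` hunk has a typo in its new prose, `human friendy format` should be `human friendly format`, and the pasted sample output does not match the walkthrough around it: the context lines run `cd KaiMonkey/terraform/aws` followed by `terrascan scan`, but the Scan Summary reports `File/Folder : /var/folders/2g/9lkfm6ld2lv350svwr15fdgc0000gn/T/x9wqg4/terraform/aws`, a macOS temp directory from a different run. Re-capture the output from the documented directory so the path readers see is the one they just changed into. Minor: the fence tag changed from `YAML` to `sh`, but the block is program output rather than shell input, so `text` (or no tag) is more accurate. The summary line `Violated Policies : 9` does still agree with the unchanged sentence `You should see a total of 9 violations`.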
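Review bot: the usage.md `@@ -123,16 +123,19 @@` hunk's new sentence `By default Terrascan will output human friendly format.` is missing a preposition; `By default Terrascan will output in human-friendly format.` reads correctly. In the same hunk, the help text for `-v, --verbose will show violations with details (applicable for default output)` is easy to misread; stating plainly that the flag only affects `human` output and is ignored with `-o yaml|json|xml` would avoid the ambiguity.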
From 3fff7b997a45502b16b573bf5b9d704787e937ef Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Thu, 14 Jan 2021 22:17:03 -0500 Subject: [PATCH 04/22] fixes typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f2574ed10..5d2628f9c 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ [![community](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.accurics.com)](https://community.accurics.com) [![Documentation Status](https://readthedocs.com/projects/accurics-terrascan/badge/?version=latest)](https://docs.accurics.com/projects/accurics-terrascan/en/latest/?badge=latest) -Terrascan detect security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD. +Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD. * Documentation: https://docs.accurics.com/projects/accurics-terrascan From c7277672ae66fa04a23c8c4069a0fb0e6f7bef73 Mon Sep 17 00:00:00 2001 From: Devang Gaur Date: Sat, 16 Jan 2021 13:11:04 +0530 Subject: [PATCH 05/22] add warning message for terraform v12 users --- go.mod | 2 +- go.sum | 2 ++ pkg/iac-providers/terraform/v12/load-dir.go | 2 ++ pkg/iac-providers/terraform/v12/load-file.go | 2 ++ 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 87d94fe73..fbe752e1b 100644 --- a/go.mod +++ b/go.mod 
@@ -28,7 +28,7 @@ require ( go.uber.org/zap v1.16.0 golang.org/x/mod v0.4.1 // indirect golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f - golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963 // indirect + golang.org/x/tools v0.0.0-20210115202250-e0d201561e39 // indirect gopkg.in/src-d/go-git.v4 v4.13.1 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 helm.sh/helm/v3 v3.4.0 diff --git a/go.sum b/go.sum index b868cbc7a..8b66c9d85 100644 --- a/go.sum +++ b/go.sum @@ -1295,6 +1295,8 @@ golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82u golang.org/x/tools v0.0.0-20201028111035-eafbe7b904eb/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963 h1:K+NlvTLy0oONtRtkl1jRD9xIhnItbG2PiE7YOdjPb+k= golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210115202250-e0d201561e39 h1:BTs2GMGSMWpgtCpv1CE7vkJTv7XcHdcLLnAMu7UbgTY= +golang.org/x/tools v0.0.0-20210115202250-e0d201561e39/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/pkg/iac-providers/terraform/v12/load-dir.go b/pkg/iac-providers/terraform/v12/load-dir.go index adb44fe76..654f0376d 100644 --- a/pkg/iac-providers/terraform/v12/load-dir.go +++ b/pkg/iac-providers/terraform/v12/load-dir.go 
@@ -19,11 +19,13 @@ package tfv12 import ( "github.com/accurics/terrascan/pkg/iac-providers/output" commons "github.com/accurics/terrascan/pkg/iac-providers/terraform/commons" + "go.uber.org/zap" ) // LoadIacDir starts traversing from the given rootDir and traverses through // all the descendant modules present to create an output list of all the // resources present in rootDir and descendant modules func (*TfV12) LoadIacDir(absRootDir string) (allResourcesConfig output.AllResourceConfigs, err error) { + zap.S().Warn("There may be a few breaking changes while working with terraform v0.12 files. For further information, refer to https://github.com/accurics/terrascan/releases/v1.3.0") return commons.LoadIacDir(absRootDir) } diff --git a/pkg/iac-providers/terraform/v12/load-file.go b/pkg/iac-providers/terraform/v12/load-file.go index 031b91a35..c55f4d0db 100644 --- a/pkg/iac-providers/terraform/v12/load-file.go +++ b/pkg/iac-providers/terraform/v12/load-file.go @@ -19,9 +19,11 @@ package tfv12 import ( "github.com/accurics/terrascan/pkg/iac-providers/output" commons "github.com/accurics/terrascan/pkg/iac-providers/terraform/commons" + "go.uber.org/zap" ) // LoadIacFile parses the given terraform file from the given file path func (*TfV12) LoadIacFile(absFilePath string) (allResourcesConfig output.AllResourceConfigs, err error) { + zap.S().Warn("There may be a few breaking changes while working with terraform v0.12 files. For further information, refer to https://github.com/accurics/terrascan/releases/v1.3.0") return commons.LoadIacFile(absFilePath) } From 0ddc68828e4044592c04106b96c7af665c3588c9 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Sat, 16 Jan 2021 16:26:31 -0500 Subject: [PATCH 06/22] updates changelog --- CHANGELOG.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f070d3074..bd7b18699 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
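Review bot: the go.mod `@@ -28,7 +28,7 @@` and go.sum `@@ -1295,6 +1295,8 @@` hunks bump the `// indirect` `golang.org/x/tools` pseudo-version from `20210114065538-d78b04bdf963` to `20210115202250-e0d201561e39`, which has nothing to do with the warning message the commit subject describes. Either drop the dependency churn from this commit and land it as its own dependabot-style change, or mention it in the commit message so the lockfile diff is reviewable on its own.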
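Review bot: the `load-dir.go` and `load-file.go` hunks each embed the same long warning string literal in `zap.S().Warn(...)`; hoist it into one package-level `const` in `tfv12` so the two copies cannot drift and the text can be asserted in a unit test. The message itself is vague (`There may be a few breaking changes`) and the link `https://github.com/accurics/terrascan/releases/v1.3.0` is not the canonical GitHub release URL form (`.../releases/tag/v1.3.0`); say concretely what a v0.12 user should expect and point at the changelog entry. Also confirm the warning is only reached when the v12 provider is actually selected, otherwise every scan logs it regardless of the Terraform version in use.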
@@ -1,22 +1,28 @@ # Changelog -## [v1.3.0](https://github.com/accurics/terrascan/tree/v1.3.0) (2021-01-15) +## [v1.3.0](https://github.com/accurics/terrascan/tree/v1.3.0) (2021-01-16) [Full Changelog](https://github.com/accurics/terrascan/compare/v1.2.0...v1.3.0) **Implemented enhancements:** +- Improved bash output [\#415](https://github.com/accurics/terrascan/issues/415) +- Scanning profiles [\#414](https://github.com/accurics/terrascan/issues/414) - Tag released Docker images [\#398](https://github.com/accurics/terrascan/issues/398) +- How to ignore a rule? [\#367](https://github.com/accurics/terrascan/issues/367) - Add policy for checking insecure\_ssl configuration for github\_repository\_webhook in GitHub provider [\#355](https://github.com/accurics/terrascan/issues/355) +- Support for Terraform v0.13 [\#324](https://github.com/accurics/terrascan/issues/324) +- Ability to add ignore findings through comments in code [\#310](https://github.com/accurics/terrascan/issues/310) - Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) **Fixed bugs:** -- Fixes resource lock [\#432](https://github.com/accurics/terrascan/issues/432) -- Fixes Issue where Terrascan paniced with list variables [\#412](https://github.com/accurics/terrascan/issues/412) -- Resolves false positive for AWS rule vpcFlowLogsNotEnabled [\#408](https://github.com/accurics/terrascan/issues/408) -- Resolves s3EnforceUserACL False Positive [\#359](https://github.com/accurics/terrascan/issues/359) -- Resolves accurics.gcp.IAM.104 suggests enabling a client certificate [\#330](https://github.com/accurics/terrascan/issues/330) +- Terrascan doesn't allow registering multiple versions for an iac-type [\#471](https://github.com/accurics/terrascan/issues/471) +- Resource lock issue [\#432](https://github.com/accurics/terrascan/issues/432) +- Issue where Terrascan paniced with list variables [\#412](https://github.com/accurics/terrascan/issues/412) +- False positive 
for aws rule vpcFlowLogsNotEnabled [\#408](https://github.com/accurics/terrascan/issues/408) +- s3EnforceUserACL - False Positive [\#359](https://github.com/accurics/terrascan/issues/359) +- Why accurics.gcp.IAM.104 suggests enabling a client certificate? [\#330](https://github.com/accurics/terrascan/issues/330) **Closed issues:** @@ -36,6 +42,8 @@ **Merged pull requests:** +- Bump go.uber.org/zap from 1.13.0 to 1.16.0 [\#486](https://github.com/accurics/terrascan/pull/486) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump github.com/spf13/afero from 1.3.4 to 1.5.1 [\#485](https://github.com/accurics/terrascan/pull/485) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/iancoleman/strcase from 0.1.1 to 0.1.3 [\#484](https://github.com/accurics/terrascan/pull/484) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/pelletier/go-toml from 1.8.0 to 1.8.1 [\#481](https://github.com/accurics/terrascan/pull/481) ([dependabot[bot]](https://github.com/apps/dependabot)) - Policy update 2021 01 14 [\#480](https://github.com/accurics/terrascan/pull/480) ([williepaul](https://github.com/williepaul)) 
@@ -44,6 +52,8 @@ - adding an else condition to relate the flow log with vpc [\#475](https://github.com/accurics/terrascan/pull/475) ([harkirat22](https://github.com/harkirat22)) - including a check for verifying in-line policy is included [\#474](https://github.com/accurics/terrascan/pull/474) ([harkirat22](https://github.com/harkirat22)) - adding rule to check if waf is enabled at cloud front distribution [\#473](https://github.com/accurics/terrascan/pull/473) ([harkirat22](https://github.com/harkirat22)) +- Added terraform v14 support besides v12. [\#470](https://github.com/accurics/terrascan/pull/470) ([dev-gaur](https://github.com/dev-gaur)) +- support comment with rule skipping for resource and scan summary modifications [\#466](https://github.com/accurics/terrascan/pull/466) ([patilpankaj212](https://github.com/patilpankaj212)) - recognize metadata.generateName [\#465](https://github.com/accurics/terrascan/pull/465) ([acc-jon](https://github.com/acc-jon)) - Update mkdocs-material to 6.2.4 [\#464](https://github.com/accurics/terrascan/pull/464) ([pyup-bot](https://github.com/pyup-bot)) - Update README.md [\#463](https://github.com/accurics/terrascan/pull/463) ([amirbenv](https://github.com/amirbenv)) 
@@ -56,6 +66,7 @@ - terrascan argo-cd instructions [\#454](https://github.com/accurics/terrascan/pull/454) ([storebot](https://github.com/storebot)) - Adds CI/CD integration docs [\#452](https://github.com/accurics/terrascan/pull/452) ([cesar-rodriguez](https://github.com/cesar-rodriguez)) - Bump github.com/zclconf/go-cty from 1.2.1 to 1.7.1 [\#449](https://github.com/accurics/terrascan/pull/449) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump sigs.k8s.io/kustomize/api from 0.6.5 to 0.7.1 [\#448](https://github.com/accurics/terrascan/pull/448) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/gorilla/mux from 1.7.4 to 1.8.0 [\#447](https://github.com/accurics/terrascan/pull/447) ([dependabot[bot]](https://github.com/apps/dependabot)) - Update mkdocs-material to 6.2.3 [\#445](https://github.com/accurics/terrascan/pull/445) ([pyup-bot](https://github.com/pyup-bot)) - deps: add dependabot support [\#444](https://github.com/accurics/terrascan/pull/444) ([chenrui333](https://github.com/chenrui333)) From 34979da6b9b59548d79a4c9585b687dd481c58c4 Mon Sep 17 00:00:00 2001 From: amirbenv <74685902+amirbenv@users.noreply.github.com> Date: Sat, 16 Jan 2021 14:03:02 -0800 Subject: [PATCH 07/22] Update CHANGELOG.md --- CHANGELOG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd7b18699..d33e47486 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,14 +6,14 @@ **Implemented enhancements:** -- Improved bash output [\#415](https://github.com/accurics/terrascan/issues/415) -- Scanning profiles [\#414](https://github.com/accurics/terrascan/issues/414) +**Implemented enhancements:** +- Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) +- Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file. +- New Policies for Kubernetes [\#480] https://github.com/accurics/terrascan/pull/480 - Tag released Docker images [\#398](https://github.com/accurics/terrascan/issues/398) -- How to ignore a rule? [\#367](https://github.com/accurics/terrascan/issues/367) - Add policy for checking insecure\_ssl configuration for github\_repository\_webhook in GitHub provider [\#355](https://github.com/accurics/terrascan/issues/355) -- Support for Terraform v0.13 [\#324](https://github.com/accurics/terrascan/issues/324) -- Ability to add ignore findings through comments in code [\#310](https://github.com/accurics/terrascan/issues/310) -- Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) +- Introduced support for terraform .14 and .13. Note: This will introduce some breaking changes for terraform v.12 files, even if using --iac-version v.12 flag. Notably we will no longer support multiple providers blocks, and certain references inside provisioner blocks (objects other than self, count or each, where when = destroy) . For more details see: https://github.com/hashicorp/terraform/releases/tag/v0.13.0 + **Fixed bugs:** From 01e26c4b881296ee26353db549a020db99678161 Mon Sep 17 00:00:00 2001 From: amirbenv <74685902+amirbenv@users.noreply.github.com> Date: Sat, 16 Jan 2021 14:11:18 -0800 Subject: [PATCH 08/22] Update CHANGELOG.md --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d33e47486..01dda61bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,8 +4,6 @@ [Full Changelog](https://github.com/accurics/terrascan/compare/v1.2.0...v1.3.0) -**Implemented enhancements:** - **Implemented enhancements:** - Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) - Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file. From e336ad67dde8a47179ea6d3e2827948176a5d779 Mon Sep 17 00:00:00 2001 From: amirbenv <74685902+amirbenv@users.noreply.github.com> Date: Sat, 16 Jan 2021 14:11:39 -0800 Subject: [PATCH 09/22] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 01dda61bc..d0debef36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ **Implemented enhancements:** - Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) - Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file. -- New Policies for Kubernetes [\#480] https://github.com/accurics/terrascan/pull/480 +- New Policies for Kubernetes [\#480](https://github.com/accurics/terrascan/pull/480) - Tag released Docker images [\#398](https://github.com/accurics/terrascan/issues/398) - Add policy for checking insecure\_ssl configuration for github\_repository\_webhook in GitHub provider [\#355](https://github.com/accurics/terrascan/issues/355) - Introduced support for terraform .14 and .13. Note: This will introduce some breaking changes for terraform v.12 files, even if using --iac-version v.12 flag. Notably we will no longer support multiple providers blocks, and certain references inside provisioner blocks (objects other than self, count or each, where when = destroy) . For more details see: https://github.com/hashicorp/terraform/releases/tag/v0.13.0 From a1e3947cb114b5477ded57b57b56e5d1b89525a5 Mon Sep 17 00:00:00 2001 
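Review bot: PATCH 07 introduces a duplicated "**Implemented enhancements:**" header and an unlinked reference "[\#480] https://github.com/accurics/terrascan/pull/480", and PATCH 08 and PATCH 09 exist only to undo those two slips; squash the three into one commit so the history does not carry a broken intermediate changelog. Two problems survive into the final text: the entry "Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file." has no issue or PR link even though this hunk removes the #310 and #367 references it replaces, and the Terraform note writes versions as ".14 and .13" and "v.12" while the value the CLI accepts is `--iac-version v12` (see the usage.md hunk at the end of the series). Write "v0.14", "v0.13", "v0.12" and quote the flag as it is typed.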
From: Cesar Rodriguez Date: Sun, 17 Jan 2021 22:23:52 -0500 Subject: [PATCH 10/22] adds link to k8s policy docs --- mkdocs.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index caf8413cd..f0e48a7a1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -45,9 +45,10 @@ nav: - Policies: - Policy Reference: policies.md - AWS: policies/aws.md - - GCP: policies/gcp.md - Azure: policies/azure.md + - GCP: policies/gcp.md - GitHub: policies/github.md + - Kubernetes: policies/k8s.md # - Educational Resources: learning.md - CI/CD Integration: cicd.md - Contributing: contributing.md From 1fd99c3a71d4ef540b4f247942b421c27375479e Mon Sep 17 00:00:00 2001 From: pyup-bot Date: Sun, 17 Jan 2021 05:18:33 -0500 Subject: [PATCH 11/22] Update mkdocs-material from 6.2.4 to 6.2.5 --- docs/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/requirements.txt b/docs/requirements.txt index e32d3d28b..a251d7e94 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,3 +1,3 @@ mkdocs==1.1.2 -mkdocs-material==6.2.4 +mkdocs-material==6.2.5 mkdocs-diagrams==1.0.0 From 8fbe2271695f16f614db3ce4d804b206b2117ed2 Mon Sep 17 00:00:00 2001 From: harkirat22 Date: Sun, 17 Jan 2021 20:43:06 -0500 Subject: [PATCH 12/22] solves issue #382, and improved policy to relate disk with the instance --- .../vmEncryptedwithCsek.rego | 8 ++++- .../accurics.gcp.EKM.132.json | 2 +- .../encryptedwithCsek.rego | 32 +++++++++++++++++-- 3 files changed, 37 insertions(+), 5 deletions(-) diff --git a/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego index c59a04e62..f735f6ba7 100755 --- a/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego +++ b/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego 
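Review bot: the new nav entry "- Kubernetes: policies/k8s.md" points at a page that no patch in this series adds; confirm docs/policies/k8s.md exists on the branch, because mkdocs warns on a nav entry without a matching file and turns that warning into a build failure under `strict: true`. Moving GCP below Azure is a reasonable alphabetical cleanup, but it is unrelated to the stated subject "adds link to k8s policy docs" and would be clearer in its own commit.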
@@ -3,5 +3,11 @@ package accurics vmEncryptedwithCsek[api.id] { api := input.google_compute_disk[_] - not api.config.disk_encryption_key == null + not api.config.disk_encryption_key } + +vmEncryptedwithCsek[api.id] +{ + api := input.google_compute_disk[_] + api.config.disk_encryption_key == null +} \ No newline at end of file diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json index 11b10f41c..19817f097 100755 --- a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json +++ b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json @@ -3,7 +3,7 @@ "file": "encryptedwithCsek.rego", "template_args": null, "severity": "MEDIUM", - "description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .", + "description": "VM disks attached to a compute instance should be encrypted with Customer Supplied Encryption Keys (CSEK) .", "reference_id": "accurics.gcp.EKM.132", "category": "Encryption \u0026 Key Management", "version": 1 diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego index 99774c09f..02cf0b6fd 100755 --- a/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego +++ b/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego 
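Review bot: the old body `not api.config.disk_encryption_key == null` fired for every disk whose key was not literally null, so a disk that did configure `disk_encryption_key` was reported together with one that omitted it, which matches the wrong-violation report in #382; the replacement pair correctly fires when the attribute is absent (`not api.config.disk_encryption_key`) or explicitly null. The two rule bodies differ only in that one check, so a helper such as `no_csek(api) { not api.config.disk_encryption_key }` and `no_csek(api) { api.config.disk_encryption_key == null }` would avoid repeating the lookup here and again in encryptedwithCsek.rego below. Add the trailing newline the diff flags with "No newline at end of file", and extend the JSON description to state which resource is reported, since accurics.gcp.EKM.132 now reports the google_compute_instance rather than the disk.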
@@ -1,7 +1,33 @@ package accurics -encryptedwithCsek[api.id] +encryptedwithCsek[retVal] { - api := input.google_compute_disk[_] - not api.config.disk_encryption_key == null + api := input.google_compute_disk[_] + not api.config.disk_encryption_key + + association := input.google_compute_attached_disk[_] + diskName := split(association.config.disk, ".")[1] + + api.name == diskName + instanceName := split(association.config.instance, ".")[1] + + instance := input.google_compute_instance[_] + instanceName == instance.name + retVal := instance.id } + +encryptedwithCsek[retVal] +{ + api := input.google_compute_disk[_] + api.config.disk_encryption_key == null + + association := input.google_compute_attached_disk[_] + diskName := split(association.config.disk, ".")[1] + + api.name == diskName + instanceName := split(association.config.instance, ".")[1] + + instance := input.google_compute_instance[_] + instanceName == instance.name + retVal := instance.id +} \ No newline at end of file From 1801ce97ca742ce5fba428b89784ef9cffed7d78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Jan 2021 07:07:12 +0000 Subject: [PATCH 13/22] Bump sigs.k8s.io/kustomize/api from 0.7.1 to 0.7.2 Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.7.1 to 0.7.2. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Changelog](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/v2.1.0_changelog.md) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.7.1...api/v0.7.2) Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index fbe752e1b..309114c33 100644 --- a/go.mod +++ b/go.mod 
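Review bot: the join only covers disks connected through a `google_compute_attached_disk` resource, so an unencrypted disk referenced from an instance's own `attached_disk` or `boot_disk` block is never reported by this rule, and `split(association.config.disk, ".")[1]` assumes a reference of the form `google_compute_disk.<label>.id`; a literal disk name, a `module.` output or any string without a dot leaves the index undefined and the rule silently produces no violation, which fails open. Document the supported reference shape or guard the split with a `startswith(association.config.disk, "google_compute_disk.")` check, and factor the attached-disk-to-instance lookup out of the two bodies, which are identical apart from the absent-versus-null test. Fix the missing newline at end of file as well.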
@@ -33,5 +33,5 @@ require ( gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 helm.sh/helm/v3 v3.4.0 honnef.co/go/tools v0.1.0 // indirect - sigs.k8s.io/kustomize/api v0.7.1 + sigs.k8s.io/kustomize/api v0.7.2 ) diff --git a/go.sum b/go.sum index 8b66c9d85..331736e4d 100644 --- a/go.sum +++ b/go.sum @@ -1495,8 +1495,10 @@ sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbL sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU= sigs.k8s.io/kustomize/api v0.7.1 h1:/cjDi4Pk/hqRSeCCj/Xum66rYrEtc7osM2/O+lvYKkM= sigs.k8s.io/kustomize/api v0.7.1/go.mod h1:XOt24UrCkv0x63eT5JVaph4Kqf5EVU2UBAXo6SPBaAY= +sigs.k8s.io/kustomize/api v0.7.2/go.mod h1:50/vLATrjhRmMr3spZsI1GcpoZJ8IARy9QstPbA9lGE= sigs.k8s.io/kustomize/kyaml v0.10.5 h1:PbJcsZsEM7O3hHtUWTR+4WkHVbQRW9crSy75or1gRbI= sigs.k8s.io/kustomize/kyaml v0.10.5/go.mod h1:P6Oy/ah/GZMKzJMIJA2a3/bc8YrBkuL5kJji13PSIzY= +sigs.k8s.io/kustomize/kyaml v0.10.6/go.mod h1:K9yg1k/HB/6xNOf5VH3LhTo1DK9/5ykSZO5uIv+Y/1k= sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e h1:4Z09Hglb792X0kfOBBJUPFEyvVfQWrYT/l8h5EKA6JQ= sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA= From 2330164c613758c7012984955e6eff028af7f7ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Jan 2021 07:06:54 +0000 Subject: [PATCH 14/22] Bump github.com/mattn/go-isatty from 0.0.8 to 0.0.12 Bumps [github.com/mattn/go-isatty](https://github.com/mattn/go-isatty) from 0.0.8 to 0.0.12. - [Release notes](https://github.com/mattn/go-isatty/releases) - [Commits](https://github.com/mattn/go-isatty/compare/v0.0.8...v0.0.12) Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) 
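Review bot: the go.sum hunk adds only the `/go.mod` hash lines for `sigs.k8s.io/kustomize/api v0.7.2` and `sigs.k8s.io/kustomize/kyaml v0.10.6` and no `h1:` line for either module zip, while the v0.7.1 entries stay in place; the go-isatty, golang.org/x/sys and go-version hunks that follow show the same pattern. Run `go mod tidy` on the branch and commit the result so go.sum carries the zip hashes for the versions actually selected and sheds the stale ones, instead of leaving the first `go build` to complete the file.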
diff --git a/go.mod b/go.mod index 309114c33..f1119409b 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/hashicorp/hcl/v2 v2.8.2 github.com/hashicorp/terraform v0.14.4 github.com/iancoleman/strcase v0.1.3 - github.com/mattn/go-isatty v0.0.8 + github.com/mattn/go-isatty v0.0.12 github.com/open-policy-agent/opa v0.22.0 github.com/pelletier/go-toml v1.8.1 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index 331736e4d..69c8cecc8 100644 --- a/go.sum +++ b/go.sum @@ -682,6 +682,7 @@ github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-oci8 v0.0.7/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI= github.com/mattn/go-runewidth v0.0.0-20181025052659-b20a3daf6a39/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= 
@@ -1194,6 +1195,7 @@ golang.org/x/sys v0.0.0-20191220142924-d4481acd189f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= From 4d740932a34053f60322dd4d43b06f811307df1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Jan 2021 17:34:05 +0000 Subject: [PATCH 15/22] Bump github.com/hashicorp/go-version from 1.2.0 to 1.2.1 Bumps [github.com/hashicorp/go-version](https://github.com/hashicorp/go-version) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/hashicorp/go-version/releases) - [Commits](https://github.com/hashicorp/go-version/compare/v1.2.0...v1.2.1) Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f1119409b..b2403e330 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/hashicorp/go-cleanhttp v0.5.1 github.com/hashicorp/go-getter v1.5.1 github.com/hashicorp/go-retryablehttp v0.6.6 - github.com/hashicorp/go-version v1.2.0 + github.com/hashicorp/go-version v1.2.1 github.com/hashicorp/hcl/v2 v2.8.2 github.com/hashicorp/terraform v0.14.4 github.com/iancoleman/strcase v0.1.3 diff --git a/go.sum b/go.sum index 69c8cecc8..ebc4f35b3 100644 --- a/go.sum +++ b/go.sum 
@@ -553,6 +553,7 @@ github.com/hashicorp/go-version v1.0.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= From 2536a09fc974c69f69c41de2c4e8c2ac882c283c Mon Sep 17 00:00:00 2001 From: Devang Gaur Date: Mon, 18 Jan 2021 15:03:59 +0530 Subject: [PATCH 16/22] Fix: potential bug added in PR #470 --- pkg/policy/all.go | 2 +- pkg/policy/azure.go | 2 +- pkg/policy/gcp.go | 2 +- pkg/policy/github.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/policy/all.go b/pkg/policy/all.go index 959f54639..d88d2635d 100644 --- a/pkg/policy/all.go +++ b/pkg/policy/all.go @@ -18,7 +18,7 @@ package policy const ( defaultAllIacType supportedIacType = "terraform" - defaultAllIacVersion supportedIacVersion = "v14" + defaultAllIacVersion supportedIacVersion = "v12" ) func init() { diff --git a/pkg/policy/azure.go b/pkg/policy/azure.go index 9056eab06..d2e57d773 100644 --- a/pkg/policy/azure.go +++ b/pkg/policy/azure.go @@ -19,7 +19,7 @@ package policy const ( azure supportedCloudType = "azure" defaultAzureIacType supportedIacType = "terraform" - defaultAzureIacVersion supportedIacVersion = "v14" + defaultAzureIacVersion supportedIacVersion = "v12" ) func init() { diff --git a/pkg/policy/gcp.go b/pkg/policy/gcp.go index 545b3c0fa..f49dfe606 100644 --- a/pkg/policy/gcp.go +++ b/pkg/policy/gcp.go 
@@ -19,7 +19,7 @@ package policy const ( gcp supportedCloudType = "gcp" defaultGCPIacType supportedIacType = "terraform" - defaultGCPIacVersion supportedIacVersion = "v14" + defaultGCPIacVersion supportedIacVersion = "v12" ) func init() { diff --git a/pkg/policy/github.go b/pkg/policy/github.go index 76fb1c930..94330db46 100644 --- a/pkg/policy/github.go +++ b/pkg/policy/github.go @@ -19,7 +19,7 @@ package policy const ( github supportedCloudType = "github" defaultGithubIacType supportedIacType = "terraform" - defaultGithubIacVersion supportedIacVersion = "v14" + defaultGithubIacVersion supportedIacVersion = "v12" ) func init() { From be9c502fe6869fd7c3e1b7dee53893900fb7f678 Mon Sep 17 00:00:00 2001 From: Devang Gaur Date: Mon, 18 Jan 2021 15:47:14 +0530 Subject: [PATCH 17/22] Using constants --- pkg/policy/all.go | 2 +- pkg/policy/aws.go | 2 +- pkg/policy/azure.go | 2 +- pkg/policy/gcp.go | 2 +- pkg/policy/github.go | 2 +- pkg/policy/helm.go | 2 +- pkg/policy/kubernetes.go | 2 +- pkg/policy/kustomize.go | 2 +- pkg/policy/types.go | 6 ++++++ 9 files changed, 14 insertions(+), 8 deletions(-) diff --git a/pkg/policy/all.go b/pkg/policy/all.go index d88d2635d..eaf00a4d4 100644 --- a/pkg/policy/all.go +++ b/pkg/policy/all.go @@ -18,7 +18,7 @@ package policy const ( defaultAllIacType supportedIacType = "terraform" - defaultAllIacVersion supportedIacVersion = "v12" + defaultAllIacVersion supportedIacVersion = version12 ) func init() { diff --git a/pkg/policy/aws.go b/pkg/policy/aws.go index 937e2c3c6..63541f1e1 100644 --- a/pkg/policy/aws.go +++ b/pkg/policy/aws.go @@ -19,7 +19,7 @@ package policy const ( aws supportedCloudType = "aws" defaultAWSIacType supportedIacType = "terraform" - defaultAWSIacVersion supportedIacVersion = "v14" + defaultAWSIacVersion supportedIacVersion = version12 ) func init() { diff --git a/pkg/policy/azure.go b/pkg/policy/azure.go index d2e57d773..9cf26e2e5 100644 --- a/pkg/policy/azure.go +++ b/pkg/policy/azure.go 
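Review bot: PATCH 16 ("Fix: potential bug added in PR #470") resets the default IaC version to v12 in all.go, azure.go, gcp.go and github.go but leaves pkg/policy/aws.go at "v14"; aws.go is only corrected in the following "Using constants" commit, as its `- defaultAWSIacVersion supportedIacVersion = "v14"` line shows. Move that change into the fix commit so the fix is complete on its own, and add a test asserting that every policy package default equals `terraformDefaultVersion` from pkg/iac-providers/terraform.go, so a future bump cannot drift in one package only.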
@@ -19,7 +19,7 @@ package policy const ( azure supportedCloudType = "azure" defaultAzureIacType supportedIacType = "terraform" - defaultAzureIacVersion supportedIacVersion = "v12" + defaultAzureIacVersion supportedIacVersion = version12 ) func init() { diff --git a/pkg/policy/gcp.go b/pkg/policy/gcp.go index f49dfe606..62624f008 100644 --- a/pkg/policy/gcp.go +++ b/pkg/policy/gcp.go @@ -19,7 +19,7 @@ package policy const ( gcp supportedCloudType = "gcp" defaultGCPIacType supportedIacType = "terraform" - defaultGCPIacVersion supportedIacVersion = "v12" + defaultGCPIacVersion supportedIacVersion = version12 ) func init() { diff --git a/pkg/policy/github.go b/pkg/policy/github.go index 94330db46..951bac6e2 100644 --- a/pkg/policy/github.go +++ b/pkg/policy/github.go @@ -19,7 +19,7 @@ package policy const ( github supportedCloudType = "github" defaultGithubIacType supportedIacType = "terraform" - defaultGithubIacVersion supportedIacVersion = "v12" + defaultGithubIacVersion supportedIacVersion = version12 ) func init() { diff --git a/pkg/policy/helm.go b/pkg/policy/helm.go index 91684a8f5..7728b3965 100644 --- a/pkg/policy/helm.go +++ b/pkg/policy/helm.go @@ -19,7 +19,7 @@ package policy const ( helm supportedCloudType = "k8s" defaultHelmIacType supportedIacType = "helm" - defaultHelmIacVersion supportedIacVersion = "3" + defaultHelmIacVersion supportedIacVersion = version3 ) func init() { diff --git a/pkg/policy/kubernetes.go b/pkg/policy/kubernetes.go index f845efbbc..02463fe7a 100644 --- a/pkg/policy/kubernetes.go +++ b/pkg/policy/kubernetes.go @@ -19,7 +19,7 @@ package policy const ( kubernetes supportedCloudType = "k8s" defaultKubernetesIacType supportedIacType = "k8s" - defaultKubernetesIacVersion supportedIacVersion = "v1" + defaultKubernetesIacVersion supportedIacVersion = version1 ) func init() { diff --git a/pkg/policy/kustomize.go b/pkg/policy/kustomize.go index 45d011e6f..6057149ae 100644 --- a/pkg/policy/kustomize.go +++ b/pkg/policy/kustomize.go 
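Review bot: `defaultHelmIacVersion` changes from "3" to `version3`, which is "v3", so a commit titled "Using constants" also changes the Helm default version string; if "3" was a bug (the CLI help lists `helm: v3`), say so in the commit message, and check that nothing matches on the old value. The new `version12`, `version1` and `version3` constants in pkg/policy/types.go also duplicate `terraformV12`, `terraformV13` and `terraformV14` in pkg/iac-providers/terraform.go, so the version strings now have two sources of truth; export one set and import it from the other package.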
@@ -2,7 +2,7 @@ package policy const ( defaultKustomizeIacType supportedIacType = "kustomize" - defaultKustomizeIacVersion supportedIacVersion = "v3" + defaultKustomizeIacVersion supportedIacVersion = version3 ) func init() { diff --git a/pkg/policy/types.go b/pkg/policy/types.go index 33b192344..a220a1f42 100644 --- a/pkg/policy/types.go +++ b/pkg/policy/types.go @@ -7,6 +7,12 @@ import ( "github.com/accurics/terrascan/pkg/results" ) +const ( + version12 = "v12" + version1 = "v1" + version3 = "v3" +) + // EngineInput Contains data used as input to the engine type EngineInput struct { InputData *output.AllResourceConfigs From 91790db1537196b4ac5492f87331fd4c39ccaac7 Mon Sep 17 00:00:00 2001 From: harkirat22 Date: Sun, 17 Jan 2021 20:23:03 -0500 Subject: [PATCH 18/22] solves issue #331 --- .../azure/azurerm_key_vault/keyVaultAuditLoggingEnabled.rego | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault/keyVaultAuditLoggingEnabled.rego b/pkg/policies/opa/rego/azure/azurerm_key_vault/keyVaultAuditLoggingEnabled.rego index f8e2aa63e..320935332 100755 --- a/pkg/policies/opa/rego/azure/azurerm_key_vault/keyVaultAuditLoggingEnabled.rego +++ b/pkg/policies/opa/rego/azure/azurerm_key_vault/keyVaultAuditLoggingEnabled.rego @@ -20,4 +20,8 @@ loggingExist(key_vault) = exists { log_name := sprintf("azurerm_key_vault.%s.log", [key_vault.name]) log_set[log_name] exists = true +} else = exists { + log_set := { key_vault_id | key_vault_id := split(input.azurerm_monitor_diagnostic_setting[i].config.target_resource_id, ".")[1] } + log_set[key_vault.name] + exists = true } \ No newline at end of file From 6da5e88b43f48bdddd8a3699919649415166a6d3 Mon Sep 17 00:00:00 2001 From: Devang Gaur Date: Mon, 18 Jan 2021 17:00:30 +0530 Subject: [PATCH 19/22] Add v13 flag option for terraform iac --- pkg/iac-providers/terraform.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
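Review bot: the new `else` branch derives the vault label with `split(input.azurerm_monitor_diagnostic_setting[i].config.target_resource_id, ".")[1]`, which only works when `target_resource_id` is a reference such as `azurerm_key_vault.<label>.id`; a literal resource ID (`/subscriptions/...`) has no dot-separated label, so that vault never lands in `log_set` and is reported as unlogged even though a diagnostic setting targets it. Guard the comprehension with `startswith(..., "azurerm_key_vault.")` or handle literal IDs separately, and add a test case for each shape of `target_resource_id` so #331 does not regress. The file still ends without a newline.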
diff --git a/pkg/iac-providers/terraform.go b/pkg/iac-providers/terraform.go index 73e207a60..1e6d6e01a 100644 --- a/pkg/iac-providers/terraform.go +++ b/pkg/iac-providers/terraform.go @@ -9,16 +9,17 @@ import ( // terraform specific constants const ( - terraform supportedIacType = "terraform" - terraformV14 supportedIacVersion = "v14" - terraformV12 supportedIacVersion = "v12" - - terraformDefaultVersion = terraformV12 + terraform supportedIacType = "terraform" + terraformV12 supportedIacVersion = "v12" + terraformV13 supportedIacVersion = "v13" + terraformV14 supportedIacVersion = "v14" + terraformDefaultVersion = terraformV12 ) // register terraform as an IaC provider with terrascan func init() { // register iac provider RegisterIacProvider(terraform, terraformV12, terraformDefaultVersion, reflect.TypeOf(tfv12.TfV12{})) + RegisterIacProvider(terraform, terraformV13, terraformDefaultVersion, reflect.TypeOf(tfv14.TfV14{})) RegisterIacProvider(terraform, terraformV14, terraformDefaultVersion, reflect.TypeOf(tfv14.TfV14{})) } From 88481ceaa9fa020bb58fdaf4f8ac2a48bc5b521a Mon Sep 17 00:00:00 2001 From: Yusuf Kanchwala Date: Tue, 19 Jan 2021 18:09:05 +0530 Subject: [PATCH 20/22] update version to v1.3.0 --- pkg/version/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/version/version.go b/pkg/version/version.go index 55ab48abc..01633e53c 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -17,7 +17,7 @@ package version // Terrascan The Terrascan version -const Terrascan = "v1.2.0" +const Terrascan = "v1.3.0" // Get returns the terrascan version func Get() string { From 349d5c9e73ac471ca17654bce0f9b825f5542256 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Tue, 19 Jan 2021 11:50:06 -0500 Subject: [PATCH 21/22] updates changelog --- CHANGELOG.md | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0debef36..c25a2bc5b 100644 
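Review bot: v13 is registered with `reflect.TypeOf(tfv14.TfV14{})`, so `--iac-version v13` is an alias for the v14 provider; put that in a comment above the `RegisterIacProvider` calls and in the CLI help, because a user selecting v13 will otherwise expect a 0.13-specific parser. The v12 provider itself now builds against `github.com/hashicorp/terraform v0.14.4` (visible in the go.mod hunks above), which is presumably the reason for the changelog's warning that v0.12 files see breaking changes even with `--iac-version v12`; stating that in the same comment ties the caveat to the code. A unit test that registers three versions for one IaC type would also pin the fix for #471 ("doesn't allow registering multiple versions for an iac-type").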
--- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,30 +1,31 @@ # Changelog -## [v1.3.0](https://github.com/accurics/terrascan/tree/v1.3.0) (2021-01-16) +## [v1.3.0](https://github.com/accurics/terrascan/tree/v1.3.0) (2021-01-19) [Full Changelog](https://github.com/accurics/terrascan/compare/v1.2.0...v1.3.0) **Implemented enhancements:** - Prints output in human friendly format [\#168](https://github.com/accurics/terrascan/issues/168) -- Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file. +- Support for rule suppression using terraform comments,kubernetes annotations, cli arguments, and config file. - New Policies for Kubernetes [\#480](https://github.com/accurics/terrascan/pull/480) - Tag released Docker images [\#398](https://github.com/accurics/terrascan/issues/398) - Add policy for checking insecure\_ssl configuration for github\_repository\_webhook in GitHub provider [\#355](https://github.com/accurics/terrascan/issues/355) -- Introduced support for terraform .14 and .13. Note: This will introduce some breaking changes for terraform v.12 files, even if using --iac-version v.12 flag. Notably we will no longer support multiple providers blocks, and certain references inside provisioner blocks (objects other than self, count or each, where when = destroy) . For more details see: https://github.com/hashicorp/terraform/releases/tag/v0.13.0 - +- Introduced support for terraform .14 and .13. Note: This will introduce some breaking changes for terraform v.12 files, even if using --iac-version v.12 flag. Notably we will no longer support multiple providers blocks, and certain references inside provisioner blocks (objects other than self, count or each, where when = destroy) . 
For more details see: https://github.com/hashicorp/terraform/releases/tag/v0.13.0 **Fixed bugs:** -- Terrascan doesn't allow registering multiple versions for an iac-type [\#471](https://github.com/accurics/terrascan/issues/471) -- Resource lock issue [\#432](https://github.com/accurics/terrascan/issues/432) -- Issue where Terrascan paniced with list variables [\#412](https://github.com/accurics/terrascan/issues/412) +- terrascan doesn't allow registering multiple versions for an iac-type [\#471](https://github.com/accurics/terrascan/issues/471) +- Debug resource lock [\#432](https://github.com/accurics/terrascan/issues/432) +- terrascan panic: not a string [\#412](https://github.com/accurics/terrascan/issues/412) - False positive for aws rule vpcFlowLogsNotEnabled [\#408](https://github.com/accurics/terrascan/issues/408) +- accurics.GCP.EKM.132 and accurics.GCP.EKM.131 wrong violation using disk\_encryption\_key [\#382](https://github.com/accurics/terrascan/issues/382) - s3EnforceUserACL - False Positive [\#359](https://github.com/accurics/terrascan/issues/359) +- How to fix accurics.azure.EKM.20 [\#331](https://github.com/accurics/terrascan/issues/331) - Why accurics.gcp.IAM.104 suggests enabling a client certificate? [\#330](https://github.com/accurics/terrascan/issues/330) **Closed issues:** -- Terraform can't detect violations in terraform modules [\#468](https://github.com/accurics/terrascan/issues/468) +- terraform can't detect violations in terraform modules [\#468](https://github.com/accurics/terrascan/issues/468) - uniformBucketEnabled.rego referencing deprecated config [\#453](https://github.com/accurics/terrascan/issues/453) - Unable to run terrascan scan [\#446](https://github.com/accurics/terrascan/issues/446) - Terrascan doesn't exit with error on CLI or Parsing errors. [\#442](https://github.com/accurics/terrascan/issues/442) 
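Review bot: the bug entries are now verbatim issue titles ("Debug resource lock", "terrascan panic: not a string", "How to fix accurics.azure.EKM.20"), which tell a user nothing about the fix they get; for the two entries this series resolves, #382 ("accurics.GCP.EKM.132 and accurics.GCP.EKM.131 wrong violation using disk_encryption_key") and #331 ("How to fix accurics.azure.EKM.20"), one clause each would do, for example that the CSEK policies no longer flag disks that set a key and that the key vault audit policy now accepts `target_resource_id` references. The Terraform enhancement line still reads ".14 and .13" and "v.12" and, unlike its neighbours, has no issue link; use "v0.14", "v0.13", "v0.12" and quote the flag as `--iac-version v12`.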
@@ -40,9 +41,18 @@ **Merged pull requests:** +- update version to v1.3.0 [\#502](https://github.com/accurics/terrascan/pull/502) ([kanchwala-yusuf](https://github.com/kanchwala-yusuf)) +- Add v13 flag option for terraform iac [\#499](https://github.com/accurics/terrascan/pull/499) ([dev-gaur](https://github.com/dev-gaur)) +- Fix: potential bug added in PR \#470 [\#497](https://github.com/accurics/terrascan/pull/497) ([dev-gaur](https://github.com/dev-gaur)) +- Bump sigs.k8s.io/kustomize/api from 0.7.1 to 0.7.2 [\#494](https://github.com/accurics/terrascan/pull/494) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump github.com/mattn/go-isatty from 0.0.8 to 0.0.12 [\#492](https://github.com/accurics/terrascan/pull/492) ([dependabot[bot]](https://github.com/apps/dependabot)) +- solves issue \#382, and improved policy to relate disk with the instance [\#490](https://github.com/accurics/terrascan/pull/490) ([harkirat22](https://github.com/harkirat22)) +- solves issue \#331 [\#489](https://github.com/accurics/terrascan/pull/489) ([harkirat22](https://github.com/harkirat22)) +- Update mkdocs-material to 6.2.5 [\#488](https://github.com/accurics/terrascan/pull/488) ([pyup-bot](https://github.com/pyup-bot)) - Bump go.uber.org/zap from 1.13.0 to 1.16.0 [\#486](https://github.com/accurics/terrascan/pull/486) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/spf13/afero from 1.3.4 to 1.5.1 [\#485](https://github.com/accurics/terrascan/pull/485) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/iancoleman/strcase from 0.1.1 to 0.1.3 [\#484](https://github.com/accurics/terrascan/pull/484) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Bump github.com/hashicorp/go-version from 1.2.0 to 1.2.1 [\#482](https://github.com/accurics/terrascan/pull/482) ([dependabot[bot]](https://github.com/apps/dependabot)) - Bump github.com/pelletier/go-toml from 1.8.0 to 1.8.1 
[\#481](https://github.com/accurics/terrascan/pull/481) ([dependabot[bot]](https://github.com/apps/dependabot)) - Policy update 2021 01 14 [\#480](https://github.com/accurics/terrascan/pull/480) ([williepaul](https://github.com/williepaul)) - fix panic for list variables [\#479](https://github.com/accurics/terrascan/pull/479) ([patilpankaj212](https://github.com/patilpankaj212)) @@ -91,8 +101,8 @@ - Fixes GCP cos node image policy [\#397](https://github.com/accurics/terrascan/pull/397) ([cesar-rodriguez](https://github.com/cesar-rodriguez)) - \#394: recognize that empty values for username and password in master… [\#396](https://github.com/accurics/terrascan/pull/396) ([acc-jon](https://github.com/acc-jon)) - Fix infinite loop on variable resolution [\#393](https://github.com/accurics/terrascan/pull/393) ([dinedal](https://github.com/dinedal)) +- Remove demo badge [\#389](https://github.com/accurics/terrascan/pull/389) ([kklin](https://github.com/kklin)) - Update mkdocs-material to 6.1.5 [\#387](https://github.com/accurics/terrascan/pull/387) ([pyup-bot](https://github.com/pyup-bot)) -- Add new policy for checking insecure\_ssl on github\_repository\_webhook [\#386](https://github.com/accurics/terrascan/pull/386) ([HorizonNet](https://github.com/HorizonNet)) ## [v1.2.0](https://github.com/accurics/terrascan/tree/v1.2.0) (2020-11-16) From 210102203a33a7dbdad207aa3816325e8e7a963f Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Tue, 19 Jan 2021 11:55:09 -0500 Subject: [PATCH 22/22] updates version flag on help --- docs/getting-started/usage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/usage.md b/docs/getting-started/usage.md index 56b2e26cc..deaef3d85 100644 --- a/docs/getting-started/usage.md +++ b/docs/getting-started/usage.md 
@@ -118,7 +118,7 @@ Flags: -d, --iac-dir string path to a directory containing one or more IaC files (default ".") -f, --iac-file string path to a single IaC file -i, --iac-type string iac type (helm, k8s, kustomize, terraform) - --iac-version string iac version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v14) + --iac-version string iac version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v13, v14) -p, --policy-path stringArray policy path directory -t, --policy-type strings policy type (all, aws, azure, gcp, github, k8s) (default [all]) -r, --remote-type string type of remote backend (git, s3, gcs, http)
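Review bot: in the CHANGELOG.md "Fixed bugs" hunk the regenerated entries swap the hand-edited descriptions for raw issue titles, so `- Debug resource lock [\#432]` and `- How to fix accurics.azure.EKM.20 [\#331]` no longer say what was fixed (#331 in particular reads as a support question, not a bug fix), and `- terrascan panic: not a string [\#412]` is less informative than the removed `- Issue where Terrascan paniced with list variables`. The same hunk also lower-cases the first word of the #471 and #468 entries (`terrascan doesn't allow…`, `terraform can't detect…`) while the neighbouring entries keep the capitalized form. Suggest keeping the edited wording for #432 and #412, rewriting #331 as a one-line description of the fix, and capitalizing the two product names, so the release notes read as a list of fixes rather than a dump of issue titles.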
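Review bot: the `@@ -91,8 +101,8 @@` hunk of CHANGELOG.md drops `- Add new policy for checking insecure\_ssl on github\_repository\_webhook [\#386]` from the v1.3.0 "Merged pull requests" list while adding `- Remove demo badge [\#389]`; nothing in the diff or the commit message ("updates changelog for next release") explains why the #386 line goes away. If that PR shipped in v1.3.0 the entry should stay so the new GitHub policy is discoverable from the release notes; if it was moved to another release, say so in the commit message.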
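Review bot: the usage.md hunk only updates the documentation copy of the `--iac-version` help text to `terraform: v12, v13, v14`, and the patch header shows `1 file changed` under `docs/getting-started/usage.md`. That text mirrors the flag's description string in the CLI, so check that the flag definition in the source was changed to the same `v12, v13, v14` list as part of the "Add v13 flag option for terraform iac" work (#499 in the changelog above); otherwise `terrascan scan --help` and the docs will disagree about whether `v13` is accepted.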
