// CheckEnableImageScans flags every ECR repository whose scan-on-push setting
// reports false, so that images pushed to it are never checked for known
// vulnerabilities. Repositories in any other state are recorded as passing.
//
// NOTE(review): this only inspects the repository-level ScanOnPush flag. If a
// registry-level scanning configuration is in force, that flag may not reflect
// the actual scan coverage — confirm against the scanned configuration.
var CheckEnableImageScans = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0030",
		Provider:    provider.AWSProvider,
		Service:     "ecr",
		ShortCode:   "enable-image-scans",
		Summary:     "ECR repository has image scans disabled.",
		Impact:      "The ability to scan images is not being used and vulnerabilities will not be highlighted",
		Resolution:  "Enable ECR image scanning",
		Explanation: `Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, repository := range s.AWS.ECR.Repositories {
			scanOnPush := repository.ImageScanning.ScanOnPush
			// Only a value reporting IsFalse() is a finding; every other
			// state passes, as in the sibling rules of this package.
			if !scanOnPush.IsFalse() {
				results.AddPassed(&repository)
				continue
			}
			results.Add(
				"Image scanning is not enabled.",
				&repository,
				scanOnPush,
			)
		}
		return results
	},
)
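// CheckEnforceImmutableRepository flags every ECR repository whose image tags
// are mutable. With mutable tags an attacker (or a mistaken push) can replace
// the image behind a tag that deployments already trust, so consumers of the
// tag silently pick up different content — the classic tag-TOCTOU problem.
//
// Fix over the previous revision: the Explanation named the attribute
// `image_tab_mutability`; the Terraform attribute is `image_tag_mutability`.
var CheckEnforceImmutableRepository = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0031",
		Provider:    provider.AWSProvider,
		Service:     "ecr",
		ShortCode:   "enforce-immutable-repository",
		Summary:     "ECR images tags shouldn't be mutable.",
		Impact:      "Image tags could be overwritten with compromised images",
		Resolution:  "Only use immutable images in ECR",
		Explanation: `ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting <code>image_tag_mutability</code> to <code>IMMUTABLE</code>`,
		Links: []string{
			"https://sysdig.com/blog/toctou-tag-mutability/",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, repository := range s.AWS.ECR.Repositories {
			immutable := repository.ImageTagsImmutable
			// A finding only when the value explicitly reports IsFalse();
			// anything else is recorded as passing.
			if immutable.IsFalse() {
				results.Add(
					"Repository tags are mutable.",
					&repository,
					immutable,
				)
				continue
			}
			results.AddPassed(&repository)
		}
		return results
	},
)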
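// CheckNoPublicAccess flags managed ECR repositories whose repository policy
// grants ECR actions to the wildcard AWS principal "*", i.e. to anyone.
//
// Fixes over the previous revision:
//   - the pass result was emitted when an issue WAS found (`if foundIssue`),
//     so public repositories got both a failure and a pass while clean ones
//     got nothing; a repository now passes only if no statement is public;
//   - a statement granting the IAM all-actions wildcard "*" was skipped because
//     it does not start with "ecr:", although it covers every ECR action;
//   - one pass per repository instead of one per statement, and a managed
//     repository with no statements at all now passes instead of vanishing.
//
// NOTE(review): only Principal.AWS is inspected. How the policy parser
// represents a bare `"Principal": "*"`, a Deny effect, or a Condition that
// scopes the wildcard (e.g. aws:PrincipalOrgID) is not visible here — confirm
// against the parser, since those cases decide false negatives/positives.
var CheckNoPublicAccess = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0032",
		Provider:    provider.AWSProvider,
		Service:     "ecr",
		ShortCode:   "no-public-access",
		Summary:     "ECR repository policy must block public access",
		Impact:      "Risk of potential data leakage of sensitive artifacts",
		Resolution:  "Do not allow public access in the policy",
		Explanation: `Allowing public access to the ECR repository risks leaking sensitive or abusable information`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, repository := range s.AWS.ECR.Repositories {
			// Unmanaged repositories have no policy to evaluate; they get
			// neither a pass nor a failure.
			if !repository.IsManaged() {
				continue
			}
			public := false
			for _, statement := range repository.Policy.Statements {
				if !grantsECRAction(statement.Action) {
					continue
				}
				for _, principal := range statement.Principal.AWS {
					if principal != "*" {
						continue
					}
					public = true
					results.Add(
						"Policy provides public access to the ECR repository.",
						&repository,
						repository.Policy,
					)
					// One finding per offending statement is enough.
					break
				}
			}
			if !public {
				results.AddPassed(&repository)
			}
		}
		return results
	},
)

// grantsECRAction reports whether an IAM Action list covers at least one ECR
// API call: an explicit "ecr:..." action (including "ecr:*") or the
// all-actions wildcard "*". A nil or empty list grants nothing.
func grantsECRAction(actions []string) bool {
	for _, action := range actions {
		if action == "*" || strings.HasPrefix(action, "ecr:") {
			return true
		}
	}
	return false
}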
// CheckRepositoryCustomerKey flags ECR repositories that are not encrypted
// with a customer-managed KMS key: either the encryption type is not KMS at
// all, or it is KMS but no key ID is set (AWS then falls back to its own
// managed key). Only a KMS repository with a non-empty key ID passes.
//
// NOTE(review): any non-empty KMSKeyID is accepted as customer managed; an ID
// or alias that resolves to the AWS-managed key would still pass here — confirm
// whether the parser can tell the two apart.
var CheckRepositoryCustomerKey = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0033",
		Provider:    provider.AWSProvider,
		Service:     "ecr",
		ShortCode:   "repository-customer-key",
		Summary:     "ECR Repository should use customer managed keys to allow more control",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Use customer managed keys",
		Explanation: `Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results rules.Results) {
		for _, repository := range s.AWS.ECR.Repositories {
			encryption := repository.Encryption
			switch {
			case encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS):
				// Not KMS at all (e.g. the default AES256 setting).
				results.Add(
					"Repository is not encrypted using KMS.",
					&repository,
					encryption.Type,
				)
			case encryption.KMSKeyID.IsEmpty():
				// KMS without a key ID: AWS uses its own managed key.
				results.Add(
					"Repository encryption does not use a customer managed KMS key.",
					&repository,
					encryption.KMSKeyID,
				)
			default:
				results.AddPassed(&repository)
			}
		}
		return results
	},
)