Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableImageScans = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0030", Provider: providers.AWSProvider, Service: "ecr", ShortCode: "enable-image-scans", Summary: "ECR repository has image scans disabled.", Impact: "The ability to scan images is not being used and vulnerabilities will not be highlighted", Resolution: "Enable ECR image scanning", Explanation: `Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.`, Links: []string{ "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableImageScansGoodExamples, BadExamples: terraformEnableImageScansBadExamples, Links: terraformEnableImageScansLinks, RemediationMarkdown: terraformEnableImageScansRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableImageScansGoodExamples, BadExamples: cloudFormationEnableImageScansBadExamples, Links: cloudFormationEnableImageScansLinks, RemediationMarkdown: cloudFormationEnableImageScansRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, repo := range s.AWS.ECR.Repositories { if repo.ImageScanning.ScanOnPush.IsFalse() { results.Add( "Image scanning is not enabled.", repo.ImageScanning.ScanOnPush, ) } else { results.AddPassed(&repo) } } return }, )
View Source
var CheckEnforceImmutableRepository = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0031", Provider: providers.AWSProvider, Service: "ecr", ShortCode: "enforce-immutable-repository", Summary: "ECR images tags shouldn't be mutable.", Impact: "Image tags could be overwritten with compromised images", Resolution: "Only use immutable images in ECR", Explanation: `ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting <code>image_tab_mutability</code> to <code>IMMUTABLE</code>`, Links: []string{ "https://sysdig.com/blog/toctou-tag-mutability/", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnforceImmutableRepositoryGoodExamples, BadExamples: terraformEnforceImmutableRepositoryBadExamples, Links: terraformEnforceImmutableRepositoryLinks, RemediationMarkdown: terraformEnforceImmutableRepositoryRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnforceImmutableRepositoryGoodExamples, BadExamples: cloudFormationEnforceImmutableRepositoryBadExamples, Links: cloudFormationEnforceImmutableRepositoryLinks, RemediationMarkdown: cloudFormationEnforceImmutableRepositoryRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, repo := range s.AWS.ECR.Repositories { if repo.ImageTagsImmutable.IsFalse() { results.Add( "Repository tags are mutable.", repo.ImageTagsImmutable, ) } else { results.AddPassed(&repo) } } return }, )
View Source
var CheckNoPublicAccess = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0032", Provider: providers.AWSProvider, Service: "ecr", ShortCode: "no-public-access", Summary: "ECR repository policy must block public access", Impact: "Risk of potential data leakage of sensitive artifacts", Resolution: "Do not allow public access in the policy", Explanation: `Allowing public access to the ECR repository risks leaking sensitive of abusable information`, Links: []string{ "https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicAccessGoodExamples, BadExamples: terraformNoPublicAccessBadExamples, Links: terraformNoPublicAccessLinks, RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationNoPublicAccessGoodExamples, BadExamples: cloudFormationNoPublicAccessBadExamples, Links: cloudFormationNoPublicAccessLinks, RemediationMarkdown: cloudFormationNoPublicAccessRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, repo := range s.AWS.ECR.Repositories { if repo.Metadata.IsUnmanaged() { continue } for _, policyDocument := range repo.Policies { policy := policyDocument.Document.Parsed statements, _ := policy.Statements() for _, statement := range statements { var hasECRAction bool actions, _ := statement.Actions() for _, action := range actions { if strings.HasPrefix(action, "ecr:") { hasECRAction = true break } } if !hasECRAction { continue } var foundIssue bool principals, _ := statement.Principals() if all, r := principals.All(); all { foundIssue = true results.Add( "Policy provides public access to the ECR repository.", policyDocument.Document.MetadataFromIamGo(statement.Range(), r), ) } else { accounts, r := principals.AWS() for _, account := range accounts { if account == "*" { foundIssue = true results.Add( "Policy provides public access to the ECR repository.", policyDocument.Document.MetadataFromIamGo(statement.Range(), r), ) } continue } } if foundIssue { results.AddPassed(&repo) } } } } return }, )
View Source
var CheckRepositoryCustomerKey = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0033", Provider: providers.AWSProvider, Service: "ecr", ShortCode: "repository-customer-key", Summary: "ECR Repository should use customer managed keys to allow more control", Impact: "Using AWS managed keys does not allow for fine grained control", Resolution: "Use customer managed keys", Explanation: `Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`, Links: []string{ "https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformRepositoryCustomerKeyGoodExamples, BadExamples: terraformRepositoryCustomerKeyBadExamples, Links: terraformRepositoryCustomerKeyLinks, RemediationMarkdown: terraformRepositoryCustomerKeyRemediationMarkdown, }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationRepositoryCustomerKeyGoodExamples, BadExamples: cloudFormationRepositoryCustomerKeyBadExamples, Links: cloudFormationRepositoryCustomerKeyLinks, RemediationMarkdown: cloudFormationRepositoryCustomerKeyRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, repo := range s.AWS.ECR.Repositories { if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) { results.Add( "Repository is not encrypted using KMS.", repo.Encryption.Type, ) } else if repo.Encryption.KMSKeyID.IsEmpty() { results.Add( "Repository encryption does not use a customer managed KMS key.", repo.Encryption.KMSKeyID, ) } else { results.AddPassed(&repo) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files ¶
- enable_image_scans.cf.go
- enable_image_scans.go
- enable_image_scans.tf.go
- enforce_immutable_repository.cf.go
- enforce_immutable_repository.go
- enforce_immutable_repository.tf.go
- no_public_access.cf.go
- no_public_access.go
- no_public_access.tf.go
- repository_customer_key.cf.go
- repository_customer_key.go
- repository_customer_key.tf.go
Click to show internal directories.
Click to hide internal directories.