Fix Checkov Security Findings #22

Open
1 of 3 tasks
juliangrueber opened this issue Feb 5, 2024 · 0 comments
Labels
bug Something isn't working

Describe the bug
Checkov is a tool which scans the code for security findings. Checkov findings should always be mitigated before releasing code. If there are valid exceptions, one can use ignore statements.

To Reproduce

  1. Install checkov
  2. Run checkov in the root directory of the code using
 checkov -d . 

Expected behavior
Security findings such as the following:

Nice to have

  • Terminal output
  • Screenshots
  • OS and Terraform versions

Terminal Output

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.vpc.vpc
File: /examples/vpc-with-multiple-az/aws-vpc/main.tf:1-49
Calling File: /examples/vpc-with-multiple-az/main.tf:5-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

            1  | module "vpc" {
            2  |   source  = "terraform-aws-modules/vpc/aws"
            3  |   version = "~> 5.1.1"
            4  | 
            5  |   name                   = "${var.resource_name_prefix}-graphdb"
            6  |   cidr                   = var.vpc_cidr
            7  |   azs                    = var.azs
            8  |   enable_nat_gateway     = true
            9  |   enable_dns_hostnames   = true
            10 |   one_nat_gateway_per_az = true
            11 |   private_subnets        = var.private_subnet_cidrs
            12 |   public_subnets         = var.public_subnet_cidrs
            13 | 
            14 |   default_network_acl_name = "Default Network ACLs for ${var.resource_name_prefix}"
            15 |   default_network_acl_ingress = [
            16 |     {
            17 |       rule_no    = 10
            18 |       action     = "deny"
            19 |       from_port  = 22
            20 |       protocol   = "tcp"
            21 |       cidr_block = "0.0.0.0/0"
            22 |       to_port    = 22
            23 |       }, {
            24 |       rule_no    = 11
            25 |       action     = "deny"
            26 |       from_port  = 3389
            27 |       protocol   = "tcp"
            28 |       cidr_block = "0.0.0.0/0"
            29 |       to_port    = 3389
            30 |       }, {
            31 |       rule_no    = 100
            32 |       action     = "allow"
            33 |       from_port  = 0
            34 |       protocol   = -1
            35 |       cidr_block = "0.0.0.0/0"
            36 |       to_port    = 0
            37 |     }
            38 |   ]
            39 |   default_network_acl_egress = [
            40 |     {
            41 |       rule_no    = 100
            42 |       action     = "allow"
            43 |       from_port  = 0
            44 |       protocol   = -1
            45 |       cidr_block = "0.0.0.0/0"
            46 |       to_port    = 0
            47 |     }
            48 |   ]
            49 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.graphdb.module.config.aws_ssm_parameter.graphdb_admin_password
File: /modules/config/main.tf:1-6
Calling File: /main.tf:39-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

            1 | resource "aws_ssm_parameter" "graphdb_admin_password" {
            2 |   name        = "/${var.resource_name_prefix}/graphdb/admin_password"
            3 |   description = "Password for the 'admin' user in GraphDB."
            4 |   type        = "SecureString"
            5 |   value       = var.graphdb_admin_password
            6 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.graphdb.module.config.aws_ssm_parameter.graphdb_cluster_token
File: /modules/config/main.tf:8-13
Calling File: /main.tf:39-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

            8  | resource "aws_ssm_parameter" "graphdb_cluster_token" {
            9  |   name        = "/${var.resource_name_prefix}/graphdb/cluster_token"
            10 |   description = "Cluster token used for authenticating the communication between the nodes."
            11 |   type        = "SecureString"
            12 |   value       = var.graphdb_cluster_token
            13 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.graphdb.module.config.aws_ssm_parameter.graphdb_license
File: /modules/config/main.tf:15-20
Calling File: /main.tf:39-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

            15 | resource "aws_ssm_parameter" "graphdb_license" {
            16 |   name        = "/${var.resource_name_prefix}/graphdb/license"
            17 |   description = "GraphDB Enterprise license."
            18 |   type        = "SecureString"
            19 |   value       = filebase64(var.graphdb_license_path)
            20 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.graphdb.module.config.aws_ssm_parameter.graphdb_lb_dns_name
File: /modules/config/main.tf:22-27
Calling File: /main.tf:39-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

            22 | resource "aws_ssm_parameter" "graphdb_lb_dns_name" {
            23 |   name        = "/${var.resource_name_prefix}/graphdb/lb_dns_name"
            24 |   description = "The DNS name of the load balancer for the GraphDB nodes."
            25 |   type        = "String"
            26 |   value       = var.graphdb_lb_dns_name
            27 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: module.graphdb.module.load_balancer.aws_lb.graphdb
File: /modules/load_balancer/main.tf:6-13
Calling File: /main.tf:47-60
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

            6  | resource "aws_lb" "graphdb" {
            7  |   name                       = local.lb_name
            8  |   internal                   = var.lb_internal
            9  |   load_balancer_type         = "network"
            10 |   subnets                    = var.lb_subnets
            11 |   enable_deletion_protection = var.lb_enable_deletion_protection
            12 |   security_groups            = var.lb_security_groups
            13 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.graphdb.module.load_balancer.aws_lb.graphdb
File: /modules/load_balancer/main.tf:6-13
Calling File: /main.tf:47-60
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

            6  | resource "aws_lb" "graphdb" {
            7  |   name                       = local.lb_name
            8  |   internal                   = var.lb_internal
            9  |   load_balancer_type         = "network"
            10 |   subnets                    = var.lb_subnets
            11 |   enable_deletion_protection = var.lb_enable_deletion_protection
            12 |   security_groups            = var.lb_security_groups
            13 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.graphdb.module.load_balancer.aws_lb.graphdb
File: /modules/load_balancer/main.tf:6-13
Calling File: /main.tf:47-60
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

            6  | resource "aws_lb" "graphdb" {
            7  |   name                       = local.lb_name
            8  |   internal                   = var.lb_internal
            9  |   load_balancer_type         = "network"
            10 |   subnets                    = var.lb_subnets
            11 |   enable_deletion_protection = var.lb_enable_deletion_protection
            12 |   security_groups            = var.lb_security_groups
            13 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.graphdb.module.vm.aws_iam_policy_document.instance_volume
File: /modules/vm/iam.tf:18-30
Calling File: /main.tf:96-114
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

            18 | data "aws_iam_policy_document" "instance_volume" {
            19 |   statement {
            20 |     effect = "Allow"
            21 | 
            22 |     actions = [
            23 |       "ec2:CreateVolume",
            24 |       "ec2:AttachVolume",
            25 |       "ec2:DescribeVolumes"
            26 |     ]
            27 | 
            28 |     resources = ["*"]
            29 |   }
            30 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.graphdb.module.vm.aws_iam_policy_document.instance_volume
File: /modules/vm/iam.tf:18-30
Calling File: /main.tf:96-114

            18 | data "aws_iam_policy_document" "instance_volume" {
            19 |   statement {
            20 |     effect = "Allow"
            21 | 
            22 |     actions = [
            23 |       "ec2:CreateVolume",
            24 |       "ec2:AttachVolume",
            25 |       "ec2:DescribeVolumes"
            26 |     ]
            27 | 
            28 |     resources = ["*"]
            29 |   }
            30 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.graphdb.module.vm.aws_security_group_rule.graphdb_ssh_inbound[0]
File: /modules/vm/main.tf:96-105
Calling File: /main.tf:96-114
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

            96  | resource "aws_security_group_rule" "graphdb_ssh_inbound" {
            97  |   count             = var.allowed_inbound_cidrs_ssh != null ? 1 : 0
            98  |   description       = "Allow specified CIDRs SSH access to the GraphDB instances."
            99  |   security_group_id = aws_security_group.graphdb.id
            100 |   type              = "ingress"
            101 |   from_port         = 22
            102 |   to_port           = 22
            103 |   protocol          = "tcp"
            104 |   cidr_blocks       = var.allowed_inbound_cidrs_ssh
            105 | }
@juliangrueber juliangrueber added the bug Something isn't working label Feb 5, 2024
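Remediations for the findings listed above, as an added example that is not part of the original issue or the project's code. It assumes a few names that do not appear in the issue: a customer-managed key `aws_kms_key.graphdb`, a log bucket `aws_s3_bucket.lb_logs`, the `aws_region`/`aws_caller_identity` data sources, and a placeholder commit SHA in the module source that must be replaced with the reviewed commit. The `String` parameter is handled with an inline `#checkov:skip` comment rather than a KMS key, since KMS encryption only applies to `SecureString` parameters; the justification travels with the resource instead of being silenced globally.

```hcl
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# CKV_TF_1: pin the module to a reviewed commit instead of a floating registry
# version. A git source takes no "version" argument. The SHA below is a
# placeholder (assumption) and must be replaced with the audited commit.
module "vpc" {
  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=0000000000000000000000000000000000000000"
  # remaining arguments unchanged from the original module call
}

# CKV_AWS_337: SecureString parameters encrypted with a customer-managed key.
resource "aws_kms_key" "graphdb" {
  description         = "CMK for GraphDB SSM parameters"
  enable_key_rotation = true
}

resource "aws_ssm_parameter" "graphdb_admin_password" {
  name        = "/${var.resource_name_prefix}/graphdb/admin_password"
  description = "Password for the 'admin' user in GraphDB."
  type        = "SecureString"
  key_id      = aws_kms_key.graphdb.arn
  value       = var.graphdb_admin_password
}

resource "aws_ssm_parameter" "graphdb_lb_dns_name" {
  # A String parameter is stored in plaintext by design; a KMS key does not
  # apply, so the exception is documented inline where the check fires.
  #checkov:skip=CKV_AWS_337:Plain String parameter holds a non-secret DNS name
  name        = "/${var.resource_name_prefix}/graphdb/lb_dns_name"
  description = "The DNS name of the load balancer for the GraphDB nodes."
  type        = "String"
  value       = var.graphdb_lb_dns_name
}

# CKV_AWS_152 / CKV_AWS_91 / CKV_AWS_150: cross-zone balancing, access logs and
# deletion protection on the NLB. NLB access logs only capture TLS listeners.
resource "aws_lb" "graphdb" {
  name                             = local.lb_name
  internal                         = var.lb_internal
  load_balancer_type               = "network"
  subnets                          = var.lb_subnets
  security_groups                  = var.lb_security_groups
  enable_cross_zone_load_balancing = true
  enable_deletion_protection       = true

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id # assumed log bucket
    enabled = true
  }
}

# CKV_AWS_111 / CKV_AWS_356: ec2:DescribeVolumes cannot be scoped to a resource
# and stays on "*" in its own statement; the write actions are scoped to
# volumes and instances in this account and region.
data "aws_iam_policy_document" "instance_volume" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeVolumes"]
    resources = ["*"]
  }

  statement {
    effect  = "Allow"
    actions = ["ec2:CreateVolume", "ec2:AttachVolume"]
    resources = [
      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*",
      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*",
    ]
  }
}

# CKV_AWS_24: reject a world-open SSH CIDR at plan time. try() keeps the
# null default valid, since contains() on null would error.
variable "allowed_inbound_cidrs_ssh" {
  type    = list(string)
  default = null

  validation {
    condition     = try(!contains(var.allowed_inbound_cidrs_ssh, "0.0.0.0/0"), true)
    error_message = "SSH must not be open to 0.0.0.0/0; restrict to a bastion CIDR or use SSM Session Manager."
  }
}
```

Re-run `checkov -d .` after applying the changes; the `#checkov:skip` line appears under "skipped_checks" in the report together with its justification, which keeps the exception visible in review rather than hidden behind a `--skip-check` flag.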