{
"results": {
"resources": [
{
"id": "aws_default_security_group.default",
"type": "aws_default_security_group",
"kind": "terraformconfig",
"file": "plan.json"
},
{
"id": "aws_vpc.mainvpc",
"type": "aws_vpc",
"kind": "terraformconfig",
"file": "plan.json"
},
{
"id": "aws_vpc.mainvpc",
"type": "aws_vpc",
"kind": "terraformconfig",
"file": "vpc_group.tf",
"line": 5,
"column": 1
},
{
"id": "aws_default_security_group.default",
"type": "aws_default_security_group",
"kind": "terraformconfig",
"file": "vpc_group.tf",
"line": 9,
"column": 1
}
],
"vulnerabilities": [
{
"rule": {
"id": "SNYK-CC-00151",
"title": "VPC flow logging should be enabled",
"description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
"references": "https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html",
"labels": [
"logging"
],
"category": "logging",
"documentation": "https://snyk.io/security-rules/SNYK-CC-00151"
},
"message": "VPC flow logging should be enabled",
"remediation": "Reference the `aws_vpc` in an `aws_flow_log` `vpc_id` field.",
"severity": "medium",
"ignored": false,
"resource": {
"id": "aws_vpc.mainvpc",
"type": "aws_vpc",
"kind": "terraformconfig",
"formattedPath": "resource.aws_vpc[mainvpc]",
"file": "plan.json"
}
},
{
"rule": {
"id": "SNYK-CC-TF-5",
"title": "VPC default security group allows unrestricted ingress traffic",
"description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
"references": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
"labels": [
"best-practices",
"public-access"
],
"category": "network",
"documentation": "https://snyk.io/security-rules/SNYK-CC-TF-5"
},
"message": "Inbound traffic to VPC should be more restrictive",
"remediation": "Remove any invalid `ingress` block from the `aws_security_group` or `aws_default_security_group`.\n\nEnsure that an [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) or [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) `ingress` block does NOT contain the value `0.0.0.0/0` in the `cidr_blocks` (`ipv6_cidr_blocks` for ipv6) field.\n\n# Example configuration\n```hcl\nresource \"aws_security_group\" \"example\" {\n ingress {\n cidr_blocks = [10.0.0.0/16]\n from_port = 5900\n to_port = 5900\n # other required fields here\n }\n}\n```\n",
"severity": "medium",
"ignored": false,
"resource": {
"id": "aws_default_security_group.default",
"type": "aws_default_security_group",
"kind": "terraformconfig",
"path": [
"ingress",
0,
"cidr_blocks",
0
],
"formattedPath": "input.resource.aws_default_security_group[default].ingress[0].cidr_blocks[0]",
"file": "plan.json"
}
},
{
"rule": {
"id": "SNYK-CC-00151",
"title": "VPC flow logging should be enabled",
"description": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC.\nUsers can use the flow logs to detect anomalous traffic or insight during security workflows.\n",
"references": "https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html",
"labels": [
"logging"
],
"category": "logging",
"documentation": "https://snyk.io/security-rules/SNYK-CC-00151"
},
"message": "VPC flow logging should be enabled",
"remediation": "Reference the `aws_vpc` in an `aws_flow_log` `vpc_id` field.\n\n# Example Configuration\n\n```hcl\nresource \"aws_vpc\" \"valid_vpc\" {\n# other required fields here\n}\n\nresource \"aws_flow_log\" \"test_flow_log\" {\nvpc_id = \"${aws_vpc.valid_vpc.id}\"\n# other required fields here\n}\n```\n",
"severity": "medium",
"ignored": false,
"resource": {
"id": "aws_vpc.mainvpc",
"type": "aws_vpc",
"kind": "terraformconfig",
"formattedPath": "resource.aws_vpc[mainvpc]",
"file": "vpc_group.tf",
"line": 5,
"column": 1
}
},
{
"rule": {
"id": "SNYK-CC-TF-5",
"title": "VPC default security group allows unrestricted ingress traffic",
"description": "Configuring all VPC default security groups to restrict all traffic encourages least privilege security\ngroup development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.\n",
"references": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
"labels": [
"best-practices",
"public-access"
],
"category": "network",
"documentation": "https://snyk.io/security-rules/SNYK-CC-TF-5"
},
"message": "Inbound traffic to VPC should be more restrictive",
"remediation": "Remove any invalid `ingress` block from the `aws_security_group` or `aws_default_security_group`.\n\nEnsure that an [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) or [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) `ingress` block does NOT contain the value `0.0.0.0/0` in the `cidr_blocks` (`ipv6_cidr_blocks` for ipv6) field.\n\n# Example configuration\n```hcl\nresource \"aws_security_group\" \"example\" {\n ingress {\n cidr_blocks = [10.0.0.0/16]\n from_port = 5900\n to_port = 5900\n # other required fields here\n }\n}\n```\n",
"severity": "medium",
"ignored": false,
"resource": {
"id": "aws_default_security_group.default",
"type": "aws_default_security_group",
"kind": "terraformconfig",
"path": [
"ingress",
0,
"cidr_blocks",
0
],
"formattedPath": "input.resource.aws_default_security_group[default].ingress[0].cidr_blocks[0]",
"file": "vpc_group.tf",
"line": 16,
"column": 5
}
}
],
"metadata": {
"projectName": "input-files-for-json-v2",
"ignoredCount": 3
}
},
"errors": [
{
"name": "SnykIacTestError",
"code": 2114,
"strCode": "NO_LOADABLE_INPUT",
"userMessage": "The Snyk CLI couldn't find any valid IaC configuration files to scan",
"fields": {
"path": "invalid_file.txt"
}
}
]
}