regula-action's Introduction

regula-action

Regula is a tool that evaluates CloudFormation and Terraform infrastructure-as-code for potential AWS, Azure, and Google Cloud security misconfigurations and compliance violations prior to deployment. This is a GitHub Action to run Regula against your repository.

Example

Here's an example workflow file. It checks three different IaC configurations: one Terraform directory and two CloudFormation templates:

on: [push]

jobs:
  regula_tf_job:
    runs-on: ubuntu-latest
    name: Regula Terraform
    steps:
    - uses: actions/checkout@master
    - uses: fugue/[email protected]
      with:
        input_path: infra_tf
        include: example_custom_rule

  regula_cfn_job:
    runs-on: ubuntu-latest
    name: Regula CloudFormation
    steps:
    - uses: actions/checkout@master
    - uses: fugue/[email protected]
      with:
        input_path: infra_cfn/cloudformation.yaml

  regula_valid_cfn_job:
    runs-on: ubuntu-latest
    name: Regula Valid CloudFormation
    steps:
    - uses: actions/checkout@master
    - uses: fugue/[email protected]
      with:
        input_path: infra_valid_cfn/cloudformation.yaml

  regula_multi_cfn_job:
    runs-on: ubuntu-latest
    name: Regula multiple CloudFormation templates
    steps:
    - uses: actions/checkout@master
    - uses: fugue/[email protected]
      with:
        input_path: '*/cloudformation.yaml'

  regula_input_list_job:
    runs-on: ubuntu-latest
    name: Regula on CloudFormation and Terraform
    steps:
    - uses: actions/checkout@master
    - uses: fugue/[email protected]
      with:
        input_path: |
          infra_cfn/cloudformation.yaml
          infra_valid_cfn/cloudformation.yaml
          infra_tf

  regula_tf_plan_job:
    runs-on: ubuntu-latest
    name: Regula on a Terraform plan JSON
    steps:
    - uses: actions/checkout@master
    - uses: hashicorp/setup-terraform@v1
      with:
        # See the note below for why this option is necessary.
        terraform_wrapper: false
        terraform_version: 1.0.8
    - run: |
        cd infra_tf
        terraform init
        terraform plan -refresh=false -out="plan.tfplan"
        terraform show -json plan.tfplan > plan.json
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    - uses: fugue/[email protected]
      with:
        input_path: infra_tf/plan.json
        input_type: tf-plan
        include: example_custom_rule

You can see this example in action in the regula-ci-example.

Inputs

  • input_path: One or more Terraform directories, Terraform JSON plans, or CloudFormation templates. Accepts space-separated or newline-separated filenames and/or globbing expressions. This defaults to . (the root of your repository).
  • config: Path to .regula.yaml file. By default regula will look in the current working directory and its parents.
  • environment_id: Environment ID in Fugue.
  • exclude: Rule IDs or names to exclude. This can be a space or newline-separated list.
  • include: Custom rule and configuration paths passed in to the Regula interpreter. This can be a space or newline-separated list.
  • input_type: The input types that Regula will evaluate. Defaults to auto, which evaluates all supported types. Possible values are:
    • auto
    • tf-plan -- Terraform plan JSON files
    • cfn -- CloudFormation templates in YAML/JSON
    • tf -- Terraform directories or files
    • k8s -- Kubernetes manifest in YAML format
  • no_built_ins: Disable the built-in Regula rules. Set to "true" if you only want to run custom rules.
  • no_config: Do not look for or load a regula config file. Set to "true" to enable this option.
  • no_ignore: Disable use of .gitignore. Set to "true" to enable this option.
  • only: Rule IDs or names to run. All other rules will be excluded. This can be a space or newline-separated list.
  • severity: The minimum severity at which Regula will produce a non-zero exit code for failing rules. Defaults to unknown. Use off to always produce a zero exit code. Possible values are:
    • unknown
    • informational
    • low
    • medium
    • high
    • critical
    • off
  • sync: Fetch rules and configuration from Fugue. Set to "true" to enable this option.
  • upload: Upload results to Fugue. Set to "true" to enable this. Requires sync to be set as well.
  • rego_paths: Custom rule and configuration paths passed in to the Regula interpreter.
  • user_only: Disable the built-in Regula rules. Set to "true" if you only want to run custom rules.
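
To make the severity input concrete, the following is an added Python illustration of the exit-code rule it describes; it is not the action's or Regula's own code. It runs over a constructed list of rule results in the shape of Regula's JSON report (only the fields the example reads are included; FG_R00066 and FG_R00085 are rule IDs that appear in the report quoted further down this page, the custom rule entry is invented). The concrete non-zero code 1 and the case-insensitive matching of rule_severity are assumptions of this example.

```python
# Severity levels in the order the action's `severity` input lists them (lowest first).
SEVERITY_ORDER = ["unknown", "informational", "low", "medium", "high", "critical"]

# Constructed sample shaped like Regula's rule_results; FG_R00066 / FG_R00085 are taken
# from the report on this page, CUSTOM_001 is invented for illustration.
SAMPLE_RESULTS = [
    {"rule_id": "FG_R00066", "rule_name": "tf_aws_elb_access_log_enabled",
     "resource_id": "aws_lb.shared", "rule_result": "FAIL", "rule_severity": "Medium"},
    {"rule_id": "FG_R00085", "rule_name": "tf_aws_security_groups_ingress_22",
     "resource_id": "aws_security_group.shared", "rule_result": "PASS", "rule_severity": "High"},
    {"rule_id": "CUSTOM_001", "rule_name": "custom_tagging_rule",
     "resource_id": "aws_lb.shared", "rule_result": "FAIL", "rule_severity": "Low"},
]


def severity_rank(label):
    """Map a report severity such as "Medium" to its index; unrecognised labels count as unknown."""
    sev = str(label or "unknown").lower()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def failures(rule_results):
    """Only the FAIL entries; PASS and WAIVED entries never affect the exit code."""
    return [r for r in rule_results if r.get("rule_result") == "FAIL"]


def failures_by_severity(rule_results):
    """Count FAIL entries per (normalised) severity label."""
    counts = {}
    for r in failures(rule_results):
        sev = SEVERITY_ORDER[severity_rank(r.get("rule_severity"))]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def exit_code_for(rule_results, threshold="unknown"):
    """Return 1 (assumed non-zero code) when any FAIL is at or above `threshold`, else 0.

    `off` always yields 0, matching the input's documented behaviour.
    """
    if threshold == "off":
        return 0
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    min_rank = SEVERITY_ORDER.index(threshold)
    blocking = [r for r in failures(rule_results)
                if severity_rank(r.get("rule_severity")) >= min_rank]
    return 1 if blocking else 0


if __name__ == "__main__":
    for r in failures(SAMPLE_RESULTS):
        print(f"FAIL {r['rule_severity']:<8} {r['rule_id']} {r['resource_id']} ({r['rule_name']})")
    print("failures by severity:", failures_by_severity(SAMPLE_RESULTS))
    for t in ("unknown", "medium", "high", "off"):
        print(f"severity={t}: exit code {exit_code_for(SAMPLE_RESULTS, t)}")
```

With the sample above, severity: medium still fails the job (the Medium access-logging FAIL is at the threshold), severity: high lets it pass even though a FAIL exists, and severity: off never blocks. Choose the threshold deliberately: a high threshold keeps the pipeline green while lower-severity findings accumulate unseen.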

Integration with Fugue

You can easily integrate this action with Fugue.

  1. Set sync and upload to true in the input values:

    - uses: fugue/[email protected]
      with:
        sync: "true"
        upload: "true"

    Note that setting upload will require you to set an environment ID as well. You can either specify that in the .regula.yaml or pass it in as an input value.

  2. Set up FUGUE_API_ID and FUGUE_API_SECRET environment variables for the action.

    You can find more info about these in the Fugue API Documentation.

Deprecated options

These options still function, but we encourage you to update your configurations before they are removed in a future release.

  • user_only is deprecated. Use no_built_ins instead.
  • rego_paths is deprecated. Use include instead.
  • terraform_directory is deprecated. Use input_path instead.

Links to additional information

How to use this GitHub Action

To use Regula to evaluate the infrastructure-as-code in your own repository via GitHub Actions, see the instructions in regula-ci-example. The example walks through how to use this GitHub Action in your own repo.

Compatibility with the hashicorp/setup-terraform action

The hashicorp/setup-terraform action can be used to generate a Terraform plan JSON file that Regula can evaluate. By default, the hashicorp/setup-terraform action wraps the terraform binary with a script that outputs some additional information for each command it executes. It's necessary to use the terraform_wrapper: false option, as we're doing in the example above, in order for the plan JSON file to be valid.

regula-action's Issues

Failed to parse Terraform plan JSON file with YAML error

I have a strange error when using this action to scan a Terraform plan output file in JSON format:

Run fugue/[email protected]
  with:
    input_path: infrastructure/terraform.plan.json
    input_type: tf-plan
    rego_paths: example_custom_rule
    user_only: false
    severity: unknown
...
level=fatal msg="Failed to parse JSON file infrastructure/terraform.plan.json: yaml: line 4: mapping values are not allowed in this context"

Here is my workflow step config:

      # Run PaC scan against terraform plan json so that interpolated values are utilized
      - uses: fugue/[email protected]
        with:
          input_path: infrastructure/terraform.plan.json
          input_type: tf-plan
          rego_paths: example_custom_rule

I've debugged and made sure the infrastructure/terraform.plan.json file is there. It starts with {"format_version":"0.2","terraform_version":"1.0.5",...

I've run regula via docker from my workstation and confirmed it works:

docker run --rm -t -v $(pwd):/workspace \
    fugue/regula:v1.6.0 run \
    -f json \
    -i example_custom_rule \
    -t tf-plan \
    infrastructure/terraform.plan.json
{
 ...
  "summary": {
    "filepaths": [
      "infrastructure/terraform.plan.json"
    ],
    "rule_results": {
      "FAIL": 0,
      "PASS": 5,
      "WAIVED": 0
    },
    ...
  }
}

Also strangely, when I run the above docker run... approach from a GitHub Action shell command, I get the same error as using the github-action:

level=fatal msg="Failed to parse JSON file infrastructure/terraform.plan.json: yaml: line 4: mapping values are not allowed in this context"

Is this an issue with the regula-action or regula itself? Why is regula attempting to parse my TF plan JSON file using YAML? I'm assuming it's executing this line: https://github.com/fugue/regula/blob/9d6ddbaf2fa6e1bfe8b4afb50fbe0548ce5f8013/pkg/loader/tfplan.go#L35
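
The compatibility note in the README above says that the hashicorp/setup-terraform wrapper prints extra output around each terraform command, which makes a redirected plan JSON invalid unless terraform_wrapper: false is set; a file that is no longer one JSON document is exactly the kind of input a parser rejects with a line-numbered error like the one in this issue. The following added pre-flight check is my example, not code from regula or from this action: it verifies that a plan file is a single JSON object carrying the format_version and terraform_version header keys and, when it is not, reports where a JSON object begins so the surrounding lines can be traced back to their producer. Both sample inputs are constructed, and the specific lines the wrapper emits are an assumption; only their shape matters.

```python
import json

# Plan header keys every `terraform show -json` document carries.
REQUIRED_KEYS = ("format_version", "terraform_version")

# Constructed sample: a minimal plan as `terraform show -json` writes it (one JSON document).
VALID_PLAN = '{"format_version":"0.2","terraform_version":"1.0.5","planned_values":{}}'

# Constructed sample: the same document with extra lines before and after it. The exact
# lines a wrapper script would emit are an assumption of this example.
WRAPPED_PLAN = (
    "[command]/usr/bin/terraform show -json plan.tfplan\n"
    "\n"
    + VALID_PLAN + "\n"
    "::debug::Terraform exited with code 0\n"
)


def check_plan_json(text):
    """Return (ok, detail): ok is True only when text is one JSON object with the plan header keys."""
    try:
        plan = json.loads(text)
    except json.JSONDecodeError as e:
        # A line starting with "{" inside an unparsable file suggests a JSON document
        # surrounded by non-JSON output; say where it starts so the producer can be found.
        for n, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("{"):
                return False, (f"not a single JSON document ({e.msg} at line {e.lineno}); "
                               f"a JSON object starts at line {n}, so other lines surround it")
        return False, f"not JSON: {e.msg} at line {e.lineno}"
    if not isinstance(plan, dict):
        return False, "top-level JSON value is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in plan]
    if missing:
        return False, "missing plan keys: " + ", ".join(missing)
    return True, f"plan format {plan['format_version']} from terraform {plan['terraform_version']}"


def extract_plan_json(text):
    """Best effort: pull the plan object out of a file wrapped in extra lines.

    Returns the parsed plan or None. Fixing the producer (terraform_wrapper: false)
    is the real remedy; this only helps diagnose what was written.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.lstrip().startswith("{"):
            continue
        # Try the longest candidate first so nested objects are not cut short.
        for j in range(len(lines), i, -1):
            try:
                plan = json.loads("\n".join(lines[i:j]))
            except json.JSONDecodeError:
                continue
            if isinstance(plan, dict) and all(k in plan for k in REQUIRED_KEYS):
                return plan
    return None


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else WRAPPED_PLAN
    ok, detail = check_plan_json(text)
    print(("OK: " if ok else "REJECT: ") + detail)
    sys.exit(0 if ok else 1)
```

Run as a workflow step between the terraform show command and the regula-action step (python3 check_plan.py infra_tf/plan.json, with the script name being whatever you save it as), the check fails the job with a message that names the offending lines instead of letting the scan step fail on a parse error.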

Output format support

Apologies if I am mistaken, but I am unable to find an option in this action that maps to the CLI run command's --format option. This would be useful for leveraging GitHub's built-in SARIF support.

Thank you.

action catching way more errors

Details

I have the following in a Terraform file.

resource "aws_security_group" "shared" {
  name        = "redirect-shared"
  description = "Allow traffic for simple redirect (shared)"
  vpc_id      = data.aws_vpc.this.id

  ingress {
    description = "TF: ALLOW INCOMING 443"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "TF: ALLOW INCOMING 80"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = merge(
    {
      Name = "redirect-shared"
    },
    module.name.tags,
  )

}

When the action runs against this, it spits out the following:

{
  "rule_results": [
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_lb.shared",
      "resource_type": "aws_lb",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "Load balancer access logging should be enabled. Load balancer access logging should be enabled. Access logs record information about every HTTP and TCP request a load balancer processes. Access logging should be enabled in order to analyze statistics, diagnose issues, and retain data for regulatory or legal purposes.",
      "rule_id": "FG_R00066",
      "rule_message": "",
      "rule_name": "tf_aws_elb_access_log_enabled",
      "rule_raw_result": false,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00066.html",
      "rule_result": "FAIL",
      "rule_severity": "Medium",
      "rule_summary": "Load balancer access logging should be enabled",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 55,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443. VPC firewall rules should not permit unrestricted access from the internet, with the exception of port 80 (HTTP) and port 443 (HTTPS). Web applications or APIs generally need to be publicly accessible.",
      "rule_id": "FG_R00377",
      "rule_message": "",
      "rule_name": "tf_aws_security_group_ingress_anywhere",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00377.html",
      "rule_result": "PASS",
      "rule_severity": "Medium",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from a public address to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security groups explicitly allow inbound ports.",
      "rule_id": "FG_R00044",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_inbound_all",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00044.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group inbound rules should not permit ingress from a public address to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from any address to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security groups explicitly allow inbound ports.",
      "rule_id": "FG_R00350",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_inbound_all_private",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00350.html",
      "rule_result": "PASS",
      "rule_severity": "Medium",
      "rule_summary": "VPC security group inbound rules should not permit ingress from any address to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11214 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00242",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_11214",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00242.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11214 (Memcached SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11215 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00243",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_11215",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00243.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11215 (Memcached SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 135 (MSSQL Debugger). Removing unfettered connectivity to a MSSQL Debugger server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00244",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_135",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00244.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 135 (MSSQL Debugger)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 137 (NetBIOS Name Service). Removing unfettered connectivity to a NetBIOS Name Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00245",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_137",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00245.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 137 (NetBIOS Name Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 138 (NetBios Datagram Service). Removing unfettered connectivity to a NetBios Datagram Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00246",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_138",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00246.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 138 (NetBios Datagram Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 139 (NetBios Session Service). Removing unfettered connectivity to a NetBios Session Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00247",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_139",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00247.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 139 (NetBios Session Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1433 (MSSQL Server). Removing unfettered connectivity to a MSSQL Server server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00248",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_1433",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00248.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1433 (MSSQL Server)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1434 (MSSQL Admin). Removing unfettered connectivity to a MSSQL Admin server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00249",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_1434",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00249.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1434 (MSSQL Admin)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [
        "CIS-AWS_v1.2.0_4.1",
        "CIS-AWS_v1.3.0_5.2"
      ],
      "families": [
        "CIS-AWS_v1.2.0",
        "CIS-AWS_v1.3.0"
      ],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH). VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.",
      "rule_id": "FG_R00085",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_22",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00085.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 23 (Telnet). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 23. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00040",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_23",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00040.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 23 (Telnet)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2379 (etcd). Removing unfettered connectivity to an etcd server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00214",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2379",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00214.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2379 (etcd)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2382 (SQL Server Analysis Services browser). Removing unfettered connectivity to a SQL Server Analysis Services Browser server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00256",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2382",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00256.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2382 (SQL Server Analysis Services browser)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2383 (SQL Server Analysis Services). Removing unfettered connectivity to a SQL Server Analysis Services server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00257",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2383",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00257.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2383 (SQL Server Analysis Services)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2484 (Oracle DB SSL). Removing unfettered connectivity to an Oracle DB SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00258",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2484",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00258.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2484 (Oracle DB SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27017 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00215",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27017",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00215.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27017 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27018 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00216",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27018",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00216.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27018 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27019 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00217",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27019",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00217.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27019 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3000 (Ruby on Rails web server). Removing unfettered connectivity to a Ruby on Rails web server reduces its exposure to risk.",
      "rule_id": "FG_R00259",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3000",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00259.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3000 (Ruby on Rails web server)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3020 (CIFS / SMB). Removing unfettered connectivity to CIFS / SMB ports reduces a server's exposure to risk.",
      "rule_id": "FG_R00260",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3020",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00260.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3020 (CIFS / SMB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3306 (MySQL). Removing unfettered connectivity to MySQL ports reduces a server's exposure to risk.",
      "rule_id": "FG_R00261",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3306",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00261.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3306 (MySQL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [
        "CIS-AWS_v1.2.0_4.2",
        "CIS-AWS_v1.3.0_5.2",
        "CIS-AWS_v1.4.0_5.2"
      ],
      "families": [
        "CIS-AWS_v1.2.0",
        "CIS-AWS_v1.3.0",
        "CIS-AWS_v1.4.0"
      ],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol). Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server's exposure to risk.",
      "rule_id": "FG_R00087",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3389",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00087.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces its exposure to risk.",
      "rule_id": "FG_R00262",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_4505",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00262.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4506 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces its exposure to risk.",
      "rule_id": "FG_R00263",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_4506",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00263.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4506 (SaltStack Master)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5432 (PostgreSQL). Removing unfettered connectivity to a PostgreSQL server reduces its exposure to risk.",
      "rule_id": "FG_R00264",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5432",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00264.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5432 (PostgreSQL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5500 (Virtual Network Computing). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5500. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00039",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5500",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00039.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5500 (Virtual Network Computing)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5800 (Virtual Network Computing), unless from ELBs. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5800, unless it is from AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00038",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5800",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00038.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5800 (Virtual Network Computing), unless from ELBs",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5900 (Virtual Network Computing). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5900. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00037",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5900",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00037.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5900 (Virtual Network Computing)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent server reduces its exposure to risk.",
      "rule_id": "FG_R00265",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_61621",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00265.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 61621 (Cassandra OpsCenter Agent)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 636 (LDAP SSL). Removing unfettered connectivity to a LDAP SSL server reduces its exposure to risk.",
      "rule_id": "FG_R00266",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_636",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00266.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 636 (LDAP SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 7001 (Cassandra). Removing unfettered connectivity to a Cassandra server reduces its exposure to risk.",
      "rule_id": "FG_R00267",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_7001",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00267.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 7001 (Cassandra)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80, unless it is from an AWS Elastic Load Balancer.",
      "rule_id": "FG_R00041",
      "rule_message": "This security group allows traffic from 0.0.0.0/0 to port 80",
      "rule_name": "tf_aws_security_groups_ingress_80",
      "rule_raw_result": false,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00041.html",
      "rule_result": "FAIL",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 8000 (HTTP Alternate). Removing unfettered connectivity to an HTTP Alternate server reduces its exposure to risk.",
      "rule_id": "FG_R00268",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_8000",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00268.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 8000 (HTTP Alternate)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00212",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_9200",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00212.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9200 (Elasticsearch)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9300 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00213",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_9300",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00213.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9300 (Elasticsearch)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from '0.0.0.0/0' to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access from 0.0.0.0/0 to all ports. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00045",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_all",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00045.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group inbound rules should not permit ingress from '0.0.0.0/0' to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    }
  ],
  "summary": {
    "filepaths": [
      "tf/redirects.tf"
    ],
    "rule_results": {
      "FAIL": 2,
      "PASS": 37,
      "WAIVED": 0
    },
    "severities": {
      "Critical": 0,
      "High": 1,
      "Informational": 0,
      "Low": 0,
      "Medium": 1,
      "Unknown": 0
    }
  }
}

but when running Regula on the CLI myself I only get:

FG_R00041: VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs [High]
           https://docs.fugue.co/FG_R00041.html

  [1]: aws_security_group.shared
       in redirects.tf:23:1
       This security group allows traffic from 0.0.0.0/0 to port 80

FG_R00066: Load balancer access logging should be enabled [Medium]
           https://docs.fugue.co/FG_R00066.html

  [1]: aws_lb.shared
       in redirects.tf:55:1

Found 2 problems.

Not sure why the action thinks I am opening so many ports.
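Reading the report above: the JSON lists one entry per evaluated rule and resource, PASS entries included (its summary counts 37 PASS against 2 FAIL), whereas the CLI text output prints only the failures. The following script is an added example, not code from the regula-action project or from this issue; it filters a report of that shape down to the failing entries and renders them in the CLI style, and the sample report it embeds is constructed from the entries shown above.

```python
"""Filter a Regula JSON report down to its failing rule results.

Added example (not Regula's own code). The report format is taken from the
JSON above: a "rule_results" list with one entry per (rule, resource) pair,
PASS results included, plus a "summary" block.
"""
import json
import sys
from collections import Counter


def _entry(rule_id, summary, severity, result, resource, line, message=""):
    """Build one rule_results entry with the fields the report above uses."""
    return {
        "filepath": "tf/redirects.tf", "input_type": "tf", "provider": "aws",
        "resource_id": resource, "rule_id": rule_id, "rule_message": message,
        "rule_result": result, "rule_severity": severity, "rule_summary": summary,
        "rule_remediation_doc": f"https://docs.fugue.co/{rule_id}.html",
        "source_location": [{"path": "tf/redirects.tf", "line": line, "column": 1}],
    }


# Constructed sample report: two passing port rules and the two failures the
# issue's CLI run reports (port 80 ingress and ELB access logging).
SAMPLE_REPORT = {"rule_results": [
    _entry("FG_R00261", "VPC security group rules should not permit ingress from "
           "'0.0.0.0/0' to TCP/UDP port 3306 (MySQL)", "High", "PASS",
           "aws_security_group.shared", 23),
    _entry("FG_R00087", "VPC security group rules should not permit ingress from "
           "'0.0.0.0/0' to port 3389 (Remote Desktop Protocol)", "High", "PASS",
           "aws_security_group.shared", 23),
    _entry("FG_R00041", "VPC security group rules should not permit ingress from "
           "'0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs", "High", "FAIL",
           "aws_security_group.shared", 23,
           "This security group allows traffic from 0.0.0.0/0 to port 80"),
    _entry("FG_R00066", "Load balancer access logging should be enabled", "Medium",
           "FAIL", "aws_lb.shared", 55),
]}


def failing_results(report):
    """Return only the entries whose rule_result is FAIL (PASS and WAIVED dropped)."""
    return [r for r in report["rule_results"] if r["rule_result"] == "FAIL"]


def summarize(report):
    """Recompute the summary: counts per result, severities over failures only
    (matching the report above, where 37 High PASS rules count as High: 1)."""
    results = Counter({"FAIL": 0, "PASS": 0, "WAIVED": 0})
    results.update(r["rule_result"] for r in report["rule_results"])
    severities = Counter(r["rule_severity"] for r in failing_results(report))
    return {"rule_results": dict(results), "severities": dict(severities)}


def format_cli(report):
    """Render failures grouped by rule, in the style of Regula's text output."""
    by_rule = {}
    for r in failing_results(report):
        by_rule.setdefault(r["rule_id"], []).append(r)
    lines = []
    for rule_id, entries in sorted(by_rule.items()):
        first = entries[0]
        lines.append(f"{rule_id}: {first['rule_summary']} [{first['rule_severity']}]")
        lines.append(f"           {first['rule_remediation_doc']}")
        lines.append("")
        for i, e in enumerate(entries, 1):
            loc = e["source_location"][0]
            lines.append(f"  [{i}]: {e['resource_id']}")
            lines.append(f"       in {loc['path']}:{loc['line']}:{loc['column']}")
            if e["rule_message"]:
                lines.append(f"       {e['rule_message']}")
        lines.append("")
    n = len(failing_results(report))
    lines.append(f"Found {n} problem{'' if n == 1 else 's'}.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a report file (e.g. one saved from the action) or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            REPORT = json.load(fh)
    else:
        REPORT = SAMPLE_REPORT
    print(format_cli(REPORT))
    print(json.dumps(summarize(REPORT), indent=2))
```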

set-output and save-state are deprecated

Since runner version 2.298.2 set-output and save-state are deprecated: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

All my pipelines using regula scanning are producing these warning messages.

The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
