
regula-action's Issues

Output format support

Apologies if I am mistaken but I am unable to find an option in this action that maps to the CLI run command --format option. This would be useful for leveraging GitHub's SARIF built-in support.

Thank you.

set-output and save-state are deprecated

Since runner version 2.298.2 set-output and save-state are deprecated: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

All my pipelines using regula scanning are producing these warning messages.

The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
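For reference, the replacement GitHub recommends is appending `name=value` lines to the file named by `$GITHUB_OUTPUT`. The helper below is an added example (not regula-action's own entrypoint) that shows the deprecated form beside the environment-file form, using a randomised heredoc delimiter for multi-line values such as a JSON report so a value cannot terminate the block early and smuggle in extra outputs.

```shell
#!/bin/sh
# Added example: emit a step output the way GitHub now expects, instead of
# the deprecated '::set-output name=...::...' workflow command.

NL='
'

# Deprecated form, kept only for comparison (runner >= 2.298.2 warns on it).
set_output_deprecated() {
    printf '::set-output name=%s::%s\n' "$1" "$2"
}

# Replacement: append "name=value" (or a heredoc block for multi-line values)
# to the file $GITHUB_OUTPUT points at. Returns 1 on a bad name or a missing
# output file so a misconfigured step fails loudly instead of silently.
set_output() {
    name=$1
    value=$2
    case $name in
        *[!A-Za-z0-9_]*|"")
            echo "set_output: invalid output name '$name'" >&2
            return 1 ;;
    esac
    if [ -z "$GITHUB_OUTPUT" ]; then
        echo "set_output: GITHUB_OUTPUT is not set (not running under Actions?)" >&2
        return 1
    fi
    case $value in
        *"$NL"*)
            # Multi-line value: heredoc form with an unpredictable delimiter, so
            # untrusted content in the value cannot close the block and inject
            # further outputs into later steps.
            delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
            printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
            ;;
        *)
            printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
            ;;
    esac
}

# Constructed demo (not from the issue): outside Actions, write to a temp file.
if [ -z "$GITHUB_OUTPUT" ]; then
    GITHUB_OUTPUT=$(mktemp)
    export GITHUB_OUTPUT
fi
set_output regula_result PASS
cat "$GITHUB_OUTPUT"
```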

Failed to parse Terraform plan JSON file with YAML error

I have a strange error when using this action to scan a Terraform plan output file in JSON format:

Run fugue/[email protected]
  with:
    input_path: infrastructure/terraform.plan.json
    input_type: tf-plan
    rego_paths: example_custom_rule
    user_only: false
    severity: unknown
...
level=fatal msg="Failed to parse JSON file infrastructure/terraform.plan.json: yaml: line 4: mapping values are not allowed in this context"

Here is my workflow step config:

      # Run PaC scan against terraform plan json so that interpolated values are utilized
      - uses: fugue/[email protected]
        with:
          input_path: infrastructure/terraform.plan.json
          input_type: tf-plan
          rego_paths: example_custom_rule

I've debugged and made sure the infrastructure/terraform.plan.json file is there. It starts with {"format_version":"0.2","terraform_version":"1.0.5",...

I've run regula via docker from my workstation and confirmed it works:

docker run --rm -t -v $(pwd):/workspace \
		fugue/regula:v1.6.0 run \
		-f json \
		-i example_custom_rule \
		-t tf-plan \
		infrastructure/terraform.plan.json
{
 ...
  "summary": {
    "filepaths": [
      "infrastructure/terraform.plan.json"
    ],
    "rule_results": {
      "FAIL": 0,
      "PASS": 5,
      "WAIVED": 0
    },
    ...
  }
}

Also strangely, when I run the above docker run... approach from a GitHub Action shell command, I get the same error as using the github-action:

level=fatal msg="Failed to parse JSON file infrastructure/terraform.plan.json: yaml: line 4: mapping values are not allowed in this context"

Is this an issue with the regula-action or regula itself? Why is regula attempting to parse my TF plan JSON file using YAML? I'm assuming it's executing this line: https://github.com/fugue/regula/blob/9d6ddbaf2fa6e1bfe8b4afb50fbe0548ce5f8013/pkg/loader/tfplan.go#L35
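A YAML parser accepts a valid JSON document, so a loader that reads the plan with a YAML library is not by itself the problem; the "line 4" in the error points at whatever file the scan actually read in CI. The check below is an added example (not part of regula or regula-action) that verifies a plan file is strict JSON before the scan runs and reports any non-JSON lines preceding the document, which is the first thing to compare when the local and CI results differ.

```shell
#!/bin/sh
# Added example: sanity-check a Terraform plan JSON file before handing it to
# a scanner. Two checks:
#   1. report any non-JSON text before the opening '{' (a "yaml: line N:
#      mapping values are not allowed" error on a JSON file usually means the
#      parser saw something other than the document at those lines), and
#   2. a strict JSON parse, using python3's json module when it is available.
# Usage: check_plan_json path/to/terraform.plan.json ; exit 0 = looks fine.

# Print the 1-based line number of the first line starting with '{', or 0.
plan_json_start_line() {
    awk '/^[[:space:]]*\{/ { print NR; found = 1; exit }
         END { if (!found) print 0 }' "$1"
}

check_plan_json() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "check_plan_json: $file is missing or empty" >&2
        return 1
    fi
    start=$(plan_json_start_line "$file")
    if [ "$start" -eq 0 ]; then
        echo "check_plan_json: no JSON object found in $file" >&2
        return 1
    fi
    if [ "$start" -gt 1 ]; then
        echo "check_plan_json: $((start - 1)) line(s) of non-JSON text precede the document in $file:" >&2
        head -n "$((start - 1))" "$file" | sed 's/^/  > /' >&2
        return 1
    fi
    # Strict parse when a JSON parser is on PATH; otherwise the preamble check
    # above is all we have, which is still enough to explain a "line N" error.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$file" >/dev/null 2>&1 || {
            echo "check_plan_json: $file is not valid JSON" >&2
            return 1
        }
    fi
    return 0
}

# Constructed demo input (not from the issue): three lines of text before the plan.
demo=$(mktemp)
printf 'wrapper output line 1\nline 2\nline 3\n{"format_version":"0.2","terraform_version":"1.0.5"}\n' > "$demo"
check_plan_json "$demo" && echo "demo: clean" \
    || echo "demo: rejected (JSON starts at line $(plan_json_start_line "$demo"))"
rm -f "$demo"
```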

action catching way more errors

I have the following in a Terraform file.

resource "aws_security_group" "shared" {
  name        = "redirect-shared"
  description = "Allow traffic for simple redirect (shared)"
  vpc_id      = data.aws_vpc.this.id

  ingress {
    description = "TF: ALLOW INCOMING 443"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "TF: ALLOW INCOMING 80"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = merge(
    {
      Name = "redirect-shared"
    },
    module.name.tags,
  )

}

When the action runs against this, it spits out the following:

{
  "rule_results": [
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_lb.shared",
      "resource_type": "aws_lb",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "Load balancer access logging should be enabled. Load balancer access logging should be enabled. Access logs record information about every HTTP and TCP request a load balancer processes. Access logging should be enabled in order to analyze statistics, diagnose issues, and retain data for regulatory or legal purposes.",
      "rule_id": "FG_R00066",
      "rule_message": "",
      "rule_name": "tf_aws_elb_access_log_enabled",
      "rule_raw_result": false,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00066.html",
      "rule_result": "FAIL",
      "rule_severity": "Medium",
      "rule_summary": "Load balancer access logging should be enabled",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 55,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443. VPC firewall rules should not permit unrestricted access from the internet, with the exception of port 80 (HTTP) and port 443 (HTTPS). Web applications or APIs generally need to be publicly accessible.",
      "rule_id": "FG_R00377",
      "rule_message": "",
      "rule_name": "tf_aws_security_group_ingress_anywhere",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00377.html",
      "rule_result": "PASS",
      "rule_severity": "Medium",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from a public address to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security groups explicitly allow inbound ports.",
      "rule_id": "FG_R00044",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_inbound_all",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00044.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group inbound rules should not permit ingress from a public address to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from any address to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security groups explicitly allow inbound ports.",
      "rule_id": "FG_R00350",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_inbound_all_private",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00350.html",
      "rule_result": "PASS",
      "rule_severity": "Medium",
      "rule_summary": "VPC security group inbound rules should not permit ingress from any address to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11214 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00242",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_11214",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00242.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11214 (Memcached SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11215 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00243",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_11215",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00243.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11215 (Memcached SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 135 (MSSQL Debugger). Removing unfettered connectivity to a MSSQL Debugger server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00244",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_135",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00244.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 135 (MSSQL Debugger)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 137 (NetBIOS Name Service). Removing unfettered connectivity to a NetBIOS Name Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00245",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_137",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00245.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 137 (NetBIOS Name Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 138 (NetBios Datagram Service). Removing unfettered connectivity to a NetBios Datagram Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00246",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_138",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00246.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 138 (NetBios Datagram Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 139 (NetBios Session Service). Removing unfettered connectivity to a NetBios Session Service server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00247",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_139",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00247.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 139 (NetBios Session Service)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1433 (MSSQL Server). Removing unfettered connectivity to a MSSQL Server server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00248",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_1433",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00248.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1433 (MSSQL Server)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1434 (MSSQL Admin). Removing unfettered connectivity to a MSSQL Admin server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00249",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_1434",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00249.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1434 (MSSQL Admin)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [
        "CIS-AWS_v1.2.0_4.1",
        "CIS-AWS_v1.3.0_5.2"
      ],
      "families": [
        "CIS-AWS_v1.2.0",
        "CIS-AWS_v1.3.0"
      ],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH). VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.",
      "rule_id": "FG_R00085",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_22",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00085.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 23 (Telnet). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 23. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00040",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_23",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00040.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 23 (Telnet)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2379 (etcd). Removing unfettered connectivity to an etcd server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00214",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2379",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00214.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2379 (etcd)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2382 (SQL Server Analysis Services browser). Removing unfettered connectivity to a SQL Server Analysis Services Browser server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00256",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2382",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00256.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2382 (SQL Server Analysis Services browser)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2383 (SQL Server Analysis Services). Removing unfettered connectivity to a SQL Server Analysis Services server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00257",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2383",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00257.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2383 (SQL Server Analysis Services)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2484 (Oracle DB SSL). Removing unfettered connectivity to an Oracle DB SSL server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00258",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_2484",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00258.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2484 (Oracle DB SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27017 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00215",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27017",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00215.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27017 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27018 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00216",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27018",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00216.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27018 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27019 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00217",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_27019",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00217.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27019 (MongoDB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3000 (Ruby on Rails web server). Removing unfettered connectivity to a Ruby on Rails web server reduces its exposure to risk.",
      "rule_id": "FG_R00259",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3000",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00259.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3000 (Ruby on Rails web server)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3020 (CIFS / SMB). Removing unfettered connectivity to CIFS / SMB ports reduces a server's exposure to risk.",
      "rule_id": "FG_R00260",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3020",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00260.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3020 (CIFS / SMB)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3306 (MySQL). Removing unfettered connectivity to MySQL ports reduces a server's exposure to risk.",
      "rule_id": "FG_R00261",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3306",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00261.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3306 (MySQL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [
        "CIS-AWS_v1.2.0_4.2",
        "CIS-AWS_v1.3.0_5.2",
        "CIS-AWS_v1.4.0_5.2"
      ],
      "families": [
        "CIS-AWS_v1.2.0",
        "CIS-AWS_v1.3.0",
        "CIS-AWS_v1.4.0"
      ],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol). Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server's exposure to risk.",
      "rule_id": "FG_R00087",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_3389",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00087.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces its exposure to risk.",
      "rule_id": "FG_R00262",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_4505",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00262.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4506 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces its exposure to risk.",
      "rule_id": "FG_R00263",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_4506",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00263.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4506 (SaltStack Master)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5432 (PostgreSQL). Removing unfettered connectivity to a PostgreSQL server reduces its exposure to risk.",
      "rule_id": "FG_R00264",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5432",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00264.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5432 (PostgreSQL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5500 (Virtual Network Computing). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5500. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00039",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5500",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00039.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5500 (Virtual Network Computing)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5800 (Virtual Network Computing), unless from ELBs. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5800, unless it is from AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00038",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5800",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00038.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5800 (Virtual Network Computing), unless from ELBs",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5900 (Virtual Network Computing). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5900. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00037",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_5900",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00037.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5900 (Virtual Network Computing)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent server reduces its exposure to risk.",
      "rule_id": "FG_R00265",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_61621",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00265.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 61621 (Cassandra OpsCenter Agent)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 636 (LDAP SSL). Removing unfettered connectivity to a LDAP SSL server reduces its exposure to risk.",
      "rule_id": "FG_R00266",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_636",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00266.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 636 (LDAP SSL)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 7001 (Cassandra). Removing unfettered connectivity to a Cassandra server reduces its exposure to risk.",
      "rule_id": "FG_R00267",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_7001",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00267.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 7001 (Cassandra)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80, unless it is from an AWS Elastic Load Balancer.",
      "rule_id": "FG_R00041",
      "rule_message": "This security group allows traffic from 0.0.0.0/0 to port 80",
      "rule_name": "tf_aws_security_groups_ingress_80",
      "rule_raw_result": false,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00041.html",
      "rule_result": "FAIL",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 8000 (HTTP Alternate). Removing unfettered connectivity to an HTTP Alternate server reduces its exposure to risk.",
      "rule_id": "FG_R00268",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_8000",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00268.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 8000 (HTTP Alternate)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00212",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_9200",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00212.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9200 (Elasticsearch)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9300 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.",
      "rule_id": "FG_R00213",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_9300",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00213.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9300 (Elasticsearch)",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    },
    {
      "controls": [],
      "families": [],
      "filepath": "tf/redirects.tf",
      "input_type": "tf",
      "provider": "aws",
      "resource_id": "aws_security_group.shared",
      "resource_type": "aws_security_group",
      "resource_tags": {
        "Name": "redirect-shared"
      },
      "rule_description": "VPC security group inbound rules should not permit ingress from '0.0.0.0/0' to all ports and protocols. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access from 0.0.0.0/0 to all ports. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.",
      "rule_id": "FG_R00045",
      "rule_message": "",
      "rule_name": "tf_aws_security_groups_ingress_all",
      "rule_raw_result": true,
      "rule_remediation_doc": "https://docs.fugue.co/FG_R00045.html",
      "rule_result": "PASS",
      "rule_severity": "High",
      "rule_summary": "VPC security group inbound rules should not permit ingress from '0.0.0.0/0' to all ports and protocols",
      "source_location": [
        {
          "path": "tf/redirects.tf",
          "line": 23,
          "column": 1
        }
      ]
    }
  ],
  "summary": {
    "filepaths": [
      "tf/redirects.tf"
    ],
    "rule_results": {
      "FAIL": 2,
      "PASS": 37,
      "WAIVED": 0
    },
    "severities": {
      "Critical": 0,
      "High": 1,
      "Informational": 0,
      "Low": 0,
      "Medium": 1,
      "Unknown": 0
    }
  }
}

but when running regula on the CLI myself I only get:

FG_R00041: VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs [High]
           https://docs.fugue.co/FG_R00041.html

  [1]: aws_security_group.shared
       in redirects.tf:23:1
       This security group allows traffic from 0.0.0.0/0 to port 80

FG_R00066: Load balancer access logging should be enabled [Medium]
           https://docs.fugue.co/FG_R00066.html

  [1]: aws_lb.shared
       in redirects.tf:55:1

Found 2 problems.

Not sure why the action thinks I am opening so many ports.
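An added example (not code from the regula-action project or its author) that reads a report of the shape pasted above and keeps only the entries whose `rule_result` is `FAIL`, which is what the CLI's text output prints; the embedded sample report is constructed from the two failures shown on this page plus one of the passing ingress-port rules.

```python
"""Reduce a Regula JSON report to its actual findings.

Added example, not regula-action's own code. It assumes the report shape
pasted above: a top-level "rule_results" list whose entries carry rule_id,
rule_result, rule_severity, rule_summary, rule_message, resource_id and
source_location. Entries with rule_result "PASS" or "WAIVED" are rules
that were evaluated, not problems.
"""
import json
from collections import Counter

# Constructed sample trimmed to the fields used here. The two FAIL entries
# mirror the page's; the PASS entry stands in for the many ingress-port rules.
SAMPLE_REPORT = json.dumps({"rule_results": [
    {"rule_id": "FG_R00262", "rule_result": "PASS", "rule_severity": "High",
     "rule_summary": "VPC security group rules should not permit ingress from "
                     "'0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master)",
     "rule_message": "", "resource_id": "aws_security_group.shared",
     "source_location": [{"path": "tf/redirects.tf", "line": 23, "column": 1}]},
    {"rule_id": "FG_R00041", "rule_result": "FAIL", "rule_severity": "High",
     "rule_summary": "VPC security group rules should not permit ingress from "
                     "'0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs",
     "rule_message": "This security group allows traffic from 0.0.0.0/0 to port 80",
     "resource_id": "aws_security_group.shared",
     "source_location": [{"path": "tf/redirects.tf", "line": 23, "column": 1}]},
    {"rule_id": "FG_R00066", "rule_result": "FAIL", "rule_severity": "Medium",
     "rule_summary": "Load balancer access logging should be enabled",
     "rule_message": "", "resource_id": "aws_lb.shared",
     "source_location": [{"path": "tf/redirects.tf", "line": 55, "column": 1}]},
]})


def findings(report_json):
    """Return only the rule results that are problems (rule_result == FAIL)."""
    report = json.loads(report_json)
    return [r for r in report.get("rule_results", []) if r.get("rule_result") == "FAIL"]


def summarize(report_json):
    """Count results per outcome, matching the report's summary.rule_results."""
    report = json.loads(report_json)
    counts = Counter(r.get("rule_result") for r in report.get("rule_results", []))
    return {k: counts.get(k, 0) for k in ("FAIL", "PASS", "WAIVED")}


def format_findings(report_json):
    """Render the failures in the shape of regula's text output."""
    fails = findings(report_json)
    lines = []
    for r in fails:
        lines.append(f"{r['rule_id']}: {r['rule_summary']} [{r['rule_severity']}]")
        for loc in r.get("source_location", []):
            lines.append(f"  {r['resource_id']} in {loc['path']}:{loc['line']}:{loc['column']}")
        if r.get("rule_message"):
            lines.append(f"  {r['rule_message']}")
    lines.append(f"Found {len(fails)} problems.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(SAMPLE_REPORT))
    print(summarize(SAMPLE_REPORT))
```

Run against the full report pasted above (`format_findings(open("report.json").read())`) it prints the same two problems the CLI reports, with the "PASS" port rules filtered out.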
