Skip to content

Commit

Permalink
pin to use trivy-checks for docs gen
Browse files Browse the repository at this point in the history
  • Loading branch information
@simar7
simar7 committed Apr 17, 2024
1 parent 6e96dfd commit 0282576
Show file tree
Hide file tree
Showing 8 changed files with 27 additions and 19 deletions.
4 changes: 3 additions & 1 deletion avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

Enable encryption at rest
Use Customer managed key

```yaml---
Resources:
Expand All @@ -15,4 +15,6 @@ Resources:
```

#### Remediation Links
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid

2 changes: 1 addition & 1 deletion avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

Enable encryption at rest
Use Customer managed key

```hcl
resource "aws_cloudtrail" "good_example" {
Expand Down
6 changes: 4 additions & 2 deletions avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@

Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.

### Impact
Data can be freely read if compromised
Using AWS managed keys does not allow for fine grained control

<!-- DO NOT CHANGE -->
{{ remediationActions }}

### Links
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt


8 changes: 4 additions & 4 deletions avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced
resource "aws_iam_group" "support" {
name = "support"
}
resource aws_iam_group_policy mfa {
resource "aws_iam_group_policy" "mfa" {
group = aws_iam_group.support.name
policy = <<EOF
Expand Down Expand Up @@ -33,7 +33,7 @@ EOF
resource "aws_iam_group" "support" {
name = "support"
}
resource aws_iam_policy mfa {
resource "aws_iam_policy" "mfa" {
name = "something"
policy = <<EOF
Expand All @@ -55,7 +55,7 @@ resource aws_iam_policy mfa {
}
EOF
}
resource aws_iam_group_policy_attachment attach {
resource "aws_iam_group_policy_attachment" "attach" {
group = aws_iam_group.support.name
policy_arn = aws_iam_policy.mfa.id
}
Expand All @@ -65,7 +65,7 @@ resource aws_iam_group_policy_attachment attach {
resource "aws_iam_group" "support" {
name = "support"
}
resource aws_iam_group_policy mfa {
resource "aws_iam_group_policy" "mfa" {
group = aws_iam_group.support.name
policy = data.aws_iam_policy_document.combined.json
}
Expand Down
17 changes: 9 additions & 8 deletions avd_docs/azure/database/AVD-AZU-0027/Terraform.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,17 +9,18 @@ Enable auditing on Azure SQL databases
version = "12.0"
administrator_login = "mradministrator"
administrator_login_password = "tfsecRocks"
extended_auditing_policy {
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = true
retention_in_days = 6
}
}
resource "azurerm_mssql_server_extended_auditing_policy" "example" {
server_id = azurerm_sql_server.good_example.id
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = true
retention_in_days = 6
}
```

#### Remediation Links
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server#extended_auditing_policy
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_extended_auditing_policy

2 changes: 1 addition & 1 deletion avd_docs/dockerfile/general/AVD-DS-0017/docs.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@ The instruction 'RUN <package-manager> update' should always be followed by '<pa
{{ remediationActions }}

### Links
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
- https://docs.docker.com/develop/develop-images/instructions/#run


3 changes: 3 additions & 0 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -189,3 +189,6 @@ require (
oras.land/oras-go/v2 v2.3.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

// needed until the new name is used everywhere
replace github.com/aquasecurity/trivy-policies v0.10.0 => github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f
4 changes: 2 additions & 2 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,8 +220,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
github.com/aquasecurity/trivy v0.50.2-0.20240412195250-183eaafb4e42 h1:fc6b0EHEC5KYX9BtkzcG+8gmL/aQNLhbEUC33SpaAEc=
github.com/aquasecurity/trivy v0.50.2-0.20240412195250-183eaafb4e42/go.mod h1:mIwSCXr6l6qTfBUGUYU5MNGZFy/OCeHbQtCqW+gWDU8=
github.com/aquasecurity/trivy-policies v0.10.0 h1:QONOsIFi6+WyB+7NGMBQeCgMFcRg6RV9dTBBpeOFDxU=
github.com/aquasecurity/trivy-policies v0.10.0/go.mod h1:7WU0GTUqtQxqQ+FV3JAy7lskQQZU6lp7Mz1i8GEapFw=
github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f h1:k+sc/w1byCHI6ru10Wrwi6PAFyrqsq2fG3iiC94sHIA=
github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f/go.mod h1:oTqV6F9QYlOp8zyF2Hv3X0K05Kqv5TxzSAYGJLiYQAc=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
Expand Down

0 comments on commit 0282576

Please sign in to comment.