Terrascan
Terrascan - это инструмент с открытым исходным кодом, который используется для обнаружения нарушений соответствия и безопасности в Infrastructure as Code (IaC) фреймворках.
Название задания в Auditor: Terrascan
Образ в Auditor: registry.cybercodereview.ru/cybercodereview/security-images/terrascan:1.18.11
Название импортера в Security Center: Terrascan Scan
Terrascan гарантирует, что определения IaC соответствуют лучшим практикам безопасности, и позволяет обнаружить проблемы, которые могут привести к нарушению безопасности, потере данных или сбоям в работе сервисов. Terrascan поддерживает несколько популярных IaC-фреймворков, включая Terraform, Kubernetes, Helm, AWS CloudFormation, Azure Resource Manager и Google Cloud Deployment Manager.
Инструмент использует набор предопределенных политик, которые можно настроить в соответствии с конкретными требованиями организации к безопасности и соответствию нормативным требованиям. Политики основаны на стандартных отраслевых системах безопасности, таких как NIST, CIS, PCI-DSS и GDPR.
Пример команды Curl
curl -X POST localhost/api/v1/scan/import/ -H "Authorization: Token a75bb26171cf391671e67b128bfc8ae1c779ff7b" -H "Content-Type: multipart/form-data" -F "file=@./terrascan.json" -F "product_name=Product1" -F "product_type=Application" -F "scanner_name=Terrascan Scan" -F "branch=dev" -F "repository=git@gitlab.cybercodereview.ru:cybercodereview/security-center.git"
В этой команде используются следующие параметры:
-X POST: задает используемый метод HTTP (в данном случае POST).-H "Authorization: Token <authorization_token>": задает токен авторизации, полученный от Security Center.-H "Content-Type: multipart/form-data": задает тип содержимого запроса.-F "file=@<report_file_path>": задает путь к файлу отчета, создаваемого сканером.-F "product_name=<product_name>": задает название сканируемого продукта.-F "product_type=<product_type>": задает тип сканируемого продукта.-F "scanner_name=<scanner_name>": задает имя сканера, используемого для создания отчета (Bandit Scan или GitLab Bandit)-F "branch=<branch_name>": (необязательно) указывает имя ветки в репозитории исходного кода (если применимо). Этот параметр особенно полезен, когда вы хотите связать результаты сканирования с определенной веткой в вашем репозитории. Если параметр не указан, сканирование будет связано с веткой по умолчанию
Информация об активах, если используется Auditor
-F "repository=<repository SSH URL>": Если ваш продукт хранится в репозитории, введите адрес репозитория в определенном формате, например: git@gitlab.cybercodereview.ru:cybercodereview/security-center.git-F "docker_image=<registry address>": Если ваш продукт является образом, введите адрес реестра, в котором находится ваш продукт, например: registry.cybercodereview.ru/cybercodereview/security-center/back/importer:latest-F "domain=<domain>": Если ваш продукт является веб-продуктом, введите доменное имя вашего продукта, например: cybercodereview.ru-F "host=<host>": Если ваш продукт является веб-продуктом, введите IP-адрес вашего продукта, например: 0.0.0.0
Пример отчета:
{ "results": { "scan_errors": [ { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/db", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/db' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/docs", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/assessment", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/assessment' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/assets", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/assets' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/development", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/development' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/solution", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/solution' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/scripts", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/scripts' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data' has no terraform config files" }, { "iac_type": "terraform", "directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control", "errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control' has no terraform config files" } ], "violations": [ { "rule_name": "runUsingApt", "description": "Ensure apt is not used with RUN command for Docker file", "rule_id": "AC_DOCKER_0002", "severity": "MEDIUM", "category": "Infrastructure Security", "resource_name": "Dockerfile", "resource_type": "docker_run", "file": "Dockerfile", "line": 4 }, { "rule_name": "runUsingApt", "description": "Ensure apt is not used with RUN command for Docker file", "rule_id": "AC_DOCKER_0002", "severity": "MEDIUM", "category": "Infrastructure Security", "resource_name": "Dockerfile", "resource_type": "docker_run", "file": "Dockerfile", "line": 5 }, { "rule_name": "runUsingApt", "description": "Ensure apt is not used with RUN command for Docker file", "rule_id": "AC_DOCKER_0002", "severity": "MEDIUM", "category": "Infrastructure Security", "resource_name": "Dockerfile", "resource_type": "docker_run", "file": "Dockerfile", "line": 6 } ], "skipped_violations": null, "scan_summary": { "file/folder": "/builds/vulnerable-apps/vulnerable-java-app", "iac_type": "docker", "scanned_at": "2023-12-11 10:55:58.562986649 +0000 UTC", "policies_validated": 24, "violated_policies": 3, "low": 0, "medium": 3, "high": 0 } } }