cfn-nag 0.3.50 → 0.3.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/bin/cfn_nag +32 -20
  3. data/bin/cfn_nag_scan +40 -19
  4. data/lib/cfn-nag/cfn_nag.rb +3 -5
  5. data/lib/cfn-nag/custom_rule_loader.rb +5 -7
  6. data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb +1 -2
  7. data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb +4 -5
  8. data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb +4 -4
  9. data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb +4 -6
  10. data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +4 -5
  11. data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +4 -5
  12. data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +4 -5
  13. data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +4 -5
  14. data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +4 -5
  15. data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +4 -5
  16. data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb +1 -2
  17. data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +1 -2
  18. data/lib/cfn-nag/result_view/json_results.rb +1 -2
  19. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0cc438f47aca265ffa006cf0c5e17f3159ad8e74397e92688e8b562fae9fbd42
4
- data.tar.gz: 6d3bd228fb46a2ec3d195aa894649162fd21830e456af318b2930b38f3da5f4d
3
+ metadata.gz: 9e764bdbe8170764ddbcc2c6ed6030e2626300ef312af2284f6ba52d32158a75
4
+ data.tar.gz: b90488a204b909cf5decba7db589c0dc570231354a686f3713e33b056484fdb7
5
5
  SHA512:
6
- metadata.gz: 00d323cfa11018ef0952f949fe94a89e8f1cae8c9173badf6d530dfc24981b473d2ce54d5165e4b1b7b27bd5bb7ffd463efd7a289bd92ebf9b2e12bd8226b40e
7
- data.tar.gz: 44537e829f2162cc50159ddcd124503ab0f02d758ecfadd024dda3e8ab71b216b49ac25cb4d20a7a34349a06ed9a0a686ac5974dc71d6d7acbe7fa59b0c0c245
6
+ metadata.gz: 242bdde3f47c84cb12246b0c54305df8751ad927bd90a75bebf46fdf1e4ec3e6d93405906d234c2ad1f44b137fd7257a7b22969a867078a1120370d03d9818df
7
+ data.tar.gz: 0f87bcb3a3c6e404b972c2219b4ca93118ce30a9f2e06f792aed6c75d07b36071e3649df5b58968f54f61286606975bfeae89a87d45785abafbb8d934658fdd6
data/bin/cfn_nag CHANGED
@@ -6,32 +6,44 @@ require 'json'
6
6
  require 'rubygems/specification'
7
7
 
8
8
  opts = Trollop.options do
9
- usage '[options] <cloudformation template path ...>|' \
10
- '<cloudformation template in STDIN>'
9
+ usage '[options] <cloudformation template path ...>|<cloudformation template in STDIN>'
11
10
  version Gem::Specification.find_by_name('cfn-nag').version
12
11
 
13
- opt :debug, 'Enable debug output', type: :boolean, required: false,
14
- default: false
12
+ opt :debug,
13
+ 'Enable debug output',
14
+ type: :boolean,
15
+ required: false,
16
+ default: false
15
17
  opt :allow_suppression,
16
18
  'Allow using Metadata to suppress violations',
17
- type: :boolean, required: false, default: true
18
- opt :print_suppression, 'Emit suppressions to stderr', type: :boolean,
19
- required: false,
20
- default: false
21
- opt :rule_directory, 'Extra rule directory', type: :io,
22
- required: false,
23
- default: nil
24
- opt :profile_path, 'Path to a profile file', type: :io,
25
- required: false,
26
- default: nil
19
+ type: :boolean,
20
+ required: false,
21
+ default: true
22
+ opt :print_suppression,
23
+ 'Emit suppressions to stderr',
24
+ type: :boolean,
25
+ required: false,
26
+ default: false
27
+ opt :rule_directory,
28
+ 'Extra rule directory',
29
+ type: :io,
30
+ required: false,
31
+ default: nil
32
+ opt :profile_path,
33
+ 'Path to a profile file',
34
+ type: :io,
35
+ required: false,
36
+ default: nil
27
37
  opt :parameter_values_path,
28
- 'Path to a JSON file to pull Parameter values from', type: :io,
29
- required: false,
30
- default: nil
38
+ 'Path to a JSON file to pull Parameter values from',
39
+ type: :io,
40
+ required: false,
41
+ default: nil
31
42
  opt :isolate_custom_rule_exceptions,
32
- 'Isolate custom rule exceptions - just emit the exception ' \
33
- 'without stack trace and keep chugging',
34
- type: :boolean, required: false, default: false
43
+ 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging',
44
+ type: :boolean,
45
+ required: false,
46
+ default: false
35
47
  end
36
48
 
37
49
  CfnNag.configure_logging(opts)
data/bin/cfn_nag_scan CHANGED
@@ -8,28 +8,49 @@ require 'rubygems/specification'
8
8
  opts = Trollop.options do
9
9
  version Gem::Specification.find_by_name('cfn-nag').version
10
10
 
11
- opt :input_path, 'CloudFormation template to nag on or directory of ' \
12
- 'templates - all *.json, *.yaml, *.yml and *.template ' \
13
- 'recursively', type: :io, required: true
14
- opt :output_format, 'Format of results: [txt, json]',
15
- type: :string, default: 'txt'
16
- opt :debug, 'Enable debug output',
17
- type: :boolean, required: false, default: false
18
- opt :rule_directory, 'Extra rule directory',
19
- type: :io, required: false, default: nil
20
- opt :profile_path, 'Path to a profile file',
21
- type: :io, required: false, default: nil
11
+ opt :input_path,
12
+ 'CloudFormation template to nag on or directory of templates - all *.json, *.yaml, *.yml and *.template recursively',
13
+ type: :io,
14
+ required: true
15
+ opt :output_format,
16
+ 'Format of results: [txt, json]',
17
+ type: :string,
18
+ default: 'txt'
19
+ opt :debug,
20
+ 'Enable debug output',
21
+ type: :boolean,
22
+ required: false,
23
+ default: false
24
+ opt :rule_directory,
25
+ 'Extra rule directory',
26
+ type: :io,
27
+ required: false,
28
+ default: nil
29
+ opt :profile_path,
30
+ 'Path to a profile file',
31
+ type: :io,
32
+ required: false,
33
+ default: nil
22
34
  opt :parameter_values_path,
23
35
  'Path to a JSON file to pull Parameter values from',
24
- type: :io, required: false, default: nil
25
- opt :allow_suppression, 'Allow using Metadata to suppress violations',
26
- type: :boolean, required: false, default: true
27
- opt :print_suppression, 'Emit suppressions to stderr',
28
- type: :boolean, required: false, default: false
36
+ type: :io,
37
+ required: false,
38
+ default: nil
39
+ opt :allow_suppression,
40
+ 'Allow using Metadata to suppress violations',
41
+ type: :boolean,
42
+ required: false,
43
+ default: true
44
+ opt :print_suppression,
45
+ 'Emit suppressions to stderr',
46
+ type: :boolean,
47
+ required: false,
48
+ default: false
29
49
  opt :isolate_custom_rule_exceptions,
30
- 'Isolate custom rule exceptions - just emit the exception without ' \
31
- 'stack trace and keep chugging',
32
- type: :boolean, required: false, default: false
50
+ 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging',
51
+ type: :boolean,
52
+ required: false,
53
+ default: false
33
54
  end
34
55
 
35
56
  unless %w[txt json].include?(opts[:output_format])
data/lib/cfn-nag/cfn_nag.rb CHANGED
@@ -31,9 +31,8 @@ class CfnNag
31
31
  def audit_aggregate_across_files_and_render_results(
32
32
  input_path:, output_format: 'txt', parameter_values_path: nil
33
33
  )
34
- aggregate_results = \
35
- audit_aggregate_across_files input_path: input_path,
36
- parameter_values_path: parameter_values_path
34
+ aggregate_results = audit_aggregate_across_files input_path: input_path,
35
+ parameter_values_path: parameter_values_path
37
36
 
38
37
  render_results(aggregate_results: aggregate_results,
39
38
  output_format: output_format)
@@ -49,8 +48,7 @@ class CfnNag
49
48
  # Given a file or directory path, return aggregate results
50
49
  #
51
50
  def audit_aggregate_across_files(input_path:, parameter_values_path: nil)
52
- parameter_values_string = \
53
- parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
51
+ parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
54
52
  templates = TemplateDiscovery.new.discover_templates(input_path)
55
53
  aggregate_results = []
56
54
  templates.each do |template|
data/lib/cfn-nag/custom_rule_loader.rb CHANGED
@@ -74,9 +74,9 @@ class CustomRuleLoader
74
74
  def filter_rule_classes(cfn_model, violations)
75
75
  discover_rule_classes(@rule_directory).each do |rule_class|
76
76
  begin
77
- filtered_cfn_model = cfn_model_with_suppressed_resources_removed \
78
- cfn_model: cfn_model, rule_id: rule_class.new.rule_id,
79
- allow_suppression: @allow_suppression
77
+ filtered_cfn_model = cfn_model_with_suppressed_resources_removed cfn_model: cfn_model,
78
+ rule_id: rule_class.new.rule_id,
79
+ allow_suppression: @allow_suppression
80
80
  audit_result = rule_class.new.audit(filtered_cfn_model)
81
81
  violations << audit_result unless audit_result.nil?
82
82
  rescue Exception => exception
@@ -113,8 +113,7 @@ class CustomRuleLoader
113
113
  logical_resource_id = mangled_metadata.first
114
114
  mangled_rules = mangled_metadata[1]
115
115
 
116
- STDERR.puts "#{logical_resource_id} has missing cfn_nag " \
117
- "suppression rule id: #{mangled_rules}"
116
+ STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
118
117
  end
119
118
  end
120
119
 
@@ -124,8 +123,7 @@ class CustomRuleLoader
124
123
  rule_to_suppress['id'] == rule_id
125
124
  end
126
125
  if found_suppression_rule && @print_suppression
127
- STDERR.puts "Suppressing #{rule_id} on #{logical_resource_id} " \
128
- "for reason: #{found_suppression_rule['reason']}"
126
+ STDERR.puts "Suppressing #{rule_id} on #{logical_resource_id} for reason: #{found_suppression_rule['reason']}"
129
127
  end
130
128
  !found_suppression_rule.nil?
131
129
  end
data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb CHANGED
@@ -4,8 +4,7 @@ require_relative 'base'
4
4
  # Rule to ensure credentials are not specified in template
5
5
  class CloudFormationAuthenticationRule < BaseRule
6
6
  def rule_text
7
- 'Specifying credentials in the template itself ' \
8
- 'is probably not the safest thing'
7
+ 'Specifying credentials in the template itself is probably not the safest thing'
9
8
  end
10
9
 
11
10
  def rule_type
data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb CHANGED
@@ -16,11 +16,10 @@ class CloudFrontDistributionAccessLoggingRule < BaseRule
16
16
  end
17
17
 
18
18
  def audit_impl(cfn_model)
19
- violating_distributions = \
20
- cfn_model.resources_by_type('AWS::CloudFront::Distribution')
21
- .select do |distribution|
22
- distribution.distributionConfig['Logging'].nil?
23
- end
19
+ violating_distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution')
20
+ .select do |distribution|
21
+ distribution.distributionConfig['Logging'].nil?
22
+ end
24
23
 
25
24
  violating_distributions.map(&:logical_resource_id)
26
25
  end
data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb CHANGED
@@ -15,10 +15,10 @@ class EbsVolumeHasSseRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_volumes = \
19
- cfn_model.resources_by_type('AWS::EC2::Volume').select do |volume|
20
- volume.encrypted.nil? || volume.encrypted.to_s.casecmp('false').zero?
21
- end
18
+ violating_volumes = cfn_model.resources_by_type('AWS::EC2::Volume')
19
+ .select do |volume|
20
+ volume.encrypted.nil? || volume.encrypted.to_s.casecmp('false').zero?
21
+ end
22
22
 
23
23
  violating_volumes.map(&:logical_resource_id)
24
24
  end
data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb CHANGED
@@ -15,12 +15,10 @@ class ElasticLoadBalancerAccessLoggingRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_elbs = \
19
- cfn_model.resources_by_type('AWS::ElasticLoadBalancing::LoadBalancer')
20
- .select do |elb|
21
- elb.accessLoggingPolicy.nil? ||
22
- elb.accessLoggingPolicy['Enabled'] != true
23
- end
18
+ violating_elbs = cfn_model.resources_by_type('AWS::ElasticLoadBalancing::LoadBalancer')
19
+ .select do |elb|
20
+ elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
21
+ end
24
22
 
25
23
  violating_elbs.map(&:logical_resource_id)
26
24
  end
data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamManagedPolicyNotActionRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
20
- .select do |policy|
21
- !policy.policy_document.allows_not_action.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
19
+ .select do |policy|
20
+ !policy.policy_document.allows_not_action.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamManagedPolicyNotResourceRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
20
- .select do |policy|
21
- !policy.policy_document.allows_not_resource.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
19
+ .select do |policy|
20
+ !policy.policy_document.allows_not_resource.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamManagedPolicyWildcardActionRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
20
- .select do |policy|
21
- !policy.policy_document.wildcard_allowed_actions.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
19
+ .select do |policy|
20
+ !policy.policy_document.wildcard_allowed_actions.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
20
- .select do |policy|
21
- !policy.policy_document.wildcard_allowed_resources.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
19
+ .select do |policy|
20
+ !policy.policy_document.wildcard_allowed_resources.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamPolicyNotActionRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::Policy')
20
- .select do |policy|
21
- !policy.policy_document.allows_not_action.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy')
19
+ .select do |policy|
20
+ !policy.policy_document.allows_not_action.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb CHANGED
@@ -15,11 +15,10 @@ class IamPolicyNotResourceRule < BaseRule
15
15
  end
16
16
 
17
17
  def audit_impl(cfn_model)
18
- violating_policies = \
19
- cfn_model.resources_by_type('AWS::IAM::Policy')
20
- .select do |policy|
21
- !policy.policy_document.allows_not_resource.empty?
22
- end
18
+ violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy')
19
+ .select do |policy|
20
+ !policy.policy_document.allows_not_resource.empty?
21
+ end
23
22
 
24
23
  violating_policies.map(&:logical_resource_id)
25
24
  end
data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb CHANGED
@@ -4,8 +4,7 @@ require_relative 'base'
4
4
  # cfn_nag rules related to RDS Instance master username
5
5
  class RDSInstanceMasterUsernameRule < BaseRule
6
6
  def rule_text
7
- 'RDS instance master username must be Ref to NoEcho Parameter. ' \
8
- 'Default credentials are not recommended'
7
+ 'RDS instance master username must be Ref to NoEcho Parameter. Default credentials are not recommended'
9
8
  end
10
9
 
11
10
  def rule_type
data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb CHANGED
@@ -6,8 +6,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
6
6
  include IpAddr
7
7
 
8
8
  def rule_text
9
- 'Security Groups found with cidr open to world on ingress. ' \
10
- 'This should never be true on instance. Permissible on ELB'
9
+ 'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB'
11
10
  end
12
11
 
13
12
  def rule_type
data/lib/cfn-nag/result_view/json_results.rb CHANGED
@@ -3,8 +3,7 @@ require 'json'
3
3
  class JsonResults
4
4
  def render(results)
5
5
  hashified_results = results.each do |result|
6
- result[:file_results][:violations] = \
7
- result[:file_results][:violations].map(&:to_h)
6
+ result[:file_results][:violations] = result[:file_results][:violations].map(&:to_h)
8
7
  end
9
8
 
10
9
  puts JSON.pretty_generate(hashified_results)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.50
4
+ version: 0.3.51
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic