cfn-nag 0.6.0 → 0.6.5
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +5 -0
- data/lib/cfn-nag/cfn_nag_config.rb +3 -0
- data/lib/cfn-nag/cfn_nag_executor.rb +1 -0
- data/lib/cfn-nag/cli_options.rb +11 -0
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb +0 -2
- data/lib/cfn-nag/result_view/colored_stdout_results.rb +0 -2
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fcec15f2d25123e50039b0618dbd0da02e2e798ade4b35fea7abb3f6e9035eba
|
4
|
+
data.tar.gz: 8eeea21427d600ce45addb7ebe595ddeeeec469b6ebf8fe7fde1f62685ad4b83
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b242c9866270499f2e1b87594043813dd6078ab7cea40eaaa6fff6835a48405c3645a1895e8e6630d1d04c337fbfb90d6a6b7c168cbffd97df8339076aec69dd
|
7
|
+
data.tar.gz: 02ec8b6dfc2b4409bffb5f9339e41e59a79f076b6d288d74d9752e1357ad9918acc0360ba07fa3017c633951c47ee238a6f6ad0a4deca7b61c7d43109c6e023e
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
@@ -102,9 +102,14 @@ class CfnNag
|
|
102
102
|
violations << fatal_violation(error)
|
103
103
|
end
|
104
104
|
|
105
|
+
violations = prune_fatal_violations(violations) if @config.ignore_fatal
|
105
106
|
audit_result(violations)
|
106
107
|
end
|
107
108
|
|
109
|
+
def prune_fatal_violations(violations)
|
110
|
+
violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
|
111
|
+
end
|
112
|
+
|
108
113
|
def render_results(aggregate_results:,
|
109
114
|
output_format:)
|
110
115
|
results_renderer(output_format).new.render(aggregate_results)
|
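Review bot: `prune_fatal_violations` (new line 110) rejects on `violation.type == Violation::FAILING_VIOLATION`, which is the type ordinary failing rule findings also carry if `fatal_violation` builds its Violation the way I recall (id `'FATAL'`, type FAILING_VIOLATION); with `--ignore-fatal` every F-level finding would then be dropped before `audit_result(violations)` at line 106 and a template with real failures reported clean. The flag's help text promises only to skip files that are not CloudFormation, so the filter should key on the fatal marker itself, e.g. `violations.reject { |violation| violation.id == 'FATAL' }` (confirm the id `fatal_violation` assigns; its definition is outside this hunk). If the intent is to skip whole files, returning an empty result when a fatal violation is present would make that explicit instead of pruning individual entries. The method patched at line 105 begins before the hunk.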
@@ -9,6 +9,7 @@ class CfnNagConfig
|
|
9
9
|
print_suppression: false,
|
10
10
|
isolate_custom_rule_exceptions: false,
|
11
11
|
fail_on_warnings: false,
|
12
|
+
ignore_fatal: false,
|
12
13
|
rule_repository_definitions: [],
|
13
14
|
rule_arguments: {})
|
14
15
|
@rule_directory = rule_directory
|
@@ -24,6 +25,7 @@ class CfnNagConfig
|
|
24
25
|
@fail_on_warnings = fail_on_warnings
|
25
26
|
@rule_repositories = rule_repositories
|
26
27
|
@rule_arguments = rule_arguments
|
28
|
+
@ignore_fatal = ignore_fatal
|
27
29
|
end
|
28
30
|
# rubocop:enable Metrics/ParameterLists
|
29
31
|
|
@@ -34,4 +36,5 @@ class CfnNagConfig
|
|
34
36
|
attr_reader :blacklist_definition
|
35
37
|
attr_reader :fail_on_warnings
|
36
38
|
attr_reader :rule_repositories
|
39
|
+
attr_reader :ignore_fatal
|
37
40
|
end
|
@@ -129,6 +129,7 @@ class CfnNagExecutor
|
|
129
129
|
isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
|
130
130
|
fail_on_warnings: opts[:fail_on_warnings],
|
131
131
|
rule_repository_definitions: @rule_repository_definitions,
|
132
|
+
ignore_fatal: opts[:ignore_fatal],
|
132
133
|
rule_arguments: merge_rule_arguments(opts)
|
133
134
|
)
|
134
135
|
end
|
data/lib/cfn-nag/cli_options.rb
CHANGED
@@ -100,6 +100,11 @@ class Options
|
|
100
100
|
type: :string,
|
101
101
|
required: false,
|
102
102
|
default: nil
|
103
|
+
opt :ignore_fatal,
|
104
|
+
'Ignore files with fatal violations. Useful for ignoring non-Cloudformation yaml/yml/json in a path',
|
105
|
+
type: :boolean,
|
106
|
+
required: false,
|
107
|
+
default: false
|
103
108
|
end
|
104
109
|
end
|
105
110
|
|
@@ -193,6 +198,12 @@ class Options
|
|
193
198
|
type: :string,
|
194
199
|
required: false,
|
195
200
|
default: nil
|
201
|
+
opt :ignore_fatal,
|
202
|
+
'Ignore files with fatal violations. Useful for ignoring non-Cloudformation yaml/yml/json in a path',
|
203
|
+
short: 'g',
|
204
|
+
type: :boolean,
|
205
|
+
required: false,
|
206
|
+
default: false
|
196
207
|
end
|
197
208
|
end
|
198
209
|
# rubocop:enable Metrics/BlockLength
|
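Review bot: The help text for `--ignore-fatal` (lines 104 and 202) states the intended use but not the effect: as far as the cfn_nag.rb hunk shows, a file that fails to parse is dropped from the results and no longer affects the exit status, so a malformed template in a CI gate passes silently. Suggest `'Drop FATAL violations (e.g. unparseable files) from the results and exit status. Useful for ignoring non-CloudFormation yaml/yml/json in a path; do not rely on it to validate template syntax'`. The two definitions also differ in that only the second carries `short: 'g'`; that looks deliberate for two separate option sets but is worth confirming so the flag is spelled the same way in both.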
@@ -5,8 +5,8 @@ require_relative 'sub_property_with_list_password_base_rule'
|
|
5
5
|
|
6
6
|
class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
|
7
7
|
def rule_text
|
8
|
-
'AmazonMQ Broker Users Password must not be a plaintext ' \
|
9
|
-
'
|
8
|
+
'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
|
9
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
10
|
end
|
11
11
|
|
12
12
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class AmplifyAppAccessTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Amplify App AccessToken must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class AmplifyAppOauthTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Amplify App OauthToken must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
|
9
|
-
'string or a Ref to a
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -18,7 +18,7 @@ class ApiGatewayV2AccessLoggingRule < BaseRule
|
|
18
18
|
|
19
19
|
def audit_impl(cfn_model)
|
20
20
|
violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
|
21
|
-
deployment.
|
21
|
+
deployment.accessLogSettings.nil?
|
22
22
|
end
|
23
23
|
|
24
24
|
violating_deployments.map(&:logical_resource_id)
|
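Review bot: The replacement condition at line 21 treats any non-nil `accessLogSettings` as compliant, so a stage whose `AccessLogSettings` is an empty mapping, or one missing `DestinationArn`, satisfies the rule even though no log destination is declared. Consider also requiring the destination, e.g. `settings = deployment.accessLogSettings` followed by `settings.nil? || settings['DestinationArn'].nil?` — the key access form depends on how cfn-model exposes the sub-property, so verify against a fixture. The local is named `deployment` although the resources selected are `AWS::ApiGatewayV2::Stage`; `stage` would read better. `audit_impl` closes after the hunk.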
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
|
|
6
6
|
class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
|
9
|
-
'must not be a plaintext string or a Ref to a
|
10
|
-
'with a Default value.'
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter ' \
|
10
|
+
'with a Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
CHANGED
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
|
9
|
-
'a plaintext string or a Ref to a
|
9
|
+
'a plaintext string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class DMSEndpointPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'DMS Endpoint password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
|
|
7
7
|
class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
|
8
8
|
def rule_text
|
9
9
|
'Directory Service Microsoft AD password must not be a plaintext string ' \
|
10
|
-
'or a Ref to a
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
|
|
7
7
|
class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
|
8
8
|
def rule_text
|
9
9
|
'DirectoryService SimpleAD password must not be a plaintext string ' \
|
10
|
-
'or a Ref to a
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'DocDB DB Cluster master user password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
|
9
|
-
'plaintext string or a Ref to a
|
9
|
+
'plaintext string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
CHANGED
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
|
|
6
6
|
class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \
|
9
|
-
'not be a plaintext string or a Ref to a
|
10
|
-
'Default value.'
|
9
|
+
'not be a plaintext string or a Ref to a Parameter with a ' \
|
10
|
+
'Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \
|
9
|
-
'plaintext string or a Ref to a
|
9
|
+
'plaintext string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class IAMUserLoginProfilePasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'IAM User LoginProfile Password must not be a plaintext string or ' \
|
9
|
-
'a Ref to a
|
9
|
+
'a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
|
|
6
6
|
class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \
|
9
|
-
'must not be a plaintext string or a Ref to a
|
10
|
-
'Default value.'
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter with a ' \
|
10
|
+
'Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
|
|
6
6
|
class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \
|
9
|
-
'must not be a plaintext string or a Ref to a
|
10
|
-
'Default value.'
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter with a ' \
|
10
|
+
'Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class LambdaPermissionEventSourceTokenRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Lambda Permission EventSourceToken must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks App AppSource Password must not be a plaintext ' \
|
9
|
-
'string or a Ref to a
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
|
9
|
-
'string or a Ref to a
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
|
9
|
-
'string or a Ref to a
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -5,8 +5,9 @@ require_relative 'sub_property_with_list_password_base_rule'
|
|
5
5
|
|
6
6
|
class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
|
7
7
|
def rule_text
|
8
|
-
'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext '
|
9
|
-
'
|
8
|
+
'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
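Review bot: Context line 8 of `PinpointAPNSVoipChannelTokenKeyRule#rule_text` still reads `'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \`, so the finding names the wrong resource (APNSChannel rather than APNSVoipChannel); this commit rewrites the rest of the message but leaves that copy-paste error in place. Change it to `'Pinpoint APNSVoipChannel TokenKey must not be a plaintext string ' \` to match the class name and the sibling Pinpoint rules. The `rule_type` method beginning at line 13 continues outside the hunk.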
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
|
9
|
-
'string or a Ref to a
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'RDS DB Cluster master user password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'RDS instance master user password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
|
|
7
7
|
class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
|
8
8
|
def rule_text
|
9
9
|
'RDS instance master username must not be a plaintext string ' \
|
10
|
-
'or a Ref to a
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
12
|
end
|
12
13
|
|
13
14
|
def rule_type
|
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Redshift Cluster master user password must not be a plaintext string ' \
|
9
|
-
'or a Ref to a
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
10
11
|
end
|
11
12
|
|
12
13
|
def rule_type
|
@@ -6,7 +6,6 @@ require 'set'
|
|
6
6
|
class ConditionMetric
|
7
7
|
include Weights
|
8
8
|
|
9
|
-
# rubocop:disable Metrics/AbcSize
|
10
9
|
def metric(statement)
|
11
10
|
return 0 if statement.condition.nil?
|
12
11
|
|
@@ -18,7 +17,6 @@ class ConditionMetric
|
|
18
17
|
aggregate += values_with_policy_tags(statement.condition)
|
19
18
|
aggregate
|
20
19
|
end
|
21
|
-
# rubocop:enable Metrics/AbcSize
|
22
20
|
|
23
21
|
private
|
24
22
|
|
@@ -6,7 +6,6 @@ require 'cfn-nag/violation'
|
|
6
6
|
class ColoredStdoutResults < StdoutResults
|
7
7
|
private
|
8
8
|
|
9
|
-
# rubocop:disable Metrics/AbcSize
|
10
9
|
def message(message_type:,
|
11
10
|
color:,
|
12
11
|
message:,
|
@@ -24,7 +23,6 @@ class ColoredStdoutResults < StdoutResults
|
|
24
23
|
puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
|
25
24
|
puts colorize(color, "| #{message}")
|
26
25
|
end
|
27
|
-
# rubocop:enable Metrics/AbcSize
|
28
26
|
|
29
27
|
def color_code(color_symbol)
|
30
28
|
case color_symbol
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-06-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -72,14 +72,14 @@ dependencies:
|
|
72
72
|
requirements:
|
73
73
|
- - '='
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version: 0.5.
|
75
|
+
version: 0.5.1
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - '='
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version: 0.5.
|
82
|
+
version: 0.5.1
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: logging
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
381
381
|
- !ruby/object:Gem::Version
|
382
382
|
version: '0'
|
383
383
|
requirements: []
|
384
|
-
rubygems_version: 3.1.
|
384
|
+
rubygems_version: 3.1.3
|
385
385
|
signing_key:
|
386
386
|
specification_version: 4
|
387
387
|
summary: cfn-nag
|