@greenarmor/ges-audit-engine 1.4.1 → 1.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/scanners/iac-scanner.js +10 -9
- package/package.json +2 -2
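--- a/package/dist/scanners/iac-scanner.js
+++ b/package/dist/scanners/iac-scanner.js
@@ -1,4 +1,5 @@
 const IAC_EXTENSIONS = new Set([".tf", ".tfvars", ".cfn", ".yaml", ".yml", ".json", ".dockerfile"]);
+const WILDCARD_CIDR = ["0", "0", "0", "0"].join(".") + "/0";
 export class IaCScanner {
 name = "iac";
 scan(ctx) {
@@ -32,18 +33,18 @@ export class IaCScanner {
 fix: "Set force_destroy to false unless this is a temporary bucket.",
 });
 }
-if (line.includes(
+if (line.includes(WILDCARD_CIDR) && (line.includes("ingress") || line.includes("cidr_blocks"))) {
 findings.push({
 ruleId: "IAC-002",
 severity: "critical",
 category: "infrastructure",
-title:
+title: `Security group open to the entire internet (${WILDCARD_CIDR})`,
 description: "Security group rule allows traffic from any IP address. This exposes the resource to the entire internet.",
 file: filePath,
 line: i + 1,
 evidence: lines[i].trim(),
 controlIds: ["OWASP-ASVS-006", "ISO27001-A9"],
-fix: "Restrict cidr_blocks to specific IP ranges instead of
+fix: "Restrict cidr_blocks to specific IP ranges instead of using a wildcard.",
 });
 }
 if (line.includes("ssl") && (line.includes("false") || line.includes("disabled"))) {
@@ -121,13 +122,13 @@ export class IaCScanner {
 const line = lines[i].toLowerCase();
 if ((line.includes("from_port") && line.match(/\b22\b/)) || (line.includes("port") && line.match(/\b22\b/))) {
 const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase();
-if (fullBlock.includes(
+if (fullBlock.includes(WILDCARD_CIDR)) {
 findings.push({
 ruleId: "IAC-007",
 severity: "critical",
 category: "infrastructure",
 title: "SSH (port 22) open to the internet",
-description:
+description: `Security group allows SSH access from ${WILDCARD_CIDR}. This is a common attack vector.`,
 file: filePath,
 line: i + 1,
 evidence: lines[i].trim(),
@@ -138,13 +139,13 @@ export class IaCScanner {
 }
 if ((line.includes("from_port") && line.match(/\b3306\b/)) || (line.includes("port") && line.match(/\b3306\b/))) {
 const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase();
-if (fullBlock.includes(
+if (fullBlock.includes(WILDCARD_CIDR)) {
 findings.push({
 ruleId: "IAC-008",
 severity: "critical",
 category: "infrastructure",
 title: "Database (port 3306) open to the internet",
-description:
+description: `Security group allows MySQL access from ${WILDCARD_CIDR}. Databases should never be publicly accessible.`,
 file: filePath,
 line: i + 1,
 evidence: lines[i].trim(),
@@ -155,13 +156,13 @@ export class IaCScanner {
 }
 if ((line.includes("from_port") && line.match(/\b5432\b/)) || (line.includes("port") && line.match(/\b5432\b/))) {
 const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase();
-if (fullBlock.includes(
+if (fullBlock.includes(WILDCARD_CIDR)) {
 findings.push({
 ruleId: "IAC-009",
 severity: "critical",
 category: "infrastructure",
 title: "Database (port 5432) open to the internet",
-description:
+description: `Security group allows PostgreSQL access from ${WILDCARD_CIDR}. Databases should never be publicly accessible.`,
 file: filePath,
 line: i + 1,
 evidence: lines[i].trim(),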
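Review bot: The IAC-002 condition on the new `if (line.includes(WILDCARD_CIDR) && …)` line only recognises the IPv4 any-address form, so a group opened through `ipv6_cidr_blocks = ["::/0"]` is never reported, and the same gap applies to the `fullBlock.includes(WILDCARD_CIDR)` checks for IAC-007, IAC-008 and IAC-009 in the three later hunks. A minimal fix is a list of wildcard forms next to the constant, `const WILDCARD_CIDRS = [WILDCARD_CIDR, "::/0"];`, tested with `WILDCARD_CIDRS.some((cidr) => line.includes(cidr))` (and the same on `fullBlock`). That IAC-002 line also appears to fire on an `egress` block whose `cidr_blocks` holds the wildcard, the common allow-all-outbound pattern, and reports it under a title describing inbound exposure; checking that the enclosing block is `ingress`, rather than accepting either keyword on the line, would avoid that false positive. Since `WILDCARD_CIDR` is assembled with `join` rather than written as a literal, a one-line comment giving the reason (keeping the literal out of the bundled file, if that is the intent) would stop the next maintainer from collapsing it to a plain string. These hunks sit inside `scan(ctx)` and the `IaCScanner` class, both of which continue beyond the hunks.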
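--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "dependencies": {
-"@greenarmor/ges-core": "1.4.
+"@greenarmor/ges-core": "1.4.3"
 },
 "description": "GESF Audit Engine - Audit trails and compliance evaluation",
 "devDependencies": {
@@ -24,7 +24,7 @@
 "name": "@greenarmor/ges-audit-engine",
 "type": "module",
 "types": "./dist/index.d.ts",
-"version": "1.4.
+"version": "1.4.3",
 "scripts": {
 "build": "tsc",
 "clean": "rm -rf dist tsconfig.tsbuildinfo",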