agent-security-scanner-mcp 1.1.1 → 1.2.0

package/rules/terraform.security.yaml

@@ -0,0 +1,505 @@
+rules:
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS S3
+  # =============================================================================
+
+  - id: terraform.aws.security.s3-public-read
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "S3 bucket has public read access. Remove public-read ACL and use bucket policies for access control."
+    patterns:
+      - "acl\\s*=\\s*\"public-read\""
+      - "acl\\s*=\\s*\"public-read-write\""
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
+
+  - id: terraform.aws.security.s3-encryption-disabled
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "S3 bucket encryption not configured. Enable server-side encryption with SSE-S3 or SSE-KMS."
+    patterns:
+      - "resource\\s*\"aws_s3_bucket\"(?![^}]*server_side_encryption_configuration)"
+    metadata:
+      cwe: "CWE-311"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: MEDIUM
+      references:
+        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
+
+  - id: terraform.aws.security.s3-versioning-disabled
+    languages: [hcl, terraform]
+    severity: INFO
+    message: "S3 bucket versioning not enabled. Enable versioning for data protection and recovery."
+    patterns:
+      - "resource\\s*\"aws_s3_bucket\"(?![^}]*versioning)"
+    metadata:
+      cwe: "CWE-693"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: LOW
+      references:
+        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
+
+  - id: terraform.aws.security.s3-logging-disabled
+    languages: [hcl, terraform]
+    severity: INFO
+    message: "S3 bucket logging not configured. Enable access logging for audit trails."
+    patterns:
+      - "resource\\s*\"aws_s3_bucket\"(?![^}]*logging)"
+    metadata:
+      cwe: "CWE-778"
+      owasp: "A09:2021 - Security Logging and Monitoring Failures"
+      confidence: LOW
+      references:
+        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS Security Groups
+  # =============================================================================
+
+  - id: terraform.aws.security.security-group-open-ingress
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "Security group allows unrestricted ingress (0.0.0.0/0). Restrict to specific IP ranges."
+    patterns:
+      - "cidr_blocks\\s*=\\s*\\[\\s*\"0\\.0\\.0\\.0/0\"\\s*\\]"
+      - "ipv6_cidr_blocks\\s*=\\s*\\[\\s*\"::/0\"\\s*\\]"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
+
+  - id: terraform.aws.security.security-group-open-ssh
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "Security group allows SSH from anywhere. Restrict SSH access to specific IPs or use bastion hosts."
+    patterns:
+      - "from_port\\s*=\\s*22[^}]*cidr_blocks\\s*=\\s*\\[\\s*\"0\\.0\\.0\\.0/0\""
+      - "to_port\\s*=\\s*22[^}]*cidr_blocks\\s*=\\s*\\[\\s*\"0\\.0\\.0\\.0/0\""
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
+
+  - id: terraform.aws.security.security-group-open-rdp
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "Security group allows RDP from anywhere. Restrict RDP access to specific IPs."
+    patterns:
+      - "from_port\\s*=\\s*3389[^}]*cidr_blocks\\s*=\\s*\\[\\s*\"0\\.0\\.0\\.0/0\""
+      - "to_port\\s*=\\s*3389[^}]*cidr_blocks\\s*=\\s*\\[\\s*\"0\\.0\\.0\\.0/0\""
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS IAM
+  # =============================================================================
+
+  - id: terraform.aws.security.iam-admin-policy
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "IAM policy grants admin access with Action:* and Resource:*. Follow least privilege principle."
+    patterns:
+      - "\"Action\"\\s*:\\s*\"\\*\"[^}]*\"Resource\"\\s*:\\s*\"\\*\""
+      - "actions\\s*=\\s*\\[\\s*\"\\*\"\\s*\\][^}]*resources\\s*=\\s*\\[\\s*\"\\*\"\\s*\\]"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+
+  - id: terraform.aws.security.iam-user-policy-attachment
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "IAM policy attached directly to user. Attach policies to groups or roles instead."
+    patterns:
+      - "resource\\s*\"aws_iam_user_policy_attachment\""
+      - "resource\\s*\"aws_iam_user_policy\""
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: MEDIUM
+      references:
+        - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS RDS
+  # =============================================================================
+
+  - id: terraform.aws.security.rds-public-access
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "RDS instance is publicly accessible. Set publicly_accessible to false."
+    patterns:
+      - "publicly_accessible\\s*=\\s*true"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Security.html
+
+  - id: terraform.aws.security.rds-encryption-disabled
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "RDS storage encryption disabled. Set storage_encrypted to true."
+    patterns:
+      - "storage_encrypted\\s*=\\s*false"
+      - "resource\\s*\"aws_db_instance\"(?![^}]*storage_encrypted\\s*=\\s*true)"
+    metadata:
+      cwe: "CWE-311"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
+
+  - id: terraform.aws.security.rds-deletion-protection
+    languages: [hcl, terraform]
+    severity: INFO
+    message: "RDS deletion protection not enabled. Enable for production databases."
+    patterns:
+      - "deletion_protection\\s*=\\s*false"
+    metadata:
+      cwe: "CWE-693"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS CloudTrail/Logging
+  # =============================================================================
+
+  - id: terraform.aws.security.cloudtrail-disabled
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "CloudTrail logging disabled. Enable multi-region CloudTrail for audit logging."
+    patterns:
+      - "enable_logging\\s*=\\s*false"
+      - "is_multi_region_trail\\s*=\\s*false"
+    metadata:
+      cwe: "CWE-778"
+      owasp: "A09:2021 - Security Logging and Monitoring Failures"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
+
+  - id: terraform.aws.security.cloudtrail-encryption
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "CloudTrail logs not encrypted with KMS. Configure kms_key_id for encryption."
+    patterns:
+      - "resource\\s*\"aws_cloudtrail\"(?![^}]*kms_key_id)"
+    metadata:
+      cwe: "CWE-311"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: MEDIUM
+      references:
+        - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS KMS
+  # =============================================================================
+
+  - id: terraform.aws.security.kms-key-rotation
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "KMS key rotation not enabled. Enable automatic key rotation for security."
+    patterns:
+      - "enable_key_rotation\\s*=\\s*false"
+      - "resource\\s*\"aws_kms_key\"(?![^}]*enable_key_rotation\\s*=\\s*true)"
+    metadata:
+      cwe: "CWE-320"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - AWS EC2/EBS
+  # =============================================================================
+
+  - id: terraform.aws.security.ebs-encryption-disabled
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "EBS volume encryption disabled. Set encrypted to true."
+    patterns:
+      - "encrypted\\s*=\\s*false"
+      - "resource\\s*\"aws_ebs_volume\"(?![^}]*encrypted\\s*=\\s*true)"
+    metadata:
+      cwe: "CWE-311"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
+
+  - id: terraform.aws.security.ec2-imdsv1
+    languages: [hcl, terraform]
+    severity: WARNING
+    message: "EC2 instance metadata service v1 enabled. Require IMDSv2 for security."
+    patterns:
+      - "http_tokens\\s*=\\s*\"optional\""
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+
+  # =============================================================================
+  # TERRAFORM SECURITY RULES - Hardcoded Secrets
+  # =============================================================================
+
+  - id: terraform.generic.security.hardcoded-password
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "Hardcoded password in Terraform. Use variables with sensitive=true or secrets manager."
+    patterns:
+      - "password\\s*=\\s*\"[^\"]{4,}\""
+      - "master_password\\s*=\\s*\"[^\"]{4,}\""
+      - "admin_password\\s*=\\s*\"[^\"]{4,}\""
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
+
+  - id: terraform.generic.security.hardcoded-api-key
+    languages: [hcl, terraform]
+    severity: ERROR
+    message: "Hardcoded API key in Terraform. Use variables or secrets manager."
+    patterns:
+      - "api_key\\s*=\\s*\"[a-zA-Z0-9_-]{20,}\""
+      - "access_key\\s*=\\s*\"AKIA[A-Z0-9]{16}\""
+      - "secret_key\\s*=\\s*\"[a-zA-Z0-9/+=]{40}\""
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - Pod Security
+  # =============================================================================
+
+  - id: kubernetes.security.privileged-container
+    languages: [yaml]
+    severity: ERROR
+    message: "Container running as privileged. Remove privileged: true for security."
+    patterns:
+      - "privileged:\\s*true"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+  - id: kubernetes.security.run-as-root
+    languages: [yaml]
+    severity: ERROR
+    message: "Container running as root. Set runAsNonRoot: true and specify runAsUser."
+    patterns:
+      - "runAsUser:\\s*0"
+      - "runAsNonRoot:\\s*false"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+  - id: kubernetes.security.host-network
+    languages: [yaml]
+    severity: WARNING
+    message: "Pod using host network. This bypasses network isolation. Remove hostNetwork: true."
+    patterns:
+      - "hostNetwork:\\s*true"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+  - id: kubernetes.security.host-pid
+    languages: [yaml]
+    severity: WARNING
+    message: "Pod using host PID namespace. This can expose sensitive process information."
+    patterns:
+      - "hostPID:\\s*true"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+  - id: kubernetes.security.host-path
+    languages: [yaml]
+    severity: WARNING
+    message: "Container mounting host path. This can expose sensitive host files."
+    patterns:
+      - "hostPath:"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - Resource Limits
+  # =============================================================================
+
+  - id: kubernetes.security.no-resource-limits
+    languages: [yaml]
+    severity: WARNING
+    message: "Container without resource limits. Set CPU and memory limits to prevent DoS."
+    patterns:
+      - "containers:(?![^}]*limits:)"
+    metadata:
+      cwe: "CWE-770"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - Secrets
+  # =============================================================================
+
+  - id: kubernetes.security.secrets-in-env
+    languages: [yaml]
+    severity: WARNING
+    message: "Secret exposed in environment variable. Use secretKeyRef or volume mounts instead."
+    patterns:
+      - "env:[^}]*value:\\s*[\"'][^\"']{20,}[\"']"
+      - "PASSWORD[\"']?:\\s*[\"'][^\"']{4,}[\"']"
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: MEDIUM
+      references:
+        - https://kubernetes.io/docs/concepts/configuration/secret/
+
+  - id: kubernetes.security.hardcoded-secret
+    languages: [yaml]
+    severity: ERROR
+    message: "Hardcoded secret in Kubernetes manifest. Use Kubernetes Secrets or external secrets manager."
+    patterns:
+      - "stringData:[^}]*password:"
+      - "stringData:[^}]*api_key:"
+      - "data:[^}]*password:\\s*[a-zA-Z0-9+/=]{10,}"
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/concepts/configuration/secret/
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - RBAC
+  # =============================================================================
+
+  - id: kubernetes.security.cluster-admin-binding
+    languages: [yaml]
+    severity: ERROR
+    message: "ClusterRoleBinding to cluster-admin. This grants full cluster access. Use least privilege."
+    patterns:
+      - "roleRef:[^}]*name:\\s*cluster-admin"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+
+  - id: kubernetes.security.wildcard-rbac
+    languages: [yaml]
+    severity: WARNING
+    message: "RBAC rule with wildcard permissions. Specify explicit resources and verbs."
+    patterns:
+      - "resources:\\s*\\[\\s*\"\\*\"\\s*\\]"
+      - "verbs:\\s*\\[\\s*\"\\*\"\\s*\\]"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - Network Policies
+  # =============================================================================
+
+  - id: kubernetes.security.allow-all-ingress
+    languages: [yaml]
+    severity: WARNING
+    message: "NetworkPolicy allows all ingress traffic. Restrict to specific sources."
+    patterns:
+      - "ingress:\\s*\\[\\s*\\{\\s*\\}\\s*\\]"
+      - "ingress:\\s*-\\s*\\{\\}"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/concepts/services-networking/network-policies/
+
+  # =============================================================================
+  # KUBERNETES SECURITY RULES - Security Context
+  # =============================================================================
+
+  - id: kubernetes.security.capabilities-add
+    languages: [yaml]
+    severity: WARNING
+    message: "Container adding Linux capabilities. Review and minimize added capabilities."
+    patterns:
+      - "capabilities:[^}]*add:"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+  - id: kubernetes.security.no-readonly-root
+    languages: [yaml]
+    severity: INFO
+    message: "Container filesystem not read-only. Set readOnlyRootFilesystem: true."
+    patterns:
+      - "readOnlyRootFilesystem:\\s*false"
+    metadata:
+      cwe: "CWE-732"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: MEDIUM
+      references:
+        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+  - id: kubernetes.security.allow-privilege-escalation
+    languages: [yaml]
+    severity: WARNING
+    message: "Container allows privilege escalation. Set allowPrivilegeEscalation: false."
+    patterns:
+      - "allowPrivilegeEscalation:\\s*true"
+    metadata:
+      cwe: "CWE-250"
+      owasp: "A05:2021 - Security Misconfiguration"
+      confidence: HIGH
+      references:
+        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/