Terrascan
Terrascan - это инструмент с открытым исходным кодом, который используется для обнаружения нарушений соответствия и безопасности в Infrastructure as Code (IaC) фреймворках.
Название задания в Auditor: Terrascan
Образ в Auditor: registry.gitlab.com/whitespots-public/security-images/terrascan:1.18.11
Название импортера в Security Center: Terrascan Scan
Terrascan гарантирует, что определения IaC соответствуют лучшим практикам безопасности, и позволяет обнаружить проблемы, которые могут привести к нарушению безопасности, потере данных или сбоям в работе сервисов. Terrascan поддерживает несколько популярных IaC-фреймворков, включая Terraform, Kubernetes, Helm, AWS CloudFormation, Azure Resource Manager и Google Cloud Deployment Manager.
Инструмент использует набор предопределенных политик, которые можно настроить в соответствии с конкретными требованиями организации к безопасности и соответствию нормативным требованиям. Политики основаны на стандартных отраслевых системах безопасности, таких как NIST, CIS, PCI-DSS и GDPR.
Пример команды Curl
curl -X POST localhost/api/v1/scan/import/ -H "Authorization: Token a75bb26171cf391671e67b128bfc8ae1c779ff7b" -H "Content-Type: multipart/form-data" -F "file=@./terrascan.json" -F "product_name=Product1" -F "product_type=Application" -F "scanner_name=Terrascan Scan" -F "branch=dev" -F "repository=git@gitlab.com:whitespots-public/appsec-portal.git"В этой команде используются следующие параметры:
-X POST: задает используемый метод HTTP (в данном случае POST).-H "Authorization: Token <authorization_token>": задает токен авторизации, полученный от Security Center.-H "Content-Type: multipart/form-data": задает тип содержимого запроса.-F "file=@<report_file_path>": задает путь к файлу отчета, создаваемого сканером.-F "product_name=<product_name>": задает название сканируемого продукта.-F "product_type=<product_type>": задает тип сканируемого продукта.-F "scanner_name=<scanner_name>": задает имя сканера, используемого для создания отчета (Bandit Scan или GitLab Bandit)-F "branch=<branch_name>": (необязательно) указывает имя ветки в репозитории исходного кода (если применимо). Этот параметр особенно полезен, когда вы хотите связать результаты сканирования с определенной веткой в вашем репозитории. Если параметр не указан, сканирование будет связано с веткой по умолчанию
Информация об активах, если используется Auditor
-F "repository=<repository SSH URL>": Если ваш продукт хранится в репозитории, введите адрес репозитория в определенном формате, например: git@gitlab.com:whitespots-public/appsec-portal.git-F "docker_image=<registry address>": Если ваш продукт является образом, введите адрес реестра, в котором находится ваш продукт, например: registry.gitlab.com/whitespots-public/appsec-portal/back/auto_validator:latest-F "domain=<domain>": Если ваш продукт является веб-продуктом, введите доменное имя вашего продукта, например: cybercodereview.ru-F "host=<host>": Если ваш продукт является веб-продуктом, введите IP-адрес вашего продукта, например: 0.0.0.0
Пример отчета:
{
"results": {
"scan_errors": [
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/db",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/db' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/assessment",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/assessment' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/assets",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/assets' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/development",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/development' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/solution",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docs/solution' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/scripts",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/scripts' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a8_csrf",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a8_csrf' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a9_vuln_component",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a9_vuln_component' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/common",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/common' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/example",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/example' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/css",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/css' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/fonts",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/fonts' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/less",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/less' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/scss",
"errMsg": "directory '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/src/main/webapp/assets/fa/scss' has no terraform config files"
},
{
"iac_type": "cft",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "error while loading iac file '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/.gitlab-ci.yml', err: failed to find valid Resources key in file: /builds/whitespots-public/vulnerable-apps/vulnerable-java-app/.gitlab-ci.yml"
},
{
"iac_type": "cft",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "error while loading iac file '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docker-compose.yml', err: failed to find valid Resources key in file: /builds/whitespots-public/vulnerable-apps/vulnerable-java-app/docker-compose.yml"
},
{
"iac_type": "cft",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "error while loading iac file '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/terrascan.json', err: error while resolving intrinsic functions, error invalid JSON: unexpected end of JSON input"
},
{
"iac_type": "arm",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "error while loading iac file '/builds/whitespots-public/vulnerable-apps/vulnerable-java-app/terrascan.json'. err: unable to parse file /builds/whitespots-public/vulnerable-apps/vulnerable-java-app/terrascan.json"
},
{
"iac_type": "kustomize",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "kustomization.y(a)ml file not found in the directory /builds/whitespots-public/vulnerable-apps/vulnerable-java-app"
},
{
"iac_type": "helm",
"directory": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"errMsg": "no helm charts found in directory /builds/whitespots-public/vulnerable-apps/vulnerable-java-app"
}
],
"violations": [
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 4
},
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 5
},
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 6
}
],
"skipped_violations": null,
"scan_summary": {
"file/folder": "/builds/whitespots-public/vulnerable-apps/vulnerable-java-app",
"iac_type": "docker",
"scanned_at": "2023-12-11 10:55:58.562986649 +0000 UTC",
"policies_validated": 24,
"violated_policies": 3,
"low": 0,
"medium": 3,
"high": 0
}
}
}Last updated