Terrascan - это инструмент с открытым исходным кодом, который используется для обнаружения нарушений соответствия и безопасности в Infrastructure as Code (IaC) фреймворках.
Название задания в Auditor: Terrascan
Образ в Auditor:registry.cybercodereview.ru/cybercodereview/security-images/terrascan:1.18.11
Название импортера в Security Center: Terrascan Scan
гарантирует, что определения IaC соответствуют лучшим практикам безопасности, и позволяет обнаружить проблемы, которые могут привести к нарушению безопасности, потере данных или сбоям в работе сервисов. Terrascan поддерживает несколько популярных IaC-фреймворков, включая Terraform, Kubernetes, Helm, AWS CloudFormation, Azure Resource Manager и Google Cloud Deployment Manager.
Инструмент использует набор предопределенных политик, которые можно настроить в соответствии с конкретными требованиями организации к безопасности и соответствию нормативным требованиям. Политики основаны на стандартных отраслевых системах безопасности, таких как NIST, CIS, PCI-DSS и GDPR.
-X POST: задает используемый метод HTTP (в данном случае POST).
-H "Authorization: Token <authorization_token>": задает , полученный от Security Center.
-H "Content-Type: multipart/form-data": задает тип содержимого запроса.
-F "file=@<report_file_path>": задает путь к файлу отчета, создаваемого сканером.
-F "product_name=<product_name>": задает название сканируемого продукта.
-F "product_type=<product_type>": задает тип сканируемого продукта.
-F "scanner_name=<scanner_name>": задает имя сканера, используемого для создания отчета (Bandit Scan или GitLab Bandit)
-F "branch=<branch_name>": (необязательно) указывает имя ветки в репозитории исходного кода (если применимо). Этот параметр особенно полезен, когда вы хотите связать результаты сканирования с определенной веткой в вашем репозитории. Если параметр не указан, сканирование будет связано с веткой по умолчанию
Информация об активах, если используется
-F "repository=<repository SSH URL>": Если ваш продукт хранится в репозитории, введите адрес репозитория в определенном формате, например: git@gitlab.cybercodereview.ru:cybercodereview/security-center.git
-F "docker_image=<registry address>": Если ваш продукт является образом, введите адрес реестра, в котором находится ваш продукт, например: registry.cybercodereview.ru/cybercodereview/security-center/back/importer:latest
-F "domain=<domain>": Если ваш продукт является веб-продуктом, введите доменное имя вашего продукта, например: cybercodereview.ru
-F "host=<host>": Если ваш продукт является веб-продуктом, введите IP-адрес вашего продукта, например: 0.0.0.0
Пример отчета:
{
"results": {
"scan_errors": [
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/db",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/db' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/docs",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/assessment",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/assessment' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/assets",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/assets' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/development",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/development' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/docs/solution",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/docs/solution' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/scripts",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/scripts' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/controllers' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/interceptors' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/models' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/dvja/services' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/java/com/appsecco/example' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/META-INF' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/resources/com/appsecco/example' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a10_redirect' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a1_injection' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a2_broken_auth' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a3_xss' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a4_idor' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a5_sec_misconf' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a6_sensitive_data' has no terraform config files"
},
{
"iac_type": "terraform",
"directory": "/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control",
"errMsg": "directory '/builds/vulnerable-apps/vulnerable-java-app/src/main/webapp/WEB-INF/dvja/a7_missing_access_control' has no terraform config files"
}
],
"violations": [
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 4
},
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 5
},
{
"rule_name": "runUsingApt",
"description": "Ensure apt is not used with RUN command for Docker file",
"rule_id": "AC_DOCKER_0002",
"severity": "MEDIUM",
"category": "Infrastructure Security",
"resource_name": "Dockerfile",
"resource_type": "docker_run",
"file": "Dockerfile",
"line": 6
}
],
"skipped_violations": null,
"scan_summary": {
"file/folder": "/builds/vulnerable-apps/vulnerable-java-app",
"iac_type": "docker",
"scanned_at": "2023-12-11 10:55:58.562986649 +0000 UTC",
"policies_validated": 24,
"violated_policies": 3,
"low": 0,
"medium": 3,
"high": 0
}
}
}
