Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(misconf): False positive AWS-0102 #7006

Closed
nikpivkin opened this issue Jun 25, 2024 Discussed in #7004 · 0 comments · Fixed by aquasecurity/trivy-checks#161
Closed

bug(misconf): False positive AWS-0102 #7006

nikpivkin opened this issue Jun 25, 2024 Discussed in #7004 · 0 comments · Fixed by aquasecurity/trivy-checks#161
Assignees
@simar7 @nikpivkin
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone
v0.53.0

Comments

@nikpivkin
Copy link
Contributor

Discussed in #7004

The check is triggered for the deny rule.

Example config:

resource "aws_network_acl_rule" "bar" {
  rule_number    = 200
  egress         = false
  protocol       = "all"
  rule_action    = "deny"
  cidr_block     = "0.0.0.0/0"
}

Output:

main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:4
   via main.tf:1-7 (aws_network_acl_rule.bar)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   resource "aws_network_acl_rule" "bar" {
   2     rule_number    = 200
   3     egress         = false
   4 [   protocol       = "all"
   5     rule_action    = "deny"
   6     cidr_block     = "0.0.0.0/0"
   7   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jun 25, 2024
@nikpivkin nikpivkin self-assigned this Jun 25, 2024
@nikpivkin nikpivkin mentioned this issue Jun 25, 2024
Merged
@simar7 simar7 added this to the v0.53.0 milestone Jun 25, 2024
@simar7 simar7 self-assigned this Jun 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simar7 simar7

@nikpivkin nikpivkin

Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Projects
Trivy Roadmap
Archived in project
Milestone
v0.53.0
Development

Successfully merging a pull request may close this issue.

fix(checks): correctly check the protocol in the AVD-AWS-0102 rule nikpivkin/trivy-policies
2 participants
@simar7 @nikpivkin