Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TM-827] added access to LZ shared-service laa-software-library bucket to CIS DB instance #9160

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

[TM-827] added access to LZ shared-service laa-software-library bucket to CIS DB instance #9160

wants to merge 5 commits into from

Conversation

vladimir-kovalyov
Copy link
Contributor

No description provided.

@vladimir-kovalyov vladimir-kovalyov requested review from a team as code owners December 19, 2024 15:46
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 19, 2024
@vladimir-kovalyov vladimir-kovalyov had a problem deploying to corporate-information-system-development December 19, 2024 15:48 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T15:49:22Z INFO [vulndb] Need to update DB
2024-12-19T15:49:22Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T15:49:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Need to update the built-in checks
2024-12-19T15:49:25Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T15:49:25Z INFO [secret] Secret scanning is enabled
2024-12-19T15:49:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T15:49:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T15:49:26Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T15:49:26Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T15:49:29Z INFO Number of language-specific files num=0
2024-12-19T15:49:29Z INFO Detected config files num=4
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 15:49:31,964 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 15:49:42,029 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:72-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		72  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		73  |   name = "${local.application_name_short}-s3fs-policy"
		74  |   role = aws_iam_role.cis_s3fs_role.id
		75  | 
		76  |   policy = jsonencode({
		77  |     Version = "2012-10-17"
		78  |     Statement = [
		79  |       {
		80  |         "Action" : [
		81  |           "s3:*"
		82  |         ],
		83  |         "Resource" : [
		84  |           "arn:aws:s3:::laa-software-bucket2",
		85  |           "arn:aws:s3:::laa-software-bucket2/*",
		86  |           "arn:aws:s3:::laa-software-library",
		87  |           "arn:aws:s3:::laa-software-library/*",
		88  |           "arn:aws:s3:::laa-cis-inbound-production",
		89  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		90  |           "arn:aws:s3:::laa-cis-outbound-production",
		91  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		92  |           "arn:aws:s3:::laa-ccms-outbound-production",
		93  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		94  |           "arn:aws:s3:::laa-ccms-inbound-production",
		95  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		96  |         ],
		97  |         "Effect" : "Allow"
		98  |       },
		99  |       {
		100 |         "Action" : [
		101 |           "logs:CreateLogGroup",
		102 |           "logs:CreateLogStream",
		103 |           "logs:DescribeLogStreams",
		104 |           "logs:PutRetentionPolicy",
		105 |           "logs:PutLogEvents",
		106 |           "ec2:DescribeInstances"
		107 |         ],
		108 |         "Resource" : "*",
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "ec2:CreateTags"
		114 |         ],
		115 |         "Resource" : "*",
		116 |         "Effect" : "Allow"
		117 |       }
		118 |     ]
		119 |   })
		120 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:72-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		72  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		73  |   name = "${local.application_name_short}-s3fs-policy"
		74  |   role = aws_iam_role.cis_s3fs_role.id
		75  | 
		76  |   policy = jsonencode({
		77  |     Version = "2012-10-17"
		78  |     Statement = [
		79  |       {
		80  |         "Action" : [
		81  |           "s3:*"
		82  |         ],
		83  |         "Resource" : [
		84  |           "arn:aws:s3:::laa-software-bucket2",
		85  |           "arn:aws:s3:::laa-software-bucket2/*",
		86  |           "arn:aws:s3:::laa-software-library",
		87  |           "arn:aws:s3:::laa-software-library/*",
		88  |           "arn:aws:s3:::laa-cis-inbound-production",
		89  |           "arn:aws:s3:::laa-cis-inbound-production/*",
		90  |           "arn:aws:s3:::laa-cis-outbound-production",
		91  |           "arn:aws:s3:::laa-cis-outbound-production/*",
		92  |           "arn:aws:s3:::laa-ccms-outbound-production",
		93  |           "arn:aws:s3:::laa-ccms-outbound-production/*",
		94  |           "arn:aws:s3:::laa-ccms-inbound-production",
		95  |           "arn:aws:s3:::laa-ccms-inbound-production/*"
		96  |         ],
		97  |         "Effect" : "Allow"
		98  |       },
		99  |       {
		100 |         "Action" : [
		101 |           "logs:CreateLogGroup",
		102 |           "logs:CreateLogStream",
		103 |           "logs:DescribeLogStreams",
		104 |           "logs:PutRetentionPolicy",
		105 |           "logs:PutLogEvents",
		106 |           "ec2:DescribeInstances"
		107 |         ],
		108 |         "Resource" : "*",
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "ec2:CreateTags"
		114 |         ],
		115 |         "Resource" : "*",
		116 |         "Effect" : "Allow"
		117 |       }
		118 |     ]
		119 |   })
		120 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T15:49:22Z	INFO	[vulndb] Need to update DB
2024-12-19T15:49:22Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-19T15:49:22Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-19T15:49:25Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-19T15:49:25Z	INFO	[misconfig] Need to update the built-in checks
2024-12-19T15:49:25Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T15:49:25Z	INFO	[secret] Secret scanning is enabled
2024-12-19T15:49:25Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T15:49:25Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T15:49:26Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-19T15:49:26Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-19T15:49:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T15:49:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T15:49:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T15:49:29Z	INFO	Number of language-specific files	num=0
2024-12-19T15:49:29Z	INFO	Detected config files	num=4
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T16:07:12Z INFO [vulndb] Need to update DB
2024-12-19T16:07:12Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T16:07:12Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T16:07:14Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T16:07:15Z INFO [secret] Secret scanning is enabled
2024-12-19T16:07:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T16:07:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T16:07:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T16:07:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:18Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T16:07:18Z INFO Number of language-specific files num=0
2024-12-19T16:07:18Z INFO Detected config files num=4
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 16:07:21,463 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 16:07:31,518 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:72-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		72  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		73  |   name = "${local.application_name_short}-s3fs-policy"
		74  |   role = aws_iam_role.cis_s3fs_role.id
		75  | 
		76  |   policy = jsonencode({
		77  |     Version = "2012-10-17"
		78  |     Statement = [
		79  |       {
		80  |         "Action" : [
		81  |           "s3:*"
		82  |         ],
		83  |         "Resource" : [
		84  |           "arn:aws:s3:::laa-software-bucket2",
		85  |           "arn:aws:s3:::laa-software-bucket2/*",
		86  |           "arn:aws:s3:::laa-software-library",
		87  |           "arn:aws:s3:::laa-software-library/*",
		88  |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		89  |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		90  |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		91  |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		92  |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		93  |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		94  |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		95  |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		96  |         ],
		97  |         "Effect" : "Allow"
		98  |       },
		99  |       {
		100 |         "Action" : [
		101 |           "logs:CreateLogGroup",
		102 |           "logs:CreateLogStream",
		103 |           "logs:DescribeLogStreams",
		104 |           "logs:PutRetentionPolicy",
		105 |           "logs:PutLogEvents",
		106 |           "ec2:DescribeInstances"
		107 |         ],
		108 |         "Resource" : "*",
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "ec2:CreateTags"
		114 |         ],
		115 |         "Resource" : "*",
		116 |         "Effect" : "Allow"
		117 |       }
		118 |     ]
		119 |   })
		120 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:72-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		72  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		73  |   name = "${local.application_name_short}-s3fs-policy"
		74  |   role = aws_iam_role.cis_s3fs_role.id
		75  | 
		76  |   policy = jsonencode({
		77  |     Version = "2012-10-17"
		78  |     Statement = [
		79  |       {
		80  |         "Action" : [
		81  |           "s3:*"
		82  |         ],
		83  |         "Resource" : [
		84  |           "arn:aws:s3:::laa-software-bucket2",
		85  |           "arn:aws:s3:::laa-software-bucket2/*",
		86  |           "arn:aws:s3:::laa-software-library",
		87  |           "arn:aws:s3:::laa-software-library/*",
		88  |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		89  |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		90  |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		91  |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		92  |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		93  |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		94  |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		95  |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		96  |         ],
		97  |         "Effect" : "Allow"
		98  |       },
		99  |       {
		100 |         "Action" : [
		101 |           "logs:CreateLogGroup",
		102 |           "logs:CreateLogStream",
		103 |           "logs:DescribeLogStreams",
		104 |           "logs:PutRetentionPolicy",
		105 |           "logs:PutLogEvents",
		106 |           "ec2:DescribeInstances"
		107 |         ],
		108 |         "Resource" : "*",
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "ec2:CreateTags"
		114 |         ],
		115 |         "Resource" : "*",
		116 |         "Effect" : "Allow"
		117 |       }
		118 |     ]
		119 |   })
		120 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T16:07:12Z	INFO	[vulndb] Need to update DB
2024-12-19T16:07:12Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-19T16:07:12Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-19T16:07:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-19T16:07:14Z	INFO	[misconfig] Need to update the built-in checks
2024-12-19T16:07:14Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T16:07:15Z	INFO	[secret] Secret scanning is enabled
2024-12-19T16:07:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T16:07:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T16:07:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-19T16:07:16Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-19T16:07:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T16:07:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T16:07:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:18Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T16:07:18Z	INFO	Number of language-specific files	num=0
2024-12-19T16:07:18Z	INFO	Detected config files	num=4
trivy_exitcode=0

@vladimir-kovalyov vladimir-kovalyov temporarily deployed to corporate-information-system-development December 19, 2024 16:10 — with GitHub Actions Inactive
@vladimir-kovalyov vladimir-kovalyov had a problem deploying to corporate-information-system-development December 19, 2024 17:22 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:23:12Z INFO [vulndb] Need to update DB
2024-12-19T17:23:12Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:23:12Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:23:14Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:23:14Z INFO [secret] Secret scanning is enabled
2024-12-19T17:23:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:23:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:23:15Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:23:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:23:17Z INFO Number of language-specific files num=0
2024-12-19T17:23:17Z INFO Detected config files num=4
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:23:19,820 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:23:29,883 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:23:12Z	INFO	[vulndb] Need to update DB
2024-12-19T17:23:12Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-19T17:23:12Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-19T17:23:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-19T17:23:14Z	INFO	[misconfig] Need to update the built-in checks
2024-12-19T17:23:14Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:23:14Z	INFO	[secret] Secret scanning is enabled
2024-12-19T17:23:14Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:23:14Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:23:15Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-19T17:23:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-19T17:23:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:23:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:23:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:23:17Z	INFO	Number of language-specific files	num=0
2024-12-19T17:23:17Z	INFO	Detected config files	num=4
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:27:04Z INFO [vulndb] Need to update DB
2024-12-19T17:27:04Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:27:04Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:27:06Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:27:07Z INFO [secret] Secret scanning is enabled
2024-12-19T17:27:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:27:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:27:08Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:27:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:09Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:27:09Z INFO Number of language-specific files num=0
2024-12-19T17:27:09Z INFO Detected config files num=4
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:27:12,201 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:27:22,264 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:27:04Z	INFO	[vulndb] Need to update DB
2024-12-19T17:27:04Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-19T17:27:04Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-19T17:27:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-19T17:27:06Z	INFO	[misconfig] Need to update the built-in checks
2024-12-19T17:27:06Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:27:07Z	INFO	[secret] Secret scanning is enabled
2024-12-19T17:27:07Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:27:07Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:27:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-19T17:27:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-19T17:27:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:27:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:27:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:09Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:27:09Z	INFO	Number of language-specific files	num=0
2024-12-19T17:27:09Z	INFO	Detected config files	num=4
trivy_exitcode=0

@vladimir-kovalyov vladimir-kovalyov deployed to corporate-information-system-development December 19, 2024 17:28 — with GitHub Actions Active
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-information-system

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:28:48Z INFO [vulndb] Need to update DB
2024-12-19T17:28:48Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:28:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:28:50Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T17:28:51Z INFO [secret] Secret scanning is enabled
2024-12-19T17:28:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:28:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:28:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:28:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:54Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:28:54Z INFO Number of language-specific files num=0
2024-12-19T17:28:54Z INFO Detected config files num=4
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:28:57,302 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:29:07,358 [MainThread  ] [WARNI]  Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
    raw_data = hcl2.load(f)
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
    return loads(file.read())
  File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
    return hcl2.parse(text + "\n")
  File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
    tree = Hcl2.lark_parser.parse(text)
  File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
    return self.parser.parse(text, start=start, on_error=on_error)
  File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
    return self.parser.parse(stream, chosen_start, **kw)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
    return self.parser.parse(lexer, start)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
    return self.parse_from_state(parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
    for token in state.lexer.lex(state):
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
    yield lexer.next_token(lexer_state, parser_state)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
    res = self.match(lex_state.text, line_ctr.char_pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
    return self.scanner.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
    m = mre.match(text, pos)
  File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
    raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:

Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.app_outbound
	File: /ec2.tf:170-177
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		170 | resource "aws_security_group_rule" "app_outbound" {
		171 |   type              = "egress"
		172 |   from_port         = 0
		173 |   to_port           = 0
		174 |   protocol          = "-1"
		175 |   cidr_blocks       = ["0.0.0.0/0"]
		176 |   security_group_id = aws_security_group.ec2_instance_sg.id
		177 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
	File: /iam.tf:84-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		84  | resource "aws_iam_role_policy" "cis_s3fs_policy" {
		85  |   name = "${local.application_name_short}-s3fs-policy"
		86  |   role = aws_iam_role.cis_s3fs_role.id
		87  | 
		88  |   policy = jsonencode({
		89  |     Version = "2012-10-17"
		90  |     Statement = [
		91  |       {
		92  |         "Action" : [
		93  |           "s3:*"
		94  |         ],
		95  |         "Resource" : [
		96  |           "arn:aws:s3:::laa-software-bucket2",
		97  |           "arn:aws:s3:::laa-software-bucket2/*",
		98  |           "arn:aws:s3:::laa-software-library",
		99  |           "arn:aws:s3:::laa-software-library/*",
		100 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		101 |           "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		102 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		103 |           "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		104 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		105 |           "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
		106 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
		107 |           "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
		108 |         ],
		109 |         "Effect" : "Allow"
		110 |       },
		111 |       {
		112 |         "Action" : [
		113 |           "logs:CreateLogGroup",
		114 |           "logs:CreateLogStream",
		115 |           "logs:DescribeLogStreams",
		116 |           "logs:PutRetentionPolicy",
		117 |           "logs:PutLogEvents",
		118 |           "ec2:DescribeInstances"
		119 |         ],
		120 |         "Resource" : "*",
		121 |         "Effect" : "Allow"
		122 |       },
		123 |       {
		124 |         "Action" : [
		125 |           "ec2:CreateTags"
		126 |         ],
		127 |         "Resource" : "*",
		128 |         "Effect" : "Allow"
		129 |       }
		130 |     ]
		131 |   })
		132 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-information-system

*****************************

Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:28:48Z	INFO	[vulndb] Need to update DB
2024-12-19T17:28:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-19T17:28:48Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-19T17:28:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-19T17:28:50Z	INFO	[misconfig] Need to update the built-in checks
2024-12-19T17:28:50Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T17:28:51Z	INFO	[secret] Secret scanning is enabled
2024-12-19T17:28:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:28:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:28:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-19T17:28:52Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-19T17:28:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:28:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:28:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:54Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:28:54Z	INFO	Number of language-specific files	num=0
2024-12-19T17:28:54Z	INFO	Detected config files	num=4
trivy_exitcode=0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@vladimir-kovalyov