Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename KMS key for sechub #635

Merged
merged 1 commit into from
Oct 23, 2024
Merged

Rename KMS key for sechub #635

merged 1 commit into from
Oct 23, 2024

Conversation

richgreen-moj
Copy link
Contributor

A reference to the issue / Description of it

ministryofjustice/modernisation-platform#8076

When rolling out v7.9.0 of the baseline I noticed a clash in the naming of KMS key in the core-network-services account.

How does this PR fix the problem?

I've updated the alias to include sechub so that it's unique and won't clash.

How has this been tested?

I've tested it by deploying in sprinkler locally.

@richgreen-moj richgreen-moj requested a review from a team as a code owner October 23, 2024 15:02
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

Running Trivy in modules/securityhub
2024-10-23T15:04:23Z INFO [vulndb] Need to update DB
2024-10-23T15:04:23Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:04:23Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:23Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:cae74bde88d988a66b3a4fb824b17b48f38c92258dfecbb748975694233641be: TOOMANYREQUESTS: retry-after: 41.097µs, allowed: 44000/minute"
2024-10-23T15:04:23Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

Running Trivy in test/securityhub-test
2024-10-23T15:04:23Z INFO [vulndb] Need to update DB
2024-10-23T15:04:23Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:04:23Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:25Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:25Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T15:04:25Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T15:04:25Z INFO [misconfig] Need to update the built-in checks
2024-10-23T15:04:25Z INFO [misconfig] Downloading the built-in checks...
2024-10-23T15:04:25Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 818.699µs, allowed: 44000/minute\n\n"
2024-10-23T15:04:25Z INFO [secret] Secret scanning is enabled
2024-10-23T15:04:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:04:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:04:26Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T15:04:27Z INFO Number of language-specific files num=0
2024-10-23T15:04:27Z INFO Detected config files num=1
trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 15:04:29,671 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 28, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Trivy in modules/securityhub
2024-10-23T15:04:23Z	INFO	[vulndb] Need to update DB
2024-10-23T15:04:23Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:04:23Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:23Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:cae74bde88d988a66b3a4fb824b17b48f38c92258dfecbb748975694233641be: TOOMANYREQUESTS: retry-after: 41.097µs, allowed: 44000/minute"
2024-10-23T15:04:23Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

*****************************

Running Trivy in test/securityhub-test
2024-10-23T15:04:23Z	INFO	[vulndb] Need to update DB
2024-10-23T15:04:23Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:04:23Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:25Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:04:25Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T15:04:25Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T15:04:25Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T15:04:25Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-23T15:04:25Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 818.699µs, allowed: 44000/minute\n\n"
2024-10-23T15:04:25Z	INFO	[secret] Secret scanning is enabled
2024-10-23T15:04:25Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:04:25Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:04:26Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T15:04:27Z	INFO	Number of language-specific files	num=0
2024-10-23T15:04:27Z	INFO	Detected config files	num=1
trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

Running Trivy in modules/securityhub
2024-10-23T15:08:16Z INFO [vulndb] Need to update DB
2024-10-23T15:08:16Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:08:16Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:08:18Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:08:18Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T15:08:18Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T15:08:18Z INFO [misconfig] Need to update the built-in checks
2024-10-23T15:08:18Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T15:08:18Z INFO [secret] Secret scanning is enabled
2024-10-23T15:08:18Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:08:18Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:08:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T15:08:20Z INFO Number of language-specific files num=0
2024-10-23T15:08:20Z INFO Detected config files num=1
trivy_exitcode=0

Running Trivy in test/securityhub-test
2024-10-23T15:08:20Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T15:08:20Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T15:08:20Z INFO [secret] Secret scanning is enabled
2024-10-23T15:08:20Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:08:20Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:08:21Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T15:08:21Z INFO Number of language-specific files num=0
2024-10-23T15:08:21Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 15:08:23,827 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 28, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Trivy in modules/securityhub
2024-10-23T15:08:16Z	INFO	[vulndb] Need to update DB
2024-10-23T15:08:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:08:16Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:08:18Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:08:18Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T15:08:18Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T15:08:18Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T15:08:18Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T15:08:18Z	INFO	[secret] Secret scanning is enabled
2024-10-23T15:08:18Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:08:18Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:08:19Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T15:08:20Z	INFO	Number of language-specific files	num=0
2024-10-23T15:08:20Z	INFO	Detected config files	num=1
trivy_exitcode=0

*****************************

Running Trivy in test/securityhub-test
2024-10-23T15:08:20Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T15:08:20Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T15:08:20Z	INFO	[secret] Secret scanning is enabled
2024-10-23T15:08:20Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:08:20Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:08:21Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T15:08:21Z	INFO	Number of language-specific files	num=0
2024-10-23T15:08:21Z	INFO	Detected config files	num=1
trivy_exitcode=0

markgov
markgov approved these changes Oct 23, 2024
View reviewed changes
Copy link
Contributor

@markgov markgov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@richgreen-moj richgreen-moj merged commit ab67b7b into main Oct 23, 2024
4 checks passed
@richgreen-moj richgreen-moj deleted the feature/8076-change-kms-alias branch October 23, 2024 15:11
@richgreen-moj richgreen-moj mentioned this pull request Oct 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markgov markgov markgov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richgreen-moj @markgov