Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding some checkov errors to ignore #252

Closed
wants to merge 4 commits into from
Closed

Adding some checkov errors to ignore #252

wants to merge 4 commits into from

Conversation

SteveLinden
Copy link
Contributor

No description provided.

@SteveLinden SteveLinden requested a review from a team as a code owner September 11, 2023 09:37
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             134.002µs
  parsing              13.494607ms
  adaptation           433.507µs
  checks               17.811171ms
  total                31.873287ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     42
  files read           4

  results
  ──────────────────────────────────────────
  passed               6
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 83, Failed checks: 1, Skipped checks: 22

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.s3_with_AES256.aws_s3_bucket_lifecycle_configuration.default
	File: /main.tf:40-99
	Calling File: /test/unit-test/main.tf:14-23

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

@SteveLinden SteveLinden mentioned this pull request Sep 11, 2023
Closed
31 tasks
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             123.102µs
  parsing              13.242386ms
  adaptation           216.701µs
  checks               7.540848ms
  total                21.123037ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     42
  files read           4

  results
  ──────────────────────────────────────────
  passed               6
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 83, Failed checks: 1, Skipped checks: 22

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.s3_with_AES256.aws_s3_bucket_lifecycle_configuration.default
	File: /main.tf:41-100
	Calling File: /test/unit-test/main.tf:14-23

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

ewastempel
ewastempel reviewed Sep 11, 2023
View reviewed changes
main.tf
@@ -10,6 +10,8 @@ resource "aws_s3_bucket" "default" {
#checkov:skip=CKV_AWS_18: "Logging handled in logging configuration resource"
#checkov:skip=CKV_AWS_21: "Versioning handled in Versioning configuration resource"
#checkov:skip=CKV_AWS_145: "Encryption handled in encryption configuration resource"
# Up to customer whether they have notifications enabled.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This option is currently not supported in this module. The fix should be to allow to opt in for it by passing the sns topic arn.

main.tf
@@ -232,6 +234,8 @@ resource "aws_s3_bucket" "replication" {
#checkov:skip=CKV_AWS_18: "Logging handled in logging configuration resource"
#checkov:skip=CKV_AWS_21: "Versioning handled in versioning configuration resource"
#checkov:skip=CKV_AWS_145: "Encryption handled in encryption configuration resource"
# Up to customer whether they have notifications enabled.
#checkov:skip=CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see my previous comment

test/unit-test/main.tf
@@ -1,4 +1,7 @@
module "s3" {
# Not relecant to us
#checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment should say that this is not need in our tests.

@SteveLinden SteveLinden mentioned this pull request Sep 13, 2023
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ewastempel ewastempel ewastempel left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SteveLinden @ewastempel