From 5eb7ef2605dd123171cc50b6be71f3b1fefb6a13 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Fri, 13 Feb 2026 01:37:57 +0600
Subject: [PATCH] ci: use checks bundle v2 in sync workflow (#505)
* ci: use checks bundle v2 in sync workflow
Signed-off-by: Nikita Pivkin
* test: update golden files
Signed-off-by: Nikita Pivkin
---------
Signed-off-by: Nikita Pivkin
---
 .github/workflows/sync-trivy-checks.yaml | 2 +-
 test/data/config-sarif-report/report.sarif | 12 ++++++------
 test/data/config-scan/report.json | 7 ++++---
 3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/sync-trivy-checks.yaml b/.github/workflows/sync-trivy-checks.yaml
index 25cf1d3..23f8558 100644
--- a/.github/workflows/sync-trivy-checks.yaml
+++ b/.github/workflows/sync-trivy-checks.yaml
@@ -24,4 +24,4 @@ jobs:
 - name: Copy Trivy Checks
 run: | 
- oras cp ghcr.io/aquasecurity/trivy-checks:1 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest 
\ No newline at end of file 
+ oras cp ghcr.io/aquasecurity/trivy-checks:2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest 
diff --git a/test/data/config-sarif-report/report.sarif b/test/data/config-sarif-report/report.sarif
index dcaa667..dbf362b 100644
--- a/test/data/config-sarif-report/report.sarif
+++ b/test/data/config-sarif-report/report.sarif 
@@ -124,15 +124,15 @@
 "text": "S3 Data should be versioned"
 },
 "fullDescription": { 
- "text": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" 
+ "text": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n"
 },
 "defaultConfiguration": {
 "level": "warning"
 },
 "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
 "help": { 
- "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n", 
- "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\nVersioning in Amazon S3 
is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n" 
+ "text": "Misconfiguration AVD-AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n", 
+ "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n"
 },
 "properties": {
 "precision": "very-high", 
@@ -148,7 +148,7 @@
 "id": "AVD-AWS-0091",
 "name": "Misconfiguration",
 "shortDescription": { 
- "text": "S3 Access Block should Ignore Public Acl" 
+ "text": "S3 Access Block should Ignore Public ACL"
 },
 "fullDescription": {
 "text": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" 
@@ -158,8 +158,8 @@
 },
 "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0091",
 "help": { 
- "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public Acl\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", 
- "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public Acl|No public access block so not blocking public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n" 
+ "text": "Misconfiguration AVD-AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public ACL\nMessage: No public access block so not blocking public acls\nLink: [AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n", 
+ "markdown": "**Misconfiguration AVD-AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public ACL|No public access block so not blocking public acls|[AVD-AWS-0091](https://avd.aquasec.com/misconfig/avd-aws-0091)|\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. 
By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
 },
 "properties": {
 "precision": "very-high", 
diff --git a/test/data/config-scan/report.json b/test/data/config-scan/report.json
index b2cd4a4..ce69f8a 100644
--- a/test/data/config-scan/report.json
+++ b/test/data/config-scan/report.json
@@ -8,7 +8,7 @@
 "Class": "config",
 "Type": "terraform",
 "MisconfSummary": { 
- "Successes": 38, 
+ "Successes": 40,
 "Failures": 0
 }
 },
@@ -263,7 +263,7 @@
 "ID": "AVD-AWS-0090",
 "AVDID": "AVD-AWS-0090",
 "Title": "S3 Data should be versioned", 
- "Description": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n", 
+ "Description": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n",
 "Message": "Bucket does not have versioning enabled",
 "Namespace": "builtin.aws.s3.aws0090",
 "Query": "data.builtin.aws.s3.aws0090.deny",
@@ -272,6 +272,7 @@
 "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
 "References": [
 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html", 
+ "https://aws.amazon.com/blogs/storage/reduce-storage-costs-with-fewer-noncurrent-versions-using-amazon-s3-lifecycle/",
 "https://avd.aquasec.com/misconfig/avd-aws-0090"
 ],
 "Status": "FAIL", 
@@ -382,7 +383,7 @@
 "Type": "Terraform Security Check",
 "ID": "AVD-AWS-0091",
 "AVDID": "AVD-AWS-0091", 
- "Title": "S3 Access Block should Ignore Public Acl", 
+ "Title": "S3 Access Block should Ignore Public ACL",
 "Description": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
 "Message": "No public access block so not blocking public acls",
 "Namespace": "builtin.aws.s3.aws0091",