mirror of
https://github.com/aquasecurity/trivy-action.git
synced 2026-05-14 03:02:40 +00:00
Aqua Security automated builds
453 lines
24 KiB
JSON
453 lines
24 KiB
JSON
{
|
|
"version": "2.1.0",
|
|
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
|
|
"runs": [
|
|
{
|
|
"tool": {
|
|
"driver": {
|
|
"fullName": "Trivy Vulnerability Scanner",
|
|
"informationUri": "https://github.com/aquasecurity/trivy",
|
|
"name": "Trivy",
|
|
"rules": [
|
|
{
|
|
"id": "AWS-0086",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Access block should block public ACL"
|
|
},
|
|
"fullDescription": {
|
|
"text": "S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0086",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0086\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public ACL\nMessage: No public access block so not blocking public acls\nLink: [AWS-0086](https://avd.aquasec.com/misconfig/aws-0086)\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n",
|
|
"markdown": "**Misconfiguration AWS-0086**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public ACL|No public access block so not blocking public acls|[AWS-0086](https://avd.aquasec.com/misconfig/aws-0086)|\n\nS3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0087",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Access block should block public policy"
|
|
},
|
|
"fullDescription": {
|
|
"text": "S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0087",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0087\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should block public policy\nMessage: No public access block so not blocking public policies\nLink: [AWS-0087](https://avd.aquasec.com/misconfig/aws-0087)\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n",
|
|
"markdown": "**Misconfiguration AWS-0087**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should block public policy|No public access block so not blocking public policies|[AWS-0087](https://avd.aquasec.com/misconfig/aws-0087)|\n\nS3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0089",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Bucket Logging"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Ensures S3 bucket logging is enabled for S3 buckets"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "note"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0089",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0089\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [AWS-0089](https://avd.aquasec.com/misconfig/aws-0089)\nEnsures S3 bucket logging is enabled for S3 buckets",
|
|
"markdown": "**Misconfiguration AWS-0089**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[AWS-0089](https://avd.aquasec.com/misconfig/aws-0089)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "2.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"LOW"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0090",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Data should be versioned"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0090",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0090\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AWS-0090](https://avd.aquasec.com/misconfig/aws-0090)\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n",
|
|
"markdown": "**Misconfiguration AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AWS-0090](https://avd.aquasec.com/misconfig/aws-0090)|\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.\n\nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.\n\nWith versioning you can recover more easily from both unintended user actions and application failures.\n\nWhen you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0091",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Access Block should Ignore Public ACL"
|
|
},
|
|
"fullDescription": {
|
|
"text": "S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0091",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0091\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access Block should Ignore Public ACL\nMessage: No public access block so not blocking public acls\nLink: [AWS-0091](https://avd.aquasec.com/misconfig/aws-0091)\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n",
|
|
"markdown": "**Misconfiguration AWS-0091**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access Block should Ignore Public ACL|No public access block so not blocking public acls|[AWS-0091](https://avd.aquasec.com/misconfig/aws-0091)|\n\nS3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0093",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 Access block should restrict public bucket to limit access"
|
|
},
|
|
"fullDescription": {
|
|
"text": "S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0093",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0093\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 Access block should restrict public bucket to limit access\nMessage: No public access block so not restricting public buckets\nLink: [AWS-0093](https://avd.aquasec.com/misconfig/aws-0093)\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n",
|
|
"markdown": "**Misconfiguration AWS-0093**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 Access block should restrict public bucket to limit access|No public access block so not restricting public buckets|[AWS-0093](https://avd.aquasec.com/misconfig/aws-0093)|\n\nS3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0094",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 buckets should each define an aws_s3_bucket_public_access_block"
|
|
},
|
|
"fullDescription": {
|
|
"text": "The \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "note"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0094",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0094\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 buckets should each define an aws_s3_bucket_public_access_block\nMessage: Bucket does not have a corresponding public access block.\nLink: [AWS-0094](https://avd.aquasec.com/misconfig/aws-0094)\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n",
|
|
"markdown": "**Misconfiguration AWS-0094**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 buckets should each define an aws_s3_bucket_public_access_block|Bucket does not have a corresponding public access block.|[AWS-0094](https://avd.aquasec.com/misconfig/aws-0094)|\n\nThe \"block public access\" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "2.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"LOW"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "AWS-0132",
|
|
"name": "Misconfiguration",
|
|
"shortDescription": {
|
|
"text": "S3 encryption should use Customer Managed Keys"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Encryption using AWS keys provides protection for your S3 buckets. To gain greater control over encryption, such as key rotation, access policies, and auditability, use customer managed keys (CMKs) with SSE-KMS.\nNote that SSE-KMS is not supported for S3 server access logging destination buckets; in such cases, use SSE-S3 instead.\n"
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/misconfig/aws-0132",
|
|
"help": {
|
|
"text": "Misconfiguration AWS-0132\nType: Terraform Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AWS-0132](https://avd.aquasec.com/misconfig/aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To gain greater control over encryption, such as key rotation, access policies, and auditability, use customer managed keys (CMKs) with SSE-KMS.\nNote that SSE-KMS is not supported for S3 server access logging destination buckets; in such cases, use SSE-S3 instead.\n",
|
|
"markdown": "**Misconfiguration AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AWS-0132](https://avd.aquasec.com/misconfig/aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To gain greater control over encryption, such as key rotation, access policies, and auditability, use customer managed keys (CMKs) with SSE-KMS.\nNote that SSE-KMS is not supported for S3 server access logging destination buckets; in such cases, use SSE-S3 instead.\n"
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"misconfiguration",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"results": [
|
|
{
|
|
"ruleId": "AWS-0086",
|
|
"ruleIndex": 0,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0086\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AWS-0086](https://avd.aquasec.com/misconfig/aws-0086)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0087",
|
|
"ruleIndex": 1,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0087\nSeverity: HIGH\nMessage: No public access block so not blocking public policies\nLink: [AWS-0087](https://avd.aquasec.com/misconfig/aws-0087)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0089",
|
|
"ruleIndex": 2,
|
|
"level": "note",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0089\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [AWS-0089](https://avd.aquasec.com/misconfig/aws-0089)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0090",
|
|
"ruleIndex": 3,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AWS-0090](https://avd.aquasec.com/misconfig/aws-0090)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 16,
|
|
"startColumn": 1,
|
|
"endLine": 16,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0091",
|
|
"ruleIndex": 4,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0091\nSeverity: HIGH\nMessage: No public access block so not blocking public acls\nLink: [AWS-0091](https://avd.aquasec.com/misconfig/aws-0091)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0093",
|
|
"ruleIndex": 5,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0093\nSeverity: HIGH\nMessage: No public access block so not restricting public buckets\nLink: [AWS-0093](https://avd.aquasec.com/misconfig/aws-0093)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0094",
|
|
"ruleIndex": 6,
|
|
"level": "note",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0094\nSeverity: LOW\nMessage: Bucket does not have a corresponding public access block.\nLink: [AWS-0094](https://avd.aquasec.com/misconfig/aws-0094)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "AWS-0132",
|
|
"ruleIndex": 7,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Artifact: main.tf\nType: terraform\nVulnerability AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AWS-0132](https://avd.aquasec.com/misconfig/aws-0132)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "main.tf",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 8,
|
|
"startColumn": 1,
|
|
"endLine": 10,
|
|
"endColumn": 1
|
|
}
|
|
},
|
|
"message": {
|
|
"text": "main.tf"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"columnKind": "utf16CodeUnits"
|
|
}
|
|
]
|
|
}
|