Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix check for public addresses #100

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix check for public addresses #100

wants to merge 5 commits into from

Conversation

kidbomb
Copy link

@kidbomb kidbomb commented Mar 19, 2024

According to the check documentation:

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible

However, the check fails even if you try to set the cidr_blocks parameter to a more restrictive range, such as:

 resource "aws_security_group_rule" "another_good_example" {
  type = "ingress"
  cidr_blocks = ["1.2.3.4/24"]
 }

Running trivy config . with the configuration above yields:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:1-4 (aws_security_group_rule.another_good_example)
────────────────────────────────────────────────────────────────────────────────────────────────────
   1    resource "aws_security_group_rule" "another_good_example" {
   2     type = "ingress"
   3 [   cidr_blocks = ["1.2.3.4/24"]
   4    }

@kidbomb kidbomb requested a review from simar7 as a code owner March 19, 2024 22:33
@CLAassistant
Copy link

CLAassistant commented Mar 19, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@nikpivkin
Copy link
Contributor

@simar7 We check the CIDR for publicity in many checks. Should we fix them?

@simar7
Copy link
Member

simar7 commented Mar 26, 2024

@simar7 We check the CIDR for publicity in many checks. Should we fix them?

Can you give an example and the proposed improvement?

@nikpivkin
Copy link
Contributor

@simar7 I mean this PR makes an improvement only for one check, but we have many similar checks related to CIDR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 Awaiting requested review from simar7 simar7 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@kidbomb @CLAassistant @nikpivkin @simar7 @filipe-rodrigues-hp