
False positive on CKV2_AWS_28: "Ensure public facing ALB are protected by WAF" #6180

Open
rutomo-humi opened this issue Apr 16, 2024 · 0 comments
Labels
checks Check additions or changes

Comments

@rutomo-humi

Describe the issue
We use terragrunt/terraform for our IaC. We structured our module into an app module consisting of multiple sub-modules, like Load Balancer and WAFv2.

When we run checkov, it flags CKV2_AWS_28 on module.loadbalancer because we don't have our Load Balancer attached to a WAF; however, it does. An aws_wafregional_web_acl_association resource exists within our WAF module.

Examples

```hcl
# Load balancer sub-module, fetched from S3 (Terraform's S3 source syntax is "s3::https://...").
module "loadbalancer" {
  source = "s3::https://s3.amazonaws.com/loadbalancer.tgz"
  name   = "loadbalancer"
}

# WAF sub-module; it receives the ALB ARN and creates the web ACL association internally.
module "waf" {
  source        = "s3::https://s3.amazonaws.com/waf.tgz"
  resource_arns = [module.loadbalancer.arn]
}
```

Version (please complete the following information):
3.2.60

Additional context
I'm aware that checkov does not support modules in S3. Would this false positive be caused by that? Or does checkov expect aws_wafregional_web_acl_association to be in our loadbalancer module?
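Added example, not from the issue author or the checkov project: the public ALB and its WAF association declared side by side in one local module, so the `resource_arn` reference from the association to the ALB is a single in-graph edge that does not depend on resolving a remote module source. Resource names, the security group and subnet IDs are placeholders.

```hcl
# Added example (not the issue's own code). All names and IDs are placeholders.
resource "aws_lb" "public" {
  name               = "public-alb"
  internal           = false          # public facing, which is what CKV2_AWS_28 targets
  load_balancer_type = "application"
  security_groups    = ["sg-PLACEHOLDER"]
  subnets            = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
}

resource "aws_wafregional_web_acl" "alb" {
  name        = "public-alb-acl"
  metric_name = "publicAlbAcl"

  default_action {
    type = "ALLOW"
  }
}

# The direct reference to aws_lb.public.arn is the link between the ALB and
# its WAF association that a graph-based check can follow.
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = aws_lb.public.arn
  web_acl_id   = aws_wafregional_web_acl.alb.id
}
```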

@rutomo-humi rutomo-humi added the checks Check additions or changes label Apr 16, 2024