-
Notifications
You must be signed in to change notification settings - Fork 315
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6364 from Checkmarx/feature/kicsbot-update-querie…
…s-docs docs(queries): update queries catalog
- Loading branch information
Showing
1,665 changed files
with
307,245 additions
and
3,296 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
85 changes: 85 additions & 0 deletions
85
docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| --- | ||
| title: ECS Task Definition Network Mode Not Recommended | ||
| hide: | ||
| toc: true | ||
| navigation: true | ||
| --- | ||
|
|
||
| <style> | ||
| .highlight .hll { | ||
| background-color: #ff171742; | ||
| } | ||
| .md-content { | ||
| max-width: 1100px; | ||
| margin: 0 auto; | ||
| } | ||
| </style> | ||
|
|
||
| - **Query id:** 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f | ||
| - **Query name:** ECS Task Definition Network Mode Not Recommended | ||
| - **Platform:** Ansible | ||
| - **Severity:** <span style="color:#C00">High</span> | ||
| - **Category:** Insecure Configurations | ||
| - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended) | ||
|
|
||
| ### Description | ||
| Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations<br> | ||
| [Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode) | ||
|
|
||
| ### Code samples | ||
| #### Code samples with security vulnerabilities | ||
| ```yaml title="Postitive test num. 1 - yaml file" hl_lines="31 15" | ||
| --- | ||
| - name: Create task definition | ||
| community.aws.ecs_taskdefinition: | ||
| family: nginx | ||
| containers: | ||
| - name: nginx | ||
| essential: true | ||
| image: "nginx" | ||
| portMappings: | ||
| - containerPort: 8080 | ||
| hostPort: 8080 | ||
| cpu: 512 | ||
| memory: 1024 | ||
| state: present | ||
| network_mode: default | ||
|
|
||
| - name: Create task definition2 | ||
| community.aws.ecs_taskdefinition: | ||
| family: nginx | ||
| containers: | ||
| - name: nginx | ||
| essential: true | ||
| image: "nginx" | ||
| portMappings: | ||
| - containerPort: 8080 | ||
| hostPort: 8080 | ||
| launch_type: FARGATE | ||
| cpu: 512 | ||
| memory: 1024 | ||
| state: present | ||
| network_mode: none | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
| #### Code samples without security vulnerabilities | ||
| ```yaml title="Negative test num. 1 - yaml file" | ||
| - name: Create task definition | ||
| community.aws.ecs_taskdefinition: | ||
| family: nginx | ||
| containers: | ||
| - name: nginx | ||
| essential: true | ||
| image: nginx | ||
| portMappings: | ||
| - containerPort: 8080 | ||
| hostPort: 8080 | ||
| launch_type: FARGATE | ||
| cpu: 512 | ||
| memory: 1024 | ||
| state: present | ||
| network_mode: awsvpc | ||
|
|
||
| ``` |
96 changes: 96 additions & 0 deletions
96
docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| --- | ||
| title: Auto Scaling Group With No Associated ELB | ||
| hide: | ||
| toc: true | ||
| navigation: true | ||
| --- | ||
|
|
||
| <style> | ||
| .highlight .hll { | ||
| background-color: #ff171742; | ||
| } | ||
| .md-content { | ||
| max-width: 1100px; | ||
| margin: 0 auto; | ||
| } | ||
| </style> | ||
|
|
||
| - **Query id:** 050f085f-a8db-4072-9010-2cca235cc02f | ||
| - **Query name:** Auto Scaling Group With No Associated ELB | ||
| - **Platform:** Ansible | ||
| - **Severity:** <span style="color:#C60">Medium</span> | ||
| - **Category:** Availability | ||
| - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb) | ||
|
|
||
| ### Description | ||
| AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.<br> | ||
| [Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers) | ||
|
|
||
| ### Code samples | ||
| #### Code samples with security vulnerabilities | ||
| ```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" | ||
| - name: elb1 | ||
| community.aws.ec2_asg: | ||
| name: special | ||
| load_balancers: [] | ||
| availability_zones: [ 'eu-west-1a', 'eu-west-1b' ] | ||
| launch_config_name: 'lc-1' | ||
| min_size: 1 | ||
| max_size: 10 | ||
| desired_capacity: 5 | ||
| vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ] | ||
| tags: | ||
| - environment: production | ||
| propagate_at_launch: no | ||
|
|
||
| ``` | ||
| ```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" | ||
| - name: elb2 | ||
| ec2_asg: | ||
| name: special | ||
| availability_zones: [ 'eu-west-1a', 'eu-west-1b' ] | ||
| launch_config_name: 'lc-1' | ||
| min_size: 1 | ||
| max_size: 10 | ||
| desired_capacity: 5 | ||
| vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ] | ||
| tags: | ||
| - environment: production | ||
| propagate_at_launch: no | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
| #### Code samples without security vulnerabilities | ||
| ```yaml title="Negative test num. 1 - yaml file" | ||
| - name: elb12 | ||
| community.aws.ec2_asg: | ||
| name: special | ||
| load_balancers: [ 'lb1', 'lb2' ] | ||
| availability_zones: [ 'eu-west-1a', 'eu-west-1b' ] | ||
| launch_config_name: 'lc-1' | ||
| min_size: 1 | ||
| max_size: 10 | ||
| desired_capacity: 5 | ||
| vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ] | ||
| tags: | ||
| - environment: production | ||
| propagate_at_launch: no | ||
|
|
||
| ``` | ||
| ```yaml title="Negative test num. 2 - yaml file" | ||
| - name: elb22 | ||
| ec2_asg: | ||
| name: special | ||
| load_balancers: [ 'lb1', 'lb2' ] | ||
| availability_zones: [ 'eu-west-1a', 'eu-west-1b' ] | ||
| launch_config_name: 'lc-1' | ||
| min_size: 1 | ||
| max_size: 10 | ||
| desired_capacity: 5 | ||
| vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ] | ||
| tags: | ||
| - environment: production | ||
| propagate_at_launch: no | ||
|
|
||
| ``` |
115 changes: 115 additions & 0 deletions
115
docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| --- | ||
| title: DB Security Group With Public Scope | ||
| hide: | ||
| toc: true | ||
| navigation: true | ||
| --- | ||
|
|
||
| <style> | ||
| .highlight .hll { | ||
| background-color: #ff171742; | ||
| } | ||
| .md-content { | ||
| max-width: 1100px; | ||
| margin: 0 auto; | ||
| } | ||
| </style> | ||
|
|
||
| - **Query id:** 0956aedf-6a7a-478b-ab56-63e2b19923ad | ||
| - **Query name:** DB Security Group With Public Scope | ||
| - **Platform:** Ansible | ||
| - **Severity:** <span style="color:#C00">High</span> | ||
| - **Category:** Networking and Firewall | ||
| - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_security_group_with_public_scope) | ||
|
|
||
| ### Description | ||
| The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it<br> | ||
| [Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) | ||
|
|
||
| ### Code samples | ||
| #### Code samples with security vulnerabilities | ||
| ```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 22" | ||
| - name: create minimal aurora instance in default VPC and default subnet group | ||
| community.aws.rds_instance: | ||
| engine: aurora | ||
| db_instance_identifier: ansible-test-aurora-db-instance | ||
| instance_type: db.t2.small | ||
| password: "{{ password }}" | ||
| username: "{{ username }}" | ||
| cluster_id: ansible-test-cluster | ||
| db_security_groups: ["example"] | ||
| - name: example ec2 group | ||
| ec2_group: | ||
| name: example | ||
| description: an example EC2 group | ||
| vpc_id: 12345 | ||
| region: eu-west-1a | ||
| aws_secret_key: SECRET | ||
| aws_access_key: ACCESS | ||
| rules: | ||
| - proto: tcp | ||
| from_port: 80 | ||
| to_port: 80 | ||
| cidr_ip: 0.0.0.0/0 | ||
| - proto: tcp | ||
| from_port: 22 | ||
| to_port: 22 | ||
| cidr_ip: 10.0.0.0/8 | ||
| - proto: tcp | ||
| from_port: 443 | ||
| to_port: 443 | ||
| group_id: amazon-elb/sg-87654321/amazon-elb-sg | ||
| - proto: tcp | ||
| from_port: 3306 | ||
| to_port: 3306 | ||
| group_id: 123412341234/sg-87654321/exact-name-of-sg | ||
| - proto: udp | ||
| from_port: 10050 | ||
| to_port: 10050 | ||
| cidr_ip: 10.0.0.0/8 | ||
| - proto: udp | ||
| from_port: 10051 | ||
| to_port: 10051 | ||
| group_id: sg-12345678 | ||
| - proto: icmp | ||
| from_port: 8 # icmp type, -1 = any type | ||
| to_port: -1 # icmp subtype, -1 = any subtype | ||
| cidr_ip: 192.168.1.0/24 | ||
| - proto: all | ||
| group_name: example | ||
| rules_egress: | ||
| - proto: tcp | ||
| from_port: 80 | ||
| to_port: 80 | ||
| cidr_ip: 0.0.0.0/0 | ||
| group_name: example-other | ||
| group_desc: other example EC2 group | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
| #### Code samples without security vulnerabilities | ||
| ```yaml title="Negative test num. 1 - yaml file" | ||
| - name: example ec2 group2 | ||
| ec2_group: | ||
| name: example1 | ||
| description: an example EC2 group | ||
| vpc_id: 12345 | ||
| region: eu-west-1a | ||
| aws_secret_key: SECRET | ||
| aws_access_key: ACCESS | ||
| rules: | ||
| - proto: tcp | ||
| from_port: 80 | ||
| to_port: 80 | ||
| cidr_ip: 10.1.1.1/32 | ||
| rules_egress: | ||
| - proto: tcp | ||
| from_port: 80 | ||
| to_port: 80 | ||
| cidr_ip: 10.1.1.1/32 | ||
| group_name: example-other | ||
| # description to use if example-other needs to be created | ||
| group_desc: other example EC2 group | ||
|
|
||
| ``` |
Oops, something went wrong.