Merge branch 'master' into PRWLR-4351-gcp-provider-usage-and-init

prowler-cloud · Aug 23, 2024 · b20a848 · b20a848
2 parents 76805e4 + 61df2ce
commit b20a848
Show file tree

Hide file tree

Showing 213 changed files with 8,445 additions and 963 deletions.
diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml
@@ -11,7 +11,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: TruffleHog OSS
-        uses: trufflesecurity/[email protected].7
+        uses: trufflesecurity/[email protected].9
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Test if changes are in not ignored paths
         id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           files: ./**
           files_ignore: |

diff --git a/docs/developer-guide/checks.md b/docs/developer-guide/checks.md
@@ -222,7 +222,7 @@ class ec2_securitygroup_with_many_ingress_egress_rules(Check):
         max_security_group_rules = ec2_client.audit_config.get(
             "max_security_group_rules", 50
         )
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
 ```
 
 ```yaml title="config.yaml"

diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
@@ -18,6 +18,7 @@ The following list includes all the AWS checks with configurable variables that
 | `ec2_elastic_ip_shodan`                                       | `shodan_api_key`                                 | String          |
 | `ec2_securitygroup_with_many_ingress_egress_rules`            | `max_security_group_rules`                       | Integer         |
 | `ec2_instance_older_than_specific_days`                       | `max_ec2_instance_age_in_days`                   | Integer         |
+| `ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports`| `ec2_sg_high_risk_ports`                 | List of Integer |
 | `vpc_endpoint_connections_trust_boundaries`                   | `trusted_account_ids`                            | List of Strings |
 | `vpc_endpoint_services_allowed_principals_trust_boundaries`   | `trusted_account_ids`                            | List of Strings |
 | `cloudwatch_log_group_retention_policy_specific_days_enabled` | `log_group_retention_days`                       | Integer         |
@@ -39,12 +40,14 @@ The following list includes all the AWS checks with configurable variables that
 | `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_entropy`           | Integer         |
 | `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_minutes`           | Integer         |
 | `cloudtrail_threat_detection_enumeration`                     | `threat_detection_enumeration_actions`           | List of Strings |
+| `codebuild_project_no_secrets_in_variables`                   | `excluded_sensitive_environment_variables`       | List of Strings |
 | `rds_instance_backup_enabled`                                 | `check_rds_instance_replicas`                    | Boolean         |
 | `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_interface_types`                    | List of Strings |
 | `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_instance_owners`                    | List of Strings |
 | `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
 | `eks_control_plane_logging_all_types_enabled`                 | `eks_required_log_types`                         | List of Strings |
-| `eks_cluster_uses_a_supported_version`                        | `eks_cluster_oldest_version_supported`                 | String          |
+| `eks_cluster_uses_a_supported_version`                        | `eks_cluster_oldest_version_supported`           | String          |
+| `elbv2_is_in_multiple_az`                                     | `elbv2_min_azs`                                  | Integer         |
 
 ## Azure
 
@@ -125,6 +128,21 @@ aws:
     [
         "amazon-elb"
     ]
+  # aws.ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports
+  ec2_sg_high_risk_ports:
+    [
+        25,
+        110,
+        135,
+        143,
+        445,
+        3000,
+        4333,
+        5000,
+        5500,
+        8080,
+        8088,
+    ]
 
   # AWS VPC Configuration (vpc_endpoint_connections_trust_boundaries, vpc_endpoint_services_allowed_principals_trust_boundaries)
   # Single account environment: No action required. The AWS account number will be automatically added by the checks.
@@ -372,6 +390,14 @@ aws:
   # EKS clusters must be version 1.28 or higher
   eks_cluster_oldest_version_supported: "1.28"
 
+  # AWS CodeBuild Configuration
+  # aws.codebuild_project_no_secrets_in_variables
+  # CodeBuild sensitive variables that are excluded from the check
+  excluded_sensitive_environment_variables:
+    [
+
+    ]
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

diff --git a/docs/tutorials/mutelist.md b/docs/tutorials/mutelist.md
@@ -9,10 +9,13 @@ Mutelist option works along with other options and will modify the output in the
 
 ## How the Mutelist Works
 
-The Mutelist uses an "ANDed" and "ORed" logic to determine which resources, checks, regions, and tags should be muted. For each check, the Mutelist checks if the account, region, and resource match the specified criteria, using an "ANDed" logic. If tags are specified, the mutelist uses and "ORed" logic to see if at least one tag is present in the resource.
+The **Mutelist** uses both "AND" and "OR" logic to determine which resources, checks, regions, and tags should be muted. For each check, the Mutelist evaluates whether the account, region, and resource match the specified criteria using "AND" logic. If tags are specified, the Mutelist can apply either "AND" or "OR" logic.
 
 If any of the criteria do not match, the check is not muted.
 
+???+ note
+    Remember that mutelist can be used with regular expressions.
+
 ## Mutelist Specification
 
 ???+ note
@@ -52,6 +55,29 @@ Mutelist:
           Tags:
             - "test=test"         # Will mute every resource containing the string "test" and the tags 'test=test' and
             - "project=test|project=stage" # either of ('project=test' OR project=stage) in account 123456789012 and every region
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:
+              - "test=test"
+              - "project=test"    # This will mute every resource containing the string "test" and BOTH tags at the same time.
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:                 # This will mute every resource containing the string "test" and the ones that contain EITHER the `test=test` OR `project=test` OR `project=dev`
+              - "test=test|project=(test|dev)"
+        "*":
+            Regions:
+              - "*"
+            Resources:
+              - "test"
+            Tags:
+              - "test=test"       # This will mute every resource containing the string "test" and the tags `test=test` and either `project=test` OR `project=stage` in every account and region.
+              - "project=test|project=stage"
 
     "*":
       Checks: