Azure / Azure-Verified-Modules

Azure Verified Modules (AVM) is an initiative to consolidate and set the standards for what a good Infrastructure-as-Code module looks like. Modules that align to these standards, across languages (Bicep, Terraform, etc.), are classified as AVMs and are available from their respective language-specific registries.
https://aka.ms/AVM
MIT License

[AVM Question/Feedback]: AVM Code Quality and Security Scan #1318

Open kumarkhatwani opened 3 months ago

kumarkhatwani commented 3 months ago

Check for previous/existing GitHub issues

Description

Hi,

This is a general question for any module and not specific to Key Vault. We would like to know whether the underlying Terraform AVM module code in GitHub has been scanned for code quality and security vulnerabilities. If so, can you please share details of the tools and thresholds used, and publish the findings for each module? This will give assurance to the Security team and to module consumers/developers that security best practices are being followed. Thanks!!

matt-FFFFFF commented 3 months ago

Hi @kumarkhatwani

I transferred this issue to the main AVM repo.

We use our own linter and terraform validate to ensure code quality. What risks are you trying to mitigate? I would be interested to find out more about the security vulnerabilities that you are talking about. These tend to be in the providers and in Terraform core, not in the IaC code itself.

kumarkhatwani commented 2 months ago

Hi @matt-FFFFFF, thank you for acknowledging this request promptly, and by the way, I loved watching your video series on the Cloud Adoption Framework using Terraform and AVM. We cloned the GitHub repo for the Key Vault AVM and ran a security scan on the code using Qwiet.ai/ShiftLeft; it flagged High and Medium vulnerabilities, with most of the High vulnerabilities pointing to the use of commit code in Git. The other vulnerabilities flagged relate to security best practices for Azure, which can be applied using Azure Policies. The reason for cloning the AVM code into our repos is to have an internal registry of Terraform modules instead of opening outbound connectivity from our IaC Build Server/ADO Agent to https://registry.terraform.io/modules/Azure/, and to meet the organization's AppSec requirement we are scanning the code with the required security tools.
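The two practical questions in this thread are what thresholds a scan should be gated on, and how to make sure a module copied into an internal registry does not still reach out to registry.terraform.io through a child module. The script below is an added illustration and is not code from the AVM project or from either commenter. It assumes the scanner can emit SARIF 2.1.0 (checkov, tfsec and trivy all can), maps severity from the optional `security-severity` rule property using the CVSS-style bands GitHub code scanning uses, and falls back to the SARIF `level` when that property is absent. The SARIF document, rule IDs, the registry host `registry.internal.example`, the module names and the threshold values are all constructed for the example and are not real findings against any AVM module.

```python
"""Threshold gate for IaC scanner output plus a module-source allow-list check.

Added example, not AVM project code. Assumes SARIF 2.1.0 input and that every
module source in an internally mirrored copy must resolve to an allow-listed
registry host or a local path. All sample data below is constructed.
"""
import re
from collections import Counter

LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def severity_of(result, rules_by_id):
    """Severity band for one SARIF result.

    Prefers the rule's CVSS-style 'security-severity' (9.0+ critical,
    7.0-8.9 high, 4.0-6.9 medium, else low); otherwise maps the 'level'.
    """
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        score = float(score)
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low"
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def summarize_sarif(sarif):
    """Return (Counter of severities, list of flattened findings)."""
    counts, findings = Counter(), []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            sev = severity_of(res, rules)
            counts[sev] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "severity": sev,
                "rule": res.get("ruleId"),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text"),
            })
    return counts, findings


def gate(counts, max_critical=0, max_high=0, max_medium=5):
    """Policy gate: (passed, reasons). The defaults are assumed policy values."""
    reasons = []
    for sev, limit in (("critical", max_critical), ("high", max_high), ("medium", max_medium)):
        if counts.get(sev, 0) > limit:
            reasons.append(f"{sev}: {counts[sev]} > {limit}")
    return (not reasons, reasons)


SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)


def external_sources(tf_text, allowed_hosts):
    """Module sources that would leave the build network.

    Local paths pass. A bare 'namespace/name/provider' address implies
    registry.terraform.io; 'host/namespace/name/provider' is checked against
    allowed_hosts. git::, https:// and GitHub-shorthand sources are external.
    """
    external = []
    for src in SOURCE_RE.findall(tf_text):
        if src.startswith(("./", "../")):
            continue
        parts = src.split("/")
        if "::" in src or "://" in src:
            external.append(src)
        elif len(parts) == 3 and "." not in parts[0]:
            if "registry.terraform.io" not in allowed_hosts:
                external.append(src)
        elif len(parts) == 4 and "." in parts[0] and parts[0] in allowed_hosts:
            continue
        else:
            external.append(src)
    return external


# Constructed SARIF output; rule IDs and messages are illustrative only.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "EX-001", "properties": {"security-severity": "7.5"}},
            {"id": "EX-002", "properties": {"security-severity": "5.0"}},
            {"id": "EX-003"},
        ]}},
        "results": [
            {"ruleId": "EX-001", "level": "error", "message": {"text": "constructed high finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                  "region": {"startLine": 12}}}]},
            {"ruleId": "EX-002", "level": "warning", "message": {"text": "constructed medium finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                  "region": {"startLine": 40}}}]},
            {"ruleId": "EX-003", "level": "note", "message": {"text": "constructed low finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "variables.tf"},
                                                  "region": {"startLine": 3}}}]},
        ],
    }],
}

# Constructed module copy: one source mirrored internally, one child still
# using a bare public-registry address, one local path.
SAMPLE_TF = '''
module "vault" {
  source  = "registry.internal.example/Azure/example-module/azurerm"
  version = "1.2.3"
}
module "child" {
  source = "Azure/example-child/azurerm"   # bare address -> registry.terraform.io
}
module "diag" {
  source = "./modules/diagnostics"
}
'''

if __name__ == "__main__":
    counts, findings = summarize_sarif(SAMPLE_SARIF)
    passed, reasons = gate(counts)
    print("counts:", dict(counts), "passed:", passed, reasons)
    for f in findings:
        print(f"  {f['severity']:8} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print("external sources:", external_sources(SAMPLE_TF, {"registry.internal.example"}))
```

Run with the default thresholds and the constructed sample fails on the single High finding; raising `max_high` to 1 lets it through, which is exactly the kind of per-module threshold decision the thread is asking to have published. The source check is worth running on every mirrored module before it is promoted into the internal registry, because a child module that still uses a bare registry address will fail `terraform init` on a build agent with no outbound connectivity, or silently pull public code on one that does.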

matt-FFFFFF commented 2 months ago

Hi @kumarkhatwani

If you have found a vulnerability then please review the SECURITY.md for ways to submit privately.

I don't quite know what you mean by the use of the term 'commit code in Git'. But please don't publish anything publicly that may help somebody exploit anything.

I am interested to know what you have found so look forward to your report.

matt-FFFFFF commented 2 months ago

RR

kumarkhatwani commented 2 months ago

Hi @matt-FFFFFF, the scan results have been deleted by our AppSec Team, so I will rerun the scan and share it privately as per the process described in SECURITY.md.