Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(cloudformation): false positive for "ECS Cluster Not Encrypted At Rest" when using task definition ref #7203

Open Cerisabeth opened 4 months ago

Cerisabeth commented 4 months ago

Expected Behavior

The ref-template.json (modified from test/negative2.json) should return negative for the ECS Cluster Not Encrypted At Rest query.

Actual Behavior

Query returns a positive for ECS Cluster Not Encrypted At Rest, even with the correct EFS volume configuration, due to this section of the above code:

          "TaskDefinition": {
            "Ref": "taskdefinition"
          },

It returns negative when using the following syntax to reference the task definition:

          "TaskDefinition": "taskdefinition",

We are using AWS CDK to generate our template and it always generates a Ref block to refer to a resource.

Steps to Reproduce the Problem

  1. Scan ref-template.json for the ECS Cluster Not Encrypted At Rest query (id: 6c131358-c54d-419b-9dd6-1f7dd41d180c)
docker run -t -v $PWD/test:/path checkmarx/kics:latest scan -p /path/ref-template.json -o "/path/" --log-level "DEBUG" -i "6c131358-c54d-419b-9dd6-1f7dd41d180c" -v

debug-log.txt

Specifications

cx-monicac commented 4 months ago

Hi @Cerisabeth Thanks for your input!

We asked our internal AppSec team to provide you feedback on this. We will keep you updated. (APPSEC-2916)
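The two spellings contrasted in the report (a bare logical ID string and a `{"Ref": ...}` intrinsic, which is what CDK emits) should resolve to the same `AWS::ECS::TaskDefinition`. The following is an added example and is not KICS code or the reporter's template: it resolves an ECS Service's `TaskDefinition` either way, then checks that every EFS volume on the resolved task definition sets `TransitEncryption` to `ENABLED`, and keeps unresolvable references (for example an ARN of a task definition defined outside the template) out of the findings instead of failing them. The sample template and its logical IDs are constructed, and the `TransitEncryption` rule is my reading of what the query intends, not its confirmed logic.

```python
import json

# Constructed sample template; not the reporter's ref-template.json.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "taskdefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "app",
        "ContainerDefinitions": [{"Name": "app", "Image": "app:latest", "Memory": 512}],
        "Volumes": [{"Name": "data", "EFSVolumeConfiguration": {
          "FilesystemId": "fs-0123456789abcdef0", "TransitEncryption": "ENABLED"}}]
      }
    },
    "plaintaskdefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "legacy",
        "ContainerDefinitions": [{"Name": "legacy", "Image": "legacy:1", "Memory": 512}],
        "Volumes": [{"Name": "data", "EFSVolumeConfiguration": {
          "FilesystemId": "fs-0fedcba9876543210"}}]
      }
    },
    "serviceByRef":   {"Type": "AWS::ECS::Service",
                       "Properties": {"TaskDefinition": {"Ref": "taskdefinition"}}},
    "serviceByName":  {"Type": "AWS::ECS::Service",
                       "Properties": {"TaskDefinition": "taskdefinition"}},
    "servicePlain":   {"Type": "AWS::ECS::Service",
                       "Properties": {"TaskDefinition": {"Ref": "plaintaskdefinition"}}},
    "serviceExternal": {"Type": "AWS::ECS::Service", "Properties": {"TaskDefinition":
                       "arn:aws:ecs:us-east-1:123456789012:task-definition/app:3"}}
  }
}
""")


def resolve_task_definition(template, value):
    """Return the logical ID of the AWS::ECS::TaskDefinition that an ECS Service's
    TaskDefinition property points at, or None if it cannot be resolved within
    this template (e.g. an ARN of a task definition defined elsewhere)."""
    resources = template.get("Resources", {})
    # CDK emits {"Ref": "<logicalId>"}; hand-written templates often use the bare ID.
    if isinstance(value, dict) and set(value) == {"Ref"}:
        value = value["Ref"]
    if not isinstance(value, str):
        return None
    res = resources.get(value)
    if res and res.get("Type") == "AWS::ECS::TaskDefinition":
        return value
    return None


def efs_volumes_without_transit_encryption(taskdef):
    """Names of EFS volumes on a task definition not marked TransitEncryption: ENABLED.
    (Assumed rule for this example; AWS treats a missing value as DISABLED.)"""
    bad = []
    for vol in taskdef.get("Properties", {}).get("Volumes", []):
        efs = vol.get("EFSVolumeConfiguration")
        if efs is None:
            continue  # host or Docker volume, not EFS; out of scope for this rule
        if efs.get("TransitEncryption") != "ENABLED":
            bad.append(vol.get("Name", "<unnamed>"))
    return bad


def scan(template):
    """Return findings as (service, taskdefinition, volume) tuples, plus the
    services whose TaskDefinition could not be resolved in the template."""
    findings, unresolved = [], []
    resources = template.get("Resources", {})
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        ref = res.get("Properties", {}).get("TaskDefinition")
        td_id = resolve_task_definition(template, ref)
        if td_id is None:
            # Cannot evaluate: report separately rather than as a failure, otherwise
            # every unresolvable reference turns into a false positive.
            unresolved.append(logical_id)
            continue
        for name in efs_volumes_without_transit_encryption(resources[td_id]):
            findings.append((logical_id, td_id, name))
    return {"findings": findings, "unresolved": unresolved}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_TEMPLATE), indent=2))
```

Run against the constructed template, `serviceByRef` and `serviceByName` both resolve to `taskdefinition` and produce no finding, `servicePlain` is flagged for its `data` volume, and `serviceExternal` is listed as unresolved rather than failed.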