aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

bug(misconf): False positive AWS-0102 #7006

Closed nikpivkin closed 2 weeks ago

nikpivkin commented 2 weeks ago

Discussed in https://github.com/aquasecurity/trivy/discussions/7004

The check is triggered for the deny rule.

Example config:

resource "aws_network_acl_rule" "bar" {
  rule_number    = 200
  egress         = false
  protocol       = "all"
  rule_action    = "deny"
  cidr_block     = "0.0.0.0/0"
}

Output:

main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:4
   via main.tf:1-7 (aws_network_acl_rule.bar)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   resource "aws_network_acl_rule" "bar" {
   2     rule_number    = 200
   3     egress         = false
   4 [   protocol       = "all"
   5     rule_action    = "deny"
   6     cidr_block     = "0.0.0.0/0"
   7   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
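To make the false positive concrete, here is an added illustration (not Trivy's own Rego check or HCL parser) of the semantics the issue expects from AVD-AWS-0102: an ingress rule is a finding only when it allows all protocols from anywhere, so a `deny` rule with the same shape should not be reported. The attribute extractor and the second `baz` resource are constructed for this example.

```python
import re

# Minimal extractor for flat `key = value` attributes inside aws_network_acl_rule
# blocks. Hypothetical helper for this example, not Trivy's HCL parser.
BLOCK_RE = re.compile(
    r'resource\s+"aws_network_acl_rule"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}',
    re.S,
)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

ALL_PROTOCOLS = {"all", "-1"}  # Terraform spellings for "every protocol"

def parse_rules(hcl):
    """Map resource name -> {attribute: value} for each aws_network_acl_rule block."""
    return {m.group("name"): dict(ATTR_RE.findall(m.group("body")))
            for m in BLOCK_RE.finditer(hcl)}

def allows_all_ports(rule):
    """Intended check: flag only ingress rules that ALLOW all protocols from 0.0.0.0/0.
    The rule_action test is what the report says the current check is missing."""
    if rule.get("egress", "false").lower() == "true":
        return False
    if rule.get("rule_action", "").lower() != "allow":
        return False  # a deny rule restricts access; never a finding
    if rule.get("protocol", "").lower() not in ALL_PROTOCOLS:
        return False
    return rule.get("cidr_block") == "0.0.0.0/0"

def findings(hcl):
    """Names of rules that should be reported, sorted for stable output."""
    return sorted(n for n, r in parse_rules(hcl).items() if allows_all_ports(r))

# Constructed sample: the deny rule from the issue plus an allow rule that should fire.
SAMPLE_TF = '''
resource "aws_network_acl_rule" "bar" {
  rule_number    = 200
  egress         = false
  protocol       = "all"
  rule_action    = "deny"
  cidr_block     = "0.0.0.0/0"
}
resource "aws_network_acl_rule" "baz" {
  rule_number    = 100
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}
'''

if __name__ == "__main__":
    print(findings(SAMPLE_TF))  # only "baz" is reported; "bar" is a deny rule
```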