github / codeql-action

Actions for running CodeQL analysis
MIT License

Error while uploading SARIF file using action github/codeql-action/upload-sarif #2456

Open clementrey-dev opened 1 week ago

clementrey-dev commented 1 week ago

Hello experts, I am trying to upload a SARIF file generated by a Trivy scan. Although the SARIF file is generated, the upload of the file to the Security tab failed with the message:

Run github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy_report.sarif
    checkout_path: /home/runner/work/aws-htc-grid/aws-htc-grid
    token: ***
    matrix: null
    wait-for-processing: true
  env:
    TRIVY_REPORT_FILE: trivy_report.sarif
    ACTIONS_STEP_DEBUG: true
Uploading results
  Processing sarif files: ["trivy_report.sarif"]
  Validating trivy_report.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is failed.
Error: Code Scanning could not process the submitted SARIF file:
locationFromSarifResult: expected artifact location

Do you have any clues as to what could be wrong with my SARIF files, or how to improve the observability of the action?

hvitved commented 1 week ago

@starcke: Is this one for your team?

starcke commented 1 week ago

locationFromSarifResult: expected artifact location usually means that there is a missing location for one of the results. See https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#specifying-the-location-for-source-files. If the SARIF file looks correct according to the documentation, can you then share parts of it here (anonymizing it as needed), so that we can see how it looks?
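A pre-flight check for the situation in this thread (a Trivy report that uploads fine but is then rejected by Code Scanning, and the note above that the error usually means a result with a missing location). This is an added example written for this page, not code from github/codeql-action or from Trivy. It walks every result in a SARIF 2.1.0 document and reports those that have no location with a non-empty physicalLocation.artifactLocation.uri; it can also write a copy with those results dropped. The SARIF document embedded below is constructed for the demo and is not the file posted in the thread, although it follows the same shape (ROOTPATH uriBaseId, one physicalLocation per result). For reference, the first result in the file posted later in this thread (rule AVD-AWS-0066) carries "uri": "", which is exactly the kind of entry this check reports.

```python
"""Pre-flight check for a SARIF file before handing it to upload-sarif.

Added example for this thread; not code from github/codeql-action or Trivy.
Flags every result that has no location with a non-empty
physicalLocation.artifactLocation.uri, i.e. a result Code Scanning cannot
map to a file in the repository.
"""
import argparse
import copy
import json
import sys


def _artifact_uris(result: dict) -> list:
    """artifactLocation.uri of every location in a result. Missing keys and
    null values become "" so they are reported rather than skipped."""
    uris = []
    for loc in result.get("locations") or []:
        physical = loc.get("physicalLocation") or {}
        artifact = physical.get("artifactLocation") or {}
        uris.append(artifact.get("uri") or "")
    return uris


def find_unlocatable_results(sarif: dict) -> list:
    """One record per result that cannot be placed in a file: either no
    `locations` array at all, or only locations whose artifact uri is blank."""
    problems = []
    for run_index, run in enumerate(sarif.get("runs") or []):
        for result_index, result in enumerate(run.get("results") or []):
            uris = _artifact_uris(result)
            if not any(uri.strip() for uri in uris):
                problems.append({"run": run_index, "result": result_index,
                                 "ruleId": result.get("ruleId"), "uris": uris})
    return problems


def drop_unlocatable_results(sarif: dict) -> dict:
    """Deep copy of the document with the unplaceable results removed.
    The `rules` array is untouched, so `ruleIndex` values stay valid.
    Dropped findings are lost to the Security tab: log them, do not hide them."""
    fixed = copy.deepcopy(sarif)
    for run in fixed.get("runs") or []:
        run["results"] = [r for r in run.get("results") or []
                          if any(uri.strip() for uri in _artifact_uris(r))]
    return fixed


# Constructed sample (not the file from the thread). Result 0 has an empty uri,
# result 2 has no locations array; only result 1 can be placed in a file.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy",
                            "rules": [{"id": "AVD-AWS-0066"}, {"id": "AVD-AWS-0057"}]}},
        "results": [
            {"ruleId": "AVD-AWS-0066", "ruleIndex": 0, "level": "note",
             "message": {"text": "Function does not have tracing enabled."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "", "uriBaseId": "ROOTPATH"},
                 "region": {"startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1}}}]},
            {"ruleId": "AVD-AWS-0057", "ruleIndex": 1, "level": "error",
             "message": {"text": "IAM policy document uses a wildcarded resource"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deployment/cfn/stack.yaml", "uriBaseId": "ROOTPATH"},
                 "region": {"startLine": 109, "startColumn": 1, "endLine": 109, "endColumn": 1}}}]},
            {"ruleId": "AVD-AWS-0057", "ruleIndex": 1, "level": "error",
             "message": {"text": "Result with no locations array at all"}},
        ],
    }],
}


def main(argv=None) -> int:
    """CLI: exit 1 when any result lacks an artifact location, so a workflow
    step fails before upload-sarif runs instead of after 'Waiting for processing'."""
    parser = argparse.ArgumentParser(description="Find SARIF results without an artifact location.")
    parser.add_argument("sarif_file")
    parser.add_argument("--write-fixed", metavar="OUT",
                        help="also write a copy with the unplaceable results removed")
    args = parser.parse_args(argv)
    with open(args.sarif_file, encoding="utf-8") as fh:
        sarif = json.load(fh)
    problems = find_unlocatable_results(sarif)
    for p in problems:
        print(f"run {p['run']} result {p['result']} ({p['ruleId']}): artifact uris {p['uris']!r}")
    if args.write_fixed:
        with open(args.write_fixed, "w", encoding="utf-8") as fh:
            json.dump(drop_unlocatable_results(sarif), fh, indent=2)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step between the scan and upload-sarif (for example `python sarif_check.py trivy_report.sarif`); the non-zero exit surfaces the problem in the scanning job with the offending ruleId and result index, which the action's own log above ("Analysis upload status is failed.") does not give. The `--write-fixed` copy is a stopgap, not a fix: a dropped result is a real finding the scanner could not attribute to a file, so the underlying cause belongs upstream in the scanner's output.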

clementrey-dev commented 1 week ago

I checked and it seems that all issues have a location as well.

Please find below the SARIF file.

{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "AVD-AWS-0066",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Lambda functions should have X-Ray tracing enabled"
              },
              "fullDescription": {
                "text": "X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0066",
              "help": {
                "text": "Misconfiguration AVD-AWS-0066\nType: CloudFormation Security Check\nSeverity: LOW\nCheck: Lambda functions should have X-Ray tracing enabled\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)\nX-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.",
                "markdown": "**Misconfiguration AVD-AWS-0066**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|LOW|Lambda functions should have X-Ray tracing enabled|Function does not have tracing enabled.|[AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)|\n\nX-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0057",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege"
              },
              "fullDescription": {
                "text": "You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0057",
              "help": {
                "text": "Misconfiguration AVD-AWS-0057\nType: Terraform Security Check\nSeverity: HIGH\nCheck: IAM policy should avoid use of wildcards and instead apply the principle of least privilege\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)\nYou should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.",
                "markdown": "**Misconfiguration AVD-AWS-0057**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|HIGH|IAM policy should avoid use of wildcards and instead apply the principle of least privilege|IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'|[AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)|\n\nYou should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "AVD-AWS-0088",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Unencrypted S3 bucket."
              },
              "fullDescription": {
                "text": "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0088",
              "help": {
                "text": "Misconfiguration AVD-AWS-0088\nType: CloudFormation Security Check\nSeverity: HIGH\nCheck: Unencrypted S3 bucket.\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
                "markdown": "**Misconfiguration AVD-AWS-0088**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|HIGH|Unencrypted S3 bucket.|Bucket does not have encryption enabled|[AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)|\n\nS3 Buckets should be encrypted to protect the data that is stored within them if access is compromised."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "s3-bucket-logging",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 Bucket Logging"
              },
              "fullDescription": {
                "text": "Ensures S3 bucket logging is enabled for S3 buckets"
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/s3-bucket-logging",
              "help": {
                "text": "Misconfiguration s3-bucket-logging\nType: Terraform Security Check\nSeverity: LOW\nCheck: S3 Bucket Logging\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)\nEnsures S3 bucket logging is enabled for S3 buckets",
                "markdown": "**Misconfiguration s3-bucket-logging**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|S3 Bucket Logging|Bucket has logging disabled|[s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)|\n\nEnsures S3 bucket logging is enabled for S3 buckets"
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0090",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 Data should be versioned"
              },
              "fullDescription": {
                "text": "\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0090",
              "help": {
                "text": "Misconfiguration AVD-AWS-0090\nType: CloudFormation Security Check\nSeverity: MEDIUM\nCheck: S3 Data should be versioned\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n",
                "markdown": "**Misconfiguration AVD-AWS-0090**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|MEDIUM|S3 Data should be versioned|Bucket does not have versioning enabled|[AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)|\n\n\nVersioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. \nYou can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. \nWith versioning you can recover more easily from both unintended user actions and application failures.\n"
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [
                  "misconfiguration",
                  "security",
                  "MEDIUM"
                ]
              }
            },
            {
              "id": "AVD-AWS-0132",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "S3 encryption should use Customer Managed Keys"
              },
              "fullDescription": {
                "text": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0132",
              "help": {
                "text": "Misconfiguration AVD-AWS-0132\nType: CloudFormation Security Check\nSeverity: HIGH\nCheck: S3 encryption should use Customer Managed Keys\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
                "markdown": "**Misconfiguration AVD-AWS-0132**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|CloudFormation Security Check|HIGH|S3 encryption should use Customer Managed Keys|Bucket does not encrypt data with a customer managed key.|[AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)|\n\nEncryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "8.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "HIGH"
                ]
              }
            },
            {
              "id": "AVD-AWS-0190",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "Ensure that response caching is enabled for your Amazon API Gateway REST APIs."
              },
              "fullDescription": {
                "text": "A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0190",
              "help": {
                "text": "Misconfiguration AVD-AWS-0190\nType: Terraform Security Check\nSeverity: LOW\nCheck: Ensure that response caching is enabled for your Amazon API Gateway REST APIs.\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)\nA REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.",
                "markdown": "**Misconfiguration AVD-AWS-0190**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|LOW|Ensure that response caching is enabled for your Amazon API Gateway REST APIs.|Cache data is not enabled.|[AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)|\n\nA REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "DS026",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "No HEALTHCHECK defined"
              },
              "fullDescription": {
                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/ds026",
              "help": {
                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "2.0",
                "tags": [
                  "misconfiguration",
                  "security",
                  "LOW"
                ]
              }
            },
            {
              "id": "AVD-AWS-0178",
              "name": "Misconfiguration",
              "shortDescription": {
                "text": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you\u0026#39;ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \u0026#34;Rejects\u0026#34; for VPCs."
              },
              "fullDescription": {
                "text": "VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/misconfig/avd-aws-0178",
              "help": {
                "text": "Misconfiguration AVD-AWS-0178\nType: Terraform Security Check\nSeverity: MEDIUM\nCheck: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.\nMessage: VPC Flow Logs is not enabled for VPC\nLink: [AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.",
                "markdown": "**Misconfiguration AVD-AWS-0178**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Terraform Security Check|MEDIUM|VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.|VPC Flow Logs is not enabled for VPC|[AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)|\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [
                  "misconfiguration",
                  "security",
                  "MEDIUM"
                ]
              }
            }
          ],
          "version": "0.53.0"
        }
      },
      "results": [
        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: \nType: cloudformation\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'cloudformation:DescribeStacks' on wildcarded resource '*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 109,
                  "startColumn": 1,
                  "endLine": 109,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:${AWS::Partition}:logs:*:*:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 109,
                  "startColumn": 1,
                  "endLine": 109,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0088",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0088\nSeverity: HIGH\nMessage: Bucket does not have encryption enabled\nLink: [AVD-AWS-0088](https://avd.aquasec.com/misconfig/avd-aws-0088)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0090",
          "ruleIndex": 4,
          "level": "warning",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0090\nSeverity: MEDIUM\nMessage: Bucket does not have versioning enabled\nLink: [AVD-AWS-0090](https://avd.aquasec.com/misconfig/avd-aws-0090)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0132",
          "ruleIndex": 5,
          "level": "error",
          "message": {
            "text": "Artifact: deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml\nType: cloudformation\nVulnerability AVD-AWS-0132\nSeverity: HIGH\nMessage: Bucket does not encrypt data with a customer managed key.\nLink: [AVD-AWS-0132](https://avd.aquasec.com/misconfig/avd-aws-0132)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 279,
                  "startColumn": 1,
                  "endLine": 290,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0190",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/grid/terraform/control_plane/openapi_private.tf\nType: terraform\nVulnerability AVD-AWS-0190\nSeverity: LOW\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/grid/terraform/control_plane/openapi_private.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 124,
                  "startColumn": 1,
                  "endLine": 137,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/grid/terraform/control_plane/openapi_private.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0190",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/grid/terraform/control_plane/openapi_public.tf\nType: terraform\nVulnerability AVD-AWS-0190\nSeverity: LOW\nMessage: Cache data is not enabled.\nLink: [AVD-AWS-0190](https://avd.aquasec.com/misconfig/avd-aws-0190)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/grid/terraform/control_plane/openapi_public.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 123,
                  "startColumn": 1,
                  "endLine": 136,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/grid/terraform/control_plane/openapi_public.tf"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/image_repository/lambda_runtimes/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/image_repository/lambda_runtimes/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/image_repository/lambda_runtimes/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 153,
                  "startColumn": 1,
                  "endLine": 172,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 239,
                  "startColumn": 1,
                  "endLine": 258,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: deployment/init_grid/cloudformation/grid_state.yaml\nType: cloudformation\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "deployment/init_grid/cloudformation/grid_state.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 67,
                  "startColumn": 1,
                  "endLine": 86,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "deployment/init_grid/cloudformation/grid_state.yaml"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: docs/workshop/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "docs/workshop/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "docs/workshop/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/submissions/k8s_jobs/Dockerfile.Submitter\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/submissions/k8s_jobs/Dockerfile.Submitter",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/submissions/k8s_jobs/Dockerfile.Submitter"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/c++/mock_computation/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/c++/mock_computation/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/c++/mock_computation/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/java/mock_computation/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/java/mock_computation/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/java/mock_computation/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/java/quant_lib/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/java/quant_lib/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/java/quant_lib/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/python/mock_computation/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/python/mock_computation/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/python/mock_computation/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: examples/workloads/python/quant_lib/Dockerfile.Build\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "examples/workloads/python/quant_lib/Dockerfile.Build",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "examples/workloads/python/quant_lib/Dockerfile.Build"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/python/agent/Dockerfile.Lambda\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/python/agent/Dockerfile.Lambda",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/python/agent/Dockerfile.Lambda"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/python/agent/Dockerfile.Local\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/python/agent/Dockerfile.Local",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/python/agent/Dockerfile.Local"
              }
            }
          ]
        },
        {
          "ruleId": "DS026",
          "ruleIndex": 7,
          "level": "note",
          "message": {
            "text": "Artifact: source/compute_plane/shell/attach-layer/Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "source/compute_plane/shell/attach-layer/Dockerfile",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "source/compute_plane/shell/attach-layer/Dockerfile"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '08dc8bb2-e5b3-478e-9e5d-d02a9064d6c4:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '11be5e6e-eedc-422d-be69-4f5aa9e53e28:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '2f226c54-6f2d-454b-9da0-aa1bfe547896:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '5bf0c93e-0bee-47bd-b82d-6107c3423a95:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'a64b0897-3644-42e4-bc9f-418cd15ede0d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0057",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Artifact: terraform-aws-modules/lambda/aws/iam.tf\nType: terraform\nVulnerability AVD-AWS-0057\nSeverity: HIGH\nMessage: IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'df72e57f-3373-4d89-a731-ecde18753d1d:*'\nLink: [AVD-AWS-0057](https://avd.aquasec.com/misconfig/avd-aws-0057)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/lambda/aws/iam.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 130,
                  "startColumn": 1,
                  "endLine": 130,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/lambda/aws/iam.tf"
              }
            }
          ]
        },
        {
          "ruleId": "s3-bucket-logging",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "text": "Artifact: terraform-aws-modules/s3-bucket/aws/main.tf\nType: terraform\nVulnerability s3-bucket-logging\nSeverity: LOW\nMessage: Bucket has logging disabled\nLink: [s3-bucket-logging](https://avd.aquasec.com/misconfig/s3-bucket-logging)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/s3-bucket/aws/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 25,
                  "startColumn": 1,
                  "endLine": 34,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/s3-bucket/aws/main.tf"
              }
            }
          ]
        },
        {
          "ruleId": "AVD-AWS-0178",
          "ruleIndex": 8,
          "level": "warning",
          "message": {
            "text": "Artifact: terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf\nType: terraform\nVulnerability AVD-AWS-0178\nSeverity: MEDIUM\nMessage: VPC Flow Logs is not enabled for VPC\nLink: [AVD-AWS-0178](https://avd.aquasec.com/misconfig/avd-aws-0178)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 28,
                  "startColumn": 1,
                  "endLine": 51,
                  "endColumn": 1
                }
              },
              "message": {
                "text": "terraform-aws-modules/vpc/aws/modules/vpc-endpoints/main.tf"
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///github/workspace/"
        }
      }
    }
  ]
}

starcke commented 1 week ago

Thanks for posting the SARIF. The problem is that Code scanning does not support the originalUriBaseIds field. This means that the first result object:

        {
          "ruleId": "AVD-AWS-0066",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Artifact: \nType: cloudformation\nVulnerability AVD-AWS-0066\nSeverity: LOW\nMessage: Function does not have tracing enabled.\nLink: [AVD-AWS-0066](https://avd.aquasec.com/misconfig/avd-aws-0066)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1,
                  "endLine": 1,
                  "endColumn": 1
                }
              },
              "message": {
                "text": ""
              }
            }
          ]
        },

contains an empty URI and therefore cannot be processed by code scanning.

Note: even with originalUriBaseIds it seems to point to a directory and not a file, so I am unsure what that means in terms of the result.
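A pre-upload check for the defect described above, as an added example that is not code from the codeql-action project or from anyone in this thread. It assumes only the SARIF structure visible in the posted file (`runs[].results[].locations[].physicalLocation.artifactLocation` and `runs[].originalUriBaseIds`); the embedded sample document is constructed to mirror the empty-uri result and one well-formed result.

```python
"""Lint a SARIF file before upload: flag results with no usable
artifact location (missing locations, missing artifactLocation, empty
uri, or a uri that resolves to a directory rather than a file)."""
from __future__ import annotations

import json
import sys
from typing import Iterator


def resolve_uri(run: dict, artifact: dict) -> str:
    """Join artifactLocation.uri onto the base named by uriBaseId, if any."""
    uri = artifact.get("uri", "")
    base_id = artifact.get("uriBaseId")
    bases = run.get("originalUriBaseIds", {})
    base = bases.get(base_id, {}).get("uri", "") if base_id else ""
    return base + uri


def location_problems(run: dict, result: dict) -> Iterator[str]:
    """Yield one message per location defect in a single result."""
    locations = result.get("locations") or []
    if not locations:
        yield "no locations"
        return
    for i, loc in enumerate(locations):
        artifact = loc.get("physicalLocation", {}).get("artifactLocation")
        if artifact is None:
            yield f"location {i}: no physicalLocation.artifactLocation"
            continue
        if not artifact.get("uri"):
            # The case from the thread: uri is "" so nothing to attach to.
            yield f"location {i}: empty artifactLocation.uri"
            continue
        resolved = resolve_uri(run, artifact)
        if resolved.endswith("/"):
            yield f"location {i}: resolved uri {resolved!r} is a directory, not a file"


def lint_sarif(doc: dict) -> list[str]:
    """Return one human-readable finding per defective location, in file order."""
    findings: list[str] = []
    for r, run in enumerate(doc.get("runs", [])):
        for idx, result in enumerate(run.get("results", [])):
            for problem in location_problems(run, result):
                findings.append(f"run {r} result {idx} ({result.get('ruleId')}): {problem}")
    return findings


# Constructed sample (not the real report): one result with an empty uri,
# one well-formed result, both resolved against a ROOTPATH base.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy"}},
        "results": [
            {"ruleId": "AVD-AWS-0066", "level": "note",
             "message": {"text": "Function does not have tracing enabled."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "", "uriBaseId": "ROOTPATH"},
                 "region": {"startLine": 1, "startColumn": 1}}}]},
            {"ruleId": "DS026", "level": "note",
             "message": {"text": "Add HEALTHCHECK instruction in your Dockerfile"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "docs/workshop/Dockerfile", "uriBaseId": "ROOTPATH"},
                 "region": {"startLine": 1, "startColumn": 1}}}]},
        ],
        "originalUriBaseIds": {"ROOTPATH": {"uri": "file:///github/workspace/"}},
    }],
}


if __name__ == "__main__":
    # Usage: python lint_sarif.py trivy_report.sarif  (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    report = lint_sarif(doc)
    print("\n".join(report) if report else "no location problems found")
    sys.exit(1 if report else 0)
```

Running it as a step before `upload-sarif` fails the job with the offending `ruleId` and result index instead of the opaque `expected artifact location` message after upload.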