tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Violations for IaC templates lack accurate line number #1225

Open JohnathonMohr opened 2 years ago

JohnathonMohr commented 2 years ago

Description

I tried scanning a copy of the Azure Quickstart Templates repository to get an idea of what types of issues would be found. I noticed that in all violations reported, the line number is always 1. It would be helpful if the line number reported was actually where the failure is found in the template. For example, in the violations below, the line numbers should be a line within the declarations of the storage account and subnet that violate the rules.

More IaC file types may have this same issue, but I only tested this with ARM.

What I Did

d:\terrascan-1.13.2>terrascan.exe scan -i arm -f ..\azure-quickstart-templates\quickstarts\microsoft.compute\vm-simple-windows\azuredeploy.json

Violation Details -

        Description    :        Ensure that 'Secure transfer required' is enabled for Storage Accounts
        File           :        azuredeploy.json
        Line           :        1
        Severity       :        HIGH
        -----------------------------------------------------------------------

        Description    :        Ensure that Azure Virtual Network subnet is configured with a Network Security Group
        File           :        azuredeploy.json
        Line           :        1
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

Scan Summary -

        File/Folder         :   d:\azure-quickstart-templates\quickstarts\microsoft.compute\vm-simple-windows\azuredeploy.json
        IaC Type            :   arm
        Scanned At          :   2022-04-21 00:24:29.8549459 +0000 UTC
        Policies Validated  :   4
        Violated Policies   :   2
        Low                 :   0
        Medium              :   1
        High                :   1

JohnathonMohr commented 2 years ago

I've also confirmed this is a problem for Docker templates as well, scanning the TerraGoat repository.

d:\terrascan-1.13.2>terrascan.exe scan -i docker -d ..\terragoat

Violation Details -

        Description    :        Ensure platform flag with FROM command is not used for Docker file
        File           :        terraform\aws\resources\Dockerfile
        Line           :        1
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

Scan Summary -

        File/Folder         :   d:\terragoat
        IaC Type            :   docker
        Scanned At          :   2022-04-21 00:32:25.3564555 +0000 UTC
        Policies Validated  :   3
        Violated Policies   :   1
        Low                 :   0
        Medium              :   1
        High                :   0
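As an added illustration of the line attribution this report asks for (example code written for this thread, not terrascan's own implementation; it assumes the ARM template is handed over as raw bytes): encoding/json's streaming Decoder exposes InputOffset, so the line on which each entry of the top-level "resources" array begins can be recovered while decoding and attached to any finding on that resource instead of line 1.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)
// ResourceLoc pairs a resource's "type" with the 1-based line of its opening brace.
type ResourceLoc struct {
	Type string `json:"type"`
	Line int    `json:"-"`
}
// ResourceLines streams through an ARM template with json.Decoder and records
// where each entry of the top-level "resources" array starts: the line a scanner
// should report for a violation on that resource, rather than line 1.
func ResourceLines(template []byte) ([]ResourceLoc, error) {
	dec := json.NewDecoder(bytes.NewReader(template))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return nil, fmt.Errorf("template root is not an object (%v)", err)
	}
	for { // walk the root object's keys, skipping every value except "resources"
		key, err := dec.Token()
		if err != nil || key == json.Delim('}') {
			return nil, fmt.Errorf("no top-level \"resources\" array (last token %v, err %v)", key, err)
		}
		if key == "resources" {
			break
		}
		var skip json.RawMessage
		if err := dec.Decode(&skip); err != nil {
			return nil, err
		}
	}
	if tok, err := dec.Token(); err != nil || tok != json.Delim('[') {
		return nil, fmt.Errorf("\"resources\" is not an array (%v)", err)
	}
	var out []ResourceLoc
	for dec.More() {
		// Only whitespace and a comma precede the next element, so its first '{' is the object start.
		off := dec.InputOffset()
		brace := bytes.IndexByte(template[off:], '{')
		var loc ResourceLoc
		if err := dec.Decode(&loc); err != nil || brace < 0 {
			return nil, fmt.Errorf("\"resources\" entry is not an object (%v)", err)
		}
		loc.Line = 1 + bytes.Count(template[:off+int64(brace)], []byte("\n"))
		out = append(out, loc)
	}
	return out, nil
}
```

A finding on a resource would then carry loc.Line rather than 1; a template without a top-level "resources" array, or an entry that is not a JSON object, is reported as an error instead of being silently attributed to line 1.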