tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Ignoring Policies on a scan #628

Open JonZeolla opened 3 years ago

JonZeolla commented 3 years ago

Description

In the documentation there is a reference to #367, which has been closed via #466, but the documentation does not appear to have been updated.

kanchwala-yusuf commented 3 years ago

Hi @JonZeolla,

The documentation link that you have pointed out is an outdated one; we need to update our documentation.

But we do support a couple of ways of ignoring policies on a scan:

Use of --skip-rules, --scan-rules:

For example, a normal terrascan scan

$ terrascan scan -t aws -v

Violation Details -

    Description    :    Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
    File           :    main.tf
    Line           :    5
    Severity       :    HIGH
    Rule Name      :    s3Versioning
    Rule ID        :    AWS.S3Bucket.IAM.High.0370
    Resource Name  :    demo-s3
    Resource Type  :    aws_s3_bucket
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    main.tf
    Line           :    5
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    demo-s3
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   /Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
    IaC Type            :   terraform
    Scanned At          :   2021-03-23 03:16:23.971338 +0000 UTC
    Policies Validated  :   561
    Violated Policies   :   2
    Low                 :   0
    Medium              :   0
    High                :   2

With use of --skip-rules:

$ terrascan scan -t aws -v --skip-rules="AWS.S3Bucket.DS.High.1043,AWS.S3Bucket.IAM.High.0370"
2021-03-23T08:49:49.820+0530    info    opa/engine.go:488   skip rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:49:49.820+0530    info    opa/engine.go:488   skip rule added. rule id: AWS.S3Bucket.IAM.High.0370 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws

Scan Summary -

    File/Folder         :   /Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
    IaC Type            :   terraform
    Scanned At          :   2021-03-23 03:19:50.034008 +0000 UTC
    Policies Validated  :   156
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

With use of --scan-rules:

$ terrascan scan -t aws -v --scan-rules="AWS.S3Bucket.DS.High.1043"
2021-03-23T08:51:13.514+0530    info    opa/engine.go:469   scan rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws

Violation Details -

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    main.tf
    Line           :    5
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    demo-s3
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   /Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
    IaC Type            :   terraform
    Scanned At          :   2021-03-23 03:21:13.518131 +0000 UTC
    Policies Validated  :   1
    Violated Policies   :   1
    Low                 :   0
    Medium              :   0
    High                :   1

Using scan and skip rules together:

$ terrascan scan -t aws -v --scan-rules="AWS.S3Bucket.DS.High.1043,AWS.S3Bucket.IAM.High.0370" --skip-rules="AWS.S3Bucket.DS.High.1043"
2021-03-23T08:53:42.866+0530    info    opa/engine.go:469   scan rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:53:42.866+0530    info    opa/engine.go:469   scan rule added. rule id: AWS.S3Bucket.IAM.High.0370 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:53:42.866+0530    info    opa/engine.go:488   skip rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws

Violation Details -

    Description    :    Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
    File           :    main.tf
    Line           :    5
    Severity       :    HIGH
    Rule Name      :    s3Versioning
    Rule ID        :    AWS.S3Bucket.IAM.High.0370
    Resource Name  :    demo-s3
    Resource Type  :    aws_s3_bucket
    Category       :    Resilience

    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   /Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
    IaC Type            :   terraform
    Scanned At          :   2021-03-23 03:23:42.869043 +0000 UTC
    Policies Validated  :   1
    Violated Policies   :   1
    Low                 :   0
    Medium              :   0
    High                :   1

kanchwala-yusuf commented 3 years ago

Use of --skip-rules is applicable to all the resources in a given configuration.

If you want to skip a rule for a particular resource, then you can refer to https://github.com/accurics/terrascan#rule-suppression
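
The two mechanisms described in this thread (the global `--scan-rules`/`--skip-rules` flags and the resource-level suppression the README documents) are easy to misuse: a global skip silences a rule for every resource in the repository, and a resource-level skip with no stated reason is invisible to whoever reviews the change. The following Python is an added example, not terrascan's code and not part of either commenter's reply. It models the scan/skip set logic the runs above demonstrate, assembles the matching `terrascan scan` argv, and audits a Terraform file together with the JSON of an unfiltered scan to show what each suppression silences and why. Assumptions, labelled in the code as well: terrascan's JSON output (`-o json`) carries `results.violations[]` entries with `rule_id`, `resource_type` and `resource_name` fields, and resource-level suppression uses the in-line `#ts:skip=<rule_id> <reason>` annotation; the Terraform snippet and scan JSON are constructed for the demo.

```python
"""Model terrascan's rule selection and audit what a configuration silences.
Added example, not terrascan's own code. Assumed (not stated in the thread):
  * `terrascan scan -o json` emits results.violations[] with rule_id,
    resource_type and resource_name fields;
  * resource-level suppression is the in-line `#ts:skip=<rule_id> <reason>`
    annotation from the README's Rule Suppression section.
The Terraform snippet and scan JSON below are constructed sample data."""
import json
import re


# --- 1. Effective policy set, as the scan/skip combinations in the thread show
def effective_rules(all_rules, scan_rules=(), skip_rules=()):
    """--scan-rules narrows the set to the listed IDs (when given); --skip-rules
    then removes IDs from what remains, so a rule in both lists is skipped."""
    selected = set(all_rules)
    if scan_rules:
        selected &= set(scan_rules)
    return sorted(selected - set(skip_rules))


def build_scan_argv(iac_dir, policy_type="aws", scan_rules=(), skip_rules=()):
    """argv for a JSON-emitting terrascan run using the flags from the thread."""
    argv = ["terrascan", "scan", "-i", "terraform", "-t", policy_type,
            "-o", "json", "-d", iac_dir]
    if scan_rules:
        argv.append("--scan-rules=" + ",".join(scan_rules))
    if skip_rules:
        argv.append("--skip-rules=" + ",".join(skip_rules))
    return argv


# --- 2. Resource-scoped suppressions from in-line annotations (assumed syntax)
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
SKIP_RE = re.compile(r"#ts:skip=([A-Za-z0-9_.-]+)\s*(.*)$")


def resource_suppressions(tf_source):
    """Map (resource_type, resource_name) -> {rule_id: reason}. Brace depth is
    tracked to attribute each annotation to its enclosing resource; braces inside
    string literals are not handled (deliberate simplification)."""
    found, current, depth = {}, None, 0
    for line in tf_source.splitlines():
        if depth == 0 and (m := RESOURCE_RE.match(line)):
            current = (m.group(1), m.group(2))
        if current is not None and (m := SKIP_RE.search(line)):
            found.setdefault(current, {})[m.group(1)] = m.group(2).strip()
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return found


def unjustified(suppressions):
    """Suppressions with no reason text: what a reviewer should reject."""
    return sorted((rtype, rname, rule)
                  for (rtype, rname), rules in suppressions.items()
                  for rule, reason in rules.items() if not reason)


# --- 3. Audit: which findings does the configuration silence, and how?
def classify_findings(scan_json, suppressions, global_skips=()):
    """Take the JSON (text or parsed) of an *unfiltered* scan and sort each
    violation into live / silenced by --skip-rules / silenced on its resource."""
    if isinstance(scan_json, str):
        scan_json = json.loads(scan_json)
    report = {"live": [], "global_skip": [], "resource_skip": []}
    for v in scan_json["results"]["violations"]:
        key, rule = (v["resource_type"], v["resource_name"]), v["rule_id"]
        if rule in global_skips:
            report["global_skip"].append((rule, key))
        elif rule in suppressions.get(key, {}):
            report["resource_skip"].append((rule, key, suppressions[key][rule]))
        else:
            report["live"].append((rule, key))
    return report


# Constructed sample input: two buckets, one suppression with a reason, one without.
SAMPLE_TF = '''\
resource "aws_s3_bucket" "demo-s3" {
  #ts:skip=AWS.S3Bucket.IAM.High.0370 scratch data, versioning not required, reviewed 2021-03
  bucket = "demo-s3"
  acl    = "public-read"
}

resource "aws_s3_bucket" "logs" {
  #ts:skip=AWS.S3Bucket.DS.High.1043
  bucket = "logs"
  acl    = "authenticated-read"
}
'''

# Constructed stand-in for `terrascan scan -o json` output on SAMPLE_TF with no skips.
SAMPLE_SCAN_JSON = json.dumps({"results": {"violations": [
    {"rule_id": "AWS.S3Bucket.IAM.High.0370", "resource_type": "aws_s3_bucket",
     "resource_name": "demo-s3", "severity": "HIGH", "file": "main.tf"},
    {"rule_id": "AWS.S3Bucket.DS.High.1043", "resource_type": "aws_s3_bucket",
     "resource_name": "demo-s3", "severity": "HIGH", "file": "main.tf"},
    {"rule_id": "AWS.S3Bucket.DS.High.1043", "resource_type": "aws_s3_bucket",
     "resource_name": "logs", "severity": "HIGH", "file": "main.tf"},
]}})

if __name__ == "__main__":
    sup = resource_suppressions(SAMPLE_TF)
    print(json.dumps(classify_findings(SAMPLE_SCAN_JSON, sup), indent=2))
    print("unjustified:", unjustified(sup))
    print(" ".join(build_scan_argv(".", skip_rules=["AWS.S3Bucket.DS.High.1043"])))
```

In CI, run the scan once without any skip flags, feed its JSON to `classify_findings`, and fail the job when `unjustified()` is non-empty or when the `global_skip` bucket grows without a matching reviewed change to the skip list; the `live` bucket is what the gated scan will actually report.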

kanchwala-yusuf commented 3 years ago

Hey @JonZeolla , were you able to ignore rules on a scan?

JonZeolla commented 3 years ago

Hi @kanchwala-yusuf, thank you. Yes, I already knew how to; I was specifically just opening this issue to get the docs corrected.