如何在 tfsec 中创建自定义检查
How to create custom checks in tfsec
我希望在使用 tfsec 的 IaC 代码扫描中实施以下策略:
Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)
下面是我的自定义签入.json格式:
{
"checks":
[
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes":
[
"resource"
],
"requiredLabels":
[
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec":
{
"name": "CUS003_matchSpec_name",
"action": "and",
"predicateMatchSpec":
[
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "ports",
"action": "contains",
"value": "23"
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks":
[
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
我试过使用“not”、“notContains”、“equals”、“subMatch”and/or“predicateMatchSpec”的组合,但没有任何效果。
为了测试它,我特意创建了应该失败的防火墙规则和其他应该通过检查的规则。当我检查失败时,它适用于所有规则,而不仅仅是一些规则。同样,当我获得检查通过时,它适用于所有规则,而不仅仅是一些规则。
可能有用的文档:tfsec custom checks
感谢任何帮助。不幸的是,“tfsec”不是标签,所以我希望这是我面临的地形问题。
我认为现在查看它的格式很清楚,source_ranges 是 google_compute_firewall 资源的 child。 ports 属性是 allow 的 child。您的检查假设 ports 是 source_ranges.
的兄弟姐妹
我认为此检查可以通过以下方式实现 - 它会根据需要进行谓词检查是否存在 source_range 并且存在一个名为 allow 的块,其属性端口包含 23
{
"checks": [
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes": [
"resource"
],
"requiredLabels": [
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec": {
"action": "and",
"predicateMatchSpec": [
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "allow",
"action": "isPresent",
"subMatch": {
"name": "ports",
"action": "contains",
"value": "23",
"ignoreUndefined": true
}
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks": [
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
我已经根据以下 body
对其进行了测试
resource "google_compute_firewall" "default" {
name = "test-firewall"
network = google_compute_network.default.name
allow {
protocol = "tcp"
ports = ["23", "8080", "1000-2000"]
}
source_ranges = ["0.0.0.0/0"]
source_tags = ["web"]
}
resource "google_compute_network" "default" {
name = "test-network"
}
我希望在使用 tfsec 的 IaC 代码扫描中实施以下策略:
Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)
下面是我的自定义签入.json格式:
{
"checks":
[
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes":
[
"resource"
],
"requiredLabels":
[
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec":
{
"name": "CUS003_matchSpec_name",
"action": "and",
"predicateMatchSpec":
[
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "ports",
"action": "contains",
"value": "23"
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks":
[
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
我试过使用“not”、“notContains”、“equals”、“subMatch”and/or“predicateMatchSpec”的组合,但没有任何效果。
为了测试它,我特意创建了应该失败的防火墙规则和其他应该通过检查的规则。当我检查失败时,它适用于所有规则,而不仅仅是一些规则。同样,当我获得检查通过时,它适用于所有规则,而不仅仅是一些规则。
可能有用的文档:tfsec custom checks
感谢任何帮助。不幸的是,“tfsec”不是标签,所以我希望这是我面临的地形问题。
我认为现在查看它的格式很清楚,source_ranges 是 google_compute_firewall 资源的 child。 ports 属性是 allow 的 child。您的检查假设 ports 是 source_ranges.
我认为此检查可以通过以下方式实现 - 它会根据需要进行谓词检查是否存在 source_range 并且存在一个名为 allow 的块,其属性端口包含 23
{
"checks": [
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes": [
"resource"
],
"requiredLabels": [
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec": {
"action": "and",
"predicateMatchSpec": [
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "allow",
"action": "isPresent",
"subMatch": {
"name": "ports",
"action": "contains",
"value": "23",
"ignoreUndefined": true
}
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks": [
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
我已经根据以下 body
对其进行了测试resource "google_compute_firewall" "default" {
name = "test-firewall"
network = google_compute_network.default.name
allow {
protocol = "tcp"
ports = ["23", "8080", "1000-2000"]
}
source_ranges = ["0.0.0.0/0"]
source_tags = ["web"]
}
resource "google_compute_network" "default" {
name = "test-network"
}