ci: Add tfsec workflow #14

Merged
merged 1 commit into from
May 8, 2023

Conversation

nileshgadgi

what

  • Called tfsec workflow with shared workflow.
  • Changed "CHANGELOG.yaml" to "CHANGELOG.yml". Changed the format yaml to yml.
  • Changed source from static path to module path like "../" to "clouddrove/<service_module>/azure".

why

  • By adding the tfsec workflow, the repository will enhance the module features and automate the Terraform scanning process.
  • Changed "yaml" to "yml" to follow the industry standards.
  • Changed source from local to remote URL to follow the best practices.

@nileshgadgi nileshgadgi added the enhancement New feature or request label May 8, 2023
@clouddrove-ci
Member

Terraform Security Scan Failed

Result #1 CRITICAL Vault network ACL does not block access by default. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:16-67
────────────────────────────────────────────────────────────────────────────────
   16  resource "azurerm_key_vault" "key_vault" {
   17    count                           = var.enabled ? 1 : 0
   18    name                            = format("%s-kv", module.labels.id)
   19    location                        = var.location
   20    resource_group_name             = var.resource_group_name
   21    enabled_for_disk_encryption     = var.enabled_for_disk_encryption
   22    tenant_id                       = data.azurerm_client_config.current_client_config.tenant_id
   23    purge_protection_enabled        = var.purge_protection_enabled
   24    soft_delete_retention_days      = var.soft_delete_retention_days
   ..
────────────────────────────────────────────────────────────────────────────────
          ID azure-keyvault-specify-network-acl
      Impact Without a network ACL the key vault is freely accessible
  Resolution Set a network ACL for the key vault

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/azure/keyvault/specify-network-acl/
  - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             129.501µs
  parsing              94.200646ms
  adaptation           100.902µs
  checks               12.197565ms
  total                106.628614ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     77
  files read           4

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             1
  high                 0
  medium               0
  low                  0

  3 passed, 1 potential problem(s) detected.
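The CRITICAL finding above (azure-keyvault-specify-network-acl) is cleared by giving the flagged resource a network_acls block whose default_action is "Deny", so that only the listed CIDRs and subnets can reach the vault's data plane. The configuration below is an added illustration, not code from the clouddrove module or this PR: the variables network_acls_ip_rules and network_acls_subnet_ids are assumed, and sku_name is included because the scan excerpt elides the rest of the resource.

```hcl
# Assumed variables for the allow-lists; defaults are empty so the vault is
# closed unless the caller opts specific networks in.
variable "network_acls_ip_rules" {
  description = "CIDR ranges allowed to reach the Key Vault data plane"
  type        = list(string)
  default     = []
}

variable "network_acls_subnet_ids" {
  description = "Subnet IDs (with the Microsoft.KeyVault service endpoint) allowed to reach the vault"
  type        = list(string)
  default     = []
}

resource "azurerm_key_vault" "key_vault" {
  count                       = var.enabled ? 1 : 0
  name                        = format("%s-kv", module.labels.id)
  location                    = var.location
  resource_group_name         = var.resource_group_name
  tenant_id                   = data.azurerm_client_config.current_client_config.tenant_id
  sku_name                    = "standard" # assumed; not shown in the scan excerpt
  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  purge_protection_enabled    = var.purge_protection_enabled
  soft_delete_retention_days  = var.soft_delete_retention_days

  # tfsec azure-keyvault-specify-network-acl: without this block the vault is
  # reachable from any network. "Deny" makes the allow-lists below the only way
  # in; bypass = "AzureServices" keeps trusted first-party services (such as
  # disk encryption, which this resource enables) working behind the ACL.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = var.network_acls_ip_rules   # assumed variable
    virtual_network_subnet_ids = var.network_acls_subnet_ids # assumed variable
  }
}
```

Re-running the same tfsec workflow against this form reports the check as passed instead of critical; the firewall still allows RBAC-authorised callers only from the listed sources.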

@anmolnagpal anmolnagpal merged commit 4bdc4e4 into master May 8, 2023
@delete-merged-branch delete-merged-branch bot deleted the CI-tfsec branch May 8, 2023 20:58