
Commit 933d57e

Merge pull request #6364 from Checkmarx/feature/kicsbot-update-queries-docs
docs(queries): update queries catalog
2 parents 0f294b8 + 2a1d802 commit 933d57e

1,665 files changed

Lines changed: 307245 additions & 3296 deletions


docs/queries/all-queries.md

Lines changed: 1648 additions & 1648 deletions
Large diffs are not rendered by default.

docs/queries/ansible-queries.md

Lines changed: 219 additions & 219 deletions
Large diffs are not rendered by default.
Lines changed: 85 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,85 @@
1+
---
2+
title: ECS Task Definition Network Mode Not Recommended
3+
hide:
4+
toc: true
5+
navigation: true
6+
---
7+
8+
<style>
9+
.highlight .hll {
10+
background-color: #ff171742;
11+
}
12+
.md-content {
13+
max-width: 1100px;
14+
margin: 0 auto;
15+
}
16+
</style>
17+
18+
- **Query id:** 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f
19+
- **Query name:** ECS Task Definition Network Mode Not Recommended
20+
- **Platform:** Ansible
21+
- **Severity:** <span style="color:#C00">High</span>
22+
- **Category:** Insecure Configurations
23+
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended)
24+
25+
### Description
26+
Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations<br>
27+
[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode)
28+
29+
### Code samples
30+
#### Code samples with security vulnerabilities
31+
```yaml title="Postitive test num. 1 - yaml file" hl_lines="31 15"
32+
---
33+
- name: Create task definition
34+
community.aws.ecs_taskdefinition:
35+
family: nginx
36+
containers:
37+
- name: nginx
38+
essential: true
39+
image: "nginx"
40+
portMappings:
41+
- containerPort: 8080
42+
hostPort: 8080
43+
cpu: 512
44+
memory: 1024
45+
state: present
46+
network_mode: default
47+
48+
- name: Create task definition2
49+
community.aws.ecs_taskdefinition:
50+
family: nginx
51+
containers:
52+
- name: nginx
53+
essential: true
54+
image: "nginx"
55+
portMappings:
56+
- containerPort: 8080
57+
hostPort: 8080
58+
launch_type: FARGATE
59+
cpu: 512
60+
memory: 1024
61+
state: present
62+
network_mode: none
63+
64+
```
65+
66+
67+
#### Code samples without security vulnerabilities
68+
```yaml title="Negative test num. 1 - yaml file"
69+
- name: Create task definition
70+
community.aws.ecs_taskdefinition:
71+
family: nginx
72+
containers:
73+
- name: nginx
74+
essential: true
75+
image: nginx
76+
portMappings:
77+
- containerPort: 8080
78+
hostPort: 8080
79+
launch_type: FARGATE
80+
cpu: 512
81+
memory: 1024
82+
state: present
83+
network_mode: awsvpc
84+
85+
```
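Review bot: the Description (file lines 26-27) names the parameter as `Network_Mode`, while the samples and the linked documentation anchor use `network_mode`; it should also say what the query reports rather than only what is preferred, since the positive samples show both `network_mode: default` and `network_mode: none` being flagged. The rationale sentence reads "AWS VPCs provides the controls ..." (should be "provide") and says nothing about why `awsvpc` is the safer choice, which is the one thing a reader of this page wants to know. Separately, the second positive sample (file lines 48-62) pairs `launch_type: FARGATE` with `network_mode: none`; Fargate tasks only run with `awsvpc`, so that definition would be rejected at registration and does not illustrate a task that actually runs with a non-recommended mode; dropping `launch_type` there, or setting it to `EC2`, would make the sample representative. Finally, the fence title on line 31 has the typo "Postitive"; it recurs in the other generated pages, so the fix belongs in the docs generator rather than in this file.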
Lines changed: 96 additions & 0 deletions
@@ -0,0 +1,96 @@
1+
---
2+
title: Auto Scaling Group With No Associated ELB
3+
hide:
4+
toc: true
5+
navigation: true
6+
---
7+
8+
<style>
9+
.highlight .hll {
10+
background-color: #ff171742;
11+
}
12+
.md-content {
13+
max-width: 1100px;
14+
margin: 0 auto;
15+
}
16+
</style>
17+
18+
- **Query id:** 050f085f-a8db-4072-9010-2cca235cc02f
19+
- **Query name:** Auto Scaling Group With No Associated ELB
20+
- **Platform:** Ansible
21+
- **Severity:** <span style="color:#C60">Medium</span>
22+
- **Category:** Availability
23+
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb)
24+
25+
### Description
26+
AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.<br>
27+
[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers)
28+
29+
### Code samples
30+
#### Code samples with security vulnerabilities
31+
```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
32+
- name: elb1
33+
community.aws.ec2_asg:
34+
name: special
35+
load_balancers: []
36+
availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
37+
launch_config_name: 'lc-1'
38+
min_size: 1
39+
max_size: 10
40+
desired_capacity: 5
41+
vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
42+
tags:
43+
- environment: production
44+
propagate_at_launch: no
45+
46+
```
47+
```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
48+
- name: elb2
49+
ec2_asg:
50+
name: special
51+
availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
52+
launch_config_name: 'lc-1'
53+
min_size: 1
54+
max_size: 10
55+
desired_capacity: 5
56+
vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
57+
tags:
58+
- environment: production
59+
propagate_at_launch: no
60+
61+
```
62+
63+
64+
#### Code samples without security vulnerabilities
65+
```yaml title="Negative test num. 1 - yaml file"
66+
- name: elb12
67+
community.aws.ec2_asg:
68+
name: special
69+
load_balancers: [ 'lb1', 'lb2' ]
70+
availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
71+
launch_config_name: 'lc-1'
72+
min_size: 1
73+
max_size: 10
74+
desired_capacity: 5
75+
vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
76+
tags:
77+
- environment: production
78+
propagate_at_launch: no
79+
80+
```
81+
```yaml title="Negative test num. 2 - yaml file"
82+
- name: elb22
83+
ec2_asg:
84+
name: special
85+
load_balancers: [ 'lb1', 'lb2' ]
86+
availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
87+
launch_config_name: 'lc-1'
88+
min_size: 1
89+
max_size: 10
90+
desired_capacity: 5
91+
vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
92+
tags:
93+
- environment: production
94+
propagate_at_launch: no
95+
96+
```
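Review bot: the rule stated in the Description (file line 26), "the attribute 'load_balancers' must be defined and not empty", yields a false positive for groups attached to a load balancer through target groups: `community.aws.ec2_asg` also accepts `target_group_arns`, which is how an ALB or NLB is associated, and such a group legitimately has no `load_balancers` entry. The Description (and the query behind it) should treat a non-empty `target_group_arns` as satisfying the check, and a negative sample using it would document that. The claim that groups "must have associated ELBs to ensure high availability and improve application performance" is also broader than the Availability category supports; saying that a group with no load balancer gets no traffic distribution across its instances and no ELB health checks is the precise version. The fence titles on lines 31 and 47 carry the "Postitive" typo.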
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
---
2+
title: DB Security Group With Public Scope
3+
hide:
4+
toc: true
5+
navigation: true
6+
---
7+
8+
<style>
9+
.highlight .hll {
10+
background-color: #ff171742;
11+
}
12+
.md-content {
13+
max-width: 1100px;
14+
margin: 0 auto;
15+
}
16+
</style>
17+
18+
- **Query id:** 0956aedf-6a7a-478b-ab56-63e2b19923ad
19+
- **Query name:** DB Security Group With Public Scope
20+
- **Platform:** Ansible
21+
- **Severity:** <span style="color:#C00">High</span>
22+
- **Category:** Networking and Firewall
23+
- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_security_group_with_public_scope)
24+
25+
### Description
26+
The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it<br>
27+
[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)
28+
29+
### Code samples
30+
#### Code samples with security vulnerabilities
31+
```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 22"
32+
- name: create minimal aurora instance in default VPC and default subnet group
33+
community.aws.rds_instance:
34+
engine: aurora
35+
db_instance_identifier: ansible-test-aurora-db-instance
36+
instance_type: db.t2.small
37+
password: "{{ password }}"
38+
username: "{{ username }}"
39+
cluster_id: ansible-test-cluster
40+
db_security_groups: ["example"]
41+
- name: example ec2 group
42+
ec2_group:
43+
name: example
44+
description: an example EC2 group
45+
vpc_id: 12345
46+
region: eu-west-1a
47+
aws_secret_key: SECRET
48+
aws_access_key: ACCESS
49+
rules:
50+
- proto: tcp
51+
from_port: 80
52+
to_port: 80
53+
cidr_ip: 0.0.0.0/0
54+
- proto: tcp
55+
from_port: 22
56+
to_port: 22
57+
cidr_ip: 10.0.0.0/8
58+
- proto: tcp
59+
from_port: 443
60+
to_port: 443
61+
group_id: amazon-elb/sg-87654321/amazon-elb-sg
62+
- proto: tcp
63+
from_port: 3306
64+
to_port: 3306
65+
group_id: 123412341234/sg-87654321/exact-name-of-sg
66+
- proto: udp
67+
from_port: 10050
68+
to_port: 10050
69+
cidr_ip: 10.0.0.0/8
70+
- proto: udp
71+
from_port: 10051
72+
to_port: 10051
73+
group_id: sg-12345678
74+
- proto: icmp
75+
from_port: 8 # icmp type, -1 = any type
76+
to_port: -1 # icmp subtype, -1 = any subtype
77+
cidr_ip: 192.168.1.0/24
78+
- proto: all
79+
group_name: example
80+
rules_egress:
81+
- proto: tcp
82+
from_port: 80
83+
to_port: 80
84+
cidr_ip: 0.0.0.0/0
85+
group_name: example-other
86+
group_desc: other example EC2 group
87+
88+
```
89+
90+
91+
#### Code samples without security vulnerabilities
92+
```yaml title="Negative test num. 1 - yaml file"
93+
- name: example ec2 group2
94+
ec2_group:
95+
name: example1
96+
description: an example EC2 group
97+
vpc_id: 12345
98+
region: eu-west-1a
99+
aws_secret_key: SECRET
100+
aws_access_key: ACCESS
101+
rules:
102+
- proto: tcp
103+
from_port: 80
104+
to_port: 80
105+
cidr_ip: 10.1.1.1/32
106+
rules_egress:
107+
- proto: tcp
108+
from_port: 80
109+
to_port: 80
110+
cidr_ip: 10.1.1.1/32
111+
group_name: example-other
112+
# description to use if example-other needs to be created
113+
group_desc: other example EC2 group
114+
115+
```
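Review bot: the Description (file lines 26-27) says "any IP can access it", which describes an ingress rule, but highlighted line 53 sits under `rules_egress`; the text should state that both `rules` and `rules_egress` are checked for `cidr_ip: 0.0.0.0/0`, and either explain that an unrestricted egress rule is an outbound-reach concern rather than an exposure one or split the egress case into its own finding. The Description also mentions `::/0`, yet neither sample contains an IPv6 rule (`cidr_ipv6`), so that branch of the query is undocumented on this page. The title says "DB Security Group", while what is actually inspected is an `ec2_group` referenced from `rds_instance` via `db_security_groups`; naming the checked module in the Description would avoid confusion, and the documentation link should point at the `rules` parameter rather than the bare module page. Two details in the positive sample (file lines 45-48) are worth fixing before publishing: `region: eu-west-1a` is an Availability Zone, not a region (`eu-west-1`), and `aws_secret_key: SECRET` / `aws_access_key: ACCESS` put credentials inline in the task, a pattern the sample should not model even with placeholder values; environment variables or a vault lookup keep the example clean. The fence title on line 31 has the "Postitive" typo.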
