diff --git a/formatters/sarif.go b/formatters/sarif.go
index 152cbf33b..8e6b2bf59 100644
--- a/formatters/sarif.go
+++ b/formatters/sarif.go
@@ -39,6 +39,9 @@ func FormatSarif(w io.Writer, results []rules.Result, baseDir string, _ ...Forma
 if err != nil {
 return err
 }
+ if baseDir == rng.GetFilename() {
+ relativePath = filepath.Base(baseDir)
+ }
 message := sarif.NewTextMessage(res.Description())
 region := sarif.NewSimpleRegion(rng.GetStartLine(), rng.GetEndLine())
diff --git a/output/output.go b/output/output.go
deleted file mode 100644
index 426eff65d..000000000
--- a/output/output.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package output
-
-import "golang.org/x/crypto/ssh/terminal"
-
-type Output struct {
- width int
-}
-
-func New() *Output {
- width, _, err := terminal.GetSize(0)
- if err != nil {
- width = 80
- }
- return &Output{
- width: width,
- }
-}
-
-func (o *Output) Title(title string) {
-
-}
diff --git a/provider/aws/documentdb/documentdb.go b/provider/aws/documentdb/documentdb.go
index 6b44b3b5b..11b048d7c 100755
--- a/provider/aws/documentdb/documentdb.go
+++ b/provider/aws/documentdb/documentdb.go
@@ -32,3 +32,11 @@ type Instance struct {
 types.Metadata
 KMSKeyID types.StringValue
 }
+
+func (i *Instance) GetMetadata() *types.Metadata {
+ return &i.Metadata
+}
+
+func (i *Instance) GetRawValue() interface{} {
+ return nil
+}
\ No newline at end of file
diff --git a/rules/aws/apigateway/enable_access_logging.go b/rules/aws/apigateway/enable_access_logging.go
index 53343128f..a0cfd968b 100755
--- a/rules/aws/apigateway/enable_access_logging.go
+++ b/rules/aws/apigateway/enable_access_logging.go
@@ -34,6 +34,7 @@ var CheckEnableAccessLogging = rules.Register(
 if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
 results.Add(
 "Access logging is not configured.",
+ &stage,
 stage.AccessLogging.CloudwatchLogGroupARN,
 )
 } else {
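Review bot: The new guard in sarif.go compares `baseDir` to `rng.GetFilename()` with plain string equality, so it only fires when both are spelled identically; if either side has been cleaned, made absolute or uses a different separator, the comparison silently falls through and `relativePath` keeps whatever the preceding (out-of-hunk) computation produced. Normalising both sides before comparing, e.g. `if filepath.Clean(baseDir) == filepath.Clean(rng.GetFilename()) {`, would make the special case robust, and a one-line comment such as `// a result located at baseDir itself would otherwise get "." as its path` would explain why the base name is substituted. FormatSarif's body starts and ends outside the hunk, so the origin of `relativePath` is inferred, not seen.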
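Review bot: documentdb.go now ends without a trailing newline (the `\ No newline at end of file` marker after the new `GetRawValue` closer), which `gofmt` will rewrite on the next touch and which makes the next diff noisier; add the newline. The two new exported methods also lack doc comments; `// GetMetadata returns a pointer to the instance's embedded Metadata.` and `// GetRawValue returns nil: Instance carries no raw provider value.` would satisfy the exported-name convention and make the nil return read as intentional rather than as an unfinished stub. Any caller that type-asserts or dereferences the `interface{}` result needs to tolerate nil from this type.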
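Review bot: The added `&stage,` argument in enable_access_logging.go takes the address of a local variable; if `stage` is the per-iteration variable of a `for … range` loop that begins above the hunk (the loop header is outside the hunk) and the module's `go` directive is older than 1.22, every result produced by that loop holds the same pointer, which after the loop points at the last stage rather than the one the finding was about. Even on Go 1.22+ the pointer refers to the loop's copy, not the element in the underlying slice, so a consumer that compares identity or mutates through it sees a detached value. Worth confirming the go.mod version, or switching to an index-based range and passing the address of the slice element (e.g. `&stages[i]`, name illustrative). The same pattern recurs in every `results.Add(…, &x, …)` hunk in this change, for example `&device` in autoscaling/enable_at_rest_encryption.go, `&behaviour` in cloudfront/enforce_https.go, `&setting` in codebuild/enable_encryption.go and `&listener` in elb/http_not_used.go, so one fix at the loop level would cover them all.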
diff --git a/rules/aws/apigateway/enable_cache_encryption.go b/rules/aws/apigateway/enable_cache_encryption.go
index 02f02b01d..c040fe285 100755
--- a/rules/aws/apigateway/enable_cache_encryption.go
+++ b/rules/aws/apigateway/enable_cache_encryption.go
@@ -33,6 +33,7 @@ var CheckEnableCacheEncryption = rules.Register(
 if stage.RESTMethodSettings.CacheDataEncrypted.IsFalse() {
 results.Add(
 "Cache data is not encrypted.",
+ &stage,
 stage.RESTMethodSettings.CacheDataEncrypted,
 )
 } else {
diff --git a/rules/aws/apigateway/enable_tracing.go b/rules/aws/apigateway/enable_tracing.go
index f375dc881..de1b7c0ac 100755
--- a/rules/aws/apigateway/enable_tracing.go
+++ b/rules/aws/apigateway/enable_tracing.go
@@ -33,6 +33,7 @@ var CheckEnableTracing = rules.Register(
 if stage.XRayTracingEnabled.IsFalse() {
 results.Add(
 "X-Ray tracing is not enabled,",
+ &stage,
 stage.XRayTracingEnabled,
 )
 } else {
diff --git a/rules/aws/apigateway/no_public_access.go b/rules/aws/apigateway/no_public_access.go
index 7efc96c2f..da2ba1676 100755
--- a/rules/aws/apigateway/no_public_access.go
+++ b/rules/aws/apigateway/no_public_access.go
@@ -36,6 +36,7 @@ var CheckNoPublicAccess = rules.Register(
 if method.AuthorizationType.EqualTo(apigateway.AuthorizationNone) {
 results.Add(
 "Authorization is not enabled for this method.",
+ &method,
 method.AuthorizationType,
 )
 } else {
diff --git a/rules/aws/apigateway/use_secure_tls_policy.go b/rules/aws/apigateway/use_secure_tls_policy.go
index 67d2c8b1c..a90c864c8 100755
--- a/rules/aws/apigateway/use_secure_tls_policy.go
+++ b/rules/aws/apigateway/use_secure_tls_policy.go
@@ -27,6 +27,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 if domain.SecurityPolicy.NotEqualTo("TLS_1_2") {
 results.Add(
 "Domain name is configured with an outdated TLS policy.",
+ &domain,
 domain.SecurityPolicy,
 )
 } else {
diff --git a/rules/aws/athena/enable_at_rest_encryption.go b/rules/aws/athena/enable_at_rest_encryption.go
index c1e974a3e..c7eeb8fcb 100755
--- a/rules/aws/athena/enable_at_rest_encryption.go
+++ b/rules/aws/athena/enable_at_rest_encryption.go
@@ -31,6 +31,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if workgroup.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 results.Add(
 "Workgroup does not have encryption configured.",
+ &workgroup,
 workgroup.Encryption.Type,
 )
 } else {
@@ -44,6 +45,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if database.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
 results.Add(
 "Database does not have encryption configured.",
+ &database,
 database.Encryption.Type,
 )
 } else {
diff --git a/rules/aws/athena/no_encryption_override.go b/rules/aws/athena/no_encryption_override.go
index 435107383..4a7723a88 100755
--- a/rules/aws/athena/no_encryption_override.go
+++ b/rules/aws/athena/no_encryption_override.go
@@ -30,6 +30,7 @@ var CheckNoEncryptionOverride = rules.Register(
 if workgroup.EnforceConfiguration.IsFalse() {
 results.Add(
 "The workgroup configuration is not enforced.",
+ &workgroup,
 workgroup.EnforceConfiguration,
 )
 }
diff --git a/rules/aws/autoscaling/enable_at_rest_encryption.go b/rules/aws/autoscaling/enable_at_rest_encryption.go
index da8801925..0abbcf000 100755
--- a/rules/aws/autoscaling/enable_at_rest_encryption.go
+++ b/rules/aws/autoscaling/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if launchConfig.RootBlockDevice != nil && launchConfig.RootBlockDevice.Encrypted.IsFalse() {
 results.Add(
 "Root block device is not encrypted.",
+ &launchConfig,
 launchConfig.RootBlockDevice.Encrypted,
 )
 } else {
@@ -36,6 +37,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if device.Encrypted.IsFalse() {
 results.Add(
 "EBS block device is not encrypted.",
+ &device,
 device.Encrypted,
 )
 } else {
diff --git a/rules/aws/autoscaling/no_public_ip.go b/rules/aws/autoscaling/no_public_ip.go
index e2cdde33d..1e3366afb 100755
--- a/rules/aws/autoscaling/no_public_ip.go
+++ b/rules/aws/autoscaling/no_public_ip.go
@@ -27,6 +27,7 @@ var CheckNoPublicIp = rules.Register(
 if launchConfig.AssociatePublicIP.IsTrue() {
 results.Add(
 "Launch configuration associates public IP address.",
+ &launchConfig,
 launchConfig.AssociatePublicIP,
 )
 } else {
diff --git a/rules/aws/autoscaling/no_sensitive_info.go b/rules/aws/autoscaling/no_sensitive_info.go
index 6505a912e..a8196d468 100755
--- a/rules/aws/autoscaling/no_sensitive_info.go
+++ b/rules/aws/autoscaling/no_sensitive_info.go
@@ -28,6 +28,7 @@ var CheckNoSensitiveInfo = rules.Register(
 if result := scanner.Scan(launchConfig.UserData.Value()); result.TransgressionFound {
 results.Add(
 fmt.Sprintf("Sensitive data found in user data: %s", result.Description),
+ &launchConfig,
 launchConfig.UserData,
 )
 } else {
diff --git a/rules/aws/cloudfront/enable_logging.go b/rules/aws/cloudfront/enable_logging.go
index d0cae15db..e2c14f9cc 100755
--- a/rules/aws/cloudfront/enable_logging.go
+++ b/rules/aws/cloudfront/enable_logging.go
@@ -27,6 +27,7 @@ var CheckEnableLogging = rules.Register(
 if dist.Logging.Bucket.IsEmpty() {
 results.Add(
 "Distribution does not have logging enabled.",
+ &dist,
 dist.Logging.Bucket,
 )
 } else {
diff --git a/rules/aws/cloudfront/enable_waf.go b/rules/aws/cloudfront/enable_waf.go
index af26931e3..521105545 100755
--- a/rules/aws/cloudfront/enable_waf.go
+++ b/rules/aws/cloudfront/enable_waf.go
@@ -27,6 +27,7 @@ var CheckEnableWaf = rules.Register(
 if dist.WAFID.IsEmpty() {
 results.Add(
 "Distribution does not utilise a WAF.",
+ &dist,
 dist.WAFID,
 )
 } else {
diff --git a/rules/aws/cloudfront/enforce_https.go b/rules/aws/cloudfront/enforce_https.go
index 5d7d2cdbd..e70963ab2 100755
--- a/rules/aws/cloudfront/enforce_https.go
+++ b/rules/aws/cloudfront/enforce_https.go
@@ -30,6 +30,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 if dist.DefaultCacheBehaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 results.Add(
 "Distribution allows unencrypted communications.",
+ &dist,
 dist.DefaultCacheBehaviour.ViewerProtocolPolicy,
 )
 } else {
@@ -39,6 +40,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 if behaviour.ViewerProtocolPolicy.EqualTo(cloudfront.ViewerPolicyProtocolAllowAll) {
 results.Add(
 "Distribution allows unencrypted communications.",
+ &behaviour,
 behaviour.ViewerProtocolPolicy,
 )
 } else {
diff --git a/rules/aws/cloudfront/use_secure_tls_policy.go b/rules/aws/cloudfront/use_secure_tls_policy.go
index e5ba2ac04..194aa16f6 100755
--- a/rules/aws/cloudfront/use_secure_tls_policy.go
+++ b/rules/aws/cloudfront/use_secure_tls_policy.go
@@ -28,6 +28,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
 results.Add(
 "Distribution allows unencrypted communications.",
+ &dist,
 dist.ViewerCertificate.MinimumProtocolVersion,
 )
 } else {
diff --git a/rules/aws/cloudtrail/enable_all_regions.go b/rules/aws/cloudtrail/enable_all_regions.go
index 5d77c5095..99a4342c9 100755
--- a/rules/aws/cloudtrail/enable_all_regions.go
+++ b/rules/aws/cloudtrail/enable_all_regions.go
@@ -27,6 +27,7 @@ var CheckEnableAllRegions = rules.Register(
 if trail.IsMultiRegion.IsFalse() {
 results.Add(
 "Trail is not enabled across all regions.",
+ &trail,
 trail.IsMultiRegion,
 )
 } else {
diff --git a/rules/aws/cloudtrail/enable_at_rest_encryption.go b/rules/aws/cloudtrail/enable_at_rest_encryption.go
index 6e620014b..5970583ad 100755
--- a/rules/aws/cloudtrail/enable_at_rest_encryption.go
+++ b/rules/aws/cloudtrail/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if trail.KMSKeyID.IsEmpty() {
 results.Add(
 "Trail is not encrypted.",
+ &trail,
 trail.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/cloudtrail/enable_log_validation.go b/rules/aws/cloudtrail/enable_log_validation.go
index daf297228..5dbd660d5 100755
--- a/rules/aws/cloudtrail/enable_log_validation.go
+++ b/rules/aws/cloudtrail/enable_log_validation.go
@@ -27,6 +27,7 @@ var CheckEnableLogValidation = rules.Register(
 if trail.EnableLogFileValidation.IsFalse() {
 results.Add(
 "Trail does not have log validation enabled.",
+ &trail,
 trail.EnableLogFileValidation,
 )
 } else {
diff --git a/rules/aws/cloudwatch/log_group_customer_key.go b/rules/aws/cloudwatch/log_group_customer_key.go
index 0929db3f4..3653eb95c 100755
--- a/rules/aws/cloudwatch/log_group_customer_key.go
+++ b/rules/aws/cloudwatch/log_group_customer_key.go
@@ -27,6 +27,7 @@ var CheckLogGroupCustomerKey = rules.Register(
 if group.KMSKeyID.IsEmpty() {
 results.Add(
 "Log group is not encrypted.",
+ &group,
 group.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/codebuild/enable_encryption.go b/rules/aws/codebuild/enable_encryption.go
index 32fad51cf..e34627244 100755
--- a/rules/aws/codebuild/enable_encryption.go
+++ b/rules/aws/codebuild/enable_encryption.go
@@ -28,6 +28,7 @@ var CheckEnableEncryption = rules.Register(
 if project.ArtifactSettings.EncryptionEnabled.IsFalse() {
 results.Add(
 "Encryption is not enabled for project artifacts.",
+ &project,
 project.ArtifactSettings.EncryptionEnabled,
 )
 } else {
@@ -38,6 +39,7 @@ var CheckEnableEncryption = rules.Register(
 if setting.EncryptionEnabled.IsFalse() {
 results.Add(
 "Encryption is not enabled for secondary project artifacts.",
+ &setting,
 setting.EncryptionEnabled,
 )
 } else {
diff --git a/rules/aws/documentdb/enable_storage_encryption.go b/rules/aws/documentdb/enable_storage_encryption.go
index 9d469a3cf..995c09dec 100755
--- a/rules/aws/documentdb/enable_storage_encryption.go
+++ b/rules/aws/documentdb/enable_storage_encryption.go
@@ -25,6 +25,7 @@ var CheckEnableStorageEncryption = rules.Register(
 if cluster.StorageEncrypted.IsFalse() {
 results.Add(
 "Cluster storage does not have encryption enabled.",
+ &cluster,
 cluster.StorageEncrypted,
 )
 } else {
diff --git a/rules/aws/documentdb/encryption_customer_key.go b/rules/aws/documentdb/encryption_customer_key.go
index bab02fa38..b0ca0b711 100755
--- a/rules/aws/documentdb/encryption_customer_key.go
+++ b/rules/aws/documentdb/encryption_customer_key.go
@@ -25,6 +25,7 @@ var CheckEncryptionCustomerKey = rules.Register(
 if cluster.IsManaged() && cluster.KMSKeyID.IsEmpty() {
 results.Add(
 "Cluster encryption does not use a customer-managed KMS key.",
+ &cluster,
 cluster.KMSKeyID,
 )
 } else {
@@ -37,6 +38,7 @@ var CheckEncryptionCustomerKey = rules.Register(
 if instance.KMSKeyID.IsEmpty() {
 results.Add(
 "Instance encryption does not use a customer-managed KMS key.",
+ &instance,
 instance.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/ecr/enable_image_scans.go b/rules/aws/ecr/enable_image_scans.go
index 5bc1a424a..7109c8ba4 100755
--- a/rules/aws/ecr/enable_image_scans.go
+++ b/rules/aws/ecr/enable_image_scans.go
@@ -27,6 +27,7 @@ var CheckEnableImageScans = rules.Register(
 if repo.ImageScanning.ScanOnPush.IsFalse() {
 results.Add(
 "Image scanning is not enabled.",
+ &repo,
 repo.ImageScanning.ScanOnPush,
 )
 } else {
diff --git a/rules/aws/ecr/enforce_immutable_repository.go b/rules/aws/ecr/enforce_immutable_repository.go
index ae9ce2c21..b2b366b66 100755
--- a/rules/aws/ecr/enforce_immutable_repository.go
+++ b/rules/aws/ecr/enforce_immutable_repository.go
@@ -29,6 +29,7 @@ This can be done by setting image_tab_mutability to IMMUTABLE
 if repo.ImageTagsImmutable.IsFalse() {
 results.Add(
 "Repository tags are mutable.",
+ &repo,
 repo.ImageTagsImmutable,
 )
 } else {
diff --git a/rules/aws/ecr/no_public_access.go b/rules/aws/ecr/no_public_access.go
index 6d143b22e..4081015f8 100755
--- a/rules/aws/ecr/no_public_access.go
+++ b/rules/aws/ecr/no_public_access.go
@@ -46,6 +46,7 @@ var CheckNoPublicAccess = rules.Register(
 foundIssue = true
 results.Add(
 "Policy provides public access to the ECR repository.",
+ &repo,
 repo.Policy,
 )
 }
diff --git a/rules/aws/ecr/repository_customer_key.go b/rules/aws/ecr/repository_customer_key.go
index dcbb39aeb..633a72e6c 100755
--- a/rules/aws/ecr/repository_customer_key.go
+++ b/rules/aws/ecr/repository_customer_key.go
@@ -28,11 +28,13 @@ var CheckRepositoryCustomerKey = rules.Register(
 if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) {
 results.Add(
 "Repository is not encrypted using KMS.",
+ &repo,
 repo.Encryption.Type,
 )
 } else if repo.Encryption.KMSKeyID.IsEmpty() {
 results.Add(
 "Repository encryption does not use a customer managed KMS key.",
+ &repo,
 repo.Encryption.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/ecs/enable_container_insight.go b/rules/aws/ecs/enable_container_insight.go
index e78a08897..d8853c509 100755
--- a/rules/aws/ecs/enable_container_insight.go
+++ b/rules/aws/ecs/enable_container_insight.go
@@ -27,6 +27,7 @@ var CheckEnableContainerInsight = rules.Register(
 if cluster.Settings.ContainerInsightsEnabled.IsFalse() {
 results.Add(
 "Cluster does not have container insights enabled.",
+ &cluster,
 cluster.Settings.ContainerInsightsEnabled,
 )
 } else {
diff --git a/rules/aws/ecs/enable_in_transit_encryption.go b/rules/aws/ecs/enable_in_transit_encryption.go
index 05dfe6b15..3798a51b2 100755
--- a/rules/aws/ecs/enable_in_transit_encryption.go
+++ b/rules/aws/ecs/enable_in_transit_encryption.go
@@ -29,6 +29,7 @@ var CheckEnableInTransitEncryption = rules.Register(
 if volume.EFSVolumeConfiguration.TransitEncryptionEnabled.IsFalse() {
 results.Add(
 "Task definition includes a volume which does not have in-transit-encryption enabled.",
+ &volume,
 volume.EFSVolumeConfiguration.TransitEncryptionEnabled,
 )
 } else {
diff --git a/rules/aws/ecs/no_plaintext_secrets.go b/rules/aws/ecs/no_plaintext_secrets.go
index e549d71c8..1ba33dc57 100755
--- a/rules/aws/ecs/no_plaintext_secrets.go
+++ b/rules/aws/ecs/no_plaintext_secrets.go
@@ -40,6 +40,7 @@ var CheckNoPlaintextSecrets = rules.Register(
 if result := scanner.Scan(val); result.TransgressionFound {
 results.Add(
 fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", key, result.Description),
+ &definition,
 definition.ContainerDefinitions,
 )
 } else {
diff --git a/rules/aws/efs/enable_at_rest_encryption.go b/rules/aws/efs/enable_at_rest_encryption.go
index 602c739a9..330bf1226 100755
--- a/rules/aws/efs/enable_at_rest_encryption.go
+++ b/rules/aws/efs/enable_at_rest_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableAtRestEncryption = rules.Register(
 if fs.Encrypted.IsFalse() {
 results.Add(
 "File system is not encrypted.",
+ &fs,
 fs.Encrypted,
 )
 } else {
diff --git a/rules/aws/eks/enable_control_plane_logging.go b/rules/aws/eks/enable_control_plane_logging.go
index 5b0a1edaa..17f1f515a 100755
--- a/rules/aws/eks/enable_control_plane_logging.go
+++ b/rules/aws/eks/enable_control_plane_logging.go
@@ -27,6 +27,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 if cluster.Logging.API.IsFalse() {
 results.Add(
 "Control plane API logging is not enabled.",
+ &cluster,
 cluster.Logging.API,
 )
 } else {
@@ -36,6 +37,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 if cluster.Logging.Audit.IsFalse() {
 results.Add(
 "Control plane audit logging is not enabled.",
+ &cluster,
 cluster.Logging.Audit,
 )
 } else {
@@ -45,6 +47,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 if cluster.Logging.Authenticator.IsFalse() {
 results.Add(
 "Control plane authenticator logging is not enabled.",
+ &cluster,
 cluster.Logging.Authenticator,
 )
 } else {
@@ -54,6 +57,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 if cluster.Logging.ControllerManager.IsFalse() {
 results.Add(
 "Control plane controller manager logging is not enabled.",
+ &cluster,
 cluster.Logging.ControllerManager,
 )
 } else {
@@ -63,6 +67,7 @@ var CheckEnableControlPlaneLogging = rules.Register(
 if cluster.Logging.Scheduler.IsFalse() {
 results.Add(
 "Control plane scheduler logging is not enabled.",
+ &cluster,
 cluster.Logging.Scheduler,
 )
 } else {
diff --git a/rules/aws/eks/encrypt_secrets.go b/rules/aws/eks/encrypt_secrets.go
index 2120bbd43..5ce444b33 100755
--- a/rules/aws/eks/encrypt_secrets.go
+++ b/rules/aws/eks/encrypt_secrets.go
@@ -27,11 +27,13 @@ var CheckEncryptSecrets = rules.Register(
 if cluster.Encryption.Secrets.IsFalse() {
 results.Add(
 "Cluster does not have secret encryption enabled.",
+ &cluster,
 cluster.Encryption.Secrets,
 )
 } else if cluster.Encryption.KMSKeyID.IsEmpty() {
 results.Add(
 "Cluster encryption requires a KMS key ID, which is missing",
+ &cluster,
 cluster.Encryption.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/eks/no_public_cluster_access.go b/rules/aws/eks/no_public_cluster_access.go
index df51eb568..fbe1d999c 100755
--- a/rules/aws/eks/no_public_cluster_access.go
+++ b/rules/aws/eks/no_public_cluster_access.go
@@ -27,6 +27,7 @@ var CheckNoPublicClusterAccess = rules.Register(
 if cluster.PublicAccessEnabled.IsTrue() {
 results.Add(
 "Public cluster access is enabled.",
+ &cluster,
 cluster.PublicAccessEnabled,
 )
 } else {
diff --git a/rules/aws/elasticache/add_description_for_security_group.go b/rules/aws/elasticache/add_description_for_security_group.go
index c2675e835..c686a5b57 100755
--- a/rules/aws/elasticache/add_description_for_security_group.go
+++ b/rules/aws/elasticache/add_description_for_security_group.go
@@ -15,7 +15,7 @@ var CheckAddDescriptionForSecurityGroup = rules.Register(
 ShortCode: "add-description-for-security-group",
 Summary: "Missing description for security group/security group rule.",
 Impact: "Descriptions provide context for the firewall rule reasons",
- Resolution: "Add descriptions for all security groups and rules",
+ Resolution: "AddOld descriptions for all security groups and rules",
 Explanation: `Security groups and security group rules should include a description for auditing purposes.
 
 Simplifies auditing, debugging, and managing security groups.`,
@@ -29,6 +29,7 @@ Simplifies auditing, debugging, and managing security groups.`,
 if sg.Description.IsEmpty() {
 results.Add(
 "Security group does not have a description.",
+ &sg,
 sg.Description,
 )
 } else {
diff --git a/rules/aws/elasticache/enable_backup_retention.go b/rules/aws/elasticache/enable_backup_retention.go
index af6b8c079..e76b29762 100755
--- a/rules/aws/elasticache/enable_backup_retention.go
+++ b/rules/aws/elasticache/enable_backup_retention.go
@@ -35,6 +35,7 @@ var CheckEnableBackupRetention = rules.Register(
 if cluster.SnapshotRetentionLimit.EqualTo(0) {
 results.Add(
 "Cluster snapshot retention is not enabled.",
+ &cluster,
 cluster.SnapshotRetentionLimit,
 )
 } else {
diff --git a/rules/aws/elasticache/enable_in_transit_encryption.go b/rules/aws/elasticache/enable_in_transit_encryption.go
index b61ba957d..36c43e4de 100755
--- a/rules/aws/elasticache/enable_in_transit_encryption.go
+++ b/rules/aws/elasticache/enable_in_transit_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableInTransitEncryption = rules.Register(
 if group.TransitEncryptionEnabled.IsFalse() {
 results.Add(
 "Replication group does not have transit encryption enabled.",
+ &group,
 group.TransitEncryptionEnabled,
 )
 } else {
diff --git a/rules/aws/elasticsearch/enable_domain_encryption.go b/rules/aws/elasticsearch/enable_domain_encryption.go
index 09c8ff3f9..27591223c 100755
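Review bot: The changed `Resolution` line in add_description_for_security_group.go now reads `"AddOld descriptions for all security groups and rules"`, which looks like a search-and-replace of `Add` that leaked into a user-facing string literal; this text is shown to users as remediation advice, so it should be restored to `Resolution: "Add descriptions for all security groups and rules",`. Since the rest of this change is otherwise only the `&sg,`-style argument additions, the rename has no reason to touch this field, and it is worth grepping the full patch for any other literal that begins with `AddOld`.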
--- a/rules/aws/elasticsearch/enable_domain_encryption.go
+++ b/rules/aws/elasticsearch/enable_domain_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableDomainEncryption = rules.Register(
 if domain.AtRestEncryption.Enabled.IsFalse() {
 results.Add(
 "Domain does not have at-rest encryption enabled.",
+ &domain,
 domain.AtRestEncryption.Enabled,
 )
 } else {
diff --git a/rules/aws/elasticsearch/enable_domain_logging.go b/rules/aws/elasticsearch/enable_domain_logging.go
index f683290a9..f31ff64a9 100755
--- a/rules/aws/elasticsearch/enable_domain_logging.go
+++ b/rules/aws/elasticsearch/enable_domain_logging.go
@@ -33,6 +33,7 @@ All the logs are disabled by default.`,
 if domain.LogPublishing.AuditEnabled.IsFalse() {
 results.Add(
 "Domain audit logging is not enabled.",
+ &domain,
 domain.LogPublishing.AuditEnabled,
 )
 } else {
diff --git a/rules/aws/elasticsearch/enable_in_transit_encryption.go b/rules/aws/elasticsearch/enable_in_transit_encryption.go
index 8a84c8202..7c729bc6e 100755
--- a/rules/aws/elasticsearch/enable_in_transit_encryption.go
+++ b/rules/aws/elasticsearch/enable_in_transit_encryption.go
@@ -27,6 +27,7 @@ var CheckEnableInTransitEncryption = rules.Register(
 if domain.TransitEncryption.Enabled.IsFalse() {
 results.Add(
 "Domain does not have in-transit encryption enabled.",
+ &domain,
 domain.TransitEncryption.Enabled,
 )
 } else {
diff --git a/rules/aws/elasticsearch/enforce_https.go b/rules/aws/elasticsearch/enforce_https.go
index 3a200efb7..cd987cb5a 100755
--- a/rules/aws/elasticsearch/enforce_https.go
+++ b/rules/aws/elasticsearch/enforce_https.go
@@ -29,6 +29,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 if domain.Endpoint.EnforceHTTPS.IsFalse() {
 results.Add(
 "Domain does not enfroce HTTPS.",
+ &domain,
 domain.Endpoint.EnforceHTTPS,
 )
 } else {
diff --git a/rules/aws/elasticsearch/use_secure_tls_policy.go b/rules/aws/elasticsearch/use_secure_tls_policy.go
index cb51ed4e8..e7e176ba0 100755
--- a/rules/aws/elasticsearch/use_secure_tls_policy.go
+++ b/rules/aws/elasticsearch/use_secure_tls_policy.go
@@ -27,6 +27,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 if domain.Endpoint.TLSPolicy.NotEqualTo("Policy-Min-TLS-1-2-2019-07") {
 results.Add(
 "Domain does not have a secure TLS policy.",
+ &domain,
 domain.Endpoint.TLSPolicy,
 )
 } else {
diff --git a/rules/aws/elb/alb_not_public.go b/rules/aws/elb/alb_not_public.go
index e559dd281..17d345425 100755
--- a/rules/aws/elb/alb_not_public.go
+++ b/rules/aws/elb/alb_not_public.go
@@ -29,6 +29,7 @@ var CheckAlbNotPublic = rules.Register(
 if lb.Internal.IsFalse() {
 results.Add(
 "Load balancer is exposed publicly.",
+ &lb,
 lb.Internal,
 )
 } else {
diff --git a/rules/aws/elb/drop_invalid_headers.go b/rules/aws/elb/drop_invalid_headers.go
index 3dc68c66a..1a38048a0 100755
--- a/rules/aws/elb/drop_invalid_headers.go
+++ b/rules/aws/elb/drop_invalid_headers.go
@@ -33,6 +33,7 @@ By setting drop_invalid_header_fields to true, anything that doe not conform to
 if lb.DropInvalidHeaderFields.IsFalse() {
 results.Add(
 "Application load balancer is not set to drop invalid headers.",
+ &lb,
 lb.DropInvalidHeaderFields,
 )
 } else {
diff --git a/rules/aws/elb/http_not_used.go b/rules/aws/elb/http_not_used.go
index 3bca284c0..c63bf56be 100755
--- a/rules/aws/elb/http_not_used.go
+++ b/rules/aws/elb/http_not_used.go
@@ -43,6 +43,7 @@ You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning
 
 results.Add(
 "Listener for application load balancer does not use HTTPS.",
+ &listener,
 listener.Protocol,
 )
 }
diff --git a/rules/aws/elb/use_secure_tls_policy.go b/rules/aws/elb/use_secure_tls_policy.go
index fe72c283d..23d9af5a6 100755
--- a/rules/aws/elb/use_secure_tls_policy.go
+++ b/rules/aws/elb/use_secure_tls_policy.go
@@ -34,6 +34,7 @@ var CheckUseSecureTlsPolicy = rules.Register(
 if listener.TLSPolicy.EqualTo(outdated) {
 results.Add(
 "Listener uses an outdated TLS policy.",
+ &listener,
 listener.TLSPolicy,
 )
 } else {
diff --git a/rules/aws/iam/no_password_reuse.go b/rules/aws/iam/no_password_reuse.go
index 29144acc7..ad3bdd9d7 100755
--- a/rules/aws/iam/no_password_reuse.go
+++ b/rules/aws/iam/no_password_reuse.go
@@ -34,6 +34,7 @@ The account password policy should be set to prevent using any of the last five
 if policy.ReusePreventionCount.LessThan(5) {
 results.Add(
 "Password policy allows reuse of recent passwords.",
+ &policy,
 policy.ReusePreventionCount,
 )
 } else {
diff --git a/rules/aws/iam/require_lowercase_in_passwords.go b/rules/aws/iam/require_lowercase_in_passwords.go
index 4c496ce4c..cf03fe0f0 100755
--- a/rules/aws/iam/require_lowercase_in_passwords.go
+++ b/rules/aws/iam/require_lowercase_in_passwords.go
@@ -31,6 +31,7 @@ var CheckRequireLowercaseInPasswords = rules.Register(
 if policy.RequireLowercase.IsFalse() {
 results.Add(
 "Password policy does not require lowercase characters.",
+ &policy,
 policy.RequireLowercase,
 )
 } else {
diff --git a/rules/aws/iam/require_numbers_in_passwords.go b/rules/aws/iam/require_numbers_in_passwords.go
index bb00aa38a..33ed21fb2 100755
--- a/rules/aws/iam/require_numbers_in_passwords.go
+++ b/rules/aws/iam/require_numbers_in_passwords.go
@@ -31,6 +31,7 @@ var CheckRequireNumbersInPasswords = rules.Register(
 if policy.RequireNumbers.IsFalse() {
 results.Add(
 "Password policy does not require numbers.",
+ &policy,
 policy.RequireNumbers,
 )
 } else {
diff --git a/rules/aws/iam/require_symbols_in_passwords.go b/rules/aws/iam/require_symbols_in_passwords.go
index e93505abe..15dc4e20d 100755
--- a/rules/aws/iam/require_symbols_in_passwords.go
+++ b/rules/aws/iam/require_symbols_in_passwords.go
@@ -31,6 +31,7 @@ var CheckRequireSymbolsInPasswords = rules.Register(
 if policy.RequireSymbols.IsFalse() {
 results.Add(
 "Password policy does not require symbols.",
+ &policy,
 policy.RequireSymbols,
 )
 } else {
diff --git a/rules/aws/iam/require_uppercase_in_passwords.go b/rules/aws/iam/require_uppercase_in_passwords.go
index b513b8b6d..33bb4e88c 100755
--- a/rules/aws/iam/require_uppercase_in_passwords.go
+++ b/rules/aws/iam/require_uppercase_in_passwords.go
@@ -32,6 +32,7 @@ IAM account password policies should ensure that passwords content including at
 if policy.RequireUppercase.IsFalse() {
 results.Add(
 "Password policy does not require uppercase characters.",
+ &policy,
 policy.RequireUppercase,
 )
 } else {
diff --git a/rules/aws/iam/set_max_password_age.go b/rules/aws/iam/set_max_password_age.go
index faf8f18cf..2a36fd225 100755
--- a/rules/aws/iam/set_max_password_age.go
+++ b/rules/aws/iam/set_max_password_age.go
@@ -33,6 +33,7 @@ The account password policy should be set to expire passwords after 90 days or l
 if policy.MaxAgeDays.GreaterThan(90) {
 results.Add(
 "Password policy allows a maximum password age of greater than 90 days.",
+ &policy,
 policy.MaxAgeDays,
 )
 } else {
diff --git a/rules/aws/iam/set_minimum_password_length.go b/rules/aws/iam/set_minimum_password_length.go
index 3b4e31358..83d4ccce3 100755
--- a/rules/aws/iam/set_minimum_password_length.go
+++ b/rules/aws/iam/set_minimum_password_length.go
@@ -33,6 +33,7 @@ The account password policy should be set to enforce minimum password length of
 if policy.MinimumLength.LessThan(14) {
 results.Add(
 "Password policy has a minimum password length of less than 14 characters.",
+ &policy,
 policy.MinimumLength,
 )
 } else {
diff --git a/rules/aws/kinesis/enable_in_transit_encryption.go b/rules/aws/kinesis/enable_in_transit_encryption.go
index edb48d371..98d683cae 100755
--- a/rules/aws/kinesis/enable_in_transit_encryption.go
+++ b/rules/aws/kinesis/enable_in_transit_encryption.go
@@ -28,11 +28,13 @@ var CheckEnableInTransitEncryption = rules.Register(
 if stream.Encryption.Type.NotEqualTo(kinesis.EncryptionTypeKMS) {
 results.Add(
 "Stream does not use KMS encryption.",
+ &stream,
 stream.Encryption.Type,
 )
 } else if stream.Encryption.KMSKeyID.IsEmpty() {
 results.Add(
 "Stream does not use a custom-managed KMS key.",
+ &stream,
 stream.Encryption.KMSKeyID,
 )
 } else {
diff --git a/rules/aws/kms/auto_rotate_keys.go b/rules/aws/kms/auto_rotate_keys.go
index cbfadbace..4e45c4a85 100755
--- a/rules/aws/kms/auto_rotate_keys.go
+++ b/rules/aws/kms/auto_rotate_keys.go
@@ -31,6 +31,7 @@ var CheckAutoRotateKeys = rules.Register(
 if key.RotationEnabled.IsFalse() {
 results.Add(
 "Key does not have rotation enabled.",
+ &key,
 key.RotationEnabled,
 )
 } else {
diff --git a/rules/aws/lambda/enable_tracing.go b/rules/aws/lambda/enable_tracing.go
index af4d2fb6c..d97322f14 100755
--- a/rules/aws/lambda/enable_tracing.go
+++ b/rules/aws/lambda/enable_tracing.go
@@ -28,6 +28,7 @@ var CheckEnableTracing = rules.Register(
 if function.Tracing.Mode.NotEqualTo(lambda.TracingModeActive) && function.Tracing.Mode.NotEqualTo(lambda.TracingModePassThrough) {
 results.Add(
 "Function does not have tracing enabled.",
+ &function,
 function.Tracing.Mode,
 )
 } else {
diff --git a/rules/aws/lambda/restrict_source_arn.go b/rules/aws/lambda/restrict_source_arn.go
index 6e61eb3c3..7ecc193e7 100755
--- a/rules/aws/lambda/restrict_source_arn.go
+++ b/rules/aws/lambda/restrict_source_arn.go
@@ -35,6 +35,7 @@ For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this sho
 if permission.SourceARN.IsEmpty() {
 results.Add(
 "Lambda permission lacks source ARN for *.amazonaws.com principal.",
+ &function,
 permission.SourceARN,
 )
 } else {
diff --git a/rules/aws/mq/enable_audit_logging.go b/rules/aws/mq/enable_audit_logging.go
index 3dea43350..62e277ce7 100755
--- a/rules/aws/mq/enable_audit_logging.go
+++ b/rules/aws/mq/enable_audit_logging.go
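Review bot: In restrict_source_arn.go the new argument is `&function` while both the condition and the following argument read `permission.SourceARN`, so the finding is attributed to the enclosing function rather than to the permission that actually lacks a source ARN; every other hunk in this change passes the innermost object being inspected (`&device`, `&setting`, `&listener`). If the permission type carries its own metadata, `&permission,` would give consumers the precise location; if it does not, a short comment such as `// permissions carry no metadata of their own; attribute to the owning function` would stop the inconsistency from reading as a mistake. The loop that declares `permission` starts outside the hunk, so which of the two is intended cannot be confirmed from here.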
@@ -27,6 +27,7 @@ var CheckEnableAuditLogging = rules.Register(
 if broker.Logging.Audit.IsFalse() {
 results.Add(
 "Broker does not have audit logging enabled.",
+ &broker,
 broker.Logging.Audit,
 )
 } else {
diff --git a/rules/aws/mq/enable_general_logging.go b/rules/aws/mq/enable_general_logging.go
index 1c21d92fc..fb26cbade 100755
--- a/rules/aws/mq/enable_general_logging.go
+++ b/rules/aws/mq/enable_general_logging.go
@@ -27,6 +27,7 @@ var CheckEnableGeneralLogging = rules.Register(
 if broker.Logging.General.IsFalse() {
 results.Add(
 "Broker does not have general logging enabled.",
+ &broker,
 broker.Logging.General,
 )
 } else {
diff --git a/rules/aws/mq/no_public_access.go b/rules/aws/mq/no_public_access.go
index f941e7bd6..71f030e6c 100755
--- a/rules/aws/mq/no_public_access.go
+++ b/rules/aws/mq/no_public_access.go
@@ -27,6 +27,7 @@ var CheckNoPublicAccess = rules.Register(
 if broker.PublicAccess.IsTrue() {
 results.Add(
 "Broker has public access enabled.",
+ &broker,
 broker.PublicAccess,
 )
 } else {
diff --git a/rules/aws/msk/enable_in_transit_encryption.go b/rules/aws/msk/enable_in_transit_encryption.go
index b37dfb58e..504a310ea 100755
--- a/rules/aws/msk/enable_in_transit_encryption.go
+++ b/rules/aws/msk/enable_in_transit_encryption.go
@@ -28,11 +28,13 @@ var CheckEnableInTransitEncryption = rules.Register(
 if cluster.EncryptionInTransit.ClientBroker.EqualTo(msk.ClientBrokerEncryptionPlaintext) {
 results.Add(
 "Cluster allows plaintext communication.",
+ &cluster,
 cluster.EncryptionInTransit.ClientBroker,
 )
 } else if cluster.EncryptionInTransit.ClientBroker.EqualTo(msk.ClientBrokerEncryptionTLSOrPlaintext) {
 results.Add(
 "Cluster allows plaintext communication.",
+ &cluster,
 cluster.EncryptionInTransit.ClientBroker,
 )
 } else {
diff --git a/rules/aws/msk/enable_logging.go b/rules/aws/msk/enable_logging.go
index e672ae7c1..a392e4448 100755
--- a/rules/aws/msk/enable_logging.go
+++ b/rules/aws/msk/enable_logging.go
@@ -43,6 +43,7 @@ var CheckEnableLogging = rules.Register( results.Add( "Cluster does not ship logs to any service.", + &cluster, brokerLogging.Cloudwatch.Enabled, ) } diff --git a/rules/aws/neptune/enable_log_export.go b/rules/aws/neptune/enable_log_export.go index 27cd29c8d..2e0a435a5 100755 --- a/rules/aws/neptune/enable_log_export.go +++ b/rules/aws/neptune/enable_log_export.go @@ -27,6 +27,7 @@ var CheckEnableLogExport = rules.Register( if cluster.Logging.Audit.IsFalse() { results.Add( "Cluster does not have audit logging enabled.", + &cluster, cluster.Logging.Audit, ) } else { diff --git a/rules/aws/neptune/enable_storage_encryption.go b/rules/aws/neptune/enable_storage_encryption.go index a1f953eee..edb5fc6a5 100755 --- a/rules/aws/neptune/enable_storage_encryption.go +++ b/rules/aws/neptune/enable_storage_encryption.go @@ -27,11 +27,13 @@ var CheckEnableStorageEncryption = rules.Register( if cluster.StorageEncrypted.IsFalse() { results.Add( "Cluster does not have storage encryption enabled.", + &cluster, cluster.StorageEncrypted, ) } else if cluster.KMSKeyID.IsEmpty() { results.Add( "Cluster does not encrypt data with a customer managed key.", + &cluster, cluster.KMSKeyID, ) } else { diff --git a/rules/aws/rds/enable_performance_insights.go b/rules/aws/rds/enable_performance_insights.go index 6fffd49e2..8ee16ce20 100755 --- a/rules/aws/rds/enable_performance_insights.go +++ b/rules/aws/rds/enable_performance_insights.go @@ -32,11 +32,13 @@ The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "` if cluster.PerformanceInsights.Enabled.IsFalse() { results.Add( "Cluster does not have performance insights enabled.", + &cluster, cluster.PerformanceInsights.Enabled, ) } else if cluster.PerformanceInsights.KMSKeyID.IsEmpty() { results.Add( "Cluster has performance insights enabled without encryption.", + &cluster, cluster.PerformanceInsights.KMSKeyID, ) } else { 
@@ -50,11 +52,13 @@ The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "` if instance.PerformanceInsights.Enabled.IsFalse() { results.Add( "Instance does not have performance insights enabled.", + &instance, instance.PerformanceInsights.Enabled, ) } else if instance.PerformanceInsights.KMSKeyID.IsEmpty() { results.Add( "Instance has performance insights enabled without encryption.", + &instance, instance.PerformanceInsights.KMSKeyID, ) } else { diff --git a/rules/aws/rds/encrypt_cluster_storage_data.go b/rules/aws/rds/encrypt_cluster_storage_data.go index 355af70b1..d3cc5fbd4 100755 --- a/rules/aws/rds/encrypt_cluster_storage_data.go +++ b/rules/aws/rds/encrypt_cluster_storage_data.go @@ -32,11 +32,13 @@ When enabling encryption by setting the kms_key_id, the storage_encrypted must a if cluster.Encryption.EncryptStorage.IsFalse() { results.Add( "Cluster does not have storage encryption enabled.", + &cluster, cluster.Encryption.EncryptStorage, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster does not specify a customer managed key for storage encryption.", + &cluster, cluster.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/rds/encrypt_instance_storage_data.go b/rules/aws/rds/encrypt_instance_storage_data.go index 2cd320449..c80ee386f 100755 --- a/rules/aws/rds/encrypt_instance_storage_data.go +++ b/rules/aws/rds/encrypt_instance_storage_data.go @@ -32,6 +32,7 @@ When enabling encryption by setting the kms_key_id.`, if instance.Encryption.EncryptStorage.IsFalse() { results.Add( "Instance does not have storage encryption enabled.", + &instance, instance.Encryption.EncryptStorage, ) } else { diff --git a/rules/aws/rds/no_public_db_access.go b/rules/aws/rds/no_public_db_access.go index 98d0c9e4b..dc768a5b6 100755 --- a/rules/aws/rds/no_public_db_access.go +++ b/rules/aws/rds/no_public_db_access.go 
@@ -28,6 +28,7 @@ var CheckNoPublicDbAccess = rules.Register( if instance.PublicAccess.IsTrue() { results.Add( "Cluster instance is exposed publicly.", + &instance, instance.PublicAccess, ) } else { @@ -39,6 +40,7 @@ var CheckNoPublicDbAccess = rules.Register( if instance.PublicAccess.IsTrue() { results.Add( "Instance is exposed publicly.", + &instance, instance.PublicAccess, ) } else { diff --git a/rules/aws/rds/specify_backup_retention.go b/rules/aws/rds/specify_backup_retention.go index 6779a8bf2..9ba5792c1 100755 --- a/rules/aws/rds/specify_backup_retention.go +++ b/rules/aws/rds/specify_backup_retention.go @@ -33,6 +33,7 @@ var CheckBackupRetentionSpecified = rules.Register( if cluster.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Cluster has very low backup retention period.", + &cluster, cluster.BackupRetentionPeriodDays, ) } else { @@ -46,6 +47,7 @@ var CheckBackupRetentionSpecified = rules.Register( if instance.BackupRetentionPeriodDays.LessThan(2) { results.Add( "Instance has very low backup retention period.", + &instance, instance.BackupRetentionPeriodDays, ) } else { diff --git a/rules/aws/redshift/add_description_to_security_group.go b/rules/aws/redshift/add_description_to_security_group.go index bb4e75883..9e464adcf 100755 --- a/rules/aws/redshift/add_description_to_security_group.go +++ b/rules/aws/redshift/add_description_to_security_group.go @@ -15,7 +15,7 @@ var CheckAddDescriptionToSecurityGroup = rules.Register( ShortCode: "add-description-to-security-group", Summary: "Missing description for security group/security group rule.", Impact: "Descriptions provide context for the firewall rule reasons", - Resolution: "Add descriptions for all security groups and rules", + Resolution: "AddOld descriptions for all security groups and rules", Explanation: `Security groups and security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`, 
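Review bot: The new Resolution text in redshift/add_description_to_security_group.go reads `"AddOld descriptions for all security groups and rules"`, which looks like a repository-wide rename of an `Add` identifier that also rewrote the word inside string literals; this string is user-facing remediation advice, so the line should be `Resolution: "Add descriptions for all security groups and rules",`. The same accidental edit is present in s3/enable_logging.go, s3/no_public_acl.go, vpc/add_description_to_security_group.go and vpc/add_description_to_security_group_rule.go in this diff, and a grep for `AddOld` across the rule metadata before merging would confirm none remain. While the no_public_acl.go line is being touched, its Resolution describes adding a logging block, which reads as copied from enable_logging.go rather than advice about the public ACL.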
@@ -29,6 +29,7 @@ Simplifies auditing, debugging, and managing security groups.`, if group.Description.IsEmpty() { results.Add( "Security group has no description.", + &group, group.Description, ) } else { diff --git a/rules/aws/redshift/encryption_customer_key.go b/rules/aws/redshift/encryption_customer_key.go index a6a5e01fc..c28c727b4 100755 --- a/rules/aws/redshift/encryption_customer_key.go +++ b/rules/aws/redshift/encryption_customer_key.go @@ -27,11 +27,13 @@ var CheckEncryptionCustomerKey = rules.Register( if cluster.Encryption.Enabled.IsFalse() { results.Add( "Cluster does not have encryption enabled.", + &cluster, cluster.Encryption.Enabled, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster does not use a customer managed encryption key.", + &cluster, cluster.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/redshift/non_default_vpc_deployment.go b/rules/aws/redshift/non_default_vpc_deployment.go index 552570f20..5d73f6724 100755 --- a/rules/aws/redshift/non_default_vpc_deployment.go +++ b/rules/aws/redshift/non_default_vpc_deployment.go @@ -29,6 +29,7 @@ In order to benefit from the additional security features achieved with using an if cluster.SubnetGroupName.IsEmpty() { results.Add( "Cluster is deployed outside of a VPC.", + &cluster, cluster.SubnetGroupName, ) } else { diff --git a/rules/aws/s3/block_public_acls.go b/rules/aws/s3/block_public_acls.go index 073295b74..ad9847636 100755 --- a/rules/aws/s3/block_public_acls.go +++ b/rules/aws/s3/block_public_acls.go @@ -31,6 +31,7 @@ S3 buckets should block public ACLs on buckets and any objects they contain. By } else if bucket.PublicAccessBlock.BlockPublicACLs.IsFalse() { results.Add( "Public access block does not block public ACLs", + &bucket, bucket.PublicAccessBlock.BlockPublicACLs, ) } else { diff --git a/rules/aws/s3/block_public_policy.go b/rules/aws/s3/block_public_policy.go index 47e2471f9..3fc066f76 100755 --- a/rules/aws/s3/block_public_policy.go 
+++ b/rules/aws/s3/block_public_policy.go @@ -32,6 +32,7 @@ S3 bucket policy should have block public policy to prevent users from putting a } else if bucket.PublicAccessBlock.BlockPublicPolicy.IsFalse() { results.Add( "Public access block does not block public policies", + &bucket, bucket.PublicAccessBlock.BlockPublicPolicy, ) } else { diff --git a/rules/aws/s3/enable_encryption.go b/rules/aws/s3/enable_encryption.go index f9ba8dfc1..224fd6201 100755 --- a/rules/aws/s3/enable_encryption.go +++ b/rules/aws/s3/enable_encryption.go @@ -30,6 +30,7 @@ S3 Buckets should be encrypted with customer managed KMS keys and not default AW if bucket.Encryption.Enabled.IsFalse() { results.Add( "Bucket does not have encryption enabled", + &bucket, bucket.Encryption.Enabled, ) } else { diff --git a/rules/aws/s3/enable_logging.go b/rules/aws/s3/enable_logging.go index fd95b2d29..319150887 100755 --- a/rules/aws/s3/enable_logging.go +++ b/rules/aws/s3/enable_logging.go @@ -16,7 +16,7 @@ var CheckLoggingIsEnabled = rules.Register( Summary: "S3 Bucket does not have logging enabled.", Explanation: "Buckets should have logging enabled so that access can be audited.", Impact: "There is no way to determine the access to this bucket", - Resolution: "Add a logging block to the resource to enable access logging", + Resolution: "AddOld a logging block to the resource to enable access logging", Links: []string{ "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html", }, @@ -27,6 +27,7 @@ var CheckLoggingIsEnabled = rules.Register( if !bucket.Logging.Enabled.IsTrue() && bucket.ACL.NotEqualTo("log-delivery-write") { results.Add( "Bucket does not have logging enabled", + &bucket, bucket.Logging.Enabled, ) } else { diff --git a/rules/aws/s3/enable_versioning.go b/rules/aws/s3/enable_versioning.go index 23a64f520..0dbb5840d 100755 --- a/rules/aws/s3/enable_versioning.go +++ b/rules/aws/s3/enable_versioning.go 
@@ -31,6 +31,7 @@ With versioning you can recover more easily from both unintended user actions an if !bucket.Versioning.Enabled.IsTrue() { results.Add( "Bucket does not have versioning enabled", + &bucket, bucket.Versioning.Enabled, ) } else { diff --git a/rules/aws/s3/ignore_public_acls.go b/rules/aws/s3/ignore_public_acls.go index 91d2fd178..66069d8a6 100755 --- a/rules/aws/s3/ignore_public_acls.go +++ b/rules/aws/s3/ignore_public_acls.go @@ -31,6 +31,7 @@ S3 buckets should ignore public ACLs on buckets and any objects they contain. By } else if bucket.PublicAccessBlock.IgnorePublicACLs.IsFalse() { results.Add( "Public access block does not ignore public ACLs", + &bucket, bucket.PublicAccessBlock.IgnorePublicACLs, ) } else { diff --git a/rules/aws/s3/no_public_acl.go b/rules/aws/s3/no_public_acl.go index 2466a6de5..dfe6e3ab0 100755 --- a/rules/aws/s3/no_public_acl.go +++ b/rules/aws/s3/no_public_acl.go @@ -20,7 +20,7 @@ var CheckForPublicACL = rules.Register( Buckets should have logging enabled so that access can be audited. `, Impact: "There is no way to determine the access to this bucket", - Resolution: "Add a logging block to the resource to enable access logging", + Resolution: "AddOld a logging block to the resource to enable access logging", Links: []string{ "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html", @@ -33,11 +33,13 @@ Buckets should have logging enabled so that access can be audited. if bucket.ACL.EqualTo("authenticated-read") { results.Add( "Bucket is exposed to all AWS accounts via ACL.", + &bucket, bucket.ACL, ) } else { results.Add( fmt.Sprintf("Bucket has a public ACL: '%s'.", bucket.ACL.Value()), + &bucket, bucket.ACL, ) } diff --git a/rules/aws/s3/restrict_public_buckets.go b/rules/aws/s3/restrict_public_buckets.go index c3f6bb506..630af721d 100755 --- a/rules/aws/s3/restrict_public_buckets.go +++ b/rules/aws/s3/restrict_public_buckets.go 
@@ -29,6 +29,7 @@ var CheckPublicBucketsAreRestricted = rules.Register( } else if bucket.PublicAccessBlock.RestrictPublicBuckets.IsFalse() { results.Add( "Public access block does not restrict public buckets", + &bucket, bucket.PublicAccessBlock.RestrictPublicBuckets, ) } else { diff --git a/rules/aws/sns/enable_topic_encryption.go b/rules/aws/sns/enable_topic_encryption.go index 821731750..5fcf65ace 100755 --- a/rules/aws/sns/enable_topic_encryption.go +++ b/rules/aws/sns/enable_topic_encryption.go @@ -32,6 +32,7 @@ var CheckEnableTopicEncryption = rules.Register( } else if topic.Encryption.KMSKeyID.EqualTo("alias/aws/sns") { results.Add( "Topic encryption does not use a customer managed key.", + &topic, topic.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/sqs/enable_queue_encryption.go b/rules/aws/sqs/enable_queue_encryption.go index a198450cc..3657dfd4f 100755 --- a/rules/aws/sqs/enable_queue_encryption.go +++ b/rules/aws/sqs/enable_queue_encryption.go @@ -27,6 +27,7 @@ var CheckEnableQueueEncryption = rules.Register( if queue.Encryption.KMSKeyID.IsEmpty() || queue.Encryption.KMSKeyID.EqualTo("alias/aws/sqs") { results.Add( "Queue is not encrypted with a customer managed key.", + &queue, queue.Encryption.KMSKeyID, ) } else { diff --git a/rules/aws/sqs/no_wildcards_in_policy_documents.go b/rules/aws/sqs/no_wildcards_in_policy_documents.go index 0f471a1a5..9546a9b09 100755 --- a/rules/aws/sqs/no_wildcards_in_policy_documents.go +++ b/rules/aws/sqs/no_wildcards_in_policy_documents.go @@ -39,6 +39,7 @@ This ensures that the queue itself cannot be modified or deleted, and prevents p fail = true results.Add( "Queue policy does not restrict actions to a known set.", + &queue, queue.Policy, ) break diff --git a/rules/aws/ssm/secret_use_customer_key.go b/rules/aws/ssm/secret_use_customer_key.go index e9e6d1af0..bd4cdbec5 100755 --- a/rules/aws/ssm/secret_use_customer_key.go +++ b/rules/aws/ssm/secret_use_customer_key.go 
@@ -27,6 +27,7 @@ var CheckSecretUseCustomerKey = rules.Register( if secret.KMSKeyID.IsEmpty() { results.Add( "Secret is not encrypted with a customer managed key.", + &secret, secret.KMSKeyID, ) } else { diff --git a/rules/aws/vpc/add_description_to_security_group.go b/rules/aws/vpc/add_description_to_security_group.go index af413b07a..209de1e03 100755 --- a/rules/aws/vpc/add_description_to_security_group.go +++ b/rules/aws/vpc/add_description_to_security_group.go @@ -15,7 +15,7 @@ var CheckAddDescriptionToSecurityGroup = rules.Register( ShortCode: "add-description-to-security-group", Summary: "Missing description for security group.", Impact: "Descriptions provide context for the firewall rule reasons", - Resolution: "Add descriptions for all security groups", + Resolution: "AddOld descriptions for all security groups", Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`, @@ -32,6 +32,7 @@ Simplifies auditing, debugging, and managing security groups.`, if group.Description.IsEmpty() { results.Add( "Security group does not have a description.", + &group, group.Description, ) } else { diff --git a/rules/aws/vpc/add_description_to_security_group_rule.go b/rules/aws/vpc/add_description_to_security_group_rule.go index 9e5af2b2e..51c8b1819 100755 --- a/rules/aws/vpc/add_description_to_security_group_rule.go +++ b/rules/aws/vpc/add_description_to_security_group_rule.go 
@@ -15,7 +15,7 @@ var CheckAddDescriptionToSecurityGroupRule = rules.Register( ShortCode: "add-description-to-security-group-rule", Summary: "Missing description for security group rule.", Impact: "Descriptions provide context for the firewall rule reasons", - Resolution: "Add descriptions for all security groups rules", + Resolution: "AddOld descriptions for all security groups rules", Explanation: `Security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`, @@ -30,6 +30,7 @@ Simplifies auditing, debugging, and managing security groups.`, if rule.Description.IsEmpty() { results.Add( "Security group rule does not have a description.", + &rule, rule.Description, ) } else { diff --git a/rules/aws/vpc/no_excessive_port_access.go b/rules/aws/vpc/no_excessive_port_access.go index 9a5d51ffa..e3e8b9663 100755 --- a/rules/aws/vpc/no_excessive_port_access.go +++ b/rules/aws/vpc/no_excessive_port_access.go @@ -28,6 +28,7 @@ var CheckNoExcessivePortAccess = rules.Register( if rule.Protocol.EqualTo(-1) { results.Add( "Network ACL rule allows access using ALL ports.", + &rule, rule.Protocol, ) } else { diff --git a/rules/aws/vpc/no_public_egress_sgr.go b/rules/aws/vpc/no_public_egress_sgr.go index 724b76eb6..d9e007454 100755 --- a/rules/aws/vpc/no_public_egress_sgr.go +++ b/rules/aws/vpc/no_public_egress_sgr.go @@ -32,6 +32,7 @@ var CheckNoPublicEgressSgr = rules.Register( fail = true results.Add( "Security group rule allows egress to public internet.", + &group, block, ) } diff --git a/rules/aws/vpc/no_public_ingress_acl.go b/rules/aws/vpc/no_public_ingress_acl.go index 7ec890ebe..d08db689a 100755 --- a/rules/aws/vpc/no_public_ingress_acl.go +++ b/rules/aws/vpc/no_public_ingress_acl.go @@ -39,6 +39,7 @@ var CheckNoPublicIngress = rules.Register( fail = true results.Add( "Network ACL rule allows ingress from public internet.", + &rule, block, ) } 
diff --git a/rules/aws/vpc/no_public_ingress_sgr.go b/rules/aws/vpc/no_public_ingress_sgr.go index 9519dad4a..1e68d682b 100755 --- a/rules/aws/vpc/no_public_ingress_sgr.go +++ b/rules/aws/vpc/no_public_ingress_sgr.go @@ -32,6 +32,7 @@ var CheckNoPublicIngressSgr = rules.Register( failed = true results.Add( "Security group rule allows ingress from public internet.", + &group, block, ) } diff --git a/rules/aws/workspaces/enable_disk_encryption.go b/rules/aws/workspaces/enable_disk_encryption.go index 473548bb3..915195393 100755 --- a/rules/aws/workspaces/enable_disk_encryption.go +++ b/rules/aws/workspaces/enable_disk_encryption.go @@ -28,6 +28,7 @@ var CheckEnableDiskEncryption = rules.Register( if workspace.RootVolume.Encryption.Enabled.IsFalse() { results.Add( "Root volume does not have encryption enabled.", + &workspace, workspace.RootVolume.Encryption.Enabled, ) fail = true @@ -35,6 +36,7 @@ var CheckEnableDiskEncryption = rules.Register( if workspace.UserVolume.Encryption.Enabled.IsFalse() { results.Add( "User volume does not have encryption enabled.", + &workspace, workspace.UserVolume.Encryption.Enabled, ) fail = true diff --git a/rules/flat.go b/rules/flat.go index f217763cd..2352916d2 100755 --- a/rules/flat.go +++ b/rules/flat.go @@ -42,7 +42,7 @@ func (r *Result) Flatten() FlatResult { RuleID: r.rule.AVDID, RuleSummary: r.rule.Summary, RuleProvider: r.rule.Provider, - Impact: r.rule.AVDID, + Impact: r.rule.Impact, Resolution: r.rule.Resolution, Links: r.rule.Links, Description: r.Description(), diff --git a/rules/result.go b/rules/result.go index fb5f31f66..6b7982995 100755 --- a/rules/result.go +++ b/rules/result.go 
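Review bot: The corrected `Impact: r.rule.Impact,` in flat.go fixes a field that was silently carrying the rule ID, and nothing in the hunk guards against a repeat: a small test for `Flatten` that builds a Result whose rule has distinct values in every field and asserts each FlatResult field against its counterpart would catch this class of copy-paste mismatch. Flatten's body starts and ends outside the hunk.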
@@ -87,19 +87,25 @@ type MetadataProvider interface { GetRawValue() interface{} } -func (r *Results) Add(description string, source MetadataProvider) { +func (r *Results) Add(description string, source MetadataProvider, issueBlock ...MetadataProvider) { var annotationStr string - metadata := source.GetMetadata() - if metadata != nil && metadata.IsExplicit() { - annotationStr = rawToString(source.GetRawValue()) + + result := Result{ + description: description, + codeBlock: source.GetMetadata(), } - *r = append(*r, - Result{ - description: description, - codeBlock: metadata, - annotation: annotationStr, - }, - ) + + if len(issueBlock) > 0 { + metadata := issueBlock[0].GetMetadata() + if metadata != nil && metadata.IsExplicit() { + annotationStr = rawToString(issueBlock[0].GetRawValue()) + + } + result.annotation = annotationStr + result.issueBlock = issueBlock[0].GetMetadata() + } + + *r = append(*r, result) } func (r *Results) AddPassed(source MetadataProvider, descriptions ...string) {
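Review bot: Making the third argument variadic means a call site this sweep missed, `results.Add(desc, attr)` with only the attribute, still compiles but now stores the attribute's metadata as `codeBlock` with no `issueBlock` and no annotation (the old code derived the annotation from `source`, the new code only from `issueBlock[0]`), so any un-migrated rule degrades silently instead of failing the build; a required third parameter, or at least a follow-up grep for two-argument `Add` calls, would surface them. Inside the new branch `issueBlock[0].GetMetadata()` is fetched twice; `result.issueBlock = metadata` reuses the value already held, and `annotationStr` can then be declared inside that branch next to its only use (the stray blank line inside the inner `if` can go too). Since both parameters are the same interface type, a doc comment on `Add` saying that `source` is the resource whose block is reported and the optional `issueBlock` is the offending attribute (the parameter name reads the other way round) would keep callers from swapping them.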