diff --git a/checks/check_extra768 b/checks/check_extra768
index 94089008..591983af 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -23,22 +23,22 @@ extra768(){
 # this folder is deleted once this check is finished
 mkdir $SECRETS_TEMP_FOLDER
 fi
- DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
 for regx in $REGIONS; do
- # Get a list of ALL Task Definitions:
- $AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx | jq -r .taskDefinitionArns[] > ALL_TASK_DEFINITIONS.txt
- # Filter it down to ONLY the latest version of that task definition:
- LIST_OF_TASK_DEFINITIONS=$(python ${DIR}/get_latest_ecs_task_definition_version.py -f ALL_TASK_DEFINITIONS.txt)
- if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
- for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
- IFS='/' read -r -a splitArn <<< "$taskDefinition"
+ # Get a list of all families first:
+ FAMILIES=$($AWSCLI ecs list-task-definition-families $PROFILE_OPT --region $regx --status ACTIVE | jq -r .families[])
+ if [[ $FAMILIES ]]; then
+ for FAMILY in $FAMILIES;do
+ # Get the full task definition arn:
+ TASK_DEFINITION_TEMP=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --family-prefix $FAMILY --sort DESC --max-items 1 | jq -r .taskDefinitionArns[0])
+ # We only care about the task definition name:
+ IFS='/' read -r -a splitArn <<< "$TASK_DEFINITION_TEMP"
 TASK_DEFINITION=${splitArn[1]}
 TASK_DEFINITION_ENV_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra768-$TASK_DEFINITION-$regx-variables.txt"
- TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $taskDefinition --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $TASK_DEFINITION --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
 if [ -s $TASK_DEFINITION_ENV_VARIABLES_FILE 
];then
- # Implementation using https://github.com/Yelp/detect-secrets
- FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ # Implementation using https://github.com/Yelp/detect-secrets
+ FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
 if [[ $FINDINGS -eq 0 ]]; then
 textPass "$regx: No secrets found in ECS task definition $TASK_DEFINITION variables" "$regx"
 # delete file if nothing interesting is there
diff --git a/checks/get_latest_ecs_task_definition_version.py b/checks/get_latest_ecs_task_definition_version.py
deleted file mode 100644
index d096d6fb..00000000
--- a/checks/get_latest_ecs_task_definition_version.py
+++ /dev/null
@@ -1,23 +0,0 @@
-import argparse
-
-def parseArgs():
- parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
- parser.add_argument('-f', help='file containing list of ecs task definitions', required=True)
- args = parser.parse_args()
- return args
-
-
-if __name__ == '__main__':
- args = parseArgs()
- family = {}
- with open(args.f, 'r') as fd:
- for line in fd:
- l = line.strip()
- family_name = l[:l.rfind(':')]
- version_int = int(l[l.rfind(':') + 1:])
- if family_name not in family:
- family[family_name] = version_int
- if family[family_name] < version_int:
- family[family_name] = version_int
- for family, version in family.items():
- print('{}:{}'.format(family, version))
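Review bot: `--family-prefix $FAMILY` on the new `TASK_DEFINITION_TEMP=` line is a prefix match rather than an exact one, so when two ACTIVE families share a prefix (say `web` and `web-canary`, constructed names) the `--sort DESC --max-items 1` pick can be the longer-named family's ARN, and the shorter family's latest revision is then never described or scanned for secrets while the other is scanned twice. Filtering the listing on the exact family closes that gap: `TASK_DEFINITION_TEMP=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --family-prefix $FAMILY --sort DESC | jq -r --arg f "$FAMILY" '.taskDefinitionArns[] | select(split("/")[1] | startswith($f + ":"))' | head -n 1)`. An empty listing makes `jq -r .taskDefinitionArns[0]` print `null`, which then flows into `TASK_DEFINITION`, the temp file name and the describe call; a guard such as `[[ $TASK_DEFINITION_TEMP != null ]] || continue` before the `read -r -a splitArn` line keeps that out. The enclosing `extra768()` body continues past the end of the hunk.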