feat(reorganize_folders): Merge checks. (#1196)

Co-authored-by: sergargar <sergio@verica.io>
2026-02-10 14:55:00 +00:00 · 2022-06-14 13:10:26 +02:00
parent 36fcab17f3
commit eb679f50f1
238 changed files with 0 additions and 549 deletions
--- a/providers/aws/services/ecr/check_extra765
+++ b/providers/aws/services/ecr/check_extra765
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+#   https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
+#
+#   aws ecr put-image-scanning-configuration \
+#     --region <value> \
+#     --repository-name <value> \
+#     --image-scanning-configuration scanOnPush=true
+
+CHECK_ID_extra765="7.65"
+CHECK_TITLE_extra765="[extra765] Check if ECR image scan on push is enabled "
+CHECK_SCORED_extra765="NOT_SCORED"
+CHECK_CIS_LEVEL_extra765="EXTRA"
+CHECK_SEVERITY_extra765="Medium"
+CHECK_ALTERNATE_check765="extra765"
+CHECK_SERVICENAME_extra765="ecr"
+CHECK_RISK_extra765='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra765='Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.'
+CHECK_DOC_extra765='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html'
+CHECK_CAF_EPIC_extra765='Infrastructure Security'
+
+extra765(){
+  for region in $REGIONS; do
+    LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $region --query "repositories[*].[repositoryName]" --output text 2>&1)
+    if [[ $(echo "$LIST_ECR_REPOS" | grep AccessDenied) ]]; then
+      textInfo "$region: Access Denied Trying to describe ECR repositories" "$region"
+      continue
+    fi
+    if [[ ! -z "$LIST_ECR_REPOS" ]]; then
+      for repo in $LIST_ECR_REPOS; do
+        SCAN_ENABLED=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $region --query "repositories[?repositoryName==\`$repo\`].[imageScanningConfiguration.scanOnPush]" --output text 2>&1)
+        case "$SCAN_ENABLED" in
+          "True")
+            textPass "$region: ECR repository $repo has scan on push enabled" "$region" "$repo"
+            ;;
+          "False")
+            textFail "$region: ECR repository $repo has scan on push disabled!" "$region" "$repo"
+            ;;
+          "None")
+            textInfo "$region: ECR repository $repo has no scanOnPush status: newer awscli needed" "$region" "$repo"
+            ;;
+          "*")
+            textInfo "$region: ECR repository $repo has unknown scanOnPush status \"$SCAN_ENABLED\"" "$region" "$repo"
+            ;;
+        esac
+      done
+    else
+      textInfo "$region: No ECR repositories found" "$region"
+    fi
+  done
+}
--- a/providers/aws/services/ecr/check_extra77
+++ b/providers/aws/services/ecr/check_extra77
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra77="7.7"
+CHECK_TITLE_extra77="[extra77] Ensure there are no ECR repositories set as Public"
+CHECK_SCORED_extra77="NOT_SCORED"
+CHECK_CIS_LEVEL_extra77="EXTRA"
+CHECK_SEVERITY_extra77="Critical"
+CHECK_ALTERNATE_extra707="extra77"
+CHECK_ALTERNATE_check77="extra77"
+CHECK_ALTERNATE_check707="extra77"
+CHECK_SERVICENAME_extra77="ecr"
+CHECK_RISK_extra77='Policy may allow Anonymous users to perform actions.'
+CHECK_REMEDIATION_extra77='Ensure this repository and its contents should be publicly accessible.'
+CHECK_DOC_extra77='https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html'
+CHECK_CAF_EPIC_extra77='Data Protection'
+
+extra77(){
+  # "Ensure there are no ECR repositories set as Public "
+  for regx in $REGIONS; do
+    LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region $regx --query "repositories[*].[repositoryName]" --output text 2>&1)
+    if [[ $(echo "$LIST_ECR_REPOS" | grep AccessDenied) ]]; then
+      textInfo "$regx: Access Denied Trying to describe ECR repositories" "$regx" "$repo"
+      continue
+    fi
+    if [[ $(echo "$LIST_ECR_REPOS" | grep SubscriptionRequiredException) ]]; then
+      textInfo "$regx: Subscription Required Exception trying to describe ECR repositories" "$regx" "$repo"
+      continue
+    fi
+    if [[ ! -z "$LIST_ECR_REPOS" ]]; then
+      for repo in $LIST_ECR_REPOS; do
+        TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-ecr-repo.policy.XXXXXXXXXX)
+        $AWSCLI ecr get-repository-policy $PROFILE_OPT --region $regx --repository-name $repo --query "policyText" --output text > $TEMP_POLICY_FILE 2>&1
+        if [[ $(grep AccessDenied $TEMP_POLICY_FILE) ]]; then
+          textInfo "$regx: Access Denied to get repository policy for repo $repo" "$regx" "$repo"
+          rm -f $TEMP_POLICY_FILE
+          continue
+        fi
+        # https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html - "By default, only the repository owner has access to a repository."
+        if [[ $(grep RepositoryPolicyNotFoundException $TEMP_POLICY_FILE) ]]; then
+          textPass "$regx: $repo is not open" "$regx" "$repo"
+          rm -f $TEMP_POLICY_FILE
+          continue
+        fi
+        # check if the policy has Principal as *
+        CHECK_ECR_REPO_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | jq '.Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")))')
+        if [[ $CHECK_ECR_REPO_ALLUSERS_POLICY ]]; then
+          textFail "$regx: $repo policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
+        else
+          textPass "$regx: $repo is not open" "$regx" "$repo"
+        fi
+        rm -f $TEMP_POLICY_FILE
+      done
+    else
+      textInfo "$regx: No ECR repositories found" "$regx" "$repo"
+    fi
+  done
+}
--- a/providers/aws/services/ecr/check_extra776
+++ b/providers/aws/services/ecr/check_extra776
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+# Remediation:
+#
+#   https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
+#
+#   aws ecr put-image-scanning-configuration \
+#     --region <value> \
+#     --repository-name <value> \
+#     --image-scanning-configuration scanOnPush=true
+#
+#   aws ecr describe-image-scan-findings \
+#     --region <value> \
+#     --repository-name <value>
+#     --image-id imageTag=<value>
+
+CHECK_ID_extra776="7.76"
+CHECK_TITLE_extra776="[extra776] Check if ECR image scan found vulnerabilities in the newest image version"
+CHECK_SCORED_extra776="NOT_SCORED"
+CHECK_CIS_LEVEL_extra776="EXTRA"
+CHECK_SEVERITY_extra776="Medium"
+CHECK_ALTERNATE_check776="extra776"
+CHECK_SERVICENAME_extra776="ecr"
+CHECK_ASFF_RESOURCE_TYPE_extra776="AwsEcrRepository"
+CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
+CHECK_REMEDIATION_extra776='Open the Amazon ECR console. Then look for vulnerabilities and fix them.'
+CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
+CHECK_CAF_EPIC_extra776='Logging and Monitoring'
+
+extra776(){
+  for region in ${REGIONS}; do
+    # List ECR repositories
+    LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region "${region}" --query "repositories[*].[repositoryName]" --output text 2>&1)
+    # Handle authorization errors
+    if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$LIST_ECR_REPOS"; then
+      textInfo "$region: Access Denied trying to describe ECR repositories" "$region"
+      continue
+    fi
+    if [[ -n "$LIST_ECR_REPOS" ]]; then
+      for repo in $LIST_ECR_REPOS; do
+        # Check if the repository has scanOnPush enabled
+        SCAN_ENABLED=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region "${region}" --query "repositories[?repositoryName=='${repo}'].[imageScanningConfiguration.scanOnPush]" --output text 2>&1)
+        if [[ "${SCAN_ENABLED}" == "True" ]]; then
+          # Recover newest image digest
+          NEWEST_IMAGE_DIGEST=$($AWSCLI ecr describe-images $PROFILE_OPT --region "${region}" --repository-name "${repo}" --query "sort_by(imageDetails,& imagePushedAt)[-1].imageDigest" --output text | head -n 1 2>&1)
+          if [[ "${NEWEST_IMAGE_DIGEST}" != *"None"* ]]; then
+            # Recover newest image tag
+            NEWEST_IMAGE_TAG=$($AWSCLI ecr describe-images $PROFILE_OPT --region "${region}" --repository-name "${repo}" --query "sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]" --output text | head -n 1 2>&1)
+            if [[ -n "${LIST_ECR_REPOS}" ]]; then
+              # For this newest digest, recover the last scan status
+              IMAGE_SCAN_STATUS=$($AWSCLI ecr describe-image-scan-findings $PROFILE_OPT --region "${region}" --repository-name "${repo}" --image-id imageDigest="${NEWEST_IMAGE_DIGEST}" --query "imageScanStatus.status" --output text 2>&1)
+              if [[ "${IMAGE_SCAN_STATUS}" == *"ScanNotFoundException"* ]]; then
+                textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} without a scan" "${region}" "${repo}"
+              else
+                if [[ "${IMAGE_SCAN_STATUS}" == *"FAILED"* ]]; then
+                  textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with scan status ${IMAGE_SCAN_STATUS}" "${region}" "${repo}"
+                else
+                  # For this newest digest, recover the number of findings found
+                  # This search needs a JSON response to match against severity
+                  FINDINGS_COUNT=$($AWSCLI ecr describe-image-scan-findings $PROFILE_OPT --region "${region}" --repository-name "${repo}" --image-id imageDigest="${NEWEST_IMAGE_DIGEST}" --query "imageScanFindings.findingSeverityCounts" --output json 2>&1)
+                  if [[ -n "${FINDINGS_COUNT}" ]]; then
+                      SEVERITY_CRITICAL=$(jq -r '.CRITICAL' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_CRITICAL}" != "null" ]]; then
+                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with CRITICAL ($SEVERITY_CRITICAL) findings" "${region}" "${repo}"
+                      fi
+                      SEVERITY_HIGH=$(jq -r '.HIGH' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_HIGH}" != "null" ]]; then
+                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with HIGH ($SEVERITY_HIGH) findings" "${region}" "${repo}"
+                      fi
+                      SEVERITY_MEDIUM=$(jq -r '.MEDIUM' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_MEDIUM}" != "null" ]]; then
+                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with MEDIUM ($SEVERITY_MEDIUM) findings" "${region}" "${repo}"
+                      fi
+                      SEVERITY_LOW=$(jq -r '.LOW' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_LOW}" != "null" ]]; then
+                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with LOW ($SEVERITY_LOW) findings" "${region}" "${repo}"
+                      fi
+                      SEVERITY_INFORMATIONAL=$(jq -r '.INFORMATIONAL' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_INFORMATIONAL}" != "null" ]]; then
+                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "${region}" "${repo}"
+                      fi
+                      SEVERITY_UNDEFINED=$(jq -r '.UNDEFINED' <<< "${FINDINGS_COUNT}")
+                      if [[ "${SEVERITY_UNDEFINED}" != "null" ]]; then
+                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with UNDEFINED ($SEVERITY_UNDEFINED) findings" "${region}" "${repo}"
+                      fi
+                  else
+                    textPass "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} without findings" "${region}" "${repo}"
+                  fi
+                fi
+              fi
+            fi
+          else
+            textInfo "${region}: ECR repository ${repo} has no images" "${region}"
+          fi
+        else
+          textInfo "${region}: ECR repository ${repo} has scanOnPush disabled" "${region}" "${repo}"
+        fi
+      done
+    else
+      textInfo "${region}: No ECR repositories found" "${region}"
+    fi
+  done
+}