Force the batch-import-findings AWS CLI call to be directed at the region the currently reporting resource is located in, as Security Hub enforces this requirement
When checking that Security Hub is enabled, check for all regions that are in scope, e.g. all regions, unless '-f <region>' is used
Fixes#618
Write output files (CSV, JSON, etc.) to an `output` directory that is relative to prowler itself, no matter where prowler is invoked from.
Simplify Dockerfile by specifying a WORKDIR
Replace ADD command with the more recommended COPY command
Update README to cover how to run in Docker and access saved reports
Add a .dockerignore file to ignore .git and output directories
This partially addresses #570 - previously, within Docker, Prowler was attempting to write
reports to the root `/` directory in the container, which it did not have permission to do.
Instead, reports are now written to a path relative to Prowler
Continue to show (unwhitelisted) failed checks as failures in JUnit output, but rather than exclude failing whitelisted checks from JUnit, mark them as skipped
Fixes#590
Change `-l` flag to print a unique list of every single check (assuming none are orphaned outside of all groups)
Allow `-g <group_id>` to be specified in combination with `-l`, to only print checks that are referenced by the specified group
When listing all checks with `-l` only, print out all groups that reference each check
Fixes: #545
Rearrange output functions so they support outputting text alongside other formats, if specified
Add a convenience function for checking if JUnit output is enabled
Move monochrome setting into loop so it better supports multiple formats
Update README
If the -J flag is passed, generate JUnit XML reports for each check, in-line with how Java tools generate JUnit reports.
Check section numbers equate to 'root packages', checks are second-level packages, each check equates to a testsuite (mirroring Java where each test class is a testsuite) and each pass/fail of a check equates to a testcase
Time the execution of each check and include this in the report
Include properties (Prowler version, check level etc.) in-line with standard JUnit files
XML escape all strings for safety
Detect if a user has GNU coreutils installed on Mac OS X, but not as their default, switching to using gdate for date commands if so, as it has more features, including getting dates in milliseconds
Add prowler-output, junit-reports and VSCode files to .gitignore
Update README to include JUnit info, address markdownlint warnings
Remove unused arguments to jq in generateJsonAsffOutput
Fixes#537
Remove the second entry in any comma-separated check IDs from each check, formatting
the check ID with leading zeros in `include/outputs` if the `-n` flag is active
- Move Security Hub related code to a dedicated include/securityhub_integration file
- Check that Security Hub is enabled in the target region before beginning checks when -S is specified
- Add error handling to the batch-import-findings call
- Add CHECK_ASFF_TYPE variables to all CIS checks to override the default
- Add support for CHECK_ASFF_RESOURCE_TYPE variables which override the default 'AwsAccount' value for the resource a finding relates to.
- Add CHECK_ASFF_RESOURCE_TYPE variables to all checks where there is a suitable value in the schema
- Remove json-asff output for info messages as they are not appropriate for possible submission to Security Hub
- Update the README to cover Security Hub integration
- Add an IAM policy JSON document that provides the necessary BatchImportFindings permission for Security Hub
- Remove trailing whitespace and periods in pass/fail messages to be consistent with the majority of messages, to prevent future tidy-up from changing the finding IDs
json-asff mode outputs JSON, similar to the standard 'json' mode with one check per line, but in AWS Security Finding Format - used by AWS Security Hub
Currently uses a generic Type, Resources and ProductArn value, but sets the Id to a unique value that includes the details of the message, in order to separate out checks that run against multiple resources and output one result per resource per check. This ensures that findings can be updated, should the resource move in or out of compliance
securityhub mode generates the ASFF JSON and then passes it to an 'aws securityhub batch-import-findings' call, once per resource per check. Output to the screen is similar to the standard mode, but prints whether or not the finding was submitted successfully
Fixes#524
