Address security static analysis things (#52)
Grunet authored Aug 5, 2023
1 parent bc80f86 commit 74649de
Showing 7 changed files with 3,345 additions and 40 deletions.
8 changes: 7 additions & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -14,4 +14,10 @@ RUN POETRY_VERSION=1.5.1 POETRY_HOME=/home/vscode/.local/ python poetryInstallSc
# AWS Cloudformation

RUN apt-get install -y python3-pip="22.0.2+dfsg-1ubuntu0.3"
RUN pip install cfn-lint=='0.79.5'
RUN pip install cfn-lint=='0.79.5'

# This is partially duplicated in ci.yaml, with the copy target being the only difference
RUN mkdir ./cfn-guard-temp/
RUN wget https://github.com/aws-cloudformation/cloudformation-guard/releases/download/3.0.0/cfn-guard-v3-ubuntu-latest.tar.gz -O - | tar -xzvf - -C ./cfn-guard-temp/
RUN cp ./cfn-guard-temp/cfn-guard-v3-ubuntu-latest/cfn-guard /home/vscode/.local/bin/
RUN rm -rf ./cfn-guard-temp/
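Review bot: the `wget ... | tar -xzvf -` line streams the cfn-guard 3.0.0 release tarball straight from the network into `tar` with no integrity check, so the devcontainer image trusts whatever the download endpoint returns at build time. Pinning the version tag is good, but it does not protect against a replaced asset; download the archive to a file, compare it against a checksum pinned in the repository before extracting, and only then copy `cfn-guard` into `/home/vscode/.local/bin/`. The same four lines appear in `.github/workflows/ci.yaml` with only the copy target changed, as the comment admits; a single install script that takes the target directory as an argument would keep the two copies, and any checksum pin, from drifting apart.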
12 changes: 12 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -82,3 +82,15 @@ jobs:
- name: Lint
run: |
make lint
- name: Install cfn-guard
# This is partially duplicated in .devcontainer/Dockerfile, with the copy target being the only difference
run: |
mkdir ./cfn-guard-temp/
wget https://github.com/aws-cloudformation/cloudformation-guard/releases/download/3.0.0/cfn-guard-v3-ubuntu-latest.tar.gz -O - | tar -xzvf - -C ./cfn-guard-temp/
cp ./cfn-guard-temp/cfn-guard-v3-ubuntu-latest/cfn-guard ~/.local/bin/
rm -rf ./cfn-guard-temp/
- name: Static Analysis - guard
run: |
make static-analysis-guard
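Review bot: same unverified download as in the devcontainer Dockerfile, and it matters more here because this step gates CI: the tarball piped from the GitHub release into `tar` is never checked against a known digest, so a swapped release asset would run as the tool that is supposed to be doing the security review. Save the archive, verify a checksum committed alongside the workflow, then extract. Separately, the `cp ./cfn-guard-temp/cfn-guard-v3-ubuntu-latest/cfn-guard ~/.local/bin/` line assumes `~/.local/bin` already exists on the runner; if it does not, `cp` fails on the trailing slash, so a `mkdir -p ~/.local/bin` before the copy makes the step robust to runner image changes.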
7 changes: 6 additions & 1 deletion packages/aws-cloudformation/CHANGELOG.md
Expand Up @@ -10,9 +10,14 @@ What is in scope for breaking changes includes (but isn't necessarily limited to

## Changes

### (Unreleased)
### v0.2.0

- Restrict values for LogRetentionPolicy in the honeypot stack to the values log groups allow so there's feedback before stack creation
- Allow for injecting a KMS key into the honeypot stack to use for the new log group
- Switch to using managed policies instead of inline policies for the task and task execution roles

- (Dev only change) Always use the latest Amazon Linux 2023 image for the basion host
- (Dev only change) Start using cfn-guard for security static analysis

### v0.1.1

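Review bot: typo in the second dev-only entry, `basion host` should read `bastion host`. Also worth flagging that this hunk renames the `(Unreleased)` section to `v0.2.0`, which cuts a release in the same commit that introduces the static-analysis tooling; the commit message only mentions the static-analysis work, so either call out the release in the message or split the version bump into its own commit so the history matches the changelog.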
8 changes: 7 additions & 1 deletion packages/aws-cloudformation/Makefile
@@ -1,4 +1,10 @@
SHELL:=/bin/bash -O globstar # Needed to make sure the glob below finds file at the root of the folder

lint:
cfn-lint ./templates/**/*.yaml
cfn-lint ./templates/**/*.yaml
static-analysis-guard: # Only focusing on the templates that get published to consumers for now
cfn-guard validate \
--rules ./guard-rules-registry-all-rules.guard \
--data ./templates/honeypot.yaml \
--data ./templates/honeypot-stack-policies.yaml \
--show-summary all
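Review bot: neither `lint` nor `static-analysis-guard` is declared `.PHONY`, so a file or directory named `lint` or `static-analysis-guard` at the package root would make `make` report the target as up to date and silently skip the check; add a `.PHONY: lint static-analysis-guard` line. Second, `--data ./templates/honeypot-stack-policies.yaml` is passed alongside the template: if that file is a stack policy document rather than a CloudFormation template, the CloudFormation rule set has no `Resources` to evaluate and the run only adds noise to the summary, so confirm it is a template or drop it. Third, the guard target hard-codes two files while `lint` globs `./templates/**/*.yaml`; the comment states the intent, but a published template added later will be linted and not guarded unless someone remembers to extend this list, so consider deriving the `--data` arguments from the same glob or from an explicit list shared with the publish step.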