
feat: databricks workspace module #2


Triggered via pull request October 28, 2024 11:59
Status Success
Total duration 1m 31s
Billable time 2m

kics_sec_scan.yml

on: pull_request
Run security KICS scaner
1m 14s

Annotations

11 warnings
Run security KICS scaner
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
[HIGH] S3 Bucket Allows Public Policy: main.tf#L124
S3 bucket allows public policy
[HIGH] S3 Bucket Without Enabled MFA Delete: main.tf#L145
S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations
[HIGH] S3 Bucket Without Enabled MFA Delete: main.tf#L145
S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations
[HIGH] S3 Bucket Without Restriction Of Public Bucket: main.tf#L124
S3 bucket without restriction of public bucket
[MEDIUM] S3 Bucket Allows Public ACL: main.tf#L124
S3 bucket allows public ACL
[MEDIUM] S3 Bucket Logging Disabled: main.tf#L124
Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
[MEDIUM] S3 Bucket Without Versioning: main.tf#L145
S3 bucket should have versioning enabled
[MEDIUM] Unpinned Actions Full Length Commit SHA: .github/workflows/pre-commit.yml#L75
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[MEDIUM] Unpinned Actions Full Length Commit SHA: .github/workflows/release.yml#L28
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[MEDIUM] Unpinned Actions Full Length Commit SHA: .github/workflows/pre-commit.yml#L39
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.