fix: module update #9
levchykmkics_sec_scan.yml
on: pull_request
Run security KICS scaner
50s
Annotations
11 warnings
|
Run security KICS scaner
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
|
[HIGH] S3 Bucket Allows Public Policy:
main.tf#L124
S3 bucket allows public policy
|
|
[HIGH] S3 Bucket Without Enabled MFA Delete:
main.tf#L145
S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations
|
|
[HIGH] S3 Bucket Without Enabled MFA Delete:
main.tf#L145
S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations
|
|
[HIGH] S3 Bucket Without Restriction Of Public Bucket:
main.tf#L124
S3 bucket without restriction of public bucket
|
|
[MEDIUM] S3 Bucket Allows Public ACL:
main.tf#L124
S3 bucket allows public ACL
|
|
[MEDIUM] S3 Bucket Logging Disabled:
main.tf#L124
Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
|
|
[MEDIUM] S3 Bucket Without Versioning:
main.tf#L145
S3 bucket should have versioning enabled
|
|
[MEDIUM] Unpinned Actions Full Length Commit SHA:
.github/workflows/pre-commit.yml#L39
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[MEDIUM] Unpinned Actions Full Length Commit SHA:
.github/workflows/kics_sec_scan.yml#L18
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[MEDIUM] Unpinned Actions Full Length Commit SHA:
.github/workflows/documentation.yml#L17
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|