
Some insecure code #4

Open
wants to merge 1 commit into main

Conversation

Turochamp

No description provided.

@jit-ci jit-ci bot left a comment

❌ Jit has detected 4 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.

@@ -0,0 +1,23 @@
resource "aws_s3_bucket" "this" {

Security control: Iac Misconfig Detection

Type: S3 Bucket Sse Disabled

Description: If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required

Severity: HIGH

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_finding Ignore this specific single instance of finding
  • #jit_ignore_type_this_repo Ignore any finding of this type in this repo
  • #jit_undo_ignore Undo ignore command

bucket = var.bucket_name
acl = "public"

versioning {
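Review bot: `acl = "public"` is the most serious problem in this block and none of the four findings mentions it; "public" is not even one of the S3 canned ACL names (private, public-read, public-read-write, ...), so the intent is clearly a world-readable bucket. Suggest `acl = "private"` together with an `aws_s3_bucket_public_access_block` resource with `block_public_acls`, `block_public_policy`, `ignore_public_acls` and `restrict_public_buckets` all set to true. For the two findings Jit does raise here, add a server-side encryption configuration (the inline block, or on provider v4+ the separate `aws_s3_bucket_server_side_encryption_configuration` resource) and `enabled = true` inside `versioning`, since MFA delete requires versioning to be on. The `versioning {` block is cut off in this view, so whether `enabled` is set cannot be confirmed from the hunk.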

Security control: Iac Misconfig Detection

Type: S3 Bucket Without Enabled Mfa Delete

Description: S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform; it can be done by adding an MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using the AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please also notice that MFA delete cannot be used with lifecycle configurations

Severity: HIGH


@@ -0,0 +1 @@
MY_AZURE_SECRET="AKIAIOSFODNN7EXAMPLE"
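Review bot: a credential value must not be committed at all, and this one is also mislabelled: the name says Azure, but `AKIAIOSFODNN7EXAMPLE` has the AWS access key ID format (AKIA prefix) and is the placeholder key used throughout the AWS documentation, so the line is either a copy-paste with the wrong name or a deliberate test fixture. Suggest dropping the file from the PR, reading secrets from the environment or a secrets manager at runtime, adding the file to .gitignore, and, if a real key was ever pasted here, rotating it, since deleting the line in a later commit does not remove it from history. Also, the finding says "keypair", but only an access key ID appears; there is no secret access key next to it.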

Security control: Secret Detection

Type: Aws-Access-Token

Description: An AWS Keypair was detected

Severity: HIGH



@@ -0,0 +1,2 @@
import subprocess
output = subprocess.check_output(f"nslookup2 {my_new_domain}", shell=True, encoding='UTF-8')
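Review bot: the f-string drops `my_new_domain` straight into a `shell=True` command line, so any shell metacharacter in that value is executed as a second command; that is the Jit finding on this line and the real bug here. Suggest `subprocess.run(["nslookup", my_new_domain], capture_output=True, text=True, check=True)` with no shell, after checking that `my_new_domain` is a syntactically valid hostname. Two further points: `nslookup2` is not the standard tool name, and `my_new_domain` is never defined in this two-line file, so the snippet does not run as submitted.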

Security control: Static Code Analysis Python

Type: Subprocess Popen With Shell Equals True

Description: subprocess call with shell=True identified, security issue.

Severity: HIGH

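The hardened shape of the flagged call, as an added example rather than code from this PR or from Jit: the domain is validated as a hostname and handed to subprocess as an argv list, so no shell ever parses it. The `nslookup` binary name, the hostname grammar and the function names are this example's assumptions.

```python
import re
import subprocess

# RFC 1123 hostname labels: alphanumerics and hyphens, no leading/trailing hyphen.
# Assumption of this example: only ordinary DNS names are ever looked up.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def validate_hostname(name: str) -> str:
    """Return name unchanged if it is a syntactically valid hostname, else raise."""
    if not 1 <= len(name) <= 253 or not _HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"invalid hostname: {name!r}")
    return name


def lookup_argv(domain: str) -> list[str]:
    """argv for the lookup: with a list and no shell, nothing in `domain`
    is parsed as shell syntax, and validation rejects odd input anyway."""
    return ["nslookup", validate_hostname(domain)]


def shell_command_line(domain: str) -> str:
    """The string the PR's f-string + shell=True form would hand to /bin/sh.
    Built here only for comparison; this function executes nothing."""
    return f"nslookup {domain}"


def lookup(domain: str, timeout: float = 5.0) -> str:
    """Run the lookup without a shell; raises ValueError on a bad name and
    subprocess.CalledProcessError if nslookup exits non-zero."""
    proc = subprocess.run(lookup_argv(domain), capture_output=True,
                          text=True, check=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a benign name and one carrying shell metacharacters.
    for candidate in ("example.com", "example.com; id"):
        print("shell form would run:", shell_command_line(candidate))
        try:
            print("argv form runs:", lookup_argv(candidate))
        except ValueError as exc:
            print("argv form rejected:", exc)
```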

@Turochamp Turochamp changed the title Some code Some insecure code May 18, 2022