
     1  package ecr
     2  
     3  import (
     4  	"fmt"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecr"
    11  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
    12  
    13  	"github.com/liamg/iamgo"
    14  )
    15  
// getRepositories adapts every AWS::ECR::Repository resource in the template
// into an ecr.Repository. Properties the template does not set fall back to
// defaults attached to the resource's own metadata: scan-on-push off, AES256
// encryption with no KMS key, mutable image tags, and no repository policy.
func getRepositories(ctx parser.FileContext) (repositories []ecr.Repository) {
	for _, res := range ctx.GetResourcesByType("AWS::ECR::Repository") {
		repo := ecr.Repository{
			Metadata:           res.Metadata(),
			ImageScanning:      adaptImageScanning(res),
			ImageTagsImmutable: hasImmutableImageTags(res),
			Policies:           nil,
			Encryption:         adaptEncryption(res),
		}

		// Only a policy that is present and parses cleanly is recorded; a
		// missing policy and an unparseable one cannot be told apart here.
		// NOTE(review): a malformed RepositoryPolicyText therefore yields a
		// repository with an empty Policies slice — confirm downstream checks
		// treat that the way you expect.
		if policy, err := getPolicy(res); err == nil {
			repo.Policies = append(repo.Policies, *policy)
		}

		repositories = append(repositories, repo)
	}

	return repositories
}

// adaptImageScanning reads ImageScanningConfiguration, falling back to a
// scan-on-push=false default tied to the resource metadata when it is unset.
func adaptImageScanning(res *parser.Resource) ecr.ImageScanning {
	prop := res.GetProperty("ImageScanningConfiguration")
	if prop.IsNotNil() {
		return ecr.ImageScanning{
			Metadata:   prop.Metadata(),
			ScanOnPush: prop.GetBoolProperty("ScanOnPush", false),
		}
	}
	return ecr.ImageScanning{
		Metadata:   res.Metadata(),
		ScanOnPush: defsecTypes.BoolDefault(false, res.Metadata()),
	}
}

// adaptEncryption reads EncryptionConfiguration, defaulting to AES256 with an
// empty KMS key id (tied to the resource metadata) when the block is unset.
func adaptEncryption(res *parser.Resource) ecr.Encryption {
	prop := res.GetProperty("EncryptionConfiguration")
	if prop.IsNotNil() {
		return ecr.Encryption{
			Metadata: prop.Metadata(),
			Type:     prop.GetStringProperty("EncryptionType", ecr.EncryptionTypeAES256),
			KMSKeyID: prop.GetStringProperty("KmsKey", ""),
		}
	}
	return ecr.Encryption{
		Metadata: res.Metadata(),
		Type:     defsecTypes.StringDefault(ecr.EncryptionTypeAES256, res.Metadata()),
		KMSKeyID: defsecTypes.StringDefault("", res.Metadata()),
	}
}
    61  
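// getPolicy extracts the repository resource policy from the
// RepositoryPolicyText property. It returns an error when the property is
// absent or when the policy document does not parse; the caller in this file
// treats both the same way (no policy is recorded).
func getPolicy(r *parser.Resource) (*iam.Policy, error) {
	policyProp := r.GetProperty("RepositoryPolicyText")
	if policyProp.IsNil() {
		return nil, fmt.Errorf("missing policy")
	}

	parsed, err := iamgo.Parse(policyProp.GetJsonBytes())
	if err != nil {
		// Wrap with the property name so a caller that logs the error can tell
		// a malformed policy document apart from an absent one.
		return nil, fmt.Errorf("parsing RepositoryPolicyText: %w", err)
	}

	meta := policyProp.Metadata()
	return &iam.Policy{
		Metadata: meta,
		Name:     defsecTypes.StringDefault("", meta),
		Document: iam.Document{
			Metadata: meta,
			Parsed:   *parsed,
		},
		// NOTE(review): Builtin presumably marks managed/default policies; a
		// document supplied in the template is recorded as not built in.
		Builtin: defsecTypes.Bool(false, meta),
	}, nil
}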
    83  
// hasImmutableImageTags reports whether ImageTagMutability is set to
// "IMMUTABLE". When the property is absent the result is a false default
// attached to the resource metadata; otherwise it is an explicit value tied
// to the property's own metadata.
func hasImmutableImageTags(r *parser.Resource) defsecTypes.BoolValue {
	prop := r.GetProperty("ImageTagMutability")
	if prop.IsNil() {
		return defsecTypes.BoolDefault(false, r.Metadata())
	}
	// Any value other than IMMUTABLE counts as mutable tags.
	return defsecTypes.Bool(prop.EqualTo("IMMUTABLE"), prop.Metadata())
}