github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ecr/no_public_access.go (about)

     1  package ecr
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  )
    16  
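// CheckNoPublicAccess flags ECR repository policies that grant access to
// everyone: a statement carrying an ECR action whose principal is the
// wildcard "*", either as the bare principal or as an entry of the "AWS"
// principal list.
//
// One failed result is recorded per offending statement, attached to that
// statement's range inside the policy document. A statement that carries an
// ECR action but no public principal records a pass for the repository.
// Unmanaged repositories are skipped.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0032",
		Provider:    providers.AWSProvider,
		Service:     "ecr",
		ShortCode:   "no-public-access",
		Summary:     "ECR repository policy must block public access",
		Impact:      "Risk of potential data leakage of sensitive artifacts",
		Resolution:  "Do not allow public access in the policy",
		Explanation: `Allowing public access to the ECR repository risks leaking sensitive or abusable information`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicAccessGoodExamples,
			BadExamples:         cloudFormationNoPublicAccessBadExamples,
			Links:               cloudFormationNoPublicAccessLinks,
			RemediationMarkdown: cloudFormationNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, repo := range s.AWS.ECR.Repositories {
			if repo.Metadata.IsUnmanaged() {
				continue
			}
			for _, policyDocument := range repo.Policies {
				policy := policyDocument.Document.Parsed
				// The parse error is deliberately dropped: a document whose
				// statements cannot be read yields none and is neither failed
				// nor passed, which matches the other ECR policy checks.
				statements, _ := policy.Statements()
				for _, statement := range statements {
					actions, _ := statement.Actions()
					if !grantsECRAction(actions) {
						continue
					}

					// NOTE(review): the statement's Effect is not consulted, so a
					// Deny statement with a "*" principal is reported the same way
					// as an Allow — confirm whether that is intended.
					principals, _ := statement.Principals()
					foundIssue := false
					if all, r := principals.All(); all {
						foundIssue = true
						results.Add(
							"Policy provides public access to the ECR repository.",
							policyDocument.Document.MetadataFromIamGo(statement.Range(), r),
						)
					} else {
						accounts, r := principals.AWS()
						for _, account := range accounts {
							if account != "*" {
								continue
							}
							foundIssue = true
							results.Add(
								"Policy provides public access to the ECR repository.",
								policyDocument.Document.MetadataFromIamGo(statement.Range(), r),
							)
						}
					}

					// A pass is only recorded when the statement has no public
					// principal; recording it on foundIssue would report the same
					// statement as both failed and passed.
					if !foundIssue {
						results.AddPassed(&repo)
					}
				}
			}
		}
		return
	},
)

// grantsECRAction reports whether any action in the list applies to ECR.
// IAM action names are case-insensitive, so the "ecr:" prefix is matched
// without regard to case, and the bare wildcard "*" covers every service and
// therefore counts as an ECR action as well.
func grantsECRAction(actions []string) bool {
	for _, action := range actions {
		if action == "*" || strings.HasPrefix(strings.ToLower(action), "ecr:") {
			return true
		}
	}
	return false
}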