From e80b22406ec379bb778b928aa23e2318d2f82cce Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 4 Dec 2024 15:40:16 -0500
Subject: [PATCH 1/4] BST-13671 Terraform Post Plan Resource Tag Checker (#163)

tag-validator

Signed-off-by: Alexis-Maurer Fortin
---
 scanners/boostsecurityio/checkov-tf-plan/module.yaml | 5 ++++-
 scanners/boostsecurityio/checkov-tf-plan/rules.yaml | 11 +++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/scanners/boostsecurityio/checkov-tf-plan/module.yaml b/scanners/boostsecurityio/checkov-tf-plan/module.yaml
index d2ea551..287783c 100644
--- a/scanners/boostsecurityio/checkov-tf-plan/module.yaml
+++ b/scanners/boostsecurityio/checkov-tf-plan/module.yaml
@@ -20,5 +20,8 @@ steps:
 format: sarif
 post-processor:
 docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-checkov:ec4f3d2@sha256:8fdf1b3eb4fb7ade9fe618e586a0d4f8d6fe316d390a1c28ead8812e7a388e93
+ image: public.ecr.aws/boostsecurityio/boost-scanner-checkov:72d5f80@sha256:786f15fb33b57a26a72edbfcc4d2e9a32952a0d16186633f9d3d5ebbae9816da
 command: process
+ workdir: /src
+ environment:
+ BOOST_TF_TAGS_POLICY: $BOOST_TF_TAGS_POLICY
diff --git a/scanners/boostsecurityio/checkov-tf-plan/rules.yaml b/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
index 8b7cac2..9f67599 100644
--- a/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
+++ b/scanners/boostsecurityio/checkov-tf-plan/rules.yaml
@@ -14785,4 +14785,15 @@ rules:
 pretty_name: Ensure KMS symmetric key is rotated.
 recommended: true
 ref: https://www.checkov.io/5.Policy%20Index/all.html
+ BOOST_INVALID_TF_TAGS:
+ categories:
+ - ALL
+ - boost-hardened
+ - cloud-resources-tagging-requirements
+ description: Check that Terraform Resource are tagged according to the expected policy.
+ group: cloud-weak-configuration
+ name: BOOST_INVALID_TF_TAGS
+ pretty_name: Ensure Terraform Resources are tagged appropriately
+ recommended: true
+ ref: https://docs.boostsecurity.io/rules/BOOST_INVALID_TF_TAGS.html
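Review bot: `BOOST_TF_TAGS_POLICY: $BOOST_TF_TAGS_POLICY` is the only `environment:` entry on this page whose value is a `$`-prefixed reference rather than a literal (compare `XDG_CONFIG_HOME: /tmp` in the composition module), so where it is expanded, and what the post-processor receives when the variable is unset, cannot be read from the file. If an unset variable arrives as an empty string, the tag checker would presumably run with no policy to enforce, which is a silent pass rather than a configuration error. A comment above the entry stating the expansion source and the unset behaviour would close that gap, e.g. `# expanded by the module runner; document what process does when this is empty`.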
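Review bot: The new rule's `description` reads `Check that Terraform Resource are tagged according to the expected policy.`; `Resource` should be plural to agree with `are` and with the `pretty_name` line: `description: Check that Terraform Resources are tagged according to the expected policy.`. The `ref` is a hard-coded `https://docs.boostsecurity.io/...` URL while the rule files added later in this series use the `'{BOOSTSEC_DOC_BASE_URL}/rules/...'` template; if this file's consumer supports that template, `ref: '{BOOSTSEC_DOC_BASE_URL}/rules/BOOST_INVALID_TF_TAGS.html'` would keep the documentation base configurable. The sibling checkov rules in this hunk point at the checkov policy index, so the absolute URL may be deliberate for this file.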
From d3e2fbda5388d3934d05344cc217116a709380da Mon Sep 17 00:00:00 2001
From: Jonathan Serafini
Date: Fri, 22 Nov 2024 14:31:39 -0500
Subject: [PATCH 2/4] BST-13481: add new baseline scanner (#182)

---
 .github/workflows/registry-scanner.yaml | 2 +-
 scanners/boostsecurityio/baseline/module.yaml | 24 +++
 scanners/boostsecurityio/baseline/rules.yaml | 131 ++++++++++++++++
 scanners/boostsecurityio/scanner/module.yaml | 25 ++--
 scanners/boostsecurityio/scanner/rules.yaml | 140 ++---------------
 5 files changed, 177 insertions(+), 145 deletions(-)
 create mode 100644 scanners/boostsecurityio/baseline/module.yaml
 create mode 100644 scanners/boostsecurityio/baseline/rules.yaml

diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 37b6116..222550d 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5
+ uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
diff --git a/scanners/boostsecurityio/baseline/module.yaml b/scanners/boostsecurityio/baseline/module.yaml
new file mode 100644
index 0000000..18a60fa
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/module.yaml
@@ -0,0 +1,24 @@
+api_version: 1.0
+
+
+id: boostsecurityio/baseline
+name: BoostSecurity Scanner
+namespace: boostsecurityio/baseline
+scan_types:
+ - sast
+ - cicd
+
+
+config:
+ support_diff_scan: true
+
+
+steps:
+ - scan:
+ command:
+ docker:
+ image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
+ command: scanner scan
+ workdir: /src
+ name: scanner
+ format: sarif
diff --git a/scanners/boostsecurityio/baseline/rules.yaml b/scanners/boostsecurityio/baseline/rules.yaml
new file mode 100644
index 0000000..a11c0ee
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/rules.yaml
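Review bot: `name: BoostSecurity Scanner` in the new `boostsecurityio/baseline` module is byte-identical to the `name:` of `boostsecurityio/scanner` (visible as a context line in the scanner/module.yaml hunk of this same patch), so the two modules cannot be told apart wherever only the display name is shown. A later patch in this series marks baseline as `not meant to be used alone`, which makes a distinct name such as `name: BoostSecurity Baseline Scanner` the more informative choice. The `id` and `namespace` already differ, so this is a display-only point.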
@@ -0,0 +1,131 @@
+rules:
+ cert-expired:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for expired X509 certificates.
+ group: cloud-weak-configuration
+ name: cert-expired
+ pretty_name: Cert Expired
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
+ cert-expires-soon:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for X509 certificates that will expire in a configured number
+ of days.
+ group: cloud-weak-configuration
+ name: cert-expires-soon
+ pretty_name: Cert Expires Soon
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
+ cert-insecure-signing-algorithm:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure signing algorithms.
+ group: cloud-weak-configuration
+ name: cert-insecure-signing-algorithm
+ pretty_name: Cert Insecure Signing Algorithm
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
+ recommended: true
+ cert-insufficient-key-length:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure key lengths.
+ group: cloud-weak-configuration
+ name: cert-insufficient-key-length
+ pretty_name: Cert Insufficient Key Length
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
+ recommended: true
+ cicd-binary-artifacts-stored-in-scm:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
+ etc.) stored in the Git repository.Generally, such binary artifacts should not
+ be committed to Git and should be built with reproducible build system from
+ source.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-binary-artifacts-stored-in-scm
+ pretty_name: CI/CD - Binary artifacts stored in SCM
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
+ recommended: true
+ cicd-circleci-unversioned-orb:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows using unversioned Orbs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-circleci-unversioned-orb
+ pretty_name: CI/CD - CircleCI Unversionned Orb
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
+ recommended: true
+ cicd-circleci-shell-injection:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
+ group: supply-chain-cicd-vulnerable-pipeline
+ name: cicd-circleci-shell-injection
+ pretty_name: CI/CD - CircleCI Shell Injection
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
+ recommended: true
+ cicd-gha-unsecure-commands:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - supply-chain-cicd-severe-issues
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-unsecure-commands
+ pretty_name: CI/CD - GitHub Action Unsecure Commands
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
+ recommended: true
+ cicd-unpinned-dependencies:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Verifies the presence of dependency management manifests (e.g.,
+ package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an
+ accompanying lockfile that cryptographically pins dependencies (e.g.,
+ package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
+ The absence of a lockfile increases the risk of dependency drift,
+ potentially introducing security vulnerabilities or compatibility issues into the project.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-unpinned-dependencies
+ pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
+ recommended: true
+ cicd-gha-workflow-dispatch-inputs:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-workflow-dispatch-inputs
+ pretty_name: CI/CD - GitHub Action uses inputs
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
+ recommended: true
diff --git a/scanners/boostsecurityio/scanner/module.yaml b/scanners/boostsecurityio/scanner/module.yaml
index 7d6961f..f029d3a 100644
--- a/scanners/boostsecurityio/scanner/module.yaml
+++ b/scanners/boostsecurityio/scanner/module.yaml
@@ -1,24 +1,23 @@
 api_version: 1.0
+group: boostsecurityio/scanner
 id: boostsecurityio/scanner
 name: BoostSecurity Scanner
 namespace: boostsecurityio/scanner
-scan_types:
- - sast
- - cicd
-
 config:
 support_diff_scan: true
+scan_types:
+ - sast
+ - cicd
+ - metadata
+ - sca
+ - sci
+ - license
-steps:
- - scan:
- command:
- docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
- command: scanner scan
- workdir: /src
- name: scanner
- format: sarif
+includes:
+ - boostsecurityio/baseline
+ - boostsecurityio/composition
+ - boostsecurityio/supply-chain-inventory
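Review bot: Several rule descriptions in this new file carry typos that will be shown verbatim in findings: `GitHub Acton workflows that enables` (should be `GitHub Action workflows that enable`), `CircleCI Unversionned Orb` (should be `Unversioned`), `repository.Generally` (missing space after the period), and `workflows defines workflow_dispatch inputs` (should be `workflows that define`). The same text is re-added unchanged in the scanner/rules.yaml hunk of PATCH 3/4 (`@@ -7,3 +6,135 @@`), so whichever file ends up owning these rules should carry the fix. Separately, `cert-expired` and `cert-expires-soon` are the only rules without a `recommended:` key; if that is meant as "not recommended", an explicit `recommended: false` would make the intent greppable, assuming the rules schema accepts the key.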
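Review bot: `scanner/module.yaml` now lists three modules under `includes:` (`baseline`, `composition`, `supply-chain-inventory`) while the `scanner/rules.yaml` hunk in the same patch (`@@ -1,131 +1,9 @@`) lists eight under `import:`, including `boostsecurityio/cicd`, `oss-license`, `sbom-sca`, `sci` and `sci-sca`, whose modules are not included here. If `includes` selects which scanners run and `import` which rules are recognised, rules are imported for scanners that never execute; that may be intended (the `scan_types` list does gain `sca`, `sci` and `license`) but it is not visible from the two files, and a comment above `includes:` naming the relationship between the two lists would settle it. With `steps:` removed outright, this module no longer runs anything of its own, which is worth stating in the same comment.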
diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml
index a11c0ee..369ebfa 100644
--- a/scanners/boostsecurityio/scanner/rules.yaml
+++ b/scanners/boostsecurityio/scanner/rules.yaml
@@ -1,131 +1,9 @@
-rules:
- cert-expired:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for expired X509 certificates.
- group: cloud-weak-configuration
- name: cert-expired
- pretty_name: Cert Expired
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
- cert-expires-soon:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for X509 certificates that will expire in a configured number
- of days.
- group: cloud-weak-configuration
- name: cert-expires-soon
- pretty_name: Cert Expires Soon
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
- cert-insecure-signing-algorithm:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure signing algorithms.
- group: cloud-weak-configuration
- name: cert-insecure-signing-algorithm
- pretty_name: Cert Insecure Signing Algorithm
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
- recommended: true
- cert-insufficient-key-length:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure key lengths.
- group: cloud-weak-configuration
- name: cert-insufficient-key-length
- pretty_name: Cert Insufficient Key Length
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
- recommended: true
- cicd-binary-artifacts-stored-in-scm:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
- etc.) stored in the Git repository.Generally, such binary artifacts should not
- be committed to Git and should be built with reproducible build system from
- source.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-binary-artifacts-stored-in-scm
- pretty_name: CI/CD - Binary artifacts stored in SCM
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
- recommended: true
- cicd-circleci-unversioned-orb:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows using unversioned Orbs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-circleci-unversioned-orb
- pretty_name: CI/CD - CircleCI Unversionned Orb
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
- recommended: true
- cicd-circleci-shell-injection:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-vulnerable-pipeline
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
- group: supply-chain-cicd-vulnerable-pipeline
- name: cicd-circleci-shell-injection
- pretty_name: CI/CD - CircleCI Shell Injection
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
- recommended: true
- cicd-gha-unsecure-commands:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - supply-chain-cicd-severe-issues
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-unsecure-commands
- pretty_name: CI/CD - GitHub Action Unsecure Commands
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
- recommended: true
- cicd-unpinned-dependencies:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Verifies the presence of dependency management manifests (e.g.,
- package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an
- accompanying lockfile that cryptographically pins dependencies (e.g.,
- package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
- The absence of a lockfile increases the risk of dependency drift,
- potentially introducing security vulnerabilities or compatibility issues into the project.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-unpinned-dependencies
- pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
- recommended: true
- cicd-gha-workflow-dispatch-inputs:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-workflow-dispatch-inputs
- pretty_name: CI/CD - GitHub Action uses inputs
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
- recommended: true
+import:
+ - boostsecurityio/baseline
+ - boostsecurityio/cicd
+ - boostsecurityio/composition
+ - boostsecurityio/oss-license
+ - boostsecurityio/sbom-sca
+ - boostsecurityio/sci
+ - boostsecurityio/sci-sca
+ - boostsecurityio/supply-chain-inventory

From 36c3f518b1b17482a7cc4026cf399e846bf56d4c Mon Sep 17 00:00:00 2001
From: Martin Roy
Date: Thu, 28 Nov 2024 13:37:12 -0500
Subject: [PATCH 3/4] BST-13663 Move the rules from baseline to scanner (#185)

---
 scanners/boostsecurityio/baseline/rules.yaml | 132 +----------------
 scanners/boostsecurityio/scanner/rules.yaml | 133 ++++++++++++++++++-
 2 files changed, 133 insertions(+), 132 deletions(-)

diff --git a/scanners/boostsecurityio/baseline/rules.yaml b/scanners/boostsecurityio/baseline/rules.yaml
index a11c0ee..acd2a42 100644
--- a/scanners/boostsecurityio/baseline/rules.yaml
+++ b/scanners/boostsecurityio/baseline/rules.yaml
@@ -1,131 +1 @@
-rules:
- cert-expired:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for expired X509 certificates.
- group: cloud-weak-configuration
- name: cert-expired
- pretty_name: Cert Expired
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
- cert-expires-soon:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for X509 certificates that will expire in a configured number
- of days.
- group: cloud-weak-configuration
- name: cert-expires-soon
- pretty_name: Cert Expires Soon
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
- cert-insecure-signing-algorithm:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure signing algorithms.
- group: cloud-weak-configuration
- name: cert-insecure-signing-algorithm
- pretty_name: Cert Insecure Signing Algorithm
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
- recommended: true
- cert-insufficient-key-length:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure key lengths.
- group: cloud-weak-configuration
- name: cert-insufficient-key-length
- pretty_name: Cert Insufficient Key Length
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
- recommended: true
- cicd-binary-artifacts-stored-in-scm:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
- etc.) stored in the Git repository.Generally, such binary artifacts should not
- be committed to Git and should be built with reproducible build system from
- source.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-binary-artifacts-stored-in-scm
- pretty_name: CI/CD - Binary artifacts stored in SCM
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
- recommended: true
- cicd-circleci-unversioned-orb:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows using unversioned Orbs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-circleci-unversioned-orb
- pretty_name: CI/CD - CircleCI Unversionned Orb
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
- recommended: true
- cicd-circleci-shell-injection:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-vulnerable-pipeline
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
- group: supply-chain-cicd-vulnerable-pipeline
- name: cicd-circleci-shell-injection
- pretty_name: CI/CD - CircleCI Shell Injection
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
- recommended: true
- cicd-gha-unsecure-commands:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - supply-chain-cicd-severe-issues
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-unsecure-commands
- pretty_name: CI/CD - GitHub Action Unsecure Commands
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
- recommended: true
- cicd-unpinned-dependencies:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Verifies the presence of dependency management manifests (e.g.,
- package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an
- accompanying lockfile that cryptographically pins dependencies (e.g.,
- package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
- The absence of a lockfile increases the risk of dependency drift,
- potentially introducing security vulnerabilities or compatibility issues into the project.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-unpinned-dependencies
- pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
- recommended: true
- cicd-gha-workflow-dispatch-inputs:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-workflow-dispatch-inputs
- pretty_name: CI/CD - GitHub Action uses inputs
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
- recommended: true
+rules: {} # Rules are in boost-scanner, this scanner is not meant to be used alone
diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml
index 369ebfa..afb193c 100644
--- a/scanners/boostsecurityio/scanner/rules.yaml
+++ b/scanners/boostsecurityio/scanner/rules.yaml
@@ -1,5 +1,4 @@
 import:
- - boostsecurityio/baseline
 - boostsecurityio/cicd
 - boostsecurityio/composition
 - boostsecurityio/oss-license
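Review bot: The inline comment on `rules: {} # Rules are in boost-scanner, this scanner is not meant to be used alone` names the owner as `boost-scanner`, which is not an id used anywhere on this page; the rules move to `scanners/boostsecurityio/scanner/rules.yaml`, whose module id is `boostsecurityio/scanner`. Naming the actual module id keeps the pointer greppable for whoever next looks for these rules: `rules: {}  # rules live in boostsecurityio/scanner; this module is only meant to be included from there`. The module's own `module.yaml` (added in PATCH 2/4) says nothing about being include-only, so the same sentence belongs there too.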
@@ -7,3 +6,135 @@ import:
 - boostsecurityio/sci
 - boostsecurityio/sci-sca
 - boostsecurityio/supply-chain-inventory
+
+rules:
+ cert-expired:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for expired X509 certificates.
+ group: cloud-weak-configuration
+ name: cert-expired
+ pretty_name: Cert Expired
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
+ cert-expires-soon:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for X509 certificates that will expire in a configured number
+ of days.
+ group: cloud-weak-configuration
+ name: cert-expires-soon
+ pretty_name: Cert Expires Soon
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
+ cert-insecure-signing-algorithm:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure signing algorithms.
+ group: cloud-weak-configuration
+ name: cert-insecure-signing-algorithm
+ pretty_name: Cert Insecure Signing Algorithm
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
+ recommended: true
+ cert-insufficient-key-length:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure key lengths.
+ group: cloud-weak-configuration
+ name: cert-insufficient-key-length
+ pretty_name: Cert Insufficient Key Length
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
+ recommended: true
+ cicd-binary-artifacts-stored-in-scm:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
+ etc.) stored in the Git repository.Generally, such binary artifacts should not
+ be committed to Git and should be built with reproducible build system from
+ source.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-binary-artifacts-stored-in-scm
+ pretty_name: CI/CD - Binary artifacts stored in SCM
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
+ recommended: true
+ cicd-circleci-unversioned-orb:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows using unversioned Orbs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-circleci-unversioned-orb
+ pretty_name: CI/CD - CircleCI Unversionned Orb
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
+ recommended: true
+ cicd-circleci-shell-injection:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
+ group: supply-chain-cicd-vulnerable-pipeline
+ name: cicd-circleci-shell-injection
+ pretty_name: CI/CD - CircleCI Shell Injection
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
+ recommended: true
+ cicd-gha-unsecure-commands:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - supply-chain-cicd-severe-issues
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-unsecure-commands
+ pretty_name: CI/CD - GitHub Action Unsecure Commands
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
+ recommended: true
+ cicd-unpinned-dependencies:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Verifies the presence of dependency management manifests (e.g.,
+ package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an
+ accompanying lockfile that cryptographically pins dependencies (e.g.,
+ package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
+ The absence of a lockfile increases the risk of dependency drift,
+ potentially introducing security vulnerabilities or compatibility issues into the project.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-unpinned-dependencies
+ pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
+ recommended: true
+ cicd-gha-workflow-dispatch-inputs:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-workflow-dispatch-inputs
+ pretty_name: CI/CD - GitHub Action uses inputs
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
+ recommended: true

From 5d5d861a2a69302fc7869fd86949c0b36add33a4 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 11 Dec 2024 09:53:52 -0500
Subject: [PATCH 4/4] Latest Changes To Prod (#166)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* disable monorepo support on composition scanner (#188)

* Update registry-scanner.yaml to use v1.5.7 of scanner-registry-action (#189)

Signed-off-by: Jake Bédard <32440974+Clearedkinkajou@users.noreply.github.com>

* BST-11782 Latest Composition Fix (#190)

Signed-off-by: Alexis-Maurer Fortin

---------

Signed-off-by: Jake Bédard <32440974+Clearedkinkajou@users.noreply.github.com>
Signed-off-by: Alexis-Maurer Fortin
Signed-off-by: Alexis-Maurer Fortin
Co-authored-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
Co-authored-by: Jonathan Serafini
Co-authored-by: Martin Roy
Co-authored-by: Jake Bédard <32440974+Clearedkinkajou@users.noreply.github.com>
---
 .github/workflows/registry-scanner.yaml | 2 +-
 scanners/boostsecurityio/composition/module.yaml | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 222550d..7955712 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6
+ uses: boostsecurityio/scanner-registry-action@13a956983c6f1f1dd4dc9051df62c54097299c4d # v1.5.7
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
diff --git a/scanners/boostsecurityio/composition/module.yaml b/scanners/boostsecurityio/composition/module.yaml
index 9fd218c..316fcb0 100644
--- a/scanners/boostsecurityio/composition/module.yaml
+++ b/scanners/boostsecurityio/composition/module.yaml
@@ -9,6 +9,7 @@ scan_types:
 config:
 support_diff_scan: false
+ support_mono_repo: false
 require_full_repo: true
 steps:
@@ -16,8 +17,8 @@ steps:
 format: metadata
 command:
 docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-composition:7704de1@sha256:bc554abe4a0e290cb1ca890ec4956c2cad94e3b286d65fe1f8f18b498a500947
+ image: public.ecr.aws/boostsecurityio/boost-scanner-composition:b5ed688@sha256:a68838c47601fa6b98c6583cc099e3bc7748bf37adf33ca9a05a74efb719066c
 command: scan
 workdir: /src
 environment:
- XDG_CONFIG_HOME: /tmp
\ No newline at end of file
+ XDG_CONFIG_HOME: /tmp
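Review bot: `support_mono_repo: false` is a new `config` key with no counterpart anywhere else on this page (the other modules only set `support_diff_scan`), so its spelling cannot be checked against a sibling; if the registry's loader ignores unknown keys rather than rejecting them, a mistyped key would leave monorepo handling enabled with no error, which is worth confirming against the module schema. The commit message gives the intent (`disable monorepo support on composition scanner`) but the file does not; a comment tying the key to the existing `require_full_repo: true` would keep that reasoning with the setting, e.g. `# composition needs the whole repository; per-project (monorepo) splitting is disabled`.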