SAST Scan Status

Report from the scan performed on 2020-05-24 at 00:11:11 for https://github.com/nccgroup/sadcloud

Repository Details
  Repository: https://github.com/nccgroup/sadcloud
  Branch:     master
  Commit:     3ba4c281e172567b9b3cd0a79608079aa1218661

Invocation Details
  Tool:      Terraform static analysis
  Run Id:    6ea5d5bc-2cbb-494c-ad9f-5f62f2ba9951
  Directory: /sadcloud

Executive Summary

This report was generated by ShiftLeft from the SAST Scan invocation on 2020-05-24 at 00:11:11. The scan ran the Terraform static analysis tool against the source code repository https://github.com/nccgroup/sadcloud.

Below is a summary of the issues identified:

Severity   Count
CRITICAL   1
HIGH       17
MEDIUM     9
LOW        0
TOTAL      27

  ShiftLeft recommends immediate remediation of the key issues identified before using this application in a live environment.

Key Issues (4 shown)

All four key issues are AWS009 findings in main.tf. The single CRITICAL finding, the unencrypted SNS topic, is listed under All Issues below.

AWS009  main.tf:51
  Resource 'aws_security_group.all_ports_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

AWS009  main.tf:80
  Resource 'aws_security_group.all_ports_to_self' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

AWS009  main.tf:108
  Resource 'aws_security_group.icmp_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

AWS009  main.tf:199
  Resource 'aws_security_group.known_port_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
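All four key issues share one shape: an egress rule with protocol = -1 and cidr_blocks = ["0.0.0.0/0"], which lets every instance in the group reach any host on any port, so a compromised host has unrestricted outbound reach for command-and-control and exfiltration. The following is an added example and is not code from sadcloud or from the ShiftLeft report: it reproduces the flagged shape under the report's resource name and places a scoped group beside it that also fixes the matching "fully open ingress" pattern from the MEDIUM findings. The vpc_id, vpc_cidr and vpc_resolver_cidr variables, the load-balancer group and the chosen ports are assumptions for illustration.

```hcl
variable "vpc_id"            { type = string } # assumed inputs for this example
variable "vpc_cidr"          { type = string } # e.g. "10.0.0.0/16"
variable "vpc_resolver_cidr" { type = string } # e.g. "10.0.0.2/32", the VPC DNS resolver

# Flagged shape, the AWS009 pattern from the report: any protocol, any port,
# to any destination. With protocol -1 the port fields are ignored by AWS.
resource "aws_security_group" "all_ports_to_all" {
  name   = "all_ports_to_all"
  vpc_id = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Hardened shape: each rule names a protocol, a port range and a peer. An
# aws_security_group with no egress block has no egress at all (the AWS
# provider strips the implicit allow-all rule AWS creates), so scoping
# egress means listing every outbound flow the workload needs.
resource "aws_security_group" "scoped" {
  name   = "scoped"
  vpc_id = var.vpc_id

  # Ingress: TLS from the load balancer's group only, never from 0.0.0.0/0.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.lb.id]
  }

  # Ingress: traffic between members of this group, which is what the
  # 'all_ports_to_self' name suggests was intended, without the /0 CIDR.
  ingress {
    from_port = 0
    to_port   = 65535
    protocol  = "tcp"
    self      = true
  }

  # Egress: HTTPS only inside the VPC (interface endpoints, internal services).
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  # Egress: DNS to the VPC resolver only.
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.vpc_resolver_cidr]
  }
}

# The one place 0.0.0.0/0 ingress is legitimate: an internet-facing listener.
# Its egress is still limited to the listener port inside the VPC (a CIDR
# rather than a group reference, to avoid a dependency cycle with "scoped").
resource "aws_security_group" "lb" {
  name   = "lb"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}
```

terraform init followed by terraform validate checks the example offline; a plan needs AWS credentials and a VPC. Do not mix these inline ingress/egress blocks with standalone aws_security_group_rule resources on the same group, since the provider will overwrite one set with the other.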

All Issues (27)

Each entry lists Severity, Rule and Source location where the report recorded them, then the Message and the flagged source lines. The rule ID and file location were recorded only for the four AWS009 findings shown under Key Issues.

CRITICAL
  Resource 'aws_sns_topic.main' defines an unencrypted SNS topic.
    resource "aws_sns_topic" "main" {
      name = var.name

HIGH  AWS009  main.tf:51
  Resource 'aws_security_group.all_ports_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009  main.tf:80
  Resource 'aws_security_group.all_ports_to_self' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009  main.tf:108
  Resource 'aws_security_group.icmp_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009  main.tf:199
  Resource 'aws_security_group.known_port_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.opens_plaintext_port' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.opens_port_range' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.opens_port_to_all' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.whitelists_aws_ip_from_banned_region' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.whitelists_aws' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.whitelists_unknown_cidrs' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH  AWS009
  Resource 'aws_security_group.unused_security_group' defines a fully open egress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

HIGH
  Resource 'aws_s3_bucket.access_logging' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "access_logging" {
      bucket_prefix = var.name

HIGH
  Resource 'aws_s3_bucket.main' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "main" {
      bucket_prefix = var.name

HIGH
  Resource 'aws_s3_bucket.logging' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "logging" {

HIGH
  Resource 'aws_s3_bucket.getonly' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "getonly" {

HIGH
  Resource 'aws_s3_bucket.public' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "public" {

HIGH
  Resource 'aws_s3_bucket.logging' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
    resource "aws_s3_bucket" "logging" {

MEDIUM
  Resource 'aws_security_group.all_ports_to_all' defines a fully open ingress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.all_ports_to_self' defines a fully open ingress security group.
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.icmp_to_all' defines a fully open ingress security group.
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.known_port_to_all' defines a fully open ingress security group.
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.opens_plaintext_port' defines a fully open ingress security group.
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.opens_port_range' defines a fully open ingress security group.
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_security_group.opens_port_to_all' defines a fully open ingress security group.
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]

MEDIUM
  Resource 'aws_lb.main' is exposed publicly.
    resource "aws_lb" "main" {

MEDIUM
  Resource 'aws_elb.main' is exposed publicly.
    resource "aws_elb" "main" {
      name = var.name
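The remaining three finding classes in the table (the unencrypted SNS topic, the S3 buckets with no server_side_encryption_configuration block, and the publicly exposed load balancers) each come down to one missing attribute or block. Below, as an added example that is not part of sadcloud or of this report, each flagged resource is shown beside a hardened counterpart. The aws_kms_key.data resource, the name and subnet variables and the lb_security_group_id input are assumptions for illustration.

```hcl
variable "name"                 { type = string }       # assumed inputs for this example
variable "public_subnet_ids"    { type = list(string) }
variable "private_subnet_ids"   { type = list(string) }
variable "lb_security_group_id" { type = string }

# One customer-managed key shared by the two encrypted resources below (assumed).
resource "aws_kms_key" "data" {
  description         = "at-rest encryption for SNS and S3"
  enable_key_rotation = true
}

# --- SNS ------------------------------------------------------------------
# Flagged: no kms_master_key_id, so messages are stored unencrypted.
resource "aws_sns_topic" "main" {
  name = var.name
}

# Hardened: server-side encryption with the CMK. Every AWS service principal
# that publishes to the topic must be allowed kms:GenerateDataKey* and
# kms:Decrypt in the key policy, or its publishes fail.
resource "aws_sns_topic" "main_encrypted" {
  name              = "${var.name}-encrypted"
  kms_master_key_id = aws_kms_key.data.arn
}

# --- S3 -------------------------------------------------------------------
# Flagged: no server_side_encryption_configuration block.
resource "aws_s3_bucket" "main" {
  bucket_prefix = var.name
}

# Hardened, in the inline syntax of AWS provider versions before 4.0 (the
# syntax in use when this scan ran). Provider 4.0 and later move this into
# the separate aws_s3_bucket_server_side_encryption_configuration resource.
resource "aws_s3_bucket" "main_encrypted" {
  bucket_prefix = "${var.name}-enc-"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.data.arn
      }
    }
  }
}

# --- Load balancer --------------------------------------------------------
# Flagged: `internal` defaults to false, so the ALB gets public addresses.
resource "aws_lb" "main" {
  name               = var.name
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
}

# Hardened: internal unless public exposure is a requirement, with an explicit
# security group. The classic aws_elb resource takes the same `internal` flag.
resource "aws_lb" "main_internal" {
  name               = "${var.name}-internal"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids
  security_groups    = [var.lb_security_group_id]
}
```

terraform validate checks the example offline. Two caveats when applying this to a real tree: since January 2023 S3 encrypts every new object with SSE-S3 by default, but scanners still expect the explicit block and it is the only way to select SSE-KMS with your own key; and an internal load balancer still needs its security group's ingress scoped, since "internal" only keeps it off public address space.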

Thank you for using ShiftLeft. Looking for a more detailed analysis? Check out Inspect, our next generation SAST product