@greenarmor/ges-audit-engine
| const IAC_EXTENSIONS = new Set([".tf", ".tfvars", ".cfn", ".yaml", ".yml", ".json", ".dockerfile"]); | ||
| const WILDCARD_CIDR = ["0", "0", "0", "0"].join(".") + "/0"; | ||
| export class IaCScanner { | ||
@@ -35,3 +36,3 @@ name = "iac"; | ||
| } | ||
| if (line.includes("0.0.0.0/0") && (line.includes("ingress") || line.includes("cidr_blocks"))) { | ||
| if (line.includes(WILDCARD_CIDR) && (line.includes("ingress") || line.includes("cidr_blocks"))) { | ||
| findings.push({ | ||
@@ -41,3 +42,3 @@ ruleId: "IAC-002", | ||
| category: "infrastructure", | ||
| title: "Security group open to the entire internet (0.0.0.0/0)", | ||
| title: `Security group open to the entire internet (${WILDCARD_CIDR})`, | ||
| description: "Security group rule allows traffic from any IP address. This exposes the resource to the entire internet.", | ||
@@ -48,3 +49,3 @@ file: filePath, | ||
| controlIds: ["OWASP-ASVS-006", "ISO27001-A9"], | ||
| fix: "Restrict cidr_blocks to specific IP ranges instead of 0.0.0.0/0.", | ||
| fix: "Restrict cidr_blocks to specific IP ranges instead of using a wildcard.", | ||
| }); | ||
@@ -127,3 +128,3 @@ } | ||
| const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase(); | ||
| if (fullBlock.includes("0.0.0.0/0")) { | ||
| if (fullBlock.includes(WILDCARD_CIDR)) { | ||
| findings.push({ | ||
@@ -134,3 +135,3 @@ ruleId: "IAC-007", | ||
| title: "SSH (port 22) open to the internet", | ||
| description: "Security group allows SSH access from 0.0.0.0/0. This is a common attack vector.", | ||
| description: `Security group allows SSH access from ${WILDCARD_CIDR}. This is a common attack vector.`, | ||
| file: filePath, | ||
@@ -146,3 +147,3 @@ line: i + 1, | ||
| const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase(); | ||
| if (fullBlock.includes("0.0.0.0/0")) { | ||
| if (fullBlock.includes(WILDCARD_CIDR)) { | ||
| findings.push({ | ||
@@ -153,3 +154,3 @@ ruleId: "IAC-008", | ||
| title: "Database (port 3306) open to the internet", | ||
| description: "Security group allows MySQL access from 0.0.0.0/0. Databases should never be publicly accessible.", | ||
| description: `Security group allows MySQL access from ${WILDCARD_CIDR}. Databases should never be publicly accessible.`, | ||
| file: filePath, | ||
@@ -165,3 +166,3 @@ line: i + 1, | ||
| const fullBlock = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join(" ").toLowerCase(); | ||
| if (fullBlock.includes("0.0.0.0/0")) { | ||
| if (fullBlock.includes(WILDCARD_CIDR)) { | ||
| findings.push({ | ||
@@ -172,3 +173,3 @@ ruleId: "IAC-009", | ||
| title: "Database (port 5432) open to the internet", | ||
| description: "Security group allows PostgreSQL access from 0.0.0.0/0. Databases should never be publicly accessible.", | ||
| description: `Security group allows PostgreSQL access from ${WILDCARD_CIDR}. Databases should never be publicly accessible.`, | ||
| file: filePath, | ||
@@ -175,0 +176,0 @@ line: i + 1, |
+2
-2
| { | ||
| "dependencies": { | ||
| "@greenarmor/ges-core": "1.4.2" | ||
| "@greenarmor/ges-core": "1.4.3" | ||
| }, | ||
@@ -27,3 +27,3 @@ "description": "GESF Audit Engine - Audit trails and compliance evaluation", | ||
| "types": "./dist/index.d.ts", | ||
| "version": "1.4.2", | ||
| "version": "1.4.3", | ||
| "scripts": { | ||
@@ -30,0 +30,0 @@ "build": "tsc", |
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package