Merge branch 'master' into kics-923

.github/scripts/queries-validator/metadata-schema.json

@@ -85,6 +85,7 @@
                 "Ansible",
                 "AzureResourceManager",
                 "Buildah",
+                "CICD",
                 "CloudFormation",
                 "Crossplane",
                 "Common",

README.md

@@ -54,6 +54,7 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
 <br>
 <br>
 <img alt="Azure BluePrints" src="docs/img/logo-azure-blueprints.png" width="100">&nbsp;&nbsp;&nbsp;
+<img alt="GitHub Workflows" src="docs/img/logo-github-icon.png" width="100">&nbsp;&nbsp;&nbsp;
 
 
 Support of other solutions and additional cloud providers are on the [roadmap](docs/roadmap.md).

assets/libraries/cicd.rego

@@ -0,0 +1,2 @@
+package generic.cicd
+

assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5",
+    "queryName": "Allow Unsafe Lookups Enabled",
+    "severity": "HIGH",
+    "category": "Insecure Configurations",
+    "descriptionText": "When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'.",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-allow-unsafe-lookups",
+    "platform": "Ansible",
+    "descriptionID": "0d491461",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/config/allow_unsafe_lookups_enabled/query.rego

@@ -0,0 +1,19 @@
+package Cx
+
+import data.generic.ansible as ansLib
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    defaultsGroup.allow_unsafe_lookups == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceName": "defaults",
+		"resourceType": "n/a",
+		"searchKey": "defaults.allow_unsafe_lookups",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "allow_unsafe_lookups should be set to 'False'",
+		"keyActualValue": "allow_unsafe_lookups is set to 'True'",
+	}
+}

assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative1.cfg

@@ -0,0 +1,19 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+
+allow_unsafe_lookups=False

assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative2.cfg

@@ -0,0 +1,17 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action

assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive1.cfg

@@ -0,0 +1,19 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+
+allow_unsafe_lookups=True

assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+	{
+		"queryName": "Allow Unsafe Lookups Enabled",
+		"severity": "HIGH",
+		"line": 19
+	}
+]

assets/queries/ansible/config/communication_over_http/metadata.json

@@ -0,0 +1,11 @@
+{
+    "id": "d7dc9350-74bc-485b-8c85-fed22d276c43",
+    "queryName": "Communication over HTTP",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/httpapi.html",
+    "platform": "Ansible",
+    "descriptionID": "8c03b0c0",
+    "cloudProvider": "common"
+}

assets/queries/ansible/config/communication_over_http/query.rego

@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	galaxyGroup := input.document[i].groups.galaxy
+
+	url := galaxyGroup.server
+	startswith(url, "http://")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "[galaxy].server",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol",
+		"keyActualValue": "'server' from galaxy group is accessed via the HTTP protocol'",
+	}
+}

assets/queries/ansible/config/communication_over_http/test/negative1.cfg

@@ -0,0 +1,5 @@
+[galaxy]
+cache_dir=~/.ansible/galaxy_cache
+ignore_certs=False
+role_skeleton_ignore=^.git$, ^.*/.git_keep$
+server=https://galaxy.ansible.com

assets/queries/ansible/config/communication_over_http/test/positive1.cfg

@@ -0,0 +1,5 @@
+[galaxy]
+cache_dir=~/.ansible/galaxy_cache
+ignore_certs=False
+role_skeleton_ignore=^.git$, ^.*/.git_keep$
+server=http://galaxy.ansible.com

assets/queries/ansible/config/communication_over_http/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+	{
+		"queryName": "Communication over HTTP",
+		"severity": "MEDIUM",
+		"line": 5
+	}
+]

assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "404908b6-4954-4611-98f0-e8ceacdabcb1",
+    "queryName": "Privilege Escalation Using Become Plugin",
+    "severity": "MEDIUM",
+    "category": "Access Control",
+    "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/become.html",
+    "platform": "Ansible",
+    "descriptionID": "00396668",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/config/privilege_escalation_using_become_plugin/query.rego

@@ -0,0 +1,38 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    not common_lib.valid_key(defaultsGroup, "become")
+	common_lib.valid_key(defaultsGroup, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "defaults.become_user",
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'become' should be defined and set to 'true'",
+		"keyActualValue": "'become' is not defined",
+	}
+}
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    defaultsGroup.become == false
+	common_lib.valid_key(defaultsGroup, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "defaults.become",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'become' should be set to 'true'",
+		"keyActualValue": "'become' is set to 'false'",
+	}
+}

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/negative1.cfg

@@ -0,0 +1,10 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/negative2.cfg

@@ -0,0 +1,13 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become_ask_pass=False
+become_method=sudo
+become=True
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive1.cfg

@@ -0,0 +1,13 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become=False
+become_ask_pass=False
+become_method=sudo
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive2.cfg

@@ -0,0 +1,12 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become_ask_pass=False
+become_method=sudo
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"filename": "positive1.cfg",
+		"line": 10
+	},
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"filename": "positive2.cfg",
+		"line": 12
+	}
+]

assets/queries/ansible/general/communication_over_http/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "2e8d4922-8362-4606-8c14-aa10466a1ce3",
+    "queryName": "Communication Over HTTP",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html#parameter-url",
+    "platform": "Ansible",
+    "descriptionID": "04892b9b",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/general/communication_over_http/query.rego

@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	modules := {"ansible.builtin.uri"}
+	builtin_uri := task[modules[m]]
+	ansLib.checkState(builtin_uri)
+
+	url := builtin_uri.url
+	startswith(url, "http://")
+
+	result := {
+		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.url", [task.name, modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "ansible.builtin.uri.url should be accessed via the HTTPS protocol",
+		"keyActualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'",
+		"searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "url"], []),
+	}
+}

assets/queries/ansible/general/communication_over_http/test/negative1.yaml

@@ -0,0 +1,12 @@
+- name: Verificar o status de um site usando o módulo uri
+  hosts: localhost
+  tasks:
+    - name: Verificar o status do site
+      ansible.builtin.uri:
+        url: "https://www.example.com"
+        method: GET
+      register: site_response
+
+    - name: Exibir resposta do site
+      debug:
+        var: site_response

assets/queries/ansible/general/communication_over_http/test/positive1.yaml

@@ -0,0 +1,12 @@
+- name: Verificar o status de um site usando o módulo uri
+  hosts: localhost
+  tasks:
+    - name: Verificar o status do site
+      ansible.builtin.uri:
+        url: "http://www.example.com"
+        method: GET
+      register: site_response
+
+    - name: Exibir resposta do site
+      debug:
+        var: site_response

assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+    {
+      "queryName": "Communication Over HTTP",
+      "severity": "MEDIUM",
+      "line": 6,
+      "filename": "positive1.yaml"
+    }
+]

assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc",
+    "queryName": "Ansible Tower Exposed To Internet",
+    "severity": "MEDIUM",
+    "category": "Best Practices",
+    "descriptionText": "Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment",
+    "descriptionUrl": "https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#understand-the-architecture-of-ansible-and-tower",
+    "platform": "Ansible",
+    "cloudProvider": "common",
+    "descriptionID": "657a8b1d"
+  }
+