In our team, we want to perform vulnerability scans on YAML files

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    we are using Community Edition Version 8.6 (build 39681)
  • what are you trying to achieve
    We are trying to scan YAML files for vulnerabilities. As of now we are mainly focusing on 2 types of vulnerability: 1) Indentation: when there is any issue in the indentation, the scan should detect it and throw an error. 2) The scan should also find security vulnerabilities.
  • what have you tried so far to achieve this
    Searching on the Internet we found one document:
    SonarCloud can scan Terraform and CloudFormation files + cfn-lint support
    According to this document we have upgraded our SonarQube to 9.2 and did some tests on different scenarios. We are able to successfully find the vulnerability in all of them, but in one scenario, when we are passing the * sign in the template.yaml file under the Resource tag, it is not able to detect that.
    According to our need, it should throw a warning or error message, as it can be a code vulnerability scan.

Hello,

Thanks for your feedback. We indeed recently released a feature in SonarQube 9.2 and SonarCloud to scan Terraform for AWS and CloudFormation files. Soon will come the support of Terraform for Azure and GCP.

Can you clarify, by sharing some code snippet, what you want to detect as vulnerable code so we can review it and take a decision?

Thanks
Alex

Hi Alexandre,

please find below the code snippet.
```yaml
# Policies on an AWS::IAM::Role/User/Group is a list, so each policy is a list item
Policies:
  - PolicyName: "SomePolicyName"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action:
            - "*"
          Resource: "*"
```

Under the Action section, when I am passing the * mark, it should detect it as a vulnerability.
We can also write our own template, but with so many lines of code it will be difficult.
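The check the thread is asking for, as an added example and not SonarQube's or the poster's own code: walk a parsed CloudFormation template, find every IAM policy statement, and report those whose `Effect: Allow` grants `Action` or `Resource` as the bare wildcard `"*"`. The sample template below is constructed for this example (the poster's snippet plus a second, narrowly scoped role so the check has something to pass); the resource names `AppRole` and `ReadOnlyRole` are assumptions. The walker itself has no third-party dependency; `load_template` assumes PyYAML is installed and is only needed to read a real file.

```python
"""Flag IAM policy statements in a CloudFormation template that grant
"Action: *" or "Resource: *" (added example, not a SonarQube rule)."""
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple, Union

# Constructed sample: the poster's snippet, parsed into Python objects the way
# yaml.safe_load would produce them, plus a tightly scoped role that must pass.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "AppRole": {  # assumed resource name
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [
                    {
                        "PolicyName": "SomePolicyName",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
                            ],
                        },
                    }
                ]
            },
        },
        "ReadOnlyRole": {  # assumed resource name
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [
                    {
                        "PolicyName": "ReadObjects",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "s3:GetObject",
                                    # a trailing '*' inside an ARN is not a full wildcard
                                    "Resource": "arn:aws:s3:::example-bucket/*",
                                },
                            ],
                        },
                    }
                ]
            },
        },
    }
}


@dataclass(frozen=True)
class Finding:
    path: str    # slash-separated location of the offending field in the template
    field: str   # "Action" or "Resource"
    value: Any   # the value that was flagged


def _has_full_wildcard(value: Union[str, List[Any], None]) -> bool:
    """True when an Action/Resource value is exactly "*" or a list containing "*".
    Narrower patterns such as "s3:*" or "arn:...:bucket/*" are not flagged here."""
    if isinstance(value, str):
        return value == "*"
    if isinstance(value, list):
        return any(isinstance(v, str) and v == "*" for v in value)
    return False


def _iter_statements(node: Any, path: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, statement) for every IAM statement in the document.
    Any mapping with a 'Statement' key is treated as a policy document, so
    inline role policies, managed policies and bucket policies are all covered."""
    if isinstance(node, dict):
        stmts = node.get("Statement")
        if stmts is not None:
            stmts = [stmts] if isinstance(stmts, dict) else stmts  # single or list form
            for i, stmt in enumerate(stmts):
                if isinstance(stmt, dict):
                    yield f"{path}/Statement/{i}", stmt
        for key, child in node.items():
            if key != "Statement":
                yield from _iter_statements(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _iter_statements(child, f"{path}/{i}")


def find_wildcard_grants(template: Any) -> List[Finding]:
    """Return one Finding per Allow statement field that is a full wildcard."""
    findings: List[Finding] = []
    for path, stmt in _iter_statements(template, ""):
        if stmt.get("Effect") != "Allow":  # a Deny with "*" is not an over-grant
            continue
        for field in ("Action", "Resource"):
            if _has_full_wildcard(stmt.get(field)):
                findings.append(Finding(f"{path}/{field}", field, stmt.get(field)))
    return findings


def load_template(text: str) -> Any:
    """Parse YAML text into the structure find_wildcard_grants expects.
    Assumes PyYAML is installed; kept separate so the checker itself is dependency-free."""
    import yaml  # type: ignore
    return yaml.safe_load(text)


if __name__ == "__main__":
    for f in find_wildcard_grants(SAMPLE_TEMPLATE):
        print(f"wildcard {f.field} at {f.path}: {f.value!r}")
```

Run against the sample, the check reports the `Action` and `Resource` of `AppRole`'s statement and stays silent on `ReadOnlyRole`, whose ARN only ends in `*`. To use it on a real file, pass `load_template(open("template.yaml").read())` to `find_wildcard_grants`; a non-empty result is what the poster wants the pipeline to turn into a warning or a failed build.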