In our team, we want to perform a vulnerability scan on YAML files

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    we are using Community Edition Version 8.6 (build 39681)
  • what are you trying to achieve
    we are trying to scan the YAML file for vulnerabilities. As of now we are mainly focusing on 2 types of vulnerability. 1) Indentation: when we have any issue in the indentation, the scan should detect it and throw the error. 2) Also, the scan should find security vulnerabilities.
  • what have you tried so far to achieve this
    searching on the Internet we found one document:
    SonarCloud can scan Terraform and CloudFormation files + cfn-lint support
    according to this document we have upgraded our SonarQube to 9.2 and did some tests on different scenarios. We are able to successfully find the vulnerabilities in all of them, but in one scenario, when we are passing the * sign in the template.yaml file under the Resource tag, it is not able to detect that.
    According to our need, it should throw a warning or error message, as it can be a code vulnerability scan.

Hello,

Thanks for your feedback. We indeed recently released a feature in SonarQube 9.2 and SonarCloud to scan Terraform for AWS and CloudFormation files. Support for Terraform for Azure and GCP will come soon.

Can you clarify, by sharing a code snippet, what you want to detect as vulnerable code, so we can review it and make a decision?

Thanks
Alex

Hi Alexandre,

please find the code snippet below.
Policies:
  -
    PolicyName: "SomePolicyName"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Action:
            - "*"
          Resource: "*"

Under the Action section, when I am passing the * mark, it should detect it as a vulnerability.
We can also write our own template, but with such a huge number of code lines it will be difficult.

Hi,
according to the link which has been pasted:

1) Is cfn-lint still pending implementation in SonarQube version 9.2?
2) Also, can I have an answer to the above question?

Hello @aniket_gaurav,

Support of cfn-lint was provided with SonarQube 9.2.

Regarding the “Policies” snippet you shared, I think you expect CloudFormation static code analysis: having AWS policies that grant all privileges is security-sensitive and is to be raised.

I did scan it and the expected Security Hotspot is raised:

Can you try it on your side once again? If you can’t manage it, it would be great to share a reproducer.

Thanks
Alex
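As an added illustration of the "grant all privileges" pattern Alex refers to (example code written for this thread, not SonarQube's rule engine or cfn-lint), the following dependency-free Python check walks a CloudFormation template for every PolicyDocument and reports Allow statements whose Action or Resource is the bare wildcard "*". The template is the JSON form of the Policies snippet above (CloudFormation accepts YAML or JSON); the resource name AppRole and the two extra statements that must not be flagged are constructed for the example.

```python
import json

# Constructed sample: the JSON form of the "Policies" snippet from the thread
# (CloudFormation accepts YAML or JSON), plus two statements that must NOT be flagged.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {"AppRole": {"Type": "AWS::IAM::Role", "Properties": {
  "Policies": [{"PolicyName": "SomePolicyName", "PolicyDocument": {"Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
      {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
      {"Effect": "Deny", "Action": "*", "Resource": "*"}
    ]}}]}}}}""")

def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _find_policy_documents(node, path="$"):
    """Yield (json_path, PolicyDocument) for every PolicyDocument key anywhere in the
    template, so inline role policies, managed policies and resource policies are covered."""
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if key == "PolicyDocument" and isinstance(child, dict):
                yield child_path, child
            else:
                yield from _find_policy_documents(child, child_path)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _find_policy_documents(child, f"{path}[{i}]")

def find_wildcard_grants(template):
    """Return (statement_path, [fields]) for every Allow statement whose Action or
    Resource is the bare wildcard "*", i.e. a grant of all privileges."""
    findings = []
    for doc_path, doc in _find_policy_documents(template):
        for i, stmt in enumerate(_as_list(doc.get("Statement"))):
            if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
                continue  # a Deny statement with "*" restricts rather than grants
            fields = [k for k in ("Action", "Resource") if "*" in _as_list(stmt.get(k))]
            if fields:
                findings.append((f"{doc_path}.Statement[{i}]", fields))
    return findings

if __name__ == "__main__":
    for location, fields in find_wildcard_grants(SAMPLE_TEMPLATE):
        print(f"{location}: bare wildcard in {', '.join(fields)}")
```

Only the first statement is reported; the scoped S3 grant and the Deny statement pass, which is the same distinction a static analyser has to make before raising a Security Hotspot.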

Hi,
I created one policy YAML file and ran the below command (from the command line):
cfn-lint Cfn_lint_test.yaml --include-checks I -f json --output-file log.json
When I look at the log.json file, it is not showing any error or critical activity.
Please find the attachment for both files.
log.json (735 Bytes)

Please do let me know if I am doing something wrong or need to change anything.

Hello,

Can you attach your cloudformation.json file?

Thanks
Alex

Hi Alex,
I have not created the CloudFormation.json file, but the question is:
1) Why do we need to create one?
2) What will be the content of the file?
I am running cfn-lint from Visual Basic (command mentioned above), so I have just created one YAML file which I need to scan. :)

Hello,

We do provide rules to analyze CloudFormation and Terraform files for AWS, Azure and GCP. In addition to that, we allow loading the output of “cfn-lint”. It means that if you are already using it, you can continue and visualize its results in SonarQube. If you don’t know how to use “cfn-lint”, I advise forgetting it for the moment and/or asking the “cfn-lint” community (so not here) to help you.

In order to help you, I need you to upload here the YAML files you want to scan, so I can work on them and see if there is a problem in our engine or somewhere else.

Alex