Note: as of
v2, the cfn-security image is using AWS ECR for the image registry. cfn-securityv1will remain on docker hub unchanged; however, the docker hub rate limits could impact utilization. It is recommended to move tov2.
A simple GitHub Action for AWS CloudFormation static code analysis to improve infrastructure-as-code security.
The Action does not require AWS credentials!
cfn-security supports the following linting and security tools:
The directory of the repo to scan the cloudformation templates.
The scanner used to run security test. Options are cfn-lint, cfn-nag, checkov, or all
To get started simply add a workflow .yml file (name it whatever you would like) to your .github/workflows folder. Refer to the documentation on workflow YAML syntax here..
For examples GitHub Actions workflow files check out the example workflow templates. If you still do not know where to start, just use the all-security-scans.yml template which will create two security scan jobs. Update the template input vars as necessary.
The following example tests CloudFormation with cfn-lint:
name: cfn-lint Scan
on: [push]
jobs:
## cfn-lint scan
sast-cfn-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: grolston/cfn-security@v2
with:
cloudformation_directory: './cloudformation/' ## change to your template directory
scanner: "cfn-lint"The cfn-lint scan will result in a pipeline failure for any identified rule violations. To suppress cfn-lint rules within your cloudformation template you can add in cfn-lint Metadata to the impacted resource. Example:
Resources:
myInstance:
Type: AWS::EC2::Instance
Metadata:
cfn-lint:
config:
ignore_checks:
- E3030
Properties:
InstanceType: nt.x4superlarge
ImageId: ami-abc1234The following example tests CloudFormation with cfn-nag:
name: cfn-nag Security Scan
on: [push]
jobs:
## cfn-nag security scan
sast-cfn-nag:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: grolston/cfn-security@v2
with:
cloudformation_directory: './cloudformation/' ## change to your template directory
scanner: "cfn-nag"The cfn-nag scan will result in a pipeline failure for any identified rule violations. To suppress cfn-nag rules within your cloudformation template you can add in cfn-nag Metadata to the impacted resource. Example:
# Partial template
PublicAlbSecurityGroup:
Properties:
GroupDescription: 'Security group for a public Application Load Balancer'
VpcId:
Ref: vpc
Type: AWS::EC2::SecurityGroup
Metadata:
cfn_nag:
rules_to_suppress:
- id: W9
reason: "This is a public facing ELB and ingress from the internet should be permitted."
- id: W2
reason: "This is a public facing ELB and ingress from the internet should be permitted."
PublicAlbSecurityGroupHttpIngress:
Properties:
CidrIp: 0.0.0.0/0
FromPort: 80
GroupId:
Ref: PublicAlbSecurityGroup
IpProtocol: tcp
ToPort: 80
Type: AWS::EC2::SecurityGroupIngressThe following example tests CloudFormation with checkov:
name: checkov Security Scan
on: [push]
jobs:
## checkov security scan
sast-checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: grolston/cfn-security@v2
with:
cloudformation_directory: './cloudformation/' ## change to your template directory
scanner: "checkov"The checkov scan will result in a pipeline failure for any identified rule violations. To suppress checkov rules within your cloudformation template place a # checkov:skip=[Rule To Skip] within the impacted resource. Example:
Resources:
MyDB:
Type: 'AWS::RDS::DBInstance'
# Test case for check skip via comment
# checkov:skip=CKV_AWS_16:Ensure all data stored in the RDS is securely encrypted at rest
Properties:
DBName: 'mydb'
DBInstanceClass: 'db.t3.micro'
Engine: 'mysql'
MasterUsername: 'master'
MasterUserPassword: 'password'Note: it is possible to simple combine the two examples above into a single file which will run all tests as individual jobs. Reference all-security-scans.yml
This project is distributed under the MIT license.