aquasecurity · simar7 · Apr 17, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 9, 2024
@@ -22,7 +22,15 @@ jobs:
           registry: ghcr.io
           username: ${{ env.GH_USER }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Deploy to GitHub Packages Container registry
+      - name: Deploy policy bundle to ghcr.io (for backwards compatibility)
+        run: |
+          tags=(latest ${{ env.RELEASE_VERSION}} ${{env.MINOR_VERSION }} ${{ env.MAJOR_VERSION }})
+          for tag in ${tags[@]}; do
+              oras push ghcr.io/aquasecurity/trivy-policies:${tag} \
+              --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json \
+              bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
+          done
+      - name: Deploy checks bundle to ghcr.io
         run: |
           tags=(latest ${{ env.RELEASE_VERSION}} ${{env.MINOR_VERSION }} ${{ env.MAJOR_VERSION }})
           for tag in ${tags[@]}; do

@@ -1,10 +1,10 @@
 # Contributing
 
-Welcome, and thank you for considering contributing to trivy-policies!
+Welcome, and thank you for considering contributing to trivy-checks!
 
 The following guide gives an overview of the project and some directions on how to make common types of contribution. If something is missing, or you get stuck, please [start a discussion](https://github.com/aquasecurity/trivy/discussions/new) and we'll do our best to help.
 
-### Writing Rules
+### Writing Checks
 
 Writing a new rule can be relatively simple, but there are a few things to keep in mind. The following guide will help you get started.
 

diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md
@@ -4,7 +4,7 @@ Use the most modern TLS/SSL policies available
 ```hcl
  resource "aws_cloudfront_distribution" "good_example" {
    viewer_certificate {
-     cloudfront_default_certificate = false
+     cloudfront_default_certificate = aws_acm_certificate.example.arn
      minimum_protocol_version = "TLSv1.2_2021"
    }
  }

diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md
@@ -1,7 +1,7 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
-Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
+Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. 
 If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
 The only option when using the cloudfront.net domain name is to ignore this rule.
 

diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
@@ -1,5 +1,5 @@
 
-Use Customer managed key
+Enable encryption at rest
 
 ```yaml---
 Resources:
@@ -15,6 +15,4 @@ Resources:
 
 ```
 
-#### Remediation Links
- - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
 
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
@@ -1,5 +1,5 @@
 
-Use Customer managed key
+Enable encryption at rest
 
 ```hcl
  resource "aws_cloudtrail" "good_example" {

diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
@@ -1,15 +1,13 @@
 
-Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
+Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+Data can be freely read if compromised
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
 ### Links
 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
 
-- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
-
 
diff --git a/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md b/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
@@ -5,7 +5,7 @@ Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_group_policy" "mfa" {
+resource aws_iam_group_policy mfa {
 
     group = aws_iam_group.support.name
     policy = <<EOF
@@ -33,7 +33,7 @@ EOF
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_policy" "mfa" {
+resource aws_iam_policy mfa {
 
     name = "something"
     policy = <<EOF
@@ -55,7 +55,7 @@ resource "aws_iam_policy" "mfa" {
 }
 EOF
 }
-resource "aws_iam_group_policy_attachment" "attach" {
+resource aws_iam_group_policy_attachment attach {
     group = aws_iam_group.support.name
     policy_arn = aws_iam_policy.mfa.id
 }
@@ -65,7 +65,7 @@ resource "aws_iam_group_policy_attachment" "attach" {
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_group_policy" "mfa" {
+resource aws_iam_group_policy mfa {
   group = aws_iam_group.support.name
   policy = data.aws_iam_policy_document.combined.json
 }

diff --git a/avd_docs/azure/database/AVD-AZU-0027/Terraform.md b/avd_docs/azure/database/AVD-AZU-0027/Terraform.md
@@ -9,18 +9,17 @@ Enable auditing on Azure SQL databases
    version                      = "12.0"
    administrator_login          = "mradministrator"
    administrator_login_password = "tfsecRocks"
- }
-
- resource "azurerm_mssql_server_extended_auditing_policy" "example" {
-  server_id                               = azurerm_sql_server.good_example.id
-  storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
-  storage_account_access_key              = azurerm_storage_account.example.primary_access_key
-  storage_account_access_key_is_secondary = true
-  retention_in_days                       = 6
+
+   extended_auditing_policy {
+     storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
+     storage_account_access_key              = azurerm_storage_account.example.primary_access_key
+     storage_account_access_key_is_secondary = true
+     retention_in_days                       = 6
+   }
  }
 
 ```
 
 #### Remediation Links
- - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_extended_auditing_policy
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server#extended_auditing_policy
 
diff --git a/avd_docs/dockerfile/general/AVD-DS-0017/docs.md b/avd_docs/dockerfile/general/AVD-DS-0017/docs.md
@@ -8,6 +8,6 @@ The instruction 'RUN <package-manager> update' should always be followed by '<pa
 {{ remediationActions }}
 
 ### Links
-- https://docs.docker.com/develop/develop-images/instructions/#run
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 
 
@@ -1,7 +1,7 @@
 package accessanalyzer
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	v1 "github.com/aquasecurity/trivy/pkg/iac/providers/aws/apigateway/v1"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package apigateway
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package athena
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/athena"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package athena
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudfront
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudfront
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudfront
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudfront"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudfront
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudfront"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudtrail
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/severity"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"

@@ -1,7 +1,7 @@
 package cloudwatch
 
 import (
-	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy-checks/pkg/rules"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudwatch"