Cloud Security and DevOps

"Fix Security Issues Left of Prod"
By Ross Young
Cheat Sheet v1.1.4
SANS.ORG/CLOUD-SECURITY

Git

# Git Documentation

# Git global setup
git config --global user.name "John Doe"
git config --global user.email "[email protected]"

# Clone and Edit a repository
git clone [email protected]:repository/project.git
cd project
touch README.md
git add README.md
git commit -m "add README"
git push -u origin master

# Convert existing folder to repo and push
cd existing_folder
git init
git remote add origin [email protected]:repository/project.git
git add .
git commit -m "Initial commit"
git push -u origin master

Git Secrets

# Git-Secrets prevents you from committing secrets/credentials into git repositories
# Scan for secrets on each commit
git secrets --install /path/to/files
git secrets --register-aws

# Scan file/folders for secrets
git secrets --scan /path/to/file
git secrets --scan -r /path/to/directory

# Adds a prohibited pattern to the current repo:
git secrets --add '[A-Z0-9]{20}'

# Adds a prohibited pattern to the global git config:
git secrets --add --global '[A-Z0-9]{20}'

# Add an allowed pattern:
git secrets --add -a 'allowed pattern'

Scout Suite

# Scout Suite is a multi-cloud audit tool
# Install and configure
git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
sudo pip3 install -r requirements.txt
python3 scout.py --help # Check install

# Pull the latest ruleset
curl https://raw.githubusercontent.com/nccgroup/ScoutSuite/master/ScoutSuite/providers/aws/rules/rulesets/detailed.json > detailed-rules.json

# Run with the latest Ruleset
python3 scout.py aws --profile <profile> --ruleset <ruleset>

# Docker Documentation
docker pull <image>:<tag>
docker build -f /path/dockerfile -t imagename .
docker image ls
docker image rm <imageid>
docker commit containerid [REPOSITORY[:TAG]]
docker container ls -a
docker container prune
docker info
docker kill <containerid>
docker rm <containerid>

# Bulk Delete All Containers
docker ps -a -q | xargs -n 1 -I {} docker rm {}

# Run Containers in Detached Mode
docker run -d -p 80:80 myimage nginx -g 'daemon off;'

# Run Interactive Containers with Mounted Files
docker run -v /hostpath:/containerpath -it <image>:<tag>

# Save an image to a tar archive
docker save image:tag > image.tar

Docker Security Checks

Dockle - Check your Dockerfile against the CIS Docker Benchmarks with a Container Image Linter
# Install Dockle
https://github.com/goodwithtech/dockle
dockle REPOSITORY/IMAGE:TAG
dockle --exit-code 1 --exit-level fatal IMAGE:TAG

Docker Scan - Find Vulnerabilities within a Container Image
docker scan --file /Path/Dockerfile IMAGE:TAG

Container Vuln Scan (Excluding the Base Image)
docker scan --file /Path/Dockerfile --exclude-base IMAGE:TAG

Dependency Tree
docker scan --dependency-tree IMAGE:TAG

Docker-Bench - Evaluate your Docker Engine configuration against the CIS Benchmark
Install Go, then clone this repository
https://github.com/aquasecurity/docker-bench
go build -o docker-bench .
./docker-bench
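The Git Secrets section above registers prohibited patterns (`git secrets --add`) and allowed patterns (`git secrets --add -a`) without showing how the two interact. The script below is an added example, not part of the cheat sheet and not git-secrets' own code: it reproduces that prohibited/allowed logic with grep so the behaviour can be seen on a constructed config file. The pattern names, the sample file and its lines are all assumptions made for the demo; the AWS access key ID pattern is anchored to the AKIA prefix rather than the bare '[A-Z0-9]{20}' the sheet uses, which also matches build IDs and hashes.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or from git-secrets itself: a small
# secret gate that reproduces git-secrets' prohibited / allowed pattern logic
# with grep, usable as a pre-commit hook or CI step. All patterns, file names
# and sample lines are constructed for the demo.

# Prohibited patterns (what `git secrets --add` registers). The first is the
# AWS access key ID shape, anchored to its AKIA prefix instead of the bare
# '[A-Z0-9]{20}' the cheat sheet uses; the second is a secret-key assignment.
PROHIBITED_AKID='AKIA[A-Z0-9]{16}'
PROHIBITED_SECRET='(aws_)?secret(_access)?_key[[:space:]]*=[[:space:]]*[^[:space:]]+'

# Allowed patterns (what `git secrets --add -a` registers): a line that
# matches one of these is not reported even if a prohibited pattern hit.
ALLOWED_DOC_KEY='AKIAIOSFODNN7EXAMPLE'   # the key ID used in AWS documentation
ALLOWED_PLACEHOLDER='<redacted>'

# make_sample: write a constructed config file and print its path.
# Lines 2 and 3 are documentation/placeholder values (allowed);
# lines 4 and 5 are constructed look-alike credentials (must be flagged).
make_sample() {
    f=$(mktemp)
    printf '%s\n' \
        'region = us-east-1' \
        'aws_access_key_id = AKIAIOSFODNN7EXAMPLE' \
        'aws_secret_access_key = <redacted>' \
        'aws_access_key_id = AKIAABCDEFGHIJKLMNOP' \
        'aws_secret_access_key = NotARealSecretValue0123456789' \
        > "$f"
    echo "$f"
}

# find_secrets FILE: print "lineno:content" for every line that matches a
# prohibited pattern and no allowed pattern.
find_secrets() {
    grep -n -E -e "$PROHIBITED_AKID" -e "$PROHIBITED_SECRET" "$1" \
        | grep -v -E -e "$ALLOWED_DOC_KEY" -e "$ALLOWED_PLACEHOLDER" || true
}

# secret_gate FILE: return 1 (block the commit) when any finding remains,
# listing the offending lines on stderr; return 0 otherwise.
secret_gate() {
    findings=$(find_secrets "$1")
    if [ -n "$findings" ]; then
        printf 'secret gate: refusing %s\n%s\n' "$1" "$findings" >&2
        return 1
    fi
    return 0
}
```

On the constructed sample, `find_secrets` reports lines 4 and 5 only: line 2 matches the key ID pattern but is suppressed by the documentation-key allow pattern, and line 3 is suppressed by the placeholder allow pattern. Two caveats carry over to git-secrets itself: an allowed pattern suppresses the whole line, so keep allow patterns as specific as possible, and a real hook should scan the staged diff (`git diff --cached`) rather than files on disk.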
Terraform Syntax

Blocks are the configuration of an object.
Arguments assign a value to a name.
Expressions represent a value, either literally or by referencing and combining other values.

<BLOCK TYPE> "<BLOCK LABEL>" "<BLOCK LABEL>" {
  # Block body
  <IDENTIFIER> = <EXPRESSION> # Argument
}

# Example:
resource "aws_vpc" "main" {
  cidr_block = var.base_cidr_block
}

CloudFormation (YAML Syntax)

Resources:
  Logical ID:
    Type: Resource type
    Properties:
      Set of properties

# Example
Resources:
  MyInstance:
    Type: "AWS::EC2::Instance"
    Properties:
      UserData:
        "Fn::Base64":
          !Sub |
            Queue=${MyQueue}
      AvailabilityZone: "us-east-1a"
      ImageId: "ami-0ff8a91507f77f867"
  MyQueue:
    Type: "AWS::SQS::Queue"
    Properties: {}

Infrastructure Scans (Terraform, CloudFormation, & Helm)

Terrascan is a misconfiguration scanner. It can scan Terraform, Kubernetes, and other file types.
git clone [email protected]:accurics/terrascan.git
cd terrascan
make build
./bin/terrascan
terrascan scan -t aws

# Find security misconfigurations in Helm Charts
terrascan scan -I helm

Checkov looks for misconfigurations in files such as Terraform, CloudFormation, and even Helm Charts.
pip install checkov
checkov -f /path/example.tf

# Find security misconfigurations in Helm Charts
checkov --framework kubernetes -d <template files>

CFN_NAG looks for misconfigurations in CloudFormation templates.
gem install cfn-nag
cfn_nag_scan --input-path <path to templates>

Azure Key Store

# Create a Resource Group
az group create --name "MyResourceGroup" -l "EastUS"

# Create a new key vault
az keyvault create --name "<unique name>" --resource-group "MyResourceGroup" --location "EastUS"

# Show details of a key vault
az keyvault show --name MyKeyVault

# List Azure Key Vaults
az keyvault list --resource-group "MyResourceGroup"

# Delete a Key Vault
az keyvault delete --name MyKeyVault --resource-group MyResourceGroup

AWS Systems Manager Parameter Store

# Store a secret as an encrypted (SecureString) parameter
aws ssm put-parameter --name MyParameter --value "secret_value" --type SecureString

# Read it back decrypted
aws ssm get-parameter --name MyParameter --with-decryption

Jenkins Integration

Scan is a free open-source audit tool for DevOps teams. It can perform:
• Credentials Scanning to detect accidental secret leaks
• Static Analysis Security Testing (SAST) for a range of languages and frameworks
• Open-source dependencies audit
• License violation checks

You can add the following stage to your Jenkinsfile (declarative syntax) for a basic integration:

stages {
  stage('Scan') {
    agent {
      docker { image 'shiftleft/sast-scan' }
    }
    steps {
      sh 'scan'
    }
  }
}
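The Terraform Syntax and Infrastructure Scans sections above show the block structure that Terrascan and Checkov walk, and the commands to run them, but not what one of their policies looks like or how its result gates a pipeline. The script below is an added example, not from the cheat sheet and not code from Terrascan, Checkov or cfn-nag: a toy awk check for the common "security group ingress open to 0.0.0.0/0" finding, wrapped in a gate that fails the stage on any hit the way those scanners do through their exit code. The constructed HCL sample, the function names and the report format are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or any of the scanners it lists:
# a toy Terraform misconfiguration check in awk that shows the shape of a
# policy Checkov / Terrascan enforce ("no security group ingress rule open
# to 0.0.0.0/0") plus a CI gate around it. The HCL sample is constructed.

# make_sample: write a constructed Terraform file and print its path.
# "bastion" exposes SSH to the world (should be flagged); its egress rule
# is world-open too but egress is out of scope for this check; "db" only
# accepts traffic from a private range (should pass).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
EOF
    echo "$f"
}

# find_open_ingress FILE: print one line per security-group ingress block
# whose cidr_blocks contain 0.0.0.0/0, naming the resource and from_port.
# The awk program tracks the enclosing resource label and whether it is
# inside an ingress block, so egress rules are never reported.
find_open_ingress() {
    awk '
        /^resource[[:space:]]+"aws_security_group"/ { split($0, p, "\""); res = p[4] }
        /^[[:space:]]*ingress[[:space:]]*[{]/        { in_ingress = 1; from = "?" }
        in_ingress && /^[[:space:]]*from_port/       { from = $3 }
        in_ingress && /cidr_blocks/ && /0\.0\.0\.0\/0/ {
            printf "%s: ingress from_port=%s open to 0.0.0.0/0\n", res, from
        }
        in_ingress && /^[[:space:]]*[}]/             { in_ingress = 0 }
    ' "$1"
}

# iac_gate FILE: return 1 (fail the pipeline stage) when any finding exists,
# printing the findings on stderr; return 0 when the file is clean.
iac_gate() {
    findings=$(find_open_ingress "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    return 0
}
```

On the sample, `find_open_ingress` prints a single line for `bastion` (from_port 22) and nothing for `db`, so `iac_gate` returns 1 for that file and 0 for a file that contains only the sheet's `aws_vpc` example. The real scanners parse HCL properly and ship hundreds of such policies; the point here is the contract a CI stage relies on: findings on stderr, non-zero exit to stop the deploy.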
