
Ignoring Policies on a scan

Open JonZeolla opened this issue 3 years ago • 4 comments

Description

In the documentation there is a reference to #367, which has been closed via #466, but the documentation does not appear to have been updated.

JonZeolla avatar Mar 22 '21 18:03 JonZeolla

Hi @JonZeolla,

The documentation link that you have pointed out is an outdated one, we need to update our documentation.

But, we do support a couple of ways of ignoring policies on a scan:

Use of --skip-rules, --scan-rules:

For example, a normal terrascan scan:

$ terrascan scan -t aws -v


Violation Details -

	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	main.tf
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	demo-s3
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience

	-----------------------------------------------------------------------

	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	main.tf
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	demo-s3
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management

	-----------------------------------------------------------------------


Scan Summary -

	File/Folder         :	/Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
	IaC Type            :	terraform
	Scanned At          :	2021-03-23 03:16:23.971338 +0000 UTC
	Policies Validated  :	561
	Violated Policies   :	2
	Low                 :	0
	Medium              :	0
	High                :	2

With use of --skip-rules:

$ terrascan scan -t aws -v --skip-rules="AWS.S3Bucket.DS.High.1043,AWS.S3Bucket.IAM.High.0370"
2021-03-23T08:49:49.820+0530	info	opa/engine.go:488	skip rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:49:49.820+0530	info	opa/engine.go:488	skip rule added. rule id: AWS.S3Bucket.IAM.High.0370 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws


Scan Summary -

	File/Folder         :	/Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
	IaC Type            :	terraform
	Scanned At          :	2021-03-23 03:19:50.034008 +0000 UTC
	Policies Validated  :	156
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

With use of --scan-rules:

$ terrascan scan -t aws -v --scan-rules="AWS.S3Bucket.DS.High.1043"
2021-03-23T08:51:13.514+0530	info	opa/engine.go:469	scan rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws


Violation Details -

	Description    :	S3 bucket Access is allowed to all AWS Account Users.
	File           :	main.tf
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	demo-s3
	Resource Type  :	aws_s3_bucket
	Category       :	Identity and Access Management

	-----------------------------------------------------------------------


Scan Summary -

	File/Folder         :	/Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
	IaC Type            :	terraform
	Scanned At          :	2021-03-23 03:21:13.518131 +0000 UTC
	Policies Validated  :	1
	Violated Policies   :	1
	Low                 :	0
	Medium              :	0
	High                :	1

Using scan and skip rules together:

$ terrascan scan -t aws -v --scan-rules="AWS.S3Bucket.DS.High.1043,AWS.S3Bucket.IAM.High.0370" --skip-rules="AWS.S3Bucket.DS.High.1043"
2021-03-23T08:53:42.866+0530	info	opa/engine.go:469	scan rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:53:42.866+0530	info	opa/engine.go:469	scan rule added. rule id: AWS.S3Bucket.IAM.High.0370 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws
2021-03-23T08:53:42.866+0530	info	opa/engine.go:488	skip rule added. rule id: AWS.S3Bucket.DS.High.1043 found in policy path: /Users/jarvis/.terrascan/pkg/policies/opa/rego/aws


Violation Details -

	Description    :	Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
	File           :	main.tf
	Line           :	5
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	demo-s3
	Resource Type  :	aws_s3_bucket
	Category       :	Resilience

	-----------------------------------------------------------------------


Scan Summary -

	File/Folder         :	/Users/jarvis/terraform-examples/Damn-Vulnerable-Terraform-Project
	IaC Type            :	terraform
	Scanned At          :	2021-03-23 03:23:42.869043 +0000 UTC
	Policies Validated  :	1
	Violated Policies   :	1
	Low                 :	0
	Medium              :	0
	High                :	1

kanchwala-yusuf avatar Mar 23 '21 03:03 kanchwala-yusuf

Use of --skip-rules is applicable to all the resources in a given configuration.

If you want to skip a rule for a particular resource, you can refer to https://github.com/accurics/terrascan#rule-suppression

kanchwala-yusuf avatar Mar 23 '21 03:03 kanchwala-yusuf
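To make the flag semantics shown in the two comments above concrete (scan-rules restricts to the listed IDs, skip-rules removes IDs and wins when both name the same ID, and both act on every resource in the configuration), here is an added Python example that is not part of terrascan or this thread. It parses a constructed report in the shape of terrascan's "Violation Details" output; the rule IDs and names come from the runs quoted above, while the "demo-logs" resource is invented to show a skip dropping the same rule on two resources.

```python
import re

# Constructed input in the shape of terrascan's verbose "Violation Details" output
# (rule IDs and names taken from the report quoted in this issue; "demo-logs" is made up).
REPORT = """\
	Severity       :	HIGH
	Rule Name      :	s3Versioning
	Rule ID        :	AWS.S3Bucket.IAM.High.0370
	Resource Name  :	demo-s3

	-----------------------------------------------------------------------

	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	demo-s3

	-----------------------------------------------------------------------

	Severity       :	HIGH
	Rule Name      :	s3EnforceUserACL
	Rule ID        :	AWS.S3Bucket.DS.High.1043
	Resource Name  :	demo-logs
"""

FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")  # one "<key> : <value>" row


def parse_violations(report):
    """Split the report on the dashed separators and read each block into a dict."""
    violations = []
    for block in re.split(r"-{5,}", report):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Rule ID" in fields:
            violations.append(fields)
    return violations


def apply_rule_flags(violations, scan_rules=(), skip_rules=()):
    """Model --scan-rules (allow-list) and --skip-rules (deny-list, wins on overlap).
    Both key on the rule ID only, so a skip removes that finding for every resource."""
    return [v for v in violations
            if (not scan_rules or v["Rule ID"] in scan_rules)
            and v["Rule ID"] not in skip_rules]
```

Use the per-resource suppression linked above when only one bucket should be exempt; a skip list in CI exempts the rule for the whole configuration.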

Hey @JonZeolla, were you able to ignore rules on a scan?

kanchwala-yusuf avatar Apr 08 '21 03:04 kanchwala-yusuf

Hi @kanchwala-yusuf, thank you. Yes, I already knew how to; I was specifically just opening this issue to get the docs corrected.

JonZeolla avatar Apr 08 '21 09:04 JonZeolla