{"id":13533598,"url":"https://github.com/aquasecurity/cfsec","last_synced_at":"2025-04-01T22:30:26.886Z","repository":{"id":45162396,"uuid":"395329596","full_name":"aquasecurity/cfsec","owner":"aquasecurity","description":"Static analysis for CloudFormation templates to identify common misconfiguration","archived":true,"fork":false,"pushed_at":"2022-02-16T13:55:40.000Z","size":10265,"stargazers_count":58,"open_issues_count":0,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-02T07:22:57.502Z","etag":null,"topics":["aws","aws-cloudformation","aws-sam","aws-sam-cli","cloudformation","cloudsecurity","go","golang","hacktoberfest","static-analysis"],"latest_commit_sha":null,"homepage":"https://aquasecurity.github.io/cfsec","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-12T13:33:06.000Z","updated_at":"2024-04-17T06:21:17.000Z","dependencies_parsed_at":"2022-08-27T20:03:41.139Z","dependency_job_id":null,"html_url":"https://github.com/aquasecurity/cfsec","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcfsec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcfsec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcfsec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fcfsec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/cfsec/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222774628,"owners_count":17035752,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-cloudformation","aws-sam","aws-sam-cli","cloudformation","cloudsecurity","go","golang","hacktoberfest","static-analysis"],"created_at":"2024-08-01T07:01:21.374Z","updated_at":"2024-11-02T20:31:47.533Z","avatar_url":"https://github.com/aquasecurity.png","language":"Go","readme":"\u003e ⚠️ The CloudFormation scanning logic is now integrated with [Aquasecurity Trivy](https://github.com/aquasecurity/trivy). 
cfsec is no longer maintained as a stand-alone scanner; use Trivy instead.\n\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"354\" src=\"logo.png\"\u003e\n\u003c/p\u003e\n\n\n\n[![GoReportCard](https://goreportcard.com/badge/github.com/aquasecurity/cfsec)](https://goreportcard.com/report/github.com/aquasecurity/cfsec)\n[![GitHub All Releases](https://img.shields.io/github/downloads/aquasecurity/cfsec/total)](https://github.com/aquasecurity/cfsec/releases)\n\n\n\n## What is it?\n\ncfsec scans your YAML or JSON CloudFormation templates for common security misconfigurations.\n\n## Installation\n\n### Home Brew - Mac and Linux\n\n```shell\nbrew tap cfsec/cfsec\nbrew install cfsec\n```\n\n### Chocolatey - Windows\n\n```shell\nchoco install cfsec\n```\n\n### Scoop - Windows\n\n```shell\nscoop install cfsec\n```\n\n### Installing latest from source\n\n```shell\ngo install github.com/aquasecurity/cfsec/cmd/cfsec@latest\n```\n\n\n## An Example\n\nGiven the CloudFormation template below, saved as `example/bucket.yaml` (CloudFormation parameters have no Boolean type, so `EncryptBucket` is a `String` whose value feeds the Boolean property):\n\n```yaml\n---\nAWSTemplateFormatVersion: \"2010-09-09\"\nDescription: An example Stack for a bucket\nParameters:\n  BucketName:\n    Type: String\n    Default: naughty-bucket\n  EncryptBucket:\n    Type: String\n    Default: \"false\"\nResources:\n  S3Bucket:\n    Type: 'AWS::S3::Bucket'\n    Properties:\n      BucketName:\n        Ref: BucketName\n      PublicAccessBlockConfiguration:\n        BlockPublicAcls: false\n        BlockPublicPolicy: false\n        IgnorePublicAcls: true\n        RestrictPublicBuckets: false\n      BucketEncryption:\n        ServerSideEncryptionConfiguration:\n          - BucketKeyEnabled: !Ref EncryptBucket\n```\n\nRunning `cfsec example/bucket.yaml` produces the following output:\n\n```\n  Result 1\n\n  [aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       BucketName:\n  
 15 |         Ref: BucketName\n   16 |       PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false    [false]\n   18 |         BlockPublicPolicy: false\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket\n   24 | \n\n\n  Impact:     PUT calls with public ACLs specified can make objects public\n  Resolution: Enable blocking any PUT calls with a public ACL specified\n\n  More Info:\n  - https://cfsec.dev/docs/s3/block-public-acls/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html \n\n  Result 2\n\n  [aws-s3-block-public-policy][HIGH] Public access block does not block public policies\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       BucketName:\n   15 |         Ref: BucketName\n   16 |       PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false\n   18 |         BlockPublicPolicy: false    [false]\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket\n   24 | \n\n\n  Impact:     Users could put a policy that allows public access\n  Resolution: Prevent policies that allow public access being PUT\n\n  More Info:\n  - https://cfsec.dev/docs/s3/block-public-policy/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html \n\n  Result 3\n\n  [aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       
BucketName:\n   15 |         Ref: BucketName\n   16 |       PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false\n   18 |         BlockPublicPolicy: false\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket    [false]\n   24 | \n\n\n  Impact:     The bucket objects could be read if compromised\n  Resolution: Configure bucket encryption\n\n  More Info:\n  - https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html \n\n  Result 4\n\n  [aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       BucketName:\n   15 |         Ref: BucketName\n   16 |       PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false\n   18 |         BlockPublicPolicy: false\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket\n   24 | \n\n\n  Impact:     There is no way to determine the access to this bucket\n  Resolution: Add a logging block to the resource to enable access logging\n\n  More Info:\n  - https://cfsec.dev/docs/s3/enable-bucket-logging/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html \n\n  Result 5\n\n  [aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       BucketName:\n   15 |         Ref: BucketName\n   16 |       
PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false\n   18 |         BlockPublicPolicy: false\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket\n   24 | \n\n\n  Impact:     Deleted or modified data would not be recoverable\n  Resolution: Enable versioning to protect against accidental/malicious removal or modification\n\n  More Info:\n  - https://cfsec.dev/docs/s3/enable-versioning/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html \n\n  Result 6\n\n  [aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets\n  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24\n   11 |   S3Bucket:\n   12 |     Type: 'AWS::S3::Bucket'\n   13 |     Properties:\n   14 |       BucketName:\n   15 |         Ref: BucketName\n   16 |       PublicAccessBlockConfiguration:\n   17 |         BlockPublicAcls: false\n   18 |         BlockPublicPolicy: false\n   19 |         IgnorePublicAcls: true\n   20 |         RestrictPublicBuckets: false    [false]\n   21 |       BucketEncryption:\n   22 |         ServerSideEncryptionConfiguration:\n   23 |         - BucketKeyEnabled: !Ref EncryptBucket\n   24 | \n\n\n  Impact:     Public buckets can be accessed by anyone\n  Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)\n\n  More Info:\n  - https://cfsec.dev/docs/s3/no-public-buckets/#s3 \n  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html \n\n\n  6 potential problems detected.\n\n```\n\n## More Information\n\ncfsec scans single file Stack configurations with support for Parameters, Mappings and Resources. 
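Added example, not part of the cfsec README or code base: a minimal Go checker, using only the standard library, that shows how a static scanner arrives at the six findings above from a JSON template, including resolving `Ref` to a parameter default and `Fn::FindInMap` through a Mapping, the Parameters and Mappings support this README describes. The rule IDs, severities and messages are the ones in the output above; the JSON templates, the `Settings` mapping, the `Env` parameter and the `example-access-logs` bucket name are constructed for the example. Two points the output only implies are made explicit: a value the scanner cannot resolve statically (a `Ref` to a resource, for instance) is treated as not proven safe rather than as a pass, and `BucketKeyEnabled` on its own does not encrypt anything, so the hardened template sets `ServerSideEncryptionByDefault.SSEAlgorithm`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Template is the subset of a CloudFormation template the checks read (encoding/json matches field names case-insensitively).
type Template struct {
	Parameters map[string]struct{ Default any }
	Mappings   map[string]map[string]map[string]any
	Resources  map[string]struct {
		Type       string
		Properties map[string]any
	}
}

// Finding is one rule violation against a named resource.
type Finding struct{ Resource, RuleID, Severity, Message string }

// resolve statically evaluates Ref (parameter defaults only) and Fn::FindInMap. A Ref to a resource
// or pseudo parameter, or a FindInMap miss, yields nil: unknown at scan time, which every check below
// treats as "not proven safe" rather than as a pass.
func (t *Template) resolve(v any) any {
	m, ok := v.(map[string]any)
	if !ok || len(m) != 1 {
		return v
	}
	if ref, ok := m["Ref"].(string); ok {
		if p, ok := t.Parameters[ref]; ok {
			return t.resolve(p.Default)
		}
		return nil
	}
	if args, ok := m["Fn::FindInMap"].([]any); ok && len(args) == 3 {
		mapName, _ := t.resolve(args[0]).(string)
		top, _ := t.resolve(args[1]).(string)
		key, _ := t.resolve(args[2]).(string)
		if val, ok := t.Mappings[mapName][top][key]; ok {
			return t.resolve(val)
		}
		return nil
	}
	return v
}

// obj and str resolve v to a property map or a string (zero value if absent or unresolved);
// isTrue accepts Boolean true and the string "true", both of which CloudFormation allows.
func (t *Template) obj(v any) map[string]any { m, _ := t.resolve(v).(map[string]any); return m }
func (t *Template) str(v any) string         { s, _ := t.resolve(v).(string); return s }
func (t *Template) isTrue(v any) bool        { b, _ := t.resolve(v).(bool); return b || t.str(v) == "true" }

// encrypted is true only when some rule sets ServerSideEncryptionByDefault.SSEAlgorithm;
// BucketKeyEnabled on its own, as in the README example, does not encrypt anything.
func (t *Template) encrypted(props map[string]any) bool {
	rules, _ := t.resolve(t.obj(props["BucketEncryption"])["ServerSideEncryptionConfiguration"]).([]any)
	for _, r := range rules {
		alg := t.str(t.obj(t.obj(r)["ServerSideEncryptionByDefault"])["SSEAlgorithm"])
		if alg == "AES256" || alg == "aws:kms" {
			return true
		}
	}
	return false
}

// checkS3Bucket applies the six rules cfsec reported in the README example, with the same rule IDs.
func (t *Template) checkS3Bucket(name string, props map[string]any) (out []Finding) {
	chk := func(bad bool, id, sev, msg string) {
		if bad {
			out = append(out, Finding{name, id, sev, msg})
		}
	}
	pab := t.obj(props["PublicAccessBlockConfiguration"])
	chk(!t.isTrue(pab["BlockPublicAcls"]), "aws-s3-block-public-acls", "HIGH", "Public access block does not block public ACLs")
	chk(!t.isTrue(pab["BlockPublicPolicy"]), "aws-s3-block-public-policy", "HIGH", "Public access block does not block public policies")
	chk(!t.isTrue(pab["RestrictPublicBuckets"]), "aws-s3-no-public-buckets", "HIGH", "Public access block does not restrict public buckets")
	chk(!t.encrypted(props), "aws-s3-enable-bucket-encryption", "HIGH", "Bucket does not have encryption enabled")
	chk(t.obj(props["LoggingConfiguration"]) == nil, "aws-s3-enable-bucket-logging", "MEDIUM", "Bucket does not have logging enabled")
	chk(t.str(t.obj(props["VersioningConfiguration"])["Status"]) != "Enabled", "aws-s3-enable-versioning", "MEDIUM", "Bucket does not have versioning enabled")
	return out
}

// Scan parses a JSON template and returns the findings for every AWS::S3::Bucket resource.
func Scan(templateJSON []byte) (out []Finding, err error) {
	var t Template
	if err = json.Unmarshal(templateJSON, &t); err != nil {
		return nil, err
	}
	for name, r := range t.Resources {
		if r.Type == "AWS::S3::Bucket" {
			out = append(out, t.checkS3Bucket(name, r.Properties)...)
		}
	}
	return out, nil
}

// Constructed inputs, not taken from the project: WeakTemplate is the README's bucket.yaml as JSON;
// HardenedTemplate fixes all six findings and takes the SSE algorithm from a Mapping via Fn::FindInMap.
const WeakTemplate = `{"Parameters":{"BucketName":{"Type":"String","Default":"naughty-bucket"},"EncryptBucket":{"Type":"String","Default":"false","AllowedValues":["true","false"]}},
 "Resources":{"S3Bucket":{"Type":"AWS::S3::Bucket","Properties":{"BucketName":{"Ref":"BucketName"},
  "PublicAccessBlockConfiguration":{"BlockPublicAcls":false,"BlockPublicPolicy":false,"IgnorePublicAcls":true,"RestrictPublicBuckets":false},
  "BucketEncryption":{"ServerSideEncryptionConfiguration":[{"BucketKeyEnabled":{"Ref":"EncryptBucket"}}]}}}}}`

const HardenedTemplate = `{"Parameters":{"Env":{"Type":"String","Default":"prod"}},"Mappings":{"Settings":{"prod":{"SSEAlgorithm":"aws:kms"}}},
 "Resources":{"S3Bucket":{"Type":"AWS::S3::Bucket","Properties":{
  "PublicAccessBlockConfiguration":{"BlockPublicAcls":true,"BlockPublicPolicy":true,"IgnorePublicAcls":true,"RestrictPublicBuckets":true},
  "BucketEncryption":{"ServerSideEncryptionConfiguration":[{"BucketKeyEnabled":true,"ServerSideEncryptionByDefault":{"SSEAlgorithm":{"Fn::FindInMap":["Settings",{"Ref":"Env"},"SSEAlgorithm"]}}}]},
  "LoggingConfiguration":{"DestinationBucketName":"example-access-logs","LogFilePrefix":"s3/"},"VersioningConfiguration":{"Status":"Enabled"}}}}}`

func main() {
	findings, _ := Scan([]byte(WeakTemplate))
	fmt.Printf("%d potential problems detected: %+v\n", len(findings), findings)
}
```

`go run` on this file reports six findings for `WeakTemplate` and none for `HardenedTemplate`. The design choice worth copying into any home-grown check is the fail-closed `resolve`: a `Ref` that points at a resource rather than a parameter, or a `Fn::GetAtt`, cannot be known until deployment, and returning nil (rather than assuming the property is set) means such values fail the check instead of silently passing it.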
\n\n## Ignoring Findings\n\nIgnores are available in YAML templates only, because JSON has no comment syntax.\n\nTo ignore a finding for a resource, add a comment of the form `# cfsec:ignore:\u003crule-id\u003e` on the line the check reports, using the rule ID shown in square brackets in the output.\n\nFor example, to ignore the S3 bucket encryption check, you might use\n\n```yaml\n---\nResources:\n  UnencryptedBucketWithIgnore:\n    Type: AWS::S3::Bucket\n    Properties:\n      AccessControl: Private\n      BucketName: unencryptedbits\n      BucketEncryption:\n        ServerSideEncryptionConfiguration:\n          - BucketKeyEnabled: false # cfsec:ignore:aws-s3-enable-bucket-encryption\n```\n\nAn ignore silences the finding only; the resource is still deployed exactly as written, so treat it as a recorded, accepted risk rather than a fix.\n\n## Supported Intrinsic functions\n\nNot all CloudFormation intrinsic functions are supported; the ones below are:\n\n```\nRef\nFn::Base64\nFn::Equals\nFn::FindInMap\nFn::GetAtt\nFn::Join\nFn::Select\nFn::Split\nFn::Sub\n```\n\nIn YAML templates, cfsec supports both the full and the short-form notation, i.e. `Fn::Base64` or `!Base64`.\n\n## Limitations\n\n- Not all intrinsic functions are supported\n  - `ImportValue` requires access to the AWS account, which is not currently supported\n  - `GetAtt` is extremely naive: cfsec has no visibility of attribute values, so evaluation is best effort\n- No support for nested stacks: cfsec takes each file in isolation, with no visibility of what exists in the AWS account\n\n## Comments, Suggestions, Issues\n\ncfsec is at a very early stage, and we are committed to making it the best it can be. 
Please raise issues or suggestions through GitHub issues or discussion as appropriate.\n\n`cfsec` is an [Aqua Security](https://aquasec.com) open source project.\nLearn about our open source work and portfolio [here](https://www.aquasec.com/products/open-source-projects/).\nJoin the community, and talk to us about any matter in [GitHub Discussion](https://github.com/aquasecurity/cfsec/discussions) or [Slack](https://slack.aquasec.com).\n\n","funding_links":[],"categories":["Infrastructure as code security"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fcfsec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fcfsec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fcfsec/lists"}