Do not allow action “*” or resources “*” in an IOT Policy

Example policies are here: https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html
https://www.terraform.io/docs/providers/aws/r/iot_policy.html

The component_name and component_version fields were added recently. Some scanners already populate these fields, but lots of them don't. For some scanners these fields cannot be set, i.e. for scanners that try xss on web pages etc. But probably there are some scanners that can/should be updated.

• terrascan version: 1.2
• Operating System: all

Description

When scanning a repo, if the severity field is not all caps (HIGH|MEDIUM|LOW), when violations are output, the color of the severity field does not show up. The compare should be case-insensitive, OR we can normalize the severity field.

What I Did

terrascan scan -d [dir]

The current swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessary large number

Hi,

It would be interesting to have those new rules integrated in ChopChop, see : https://github.com/nnposter/nndefaccts/blob/master/http-default-accounts-fingerprints-nndefaccts.lua

It will be a fun exercise to make scan work for mono repos such as https://github.com/swapnil-linux/spring-boot-examples

In theory, this can be achieved using a bit of bash with the new scan AppImage.