refactor(docs): Move trivy-policies docs generator

Makefile

@@ -2,7 +2,8 @@ md-update-deps:
 	cd docGen && go get github.com/aquasecurity/defsec \
 	&& go mod tidy
 
-md-build: 
+md-build: misconfig-docs
+	cd test && go test -v ./...
 	cd docGen && go build -o ../generator .
 
 md-test:
@@ -73,4 +74,16 @@ build-all: md-clean md-build md-clone-all sync-all md-generate hugo-generate cop
 	echo "Build Done, navigate to http://localhost:9011/ to browse"
 
 compile-theme-sass:
-	cd themes/aquablank/static/sass && sass avdblank.scss:../css/avdblank.css && sass avdblank.scss:../css/avdblank.min.css --style compressed
+	cd themes/aquablank/static/sass && sass avdblank.scss:../css/avdblank.css && sass avdblank.scss:../css/avdblank.min.css --style compressed
+
+.PHONY: id
+id:
+	cd cmd/new-policy-id-generator && go run -v main.go
+
+.PHONY: misconfig-docs
+misconfig-docs:
+	cd cmd/trivy-policies-generator && go run -v main.go
+
+.PHONY: misconfig-docs-test
+misconfig-docs-test:
+	cd cmd/trivy-policies-generator && go test -v ./...

cmd/new-policy-id-generator/go.mod

@@ -0,0 +1,56 @@
+module github.com/aquasecurity/avd-generator/new-policy-id-generator
+
+go 1.21.4
+
+require github.com/aquasecurity/defsec v0.93.1
+
+require (
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
+	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/dlclark/regexp2 v1.4.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.4.0 // indirect
+	github.com/go-git/go-git/v5 v5.5.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.17.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/liamg/iamgo v0.0.9 // indirect
+	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15 // indirect
+	github.com/owenrumney/squealer v1.1.1 // indirect
+	github.com/pjbgf/sha1cd v0.2.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	github.com/zclconf/go-cty v1.13.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/tools v0.8.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

cmd/new-policy-id-generator/main.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/aquasecurity/defsec/pkg/framework"
+
+	_ "github.com/aquasecurity/defsec/pkg/rego"
+	"github.com/aquasecurity/defsec/pkg/rules"
+)
+
+func main() {
+
+	// organise existing rules by provider
+	keyMap := make(map[string][]string)
+	for _, rule := range rules.GetRegistered(framework.ALL) {
+		id := rule.Rule().AVDID
+		if id == "" {
+			continue
+		}
+		parts := strings.Split(id, "-")
+		if len(parts) != 3 {
+			continue
+		}
+		keyMap[parts[1]] = append(keyMap[parts[1]], parts[2])
+	}
+
+	fmt.Print("\nThe following IDs are free - choose the one for the service you are targeting.\n\n")
+
+	var freeIDs []string
+	for key := range keyMap {
+		sort.Strings(keyMap[key])
+		all := keyMap[key]
+		max := all[len(all)-1]
+		i, err := strconv.Atoi(max)
+		if err != nil {
+			_, _ = fmt.Fprintf(os.Stderr, "Error, invalid AVD ID: AVD-%s-%s\n", key, max)
+		}
+		free := fmt.Sprintf("AVD-%s-%04d", key, i+1)
+		freeIDs = append(freeIDs, fmt.Sprintf("%16s: %s", key, free))
+	}
+
+	sort.Slice(freeIDs, func(i, j int) bool {
+		return strings.TrimSpace(freeIDs[i]) < strings.TrimSpace(freeIDs[j])
+	})
+	fmt.Println(strings.Join(freeIDs, "\n"))
+
+}

cmd/trivy-policies-generator/avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md

@@ -0,0 +1,21 @@
+
+
+AWS IAM Access Analyzer helps you identify the resources in your organization and
+accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
+This lets you identify unintended access to your resources and data. Access Analyzer
+identifies resources that are shared with external principals by using logic-based reasoning
+to analyze the resource-based policies in your AWS environment. IAM Access Analyzer
+continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service)
+keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
+
+
+### Impact
+Reduced visibility of externally shared resources.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md

@@ -0,0 +1,21 @@
+
+Enable logging for API Gateway stages
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of ApiGateway
+Resources:
+  GoodApi:
+    Type: AWS::ApiGatewayV2::Api
+  GoodApiStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      AccessLogSettings:
+        DestinationArn: gateway-logging
+        Format: json
+      ApiId: !Ref GoodApi
+      StageName: GoodApiStage
+
+```
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/Terraform.md

@@ -0,0 +1,30 @@
+
+Enable logging for API Gateway stages
+
+```hcl
+ resource "aws_apigatewayv2_stage" "good_example" {
+   api_id = aws_apigatewayv2_api.example.id
+   name   = "example-stage"
+
+   access_log_settings {
+    destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+    format          = "json"
+   }
+ }
+
+ resource "aws_api_gateway_stage" "good_example" {
+   deployment_id = aws_api_gateway_deployment.example.id
+   rest_api_id   = aws_api_gateway_rest_api.example.id
+   stage_name    = "example"
+
+   access_log_settings {
+     destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+     format          = "json"
+   }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/docs.md

@@ -0,0 +1,13 @@
+
+API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+
+### Impact
+Logging provides vital information about access and usage
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/Terraform.md

@@ -0,0 +1,30 @@
+
+Enable cache encryption
+
+```hcl
+ resource "aws_api_gateway_rest_api" "example" {
+
+ }
+
+ resource "aws_api_gateway_stage" "example" {
+
+ }
+
+ resource "aws_api_gateway_method_settings" "good_example" {
+   rest_api_id = aws_api_gateway_rest_api.example.id
+   stage_name  = aws_api_gateway_stage.example.stage_name
+   method_path = "path1/GET"
+
+   settings {
+     metrics_enabled = true
+     logging_level   = "INFO"
+     caching_enabled = true
+     cache_data_encrypted = true
+   }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/docs.md

@@ -0,0 +1,10 @@
+
+Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception
+
+### Impact
+Data stored in the cache that is unencrypted may be vulnerable to compromise
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/Terraform.md

@@ -0,0 +1,20 @@
+
+Enable tracing
+
+```hcl
+ resource "aws_api_gateway_rest_api" "test" {
+
+ }
+
+ resource "aws_api_gateway_stage" "good_example" {
+   stage_name    = "prod"
+   rest_api_id   = aws_api_gateway_rest_api.test.id
+   deployment_id = aws_api_gateway_deployment.test.id
+   xray_tracing_enabled = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/docs.md

@@ -0,0 +1,10 @@
+
+X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.
+
+### Impact
+Without full tracing enabled it is difficult to trace the flow of logs
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/Terraform.md

@@ -0,0 +1,59 @@
+
+Use and authorization method or require API Key
+
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+   rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
+   resource_id   = aws_api_gateway_resource.MyDemoResource.id
+   http_method   = "GET"
+   authorization = "AWS_IAM"
+ }
+
+```
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+   rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+   resource_id      = aws_api_gateway_resource.MyDemoResource.id
+   http_method      = "GET"
+   authorization    = "NONE"
+   api_key_required = true
+ }
+
+```
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+   rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
+   resource_id   = aws_api_gateway_resource.MyDemoResource.id
+   http_method   = "OPTION"
+   authorization = "NONE"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#authorization
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/docs.md

@@ -0,0 +1,10 @@
+
+API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization
+
+### Impact
+API gateway methods can be accessed without authorization.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/Terraform.md

@@ -0,0 +1,13 @@
+
+Use the most modern TLS/SSL policies available
+
+```hcl
+ resource "aws_api_gateway_domain_name" "good_example" {
+ 	security_policy = "TLS_1_2"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy
+