.trivyignore
# Trivy ignore file — config-scan suppressions
#
# Each entry below documents an accepted finding from `trivy config`.
# The findings predate the PR5 supply-chain hardening and are
# intentional design choices for the current threat model. When any
# underlying terraform changes (especially the networking module),
# re-evaluate these — they are accepted on the current shape, not
# forever.
# CloudFront distribution without WAF.
# Justification: CUDly's dashboard distribution serves a small number
# of authenticated users; a WAF would add operational cost and latency
# disproportionate to the threat model. Revisit if the distribution
# starts serving anonymous traffic.
AVD-AWS-0011
# CloudFront minimum TLS protocol version.
# Justification: pre-existing default (TLS 1.0) was tightened in a
# prior PR; the trivy ID still trips when the value is inherited
# rather than set explicitly. Tracked as a follow-up to pin
# TLSv1.2_2021 explicitly in modules/frontend/aws.
AVD-AWS-0013
# ALB drop_invalid_header_fields.
# Justification: CUDly does not pass arbitrary client headers to
# upstream services in a security-sensitive way; the Lambda backend
# parses the request body, not arbitrary headers. Tracked as a
# hardening follow-up.
AVD-AWS-0052
# Public-facing ALB.
# Justification: the ALB is intentionally public — it's the entry
# point for the dashboard. Internal-only would defeat the product.
AVD-AWS-0053
# Egress security group rule unrestricted.
# Justification: outbound to AWS service endpoints (Cost Explorer,
# Pricing API, multi-region cloud APIs) requires broad egress; AWS
# does not publish a stable IP range for "all AWS APIs the SDK might
# use". Mitigations are at the IAM layer (see PR #103) which
# restricts what the runtime can DO, not where it can reach.
AVD-AWS-0104
# S3 bucket encryption with default keys.
# Justification: dashboard assets bucket — no PII stored. Customer-
# managed key would add KMS cost without proportionate benefit.
AVD-AWS-0132
# SNS topic encryption with default keys.
# Justification: same as S3. SNS messages contain only execution
# notification metadata, no credentials.
AVD-AWS-0136
# Public subnet has map_public_ip_on_launch=true.
# Justification: the public subnets are deliberately public — they
# host the NAT gateway and the public ALB. The runtime Lambda lives
# in the private subnets and routes egress through the NAT.
AVD-AWS-0164
# Azure Function app HTTPS enforcement.
# Justification: the cleanup Function in
# terraform/modules/compute/azure/cleanup-function/ is invoked by
# Azure-internal triggers (timers + queue), never directly by external
# HTTP. https_only=true would still be correct hygiene; tracked as a
# follow-up to set explicitly.
AVD-AZU-0004
# Azure storage account network rules default allow.
# Justification: the cleanup function's storage account is in the
# same vnet as the function and is firewall-restricted at the Azure
# resource-group level. The trivy ID still trips because the network
# rules block isn't declared in the resource itself.
AVD-AZU-0012
# Azure Key Vault network ACL default action.
# ID: AZU-0013 (surfaced by trivy v0.70.0; v0.69.3 did not report this ID).
# Justification: the vault is in terraform/modules/secrets/azure/main.tf and
# exposes default_network_acl_action as a variable with a safe default. The
# network ACL is set at instantiation time; the module itself cannot enforce
# a default_action value without knowing the caller's network topology.
# Tracked as a hardening follow-up to set default_action = "Deny" in the
# module default.
AZU-0013
# Azure NSG rule allows unrestricted ingress.
# ID: AZU-0047 (surfaced by trivy v0.70.0; v0.69.3 did not report this ID).
# Justification: the networking module (terraform/modules/networking/azure/)
# uses a permissive NSG rule to allow HTTPS ingress from the internet to the
# Application Gateway. Restricting source IPs would break public access.
# Mitigations are at the Azure Front Door / Application Gateway WAF layer.
AZU-0047
# GCP Cloud SQL instance does not require TLS.
# ID: GCP-0015 (surfaced by trivy v0.70.0; v0.69.3 did not report this ID).
# Justification: the database module (terraform/modules/database/gcp/main.tf)
# exposes require_ssl as a variable. TLS is enforced at the application layer
# via Go's pgx driver TLS config. Tracked as a hardening follow-up to set
# require_ssl = true in the module default.
GCP-0015
# GCP Cloud Storage bucket: cleanup Cloud Function source bucket.
# ID: GCP-0001 (surfaced by trivy v0.70.0; v0.69.3 did not report this ID).
# Justification: the only GCS bucket in the GCP deployment is the cleanup
# Cloud Function source bucket (terraform/modules/compute/gcp/cleanup-function/main.tf).
# This bucket is NOT public: it has uniform_bucket_level_access = true and
# public_access_prevention = "enforced". Trivy may still flag the resource if
# it does not recognise the public_access_prevention attribute.
# The GCP frontend is served from Cloud Run (not a GCS bucket), so no frontend
# build artifacts -- including source maps (*.map, produced by hidden-source-map
# in webpack.config.js) -- are uploaded to any GCS bucket.
GCP-0001
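The convention this file follows (each suppressed check ID sits directly under a comment block that contains a `Justification:` sentence) is only useful if it is enforced, otherwise suppressions accumulate without anyone recording why. The following validator is an added example and is not part of the CUDly repository or of Trivy itself; it parses a `.trivyignore` in the layout used above, pairs every ID with the comment lines immediately preceding it, and reports IDs that lack a justification, appear twice, or are not shaped like a Trivy check ID. The `SAMPLE` text is constructed for the demonstration, not taken from the project.

```python
"""Audit a .trivyignore file: every suppressed check ID must be preceded by a
'Justification:' comment, and no ID may be suppressed twice (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Check IDs as they appear in the file above: "AVD-AWS-0011" or the
# unprefixed "AZU-0013" / "GCP-0015" form. Assumption: no other shapes occur.
ID_RE = re.compile(r"^(?:AVD-)?[A-Z]{3}-\d{4}$")


@dataclass
class Entry:
    check_id: str
    line_no: int
    comment: list[str] = field(default_factory=list)

    @property
    def justified(self) -> bool:
        # The file's convention: one comment line starting "Justification:".
        return any(c.lower().startswith("justification:") for c in self.comment)


def parse_trivyignore(text: str) -> list[Entry]:
    """Group each suppressed ID with the comment lines directly above it.
    A blank line ends a comment block, so a stray header is not mistaken for
    the justification of the next ID."""
    entries: list[Entry] = []
    pending: list[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            pending = []
        elif line.startswith("#"):
            pending.append(line.lstrip("#").strip())
        else:
            check_id = line.split()[0]  # first token is the ID; ignore the rest
            entries.append(Entry(check_id, line_no, pending))
            pending = []
    return entries


def audit(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file passes."""
    problems: list[str] = []
    seen: dict[str, int] = {}
    for e in parse_trivyignore(text):
        if not ID_RE.match(e.check_id):
            problems.append(f"line {e.line_no}: '{e.check_id}' is not a Trivy check ID")
        if not e.justified:
            problems.append(f"line {e.line_no}: {e.check_id} has no 'Justification:' comment")
        if e.check_id in seen:
            problems.append(
                f"line {e.line_no}: {e.check_id} already suppressed on line {seen[e.check_id]}"
            )
        else:
            seen[e.check_id] = e.line_no
    return problems


# Constructed sample: one good entry, one without a justification,
# one duplicate, and one malformed ID.
SAMPLE = """\
# CloudFront distribution without WAF.
# Justification: small authenticated user base; revisit if anonymous traffic.
AVD-AWS-0011
# Egress rule unrestricted (no justification sentence on purpose).
AVD-AWS-0104

# Duplicate of the first entry.
# Justification: copy-pasted.
AVD-AWS-0011
not-an-id
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE) or ["OK: every suppression is justified"]:
        print(problem)
```

Running `audit` over the real file in CI (failing the job on a non-empty result) turns the "re-evaluate these" note at the top of the file into something a reviewer cannot skip: a new ID cannot land without a recorded reason, and a copy-pasted duplicate is caught before it hides a second, unrelated finding.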