feat: Add more scanners as regex for sca and iac rules

* add support to jfrog prevent password rule * add more tools to iac & sca rules * CR fixes
allero-io · Sep 29, 2022 · 378dc88 · 378dc88
1 parent 1763c8a
commit 378dc88
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go b/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go
@@ -2,6 +2,7 @@ package defaultRules
 
 import (
 	"encoding/json"
+	"fmt"
 
 	githubConnector "github.com/allero-io/allero/pkg/connectors/github"
 	gitlabConnector "github.com/allero-io/allero/pkg/connectors/gitlab"
@@ -35,11 +36,16 @@ func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*
 		".*anchore/scan-action@.*",
 		".*synopsys-sig/detect-action@.*",
 		".*aquasecurity/trivy-action@.*",
+		".*checkmarx-ts/checkmarx-cxflow-github-action@.*",
+		".*snyk/actions/maven@.*",
 	}
 
 	runRegexExpressions := []string{
 		".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
 		"^[\\S]*grype|docker .* run .*(anchore/)?grype.*",
+		"(jfrog|jf) (s|scan).*",
+		"ws scan.*",
+		"snyk (code | )test.*",
 	}
 
 	for _, owner := range githubData {
@@ -131,15 +137,31 @@ func gitlabErrorsRule10(gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*
 }
 
 func findScaScannerRule10(project *gitlabConnector.GitlabProject) (bool, error) {
+
+	imageRegexExpressions := []string{
+		"registry.gitlab.com/secure.*",
+	}
+
 	scriptRegexExpressions := []string{
 		".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
 		"^[\\S]*grype|docker .* run .*(anchore/)?grype.*",
+		"(jfrog|jf) (s|scan).*",
+		"ws scan.*",
+		"snyk ?(code | )test.*",
 	}
 
 	for _, pipeline := range project.GitlabCi {
 
-		for _, stage := range pipeline.Content {
-			stageBytes, err := json.Marshal(stage)
+		for key, value := range pipeline.Content {
+			if key == "image" {
+				imageValue := fmt.Sprintf("%v", value)
+				for _, imageRegexExpression := range imageRegexExpressions {
+					if matchRegex(imageRegexExpression, imageValue) {
+						return true, nil
+					}
+				}
+			}
+			stageBytes, err := json.Marshal(value)
 			if err != nil {
 				return false, err
 			}

diff --git a/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go b/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go
@@ -36,10 +36,14 @@ func githubErrorsRule11(githubData map[string]*githubConnector.GithubOwner) ([]*
 		".*tenable/terrascan-action@.*",
 		".*snyk/actions/iac@.*",
 		".*aquasecurity/trivy-action@.*",
+		".*checkmarx/kics-github-action@.*",
+		".*kubescape/github-action@.*",
 	}
 
 	runRegexExpressions := []string{
 		".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
+		".*docker .* run .*checkmarx/kics scan.*",
+		".*kubescape scan.*",
 	}
 
 	for _, owner := range githubData {
@@ -133,6 +137,8 @@ func gitlabErrorsRule11(gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*
 func findScaScannerRule11(project *gitlabConnector.GitlabProject) (bool, error) {
 	scriptRegexExpressions := []string{
 		".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
+		".*docker .* run .*checkmarx/kics scan.*",
+		".*kubescape scan.*",
 	}
 
 	for _, pipeline := range project.GitlabCi {