Initial security checks + docs + Terraform module skeleton + CI workflow (#2)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 053f5d36a2
| if gcloud logging sinks list --project "$PROJECT_ID" >/dev/null 2>&1; then | ||
| echo '{"id":"CIS-GCP-2.1","cloud":"gcp","severity":"critical","status":"PASS","evidence":"consulta de logging executada","recommendation":"validar escopo e retenção"}' |
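Review bot: the `>/dev/null 2>&1` on the sinks query together with the hard-coded PASS means the `evidence` string only records that a query ran, not what it returned, so someone reading the uploaded artifact cannot tell how many sinks (or audit configs) were actually found; capture the command output into a variable and put the observed value into `evidence`. The field's language should also match the rest of the record: the keys, `cloud` and `status` are English while `evidence`/`recommendation` are Portuguese ("consulta de logging executada", "validar escopo e retenção").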
Validate audit configs, not log sinks
This check marks CIS-GCP-2.1 as PASS whenever gcloud logging sinks list succeeds, but that command only lists sink resources (the SDK docs describe it as “list the defined sinks”), not whether Cloud Audit Logs are enabled. Google’s audit logging docs place this control in IAM policy auditConfigs (via gcloud projects get-iam-policy). In a project with default/disabled Data Access audit logging but normal Logging permissions, this branch returns a false PASS.
| COUNT=$(aws cloudtrail describe-trails --profile "$PROFILE" --query 'trailList | length(@)' --output text 2>/dev/null || echo "0") | ||
|
|
||
| if [[ "$COUNT" -ge 1 ]]; then |
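Review bot: `|| echo "0"` folds every failure of the `describe-trails` call (no credentials, AccessDenied, wrong region) into a count of zero, so the `-ge 1` branch cannot distinguish a broken scanner from an account with no trails and both end up as the same FAIL. The PR description says a missing CLI yields `ERROR`; a failed call deserves the same treatment: check the command's exit status separately and emit `"status":"ERROR"` before comparing `$COUNT`.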
Verify CloudTrail logging status before passing
The script passes when describe-trails returns at least one trail, but AWS CLI documents describe-trails as retrieving trail “settings,” not active logging state. Logging activity is exposed by get-trail-status (IsLogging: whether the trail is currently logging). If a trail exists but logging was stopped, this code still reports PASS for CIS-AWS-3.1, which is a false negative.
| fi | ||
|
|
||
| OPEN_RULES=$(aws ec2 describe-security-groups --profile "$PROFILE" \ | ||
| --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId' --output text 2>/dev/null || true) |
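Review bot: the JMESPath filter matches any ingress rule whose source is `0.0.0.0/0` regardless of protocol or port, so a group that deliberately exposes 443 is reported exactly like one exposing 22 or 3389. Since the script is named `check_security_groups_open_ports.sh`, narrow the filter on `FromPort`/`ToPort` (or at least include the matched port ranges in the evidence) so the output distinguishes expected public listeners from administrative ports.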
Include IPv6 public CIDRs in SG exposure query
The security group filter only checks IpRanges for 0.0.0.0/0, but describe-security-groups returns IPv6 sources separately under Ipv6Ranges/CidrIpv6. Any inbound rule open to ::/0 bypasses this query, so internet-exposed groups can be reported as PASS/WARN incorrectly depending on IPv4 presence.
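The CloudTrail point raised above (trail existence is not logging state) as an added example, not the PR's own `check_cloudtrail_enabled.sh`: the decision is driven by each trail's `IsLogging` flag from `get-trail-status`, the two `aws` wrapper function names are hypothetical, the JSON fields mirror the PR's evidence format, the severity value is an assumption, and the demo at the end runs on constructed trail names with no AWS account involved.

```shell
#!/usr/bin/env bash
# Added example, not the PR's check: decide CIS-AWS-3.1 from each trail's
# IsLogging flag (get-trail-status) rather than from the trail count that
# describe-trails returns. Wrapper names are hypothetical; severity is assumed.
set -eu

PROFILE="${PROFILE:-default}"

# Trail names, one per line (describe-trails only returns trail settings).
list_trail_names() {
  aws cloudtrail describe-trails --profile "$PROFILE" \
    --query 'trailList[].Name' --output text 2>/dev/null | tr '\t' '\n'
}

# True/False for one trail; a CLI failure is treated by the caller as
# "not logging" so the check fails closed.
trail_is_logging() {
  aws cloudtrail get-trail-status --profile "$PROFILE" --name "$1" \
    --query 'IsLogging' --output text 2>/dev/null
}

# Reads trail names on stdin, queries the logging state of each, and emits
# one JSON evidence line. PASS requires at least one trail with IsLogging=true.
evaluate_cloudtrail() {
  total=0; logging=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    total=$((total + 1))
    state=$(trail_is_logging "$name" || echo unknown)
    [ "$state" = "True" ] && logging=$((logging + 1))
  done
  status=FAIL
  [ "$logging" -ge 1 ] && status=PASS
  printf '{"id":"CIS-AWS-3.1","cloud":"aws","severity":"high","status":"%s","evidence":"%d trail(s) defined, %d actively logging","recommendation":"keep at least one multi-region trail with IsLogging=true"}\n' \
    "$status" "$total" "$logging"
}

run_check() { list_trail_names | evaluate_cloudtrail; }  # real invocation

# Offline demo on constructed data (no AWS account involved). It replaces the
# get-trail-status wrapper with a stub for the rest of the script.
demo() {  # $1 = the only trail still logging; "none" means all were stopped
  LOGGING_TRAIL="$1"
  trail_is_logging() { [ "$1" = "$LOGGING_TRAIL" ] && echo True || echo False; }
  printf 'prod-trail\nold-trail\n' | evaluate_cloudtrail
}
demo none        # two trails defined, none logging: FAIL (count check says PASS)
demo prod-trail  # one of them logging: PASS
```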
Motivation
Description
- `.github/workflows/security-checks.yml` that defines a `validate-structure` job which checks script executability, runs a sample check (`./checks/aws/logging/check_cloudtrail_enabled.sh || true`) and uploads example evidence from `output/examples/`.
- `checks/` for AWS and GCP: `check_cloudtrail_enabled.sh`, `check_account_password_policy.sh`, `check_security_groups_open_ports.sh`, `check_audit_logging_enabled.sh`, `check_overprivileged_roles.sh`, and `check_firewall_allow_all.sh`, each returning concise JSON and validating presence of the `aws`/`gcloud` CLIs.
- `docs/` including `metodologia.md`, `matriz-cis.md`, domain guides for AWS/GCP, and a `CONTRIBUTING.md` to standardize contributions.
- `output/examples/`, plus Terraform AWS module skeletons and an example `terraform/aws/examples/baseline/main.tf` to map checks to future remediations.

Testing
- `test -x` validations of scripts, a simulated run of `./checks/aws/logging/check_cloudtrail_enabled.sh` (guarded with `|| true`), and artifact upload via `actions/upload-artifact@v4`.
- `ERROR` status when required CLIs are missing, enabling deterministic CI behavior when the workflow runs.