
DevSecOps

5 automated security scanners


Purpose: The CI/CD Pipeline Security Scanner is designed to assess and enhance the security posture of Continuous Integration and Continuous Deployment (CI/CD) pipelines by evaluating configurations in AWS, Azure, and GCP environments. It aims to identify potential vulnerabilities related to S3 bucket management, IAM policies, Azure Storage accounts, and GCP Cloud Storage settings.

What It Detects:

  • S3 Bucket Configuration Issues:

    • BlockPublicAcls set to false: This indicates that public access is not restricted, which can lead to unauthorized data exposure.
    • ServerSideEncryptionConfiguration not found: Without server-side encryption, sensitive data in S3 buckets could be at risk of interception during transit or storage.
    • AllUsers or AuthenticatedUsers ACLs: These overly permissive policies allow any user access, increasing the risk of unauthorized access.
  • IAM Policy Vulnerabilities:

    • Unrestricted “Allow” actions: Broad permissions can lead to excessive privileges and potential misuse.
    • Root user usage: Actions performed by the root user are not auditable or traceable, posing significant security risks.
    • Old account creation dates: Accounts created long ago might indicate inactive accounts being used for operations, which could be a sign of mismanagement.
  • Azure Storage Account Security:

    • Public access enabled: Allowing public access to storage accounts can expose data to unauthorized users.
    • RBAC misconfigurations: Misconfigured Role-Based Access Control (RBAC) can lead to unauthorized assignments of permissions.
    • Network security rules: Overly permissive network settings can allow unauthenticated access, posing a risk.
  • GCP Cloud Storage Vulnerabilities:

    • Bucket policies allowing public access: Public buckets are vulnerable to unauthorized access and data exposure.
    • IAM role overprivileges: Unnecessary permissions assigned to roles can lead to potential misuse or privilege escalation.
    • Compute instance misconfigurations: Misconfigured instances, such as open SSH ports, can be exploited for malicious activities.
  • General Security Best Practices:

    • CloudTrail logging disabled: Disabling CloudTrail means critical audit trails are not being maintained, which is a significant security gap.
    • Security groups allowing wide access: Overly permissive rules in security groups can lead to unauthorized access and data leakage.
    • Firewall rules with broad CIDR ranges: Allowing traffic from large IP ranges exposes the network to unnecessary risks.

Inputs Required:

  • domain (string): The primary domain name of the organization, which is essential for auditing cloud resources under that domain.
  • github_org (string): The GitHub organization name helps in scanning repositories within this organization to identify potential misconfigurations or vulnerabilities related to CI/CD pipelines.

Business Impact: Enhancing the security posture of CI/CD pipelines through proactive detection and mitigation of identified vulnerabilities is crucial for safeguarding sensitive data, preventing unauthorized access, and maintaining regulatory compliance. This directly impacts the overall integrity and confidentiality of cloud-based assets and operations.

Risk Levels:

  • Critical: Conditions that lead to unrestricted public access in S3 buckets or use of the root user are critical risks as they can result in immediate exposure of sensitive data or complete system compromise.
  • High: Misconfigurations in IAM policies, such as broad “Allow” actions, pose high risks as they enable potential privilege escalation and unauthorized operations.
  • Medium: Issues like disabled CloudTrail logging and overly permissive security groups are medium risk since they affect auditability and access control but do not directly compromise system integrity.
  • Low: Informational findings such as missing ServerSideEncryptionConfiguration in S3 buckets are low risk unless specifically required for compliance or business needs.
  • Info: These include general best practices like ensuring CloudTrail is enabled, which primarily serves an informational role in maintaining operational transparency and auditability.

Example Findings:

  • A critical finding could be a misconfigured IAM policy that allows “*” actions to any authenticated user, posing a significant risk of unauthorized data manipulation.
  • A high risk might involve an S3 bucket with BlockPublicAcls set to false, allowing public access and exposing sensitive information stored within the bucket.
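As an added example (not the scanner's own code), the S3 checks listed under What It Detects, with the page's severity mapping, applied to the dict shapes boto3 returns from get_public_access_block, get_bucket_acl and get_bucket_encryption; the bucket data below is constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def assess_bucket(name, public_access_block, acl, encryption):
    """Return (severity, message) findings for one bucket. The three inputs are
    the dicts boto3 returns from get_public_access_block, get_bucket_acl and
    get_bucket_encryption; pass None where the API reported no configuration
    (for example ServerSideEncryptionConfigurationNotFoundError)."""
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    # BlockPublicAcls stops new public ACLs; IgnorePublicAcls is what neutralises
    # grants that already exist, so both are worth reviewing in a real audit.
    if not pab.get("BlockPublicAcls", False):
        findings.append(("critical", f"Bucket {name} has BlockPublicAcls set to false"))
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            group, perm = uri.rsplit("/", 1)[-1], grant.get("Permission", "?")
            findings.append(("critical", f"Bucket {name} ACL grants {perm} to {group}"))
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append(("low", f"Bucket {name}: ServerSideEncryptionConfiguration not found"))
    return findings

# Constructed sample: public ACLs allowed, a READ grant to AllUsers, no default encryption.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_ENC = None  # get_bucket_encryption raised: no configuration on the bucket

def scan_sample():
    return assess_bucket("example-bucket", SAMPLE_PAB, SAMPLE_ACL, SAMPLE_ENC)

if __name__ == "__main__":
    for severity, message in scan_sample():
        print(f"[{severity}] {message}")
```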

Purpose: The Container Security Scanner is designed to identify and address vulnerabilities in container images as well as ensure robust runtime security across various cloud platforms such as AWS, Azure, and GCP. This tool aims to prevent potential security breaches by analyzing configurations and detecting misconfigurations that could be exploited during the deployment or execution of containers.

What It Detects:

  • Image Vulnerabilities: The scanner identifies known vulnerabilities in container images using real-time databases, checks for outdated base images and packages, and scans for malware and backdoors embedded within the image.
  • Runtime Security: It monitors runtime behavior to detect unauthorized access or privilege escalation, ensures containers run with minimal necessary privileges, and alerts on any deviations from expected behaviors.
  • AWS Configuration Issues: The scanner identifies misconfigurations in S3 buckets, IAM roles, EC2 instances, and CloudTrail logs using specific regex patterns designed to catch common security issues.
  • Azure Configuration Issues: It scans Azure Storage, RBAC roles, and Network configurations for public access settings, improper role-based access control (RBAC), and other vulnerabilities.
  • GCP Configuration Issues: The scanner audits GCP Cloud Storage, IAM roles, and Compute Engine instances to ensure they are not publicly accessible and have appropriate security measures in place.

Inputs Required:

  • domain (string): A primary domain used for analyzing runtime security issues related to the container deployments under this domain.
  • github_org (string): The name of a GitHub organization whose repositories will be scanned for potential security vulnerabilities and misconfigurations.

Business Impact: Ensuring that containers are secure from both within and without is crucial, as it directly impacts the integrity and confidentiality of sensitive data stored within these environments. This scanner helps in proactively identifying and mitigating risks associated with container-based applications across various cloud platforms, thereby enhancing overall security posture.

Risk Levels:

  • Critical: Conditions that lead to complete exposure of sensitive data or critical system functionalities without any mitigation options available are considered critical.
  • High: Issues that significantly increase the attack surface or directly impact core functionality with limited mitigations should be considered high risk.
  • Medium: Vulnerabilities that could be exploited with some effort but do not pose an immediate threat to all components of the system can be classified as medium risk.
  • Low: Informational findings that might indicate a need for further investigation or best practice adherence, without directly impacting security outcomes are considered low risk.
  • Info: These are non-critical issues providing supplementary information about potential improvements in configuration or usage practices.

Note: Risk levels are inferred based on the severity of detected vulnerabilities and their potential impact on system integrity and confidentiality.

Example Findings:

  1. “Bucket example-bucket has BlockPublicAcls set to false,” indicating a misconfiguration that could lead to unauthorized access if not corrected.
  2. “Storage account example-storage is publicly accessible,” highlighting a risk where sensitive data might be exposed without proper authorization controls.

Purpose: The IaC_Security Scanner is designed to identify potential security vulnerabilities in Terraform and CloudFormation templates by auditing AWS, Azure, and GCP configurations. It aims to detect misconfigurations that could lead to security issues such as unauthorized access, data leakage, and policy violations.

What It Detects:

  • S3 Bucket Misconfigurations:

    • BlockPublicAcls set to false: This configuration allows public ACLs on the S3 bucket, which can expose sensitive data.
    • ServerSideEncryptionConfiguration not found: The absence of server-side encryption can lead to unauthorized access and data leakage.
    • AllUsers or AuthenticatedUsers ACL present: These permissions allow any AWS user (including unauthenticated users) to access the bucket, posing a security risk.
  • IAM Policy Vulnerabilities:

    • Wildcard action in policy: This allows broad permissions that can be exploited for malicious activities.
    • Use of root user ARN: Policies that grant root user privileges are highly risky and should be tightly controlled.
    • Recent creation without justification: New policies created recently might not have undergone proper review or risk assessment.
  • EC2 Security Group Issues:

    • Insecure SSH access (port 22 open to all): Allowing direct SSH access from the internet can lead to brute-force attacks and unauthorized access.
    • Unrestricted RDP access (port 3389 open to all): Exposing RDP ports to the public network is highly insecure, especially without multi-factor authentication.
  • CloudTrail Configuration Flaws:

    • CloudTrail not enabled: Logging service events is crucial for forensic analysis and compliance auditing.
    • No global service events logged: Restricting logging to specific resources can mask potential security incidents.
  • Azure Storage Account Vulnerabilities:

    • Public access allowed: This setting allows any user on the internet to read or list blobs within the container, which is insecure for shared data storage.

Inputs Required:

  • domain (string): The primary domain name that the scanner will analyze to detect misconfigurations in related resources.
  • github_org (string): The GitHub organization from which Terraform and CloudFormation templates are fetched for analysis.

Business Impact: Identifying and remediating misconfigurations in infrastructure as code (IaC) files is crucial for maintaining a secure cloud environment. Misconfigured IaC can lead to unauthorized access, data leakage, compliance violations, and significant financial losses due to security incidents.

Risk Levels:

  • Critical: Policies that allow wildcard actions or direct root user permissions without explicit need are critical risks as they grant broad and potentially destructive privileges.
  • High: Insecure default configurations such as allowing all users access to S3 buckets, open SSH ports (22), or unrestricted RDP access are high risk issues that must be addressed promptly.
  • Medium: Partial or missing encryption settings in databases or storage solutions represent medium risks that should be mitigated with urgency.
  • Low: Informational findings such as unlogged global service events might not immediately impact security but contribute to a less secure environment and can be improved over time.

Example Findings:

  • A misconfigured S3 bucket has its BlockPublicAcls set to false, allowing public access that could lead to data leakage.
  • An IAM policy with wildcard actions poses a significant risk as it grants broad permissions without specific authorization being evident.
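An added example, not the IaC scanner's own code, of the security group and IAM checks described above run over a JSON CloudFormation template; the template, its logical IDs and the account ID in it are constructed.

```python
import json

RISKY_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _as_list(value):  # IAM documents accept a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def check_security_group(logical_id, props):
    # Flag ingress rules that expose SSH or RDP to every address
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANYWHERE:
            continue
        if str(rule.get("IpProtocol")) == "-1":  # -1 means every protocol and every port
            lo, hi = 0, 65535
        else:
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        for port, service in RISKY_PORTS.items():
            if lo <= port <= hi:
                findings.append(("high", f"{logical_id}: {service} port {port} open to {cidr}"))
    return findings

def check_policy_document(logical_id, doc):
    """Flag Allow statements that use a wildcard action or name an account root ARN."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])):
            findings.append(("critical", f"{logical_id}: Allow statement uses wildcard action"))
        aws = stmt.get("Principal", {}).get("AWS", []) if isinstance(stmt.get("Principal"), dict) else []
        if any(str(p).endswith(":root") for p in _as_list(aws)):
            findings.append(("critical", f"{logical_id}: policy principal is a root user ARN"))
    return findings

def scan_template(template_text):
    # Walk the Resources map and apply the checks by resource type
    findings = []
    for logical_id, res in json.loads(template_text).get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            findings += check_security_group(logical_id, props)
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            findings += check_policy_document(logical_id, props.get("PolicyDocument", {}))
        elif rtype == "AWS::IAM::Role":
            findings += check_policy_document(logical_id, props.get("AssumeRolePolicyDocument", {}))
            for inline in props.get("Policies", []):
                findings += check_policy_document(logical_id, inline.get("PolicyDocument", {}))
    return findings

# Constructed sample: HTTPS and SSH open to the world, a role trusting an account root ARN with an allow-all policy
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]},
        "Policies": [{"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}})
```

The HTTPS rule on port 443 is deliberately not reported: only the SSH and RDP ports the page names are treated as findings when open to 0.0.0.0/0.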

Purpose: The Secret Management Scanner is designed to identify and assess secrets within code repositories, evaluate secret rotation policies, audit vault configurations for cloud providers, detect public access risks, and analyze IAM policies for vulnerabilities. Its primary goal is to prevent unauthorized access and data breaches by detecting sensitive information that could lead to security incidents.

What It Detects:

  • Secrets in Code Repositories: Identifies hardcoded secrets such as AWS access keys, GitHub tokens, database credentials, and more using regex patterns.
  • Secret Rotation Policies: Assesses the implementation of secret rotation policies within code repositories to ensure they are updated regularly.
  • Vault Security Configuration: Audits cloud provider vaults for security best practices including encryption settings, access controls, and logging mechanisms.
  • Public Access Risks: Identifies resources such as S3 buckets that are publicly accessible, which could lead to unauthorized data exposure.
  • IAM Policy Vulnerabilities: Analyzes IAM policies for overly permissive permissions, granting root user access, or allowing wildcard actions that can pose significant security risks.

Inputs Required:

  • domain (string): The primary domain of the organization being analyzed, which helps in identifying relevant code repositories and resources.
  • github_org (string): The GitHub organization name for repository scanning, enabling the scanner to access and analyze specific repositories within that organization.

Business Impact: This scanner is crucial as it directly addresses the prevention of unauthorized data exposure and potential security breaches caused by hardcoded secrets or misconfigured vaults. By detecting and remediating these issues early, organizations can significantly reduce the risk associated with data theft and compliance violations.

Risk Levels:

  • Critical: Conditions that could lead to immediate and severe impacts on security posture, such as exposure of sensitive information in public repositories or unauthorized access via misconfigured IAM policies.
  • High: Issues that pose significant risks but are not as severe as those at the critical level, including outdated secrets and improper ACL settings for cloud storage resources.
  • Medium: Findings that require attention but do not immediately compromise security, such as some aspects of secret rotation practices or minor misconfigurations in vault configurations.
  • Low: Informational findings that might indicate suboptimal security practices but are unlikely to lead to significant risks, including some public access issues and less permissive IAM policies.
  • Info: Non-critical findings providing informational insights into the scanner’s operations, such as successful connections to cloud APIs or detailed logs of detected secrets.

If specific risk levels are not defined in the README, it can be inferred that critical and high risks relate to immediate threats to security, while medium and low risks involve less severe issues requiring attention.

Example Findings:

  • A GitHub repository contains multiple hardcoded AWS access keys which could lead to unauthorized access of AWS resources.
  • An S3 bucket is configured with public read permissions, allowing any user on the internet to view its contents.
  • An IAM policy grants full administrative privileges to a specific user group, potentially leading to unauthorized modifications within cloud environments.
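An added example, not the Secret Management Scanner's own code, of the regex-based detection described above for the secret kinds the page names (AWS keys, GitHub tokens, database credentials); the patterns and the sample file are constructed here, and reported values are redacted so the report itself does not re-leak them.

```python
import re

# Constructed patterns for the secret kinds the page lists. AWS access key IDs are
# 20 characters starting with AKIA (long-term) or ASIA (temporary); GitHub classic
# personal access tokens are ghp_ followed by 36 alphanumerics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s/:@]+:[^\s@]+@\S+"),
}

def redact(secret):
    """Keep only the first and last four characters of a matched value."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_text(text, path="<memory>"):
    """Return one finding per (line, pattern) hit. When a pattern has a capture
    group, the group is the secret itself rather than the surrounding key name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "preview": redact(secret)})
    return findings

# Constructed sample file. The AWS pair is the placeholder pair from AWS's own
# documentation and the token and database password are made up, so nothing
# here is a live credential.
SAMPLE = """\
# app settings
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DATABASE_URL=postgres://app:s3cret@db.internal:5432/app
AWS_REGION = "us-east-1"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.env"):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```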

Purpose: The Artifact Repository Security Scanner is designed to safeguard software supply chains by detecting unauthorized packages and tampered artifacts within artifact repositories. It ensures the integrity and security of software components used in development processes, mitigating risks associated with unauthorized access and data interception.

What This Scanner Detects:

  • Unauthorized Packages: Identifies packages that are not part of the approved list or have been added without proper authorization.
  • Tampered Artifacts: Detects modifications to artifacts that do not match the expected checksums or signatures.
  • Public Access Issues: Identifies repositories or buckets with public access enabled, which can lead to unauthorized data exposure.
  • Missing Encryption: Detects artifacts stored without server-side encryption, increasing the risk of data interception.
  • Insecure Permissions: Identifies overly permissive permissions that could allow unauthorized access to repositories or buckets.

Inputs Required:

  • domain (string): The domain of the artifact repository to scan. This input is crucial for directing the scanner towards the specific repository where it will perform its analysis.
  • github_org (string): The GitHub organization name whose repositories need to be scanned. This parameter allows the scanner to focus on a particular set of repositories within GitHub, which can be either private or public depending on the organization’s settings.

Business Impact: Ensuring the integrity and security of software supply chains is paramount for maintaining a secure development environment. Unauthorized packages and tampered artifacts pose significant risks that could lead to data breaches, system vulnerabilities, and unauthorized access to sensitive information. The scanner helps in proactively identifying these issues before they can be exploited by malicious actors.

Risk Levels:

  • Critical: Conditions such as the discovery of unauthorized packages or tampered artifacts that directly compromise the security and integrity of software components are considered critical. These findings indicate a high level of risk where immediate action is required to prevent potential damage.
  • High: Issues like public access enabled in repositories, missing server-side encryption, and insecure permissions can lead to significant exposure of sensitive data or unauthorized access. These risks are assessed as high due to the potential impact on organizational security posture.
  • Medium: Findings such as the presence of potentially insecure configurations that could be exploited with some effort but do not pose an immediate threat are categorized under medium risk. These findings still require attention, but they may not immediately affect critical systems or data.
  • Low: Informational findings related to the discovery of standard package management files (like package-lock.json) without unauthorized content can be considered low risk as their impact on security is minimal and does not pose an immediate threat.
  • Info: These are purely informational findings that do not directly affect security but provide insights into repository configurations, such as missing or misconfigured encryption settings. They help in maintaining a baseline level of security hygiene without being classified as critical or high risks.

Example Findings:

  • “Detected unauthorized package: example-package in repository: example-repo” - This finding highlights an instance where a package was identified outside the approved list, indicating potential policy violations and unauthorized access to software components.
  • “Checksum mismatch detected for artifact: example-artifact in bucket: example-bucket” - This scenario suggests that there is a discrepancy between the expected checksum of an artifact and its actual value stored in the repository, which could indicate either tampering or misconfiguration within the storage environment.
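An added example, not the Artifact Repository Security Scanner's own code, of the two findings just quoted: a checksum comparison against a manifest digest and an approved-list check over the packages map of a package-lock.json. The artifact bytes, manifest digest, lockfile and approved set are constructed.

```python
import hashlib
import hmac
import json

def check_artifact(name, bucket, data, expected_sha256):
    """Recompute the SHA-256 of the stored bytes and compare it with the manifest
    value. Returns None on a match, else a critical finding worded like the page's."""
    actual = hashlib.sha256(data).hexdigest()
    if hmac.compare_digest(actual, expected_sha256.lower()):
        return None
    return ("critical", f"Checksum mismatch detected for artifact: {name} in bucket: {bucket}")

def check_lockfile(repo, lockfile_text, approved):
    """Walk the 'packages' map of a package-lock.json (lockfileVersion 2 or 3): flag
    names outside the approved set, and entries with no integrity hash, since those
    cannot be verified against the registry tarball at install time."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        if name not in approved:
            findings.append(("critical", f"Detected unauthorized package: {name} in repository: {repo}"))
        if "integrity" not in meta:
            findings.append(("medium", f"No integrity hash for package: {name} in repository: {repo}"))
    return findings

# Constructed samples. GOOD_ARTIFACT's digest stands in for the manifest value and
# TAMPERED_ARTIFACT differs by one byte. The lockfile mimics npm's v3 layout; its
# integrity string is a placeholder, not a real hash.
GOOD_ARTIFACT = b"example artifact contents\n"
TAMPERED_ARTIFACT = b"example artifact contents!\n"
MANIFEST_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
SAMPLE_LOCK = json.dumps({"name": "example-repo", "lockfileVersion": 3, "packages": {
    "": {"name": "example-repo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/example-package": {"version": "0.0.1"}}})
APPROVED = {"left-pad"}

def scan_sample():
    findings = [f for f in (
        check_artifact("example-artifact", "example-bucket", GOOD_ARTIFACT, MANIFEST_SHA256),
        check_artifact("example-artifact", "example-bucket", TAMPERED_ARTIFACT, MANIFEST_SHA256),
    ) if f is not None]
    return findings + check_lockfile("example-repo", SAMPLE_LOCK, APPROVED)

if __name__ == "__main__":
    for severity, message in scan_sample():
        print(f"[{severity}] {message}")
```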