Skyscanner/cfripper Skyscanner/cfripper

  • Stars
    star
    396
  • Rank 108,801 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Skyscanner/cfripper
github

Skyscanner

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Library and CLI tool for analysing CloudFormation templates and check them for security compliance.

CFRipper

Build Status PyPI version Total alerts Language grade: Python

CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.

Docs and more details available in https://cfripper.readthedocs.io/

CLI Usage

Normal execution

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

Using the "resolve" flag

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
 - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
 - PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789012:root'

Using json format and output-folder argument

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json

Using rules config file

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

Using rules filters files

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/
example_rules_config_for_cli.py loaded
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

Exit Codes

"""
Analyse AWS Cloudformation templates passed by parameter.
Exit codes:
  - 0 = all templates valid and scanned successfully
  - 1 = error / issue in scanning at least one template
  - 2 = at least one template is not valid according to CFRipper (template scanned successfully)
  - 3 = unknown / unhandled exception in scanning the templates
"""

More Repositories

1

SkyFloatingLabelTextField

A beautiful and flexible text field control implementation of "Float Label Pattern". Written in Swift.
Swift
4,094
star
2

backpack

Backpack Design System
TypeScript
492
star
3

whispers

Identify hardcoded secrets in static structured text
Python
480
star
4

turbolift

A simple tool to help apply changes across many GitHub repositories simultaneously
Go
434
star
5

LambdaGuard

AWS Serverless Security
Python
399
star
6

Dixie

Dixie, turning chaos to your advantage.
Objective-C
192
star
7

aiotask-context

Contextual information for asyncio tasks
Python
161
star
8

engineering-principles

Skyscanner's Engineering Principles
133
star
9

backpack-android

Backpack Design System
Kotlin
127
star
10

applicationset-progressive-sync

Progressive sync controller for Argo ApplicationSet
Go
124
star
11

skyscanner-python-sdk

Skyscanner Python SDK
Python
121
star
12

full-stack-recruitment-test

JavaScript
110
star
13

backpack-ios

Backpack Design System
Swift
108
star
14

sonar-secrets

SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc..
Java
99
star
15

pyfailsafe

Simple failure handling. Failsafe implementation in Python
Python
89
star
16

kms-issuer

KMS issuer is a cert-manager Certificate Request controller that uses AWS KMS to sign the certificate request.
Go
61
star
17

backpack-react-native

Backpack Design System
JavaScript
49
star
18

pycfmodel

A python model for Cloud Formation scripts
Python
27
star
19

ensure-node-env

A script that helps ensure you have the correct node & npm versions installed in your environment.
JavaScript
19
star
20

historical-bank-ruby

A Ruby Bank that serves historical exchange rates
Ruby
15
star
21

gradle-time-logger-plugin

Gradle plugin to log your build time
Kotlin
12
star
22

stylelint-config-skyscanner

Skyscanner's very own stylelint config.
JavaScript
10
star
23

gha-aws-oidc-sample

Enforcing per-repo privileges on AWS with GitHub Actions OIDC, without session tags
9
star
24

backpack-foundations

The foundational repo for Backpack platforms
JavaScript
9
star
25

eslint-config-skyscanner

Skyscanner's ESLint configuration
JavaScript
7
star
26

skyscanner-contentful-management

CLI tool for performing bulk actions with content managed using Contentful
Python
7
star
27

backpack-docs

Backpack design system's docs
JavaScript
7
star
28

skyscanner.github.io

Homepage of Skyscanner Open Source Software https://skyscanner.github.io
JavaScript
5
star
29

cra-template-backpack

The Backpack template used for Backpack React Scripts app creation.
HTML
4
star
30

backpack-node-sass

Parallelised node-sass with Backpack support.
JavaScript
3
star
31

OpenTSDB-rollup

Spark job generating rollup data points from a snapshot of an OpenTSDB raw data table
Java
3
star
32

backpack-usage-analyser

A tool to analyse the usage of Backpack resources in codebases.
JavaScript
2
star
33

grpc-asyncio

Python
2
star
34

eslint-plugin-backpack

JavaScript
1
star
35

eslint-config-skyscanner-with-prettier

Skyscanner's eslint config with additional support for Prettier
JavaScript
1
star
36

helm-argocd-appofapps

A helm chart that provides a relatively simple app of apps pattern
Smarty
1
star