Terragoat pr

.github/workflows/assiphloser.yaml

@@ -0,0 +1,23 @@
+name: Manual CI Pipeline
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run tests
+        run: npm test

terragoat-master/.github/template.md

@@ -0,0 +1,252 @@
+# TerraGoat - Vulnerable Terraform Infrastructure
+
+[![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=terragoat)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=bridgecrewio%2Fterragoat&benchmark=INFRASTRUCTURE+SECURITY)
+[![CIS Azure](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=bridgecrewio%2Fterragoat&benchmark=CIS+AZURE+V1.1)
+[![CIS GCP](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=bridgecrewio%2Fterragoat&benchmark=CIS+GCP+V1.1)
+[![CIS AWS](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=bridgecrewio%2Fterragoat&benchmark=CIS+AWS+V1.2)
+[![PCI](https://www.bridgecrew.cloud/badges/github/bridgecrewio/terragoat/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=bridgecrewio%2Fterragoat&benchmark=PCI-DSS+V3.2)
+![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg) 
+[![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic&logo=slack&logoColor=white)](https://slack.bridgecrew.io/)
+
+
+TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
+![Terragoat](terragoat-logo.png)
+
+TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
+TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
+
+## Table of Contents
+
+* [Introduction](#introduction)
+* [Getting Started](#getting-started)
+  * [AWS](#aws-setup)
+  * [Azure](#azure-setup)
+  * [GCP](#gcp-setup)
+* [Contributing](#contributing)
+* [Support](#support)
+
+## Introduction
+
+TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like [Bridgecrew](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=terragoat) & [Checkov](https://github.com/bridgecrewio/checkov/), inline-linters, pre-commit hooks or other code scanning methods.
+
+TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
+
+## Important notes
+
+* **Where to get help:** the [Bridgecrew Community Slack](https://slack.bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=terragoat)
+
+Before you proceed please take a not of these warning:
+> :warning: TerraGoat creates intentionally vulnerable AWS resources into your account. **DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.**
+
+## Requirements
+
+* Terraform 0.12
+* aws cli
+* azure cli
+
+To prevent vulnerable infrastructure from arriving to production see: [Bridgecrew](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=terragoat) & [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code.
+
+## Getting started
+
+### AWS Setup
+
+#### Installation (AWS)
+
+You can deploy multiple TerraGoat stacks in a single AWS account using the parameter `TF_VAR_environment`.
+
+#### Create an S3 Bucket backend to keep Terraform state
+
+```bash
+export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
+export TF_VAR_company_name=acme
+export TF_VAR_environment=mydevsecops
+export TF_VAR_region="us-west-2"
+
+aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
+    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
+
+# Enable versioning
+aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
+
+# Enable encryption
+aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
+  "Rules": [
+    {
+      "ApplyServerSideEncryptionByDefault": {
+        "SSEAlgorithm": "aws:kms"
+      }
+    }
+  ]
+}'
+```
+
+#### Apply TerraGoat (AWS)
+
+```bash
+cd terraform/aws/
+terraform init \
+-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
+-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
+-backend-config="region=$TF_VAR_region"
+
+terraform apply
+```
+
+#### Remove TerraGoat (AWS)
+
+```bash
+terraform destroy
+```
+
+#### Creating multiple TerraGoat AWS stacks
+
+```bash
+cd terraform/aws/
+export TERRAGOAT_ENV=$TF_VAR_environment
+export TERRAGOAT_STACKS_NUM=5
+for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
+do
+    export TF_VAR_environment=$TERRAGOAT_ENV$i
+    terraform init \
+    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
+    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
+    -backend-config="region=$TF_VAR_region"
+
+    terraform apply -auto-approve
+done
+```
+
+#### Deleting multiple TerraGoat stacks (AWS)
+
+```bash
+cd terraform/aws/
+export TF_VAR_environment = $TERRAGOAT_ENV
+for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
+do
+    export TF_VAR_environment=$TERRAGOAT_ENV$i
+    terraform init \
+    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
+    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
+    -backend-config="region=$TF_VAR_region"
+
+    terraform destroy -auto-approve
+done
+```
+
+### Azure Setup
+
+#### Installation (Azure)
+
+You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter `TF_VAR_environment`.
+
+#### Create an Azure Storage Account backend to keep Terraform state
+
+```bash
+export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
+export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
+export TERRAGOAT_STATE_CONTAINER="mydevsecops"
+export TF_VAR_environment="dev"
+export TF_VAR_region="westus"
+
+# Create resource group
+az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP
+
+# Create storage account
+az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob
+
+# Get storage account key
+ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)
+
+# Create blob container
+az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY
+```
+
+#### Apply TerraGoat (Azure)
+
+```bash
+cd terraform/azure/
+terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
+    -backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
+    -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
+    -backend-config "key=$TF_VAR_environment.terraform.tfstate"
+
+terraform apply
+```
+
+#### Remove TerraGoat (Azure)
+
+```bash
+terraform destroy
+```
+
+### GCP Setup
+
+#### Installation (GCP)
+
+You can deploy multiple TerraGoat stacks in a single GCP project using the parameter `TF_VAR_environment`.
+
+#### Create a GCS backend to keep Terraform state
+
+To use terraform, a Service Account and matching set of credentials are required.
+If they do not exist, they must be manually created for the relevant project.
+To create the Service Account:
+1. Sign into your GCP project, go to `IAM` > `Service Accounts`.
+2. Click the `CREATE SERVICE ACCOUNT`.
+3. Give a name to your service account (for example - `terragoat`) and click `CREATE`.
+4. Grant the Service Account the `Project` > `Editor` role and click `CONTINUE`.
+5. Click `DONE`.
+
+To create the credentials:
+1. Sign into your GCP project, go to `IAM` > `Service Accounts` and click on the relevant Service Account.
+2. Click `ADD KEY` > `Create new key` > `JSON` and click `CREATE`. This will create a `.json` file and download it to your computer.
+
+We recommend saving the key with a nicer name than the auto-generated one (i.e. `terragoat_credentials.json`), and storing the resulting JSON file inside `terraform/gcp` directory of terragoat.
+Once the credentials are set up, create the BE configuration as follows:
+
+```bash
+export TF_VAR_environment="dev"
+export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
+export TF_VAR_credentials_path=<PATH_TO_CREDNETIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
+export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
+
+# Create storage bucket
+gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
+```
+
+#### Apply TerraGoat (GCP)
+
+```bash
+cd terraform/gcp/
+terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
+    -backend-config "credentials=$TF_VAR_credentials_path" \
+    -backend-config "prefix=terragoat/${TF_VAR_environment}"
+
+terraform apply
+```
+
+#### Remove TerraGoat (GCP)
+
+```bash
+terraform destroy
+```
+
+## Bridgecrew's IaC herd of goats
+
+* [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template
+* [TerraGoat](https://github.com/bridgecrewio/terragoat) - Vulnerable by design Terraform stack
+* [CDKGoat](https://github.com/bridgecrewio/cdkgoat) - Vulnerable by design CDK application
+* [kustomizegoat](https://github.com/bridgecrewio/kustomizegoat) - Vulnerable by design kustomize deployment
+## Contributing
+
+Contribution is welcomed!
+
+We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
+
+## Support
+
+[Bridgecrew](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=terragoat) builds and maintains TerraGoat to encourage the adoption of policy-as-code.
+
+If you need direct support you can contact us at [info@bridgecrew.io](mailto:info@bridgecrew.io).
+
+## Existing vulnerabilities (Auto-Generated)

terragoat-master/.github/workflows/assiphloser.yaml

@@ -0,0 +1,23 @@
+name: Manual CI Pipeline
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run tests
+        run: npm test

terragoat-master/.github/workflows/build.yaml

@@ -0,0 +1,37 @@
+name: build
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    runs-on: [self-hosted, public, linux, x64]
+    steps:
+      - uses: actions/checkout@v2
+        name: Checkout repo
+        with:
+          fetch-depth: 0
+      - name: Run yor action
+        uses: bridgecrewio/yor-action@main
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Update documentation
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git fetch --tags
+          git pull
+          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          echo "latest tag: $latest_tag"
+          new_tag=$(echo $latest_tag | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
+          echo "new tag: $new_tag"
+
+          pip install -U checkov
+          cat .github/template.md > README.md && checkov -d terraform -o github_failed_only -s >> README.md
+          git add README.md  || echo "No changes to commit"
+          git commit -m "update resource scan result doc" README.md || echo "No changes to commit"
+          git push origin
+          git tag $new_tag
+          git push origin $new_tag

terragoat-master/.github/workflows/pull_request.yaml

@@ -0,0 +1,16 @@
+name: build
+on:
+  pull_request
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: terraform/

terragoat-master/.github/workflows/semgrep.yml

@@ -0,0 +1,16 @@
+on:
+  pull_request: {}
+  push:
+    branches:
+    - main
+    - master
+name: Semgrep
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: returntocorp/semgrep-action@v1
+      with:
+        publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}