| #!/bin/bash | |
| IMAGE_NAME="postgres" | |
| IMAGE_TAG="15" | |
| # Read the JSON input from the standard input | |
| input_json=$(lw-scanner evaluate $IMAGE_NAME $IMAGE_TAG --save --build-id ${BUILD_ID} --fixable --json) | |
| filename="$(echo "$IMAGE_NAME:$IMAGE_TAG")_vuln_report_$(date +"%Y%m%d_%H%M%S").csv" |
Using iamlive to proxy AWS CLI commands to get an least-privilege IAM policy for remediation templates
Install brew install iann0036/iamlive/iamlive Open a terminal window and start the proxy iamlive --set-ini --profile NAME_OF_AN_AWS_PROFILE --mode proxy Open a new terminal window where you will run AWS CLI commands Tell the AWS CLI which CA Bundle to use export AWS_CA_BUNDLE=~/.iamlive/ca.pem Set proxy settings
export HTTP_PROXY=http://127.0.0.1:10080 export HTTPS_PROXY=http://127.0.0.1:10080
| # A sample Bash script to count the number of vCPU's consumed by GCP CloudRun. @author [email protected] | |
| REGIONS=(europe-north1 us-central1) | |
| for region in ${REGIONS[@]}; do | |
| SERVICES=$(gcloud run services list --region $region --format="json" | jq -r '.[] | .metadata.name') | |
| echo "##############################\n GCP Region: $region" | |
| for service in ${SERVICES[@]}; do | |
| echo "##############################\n CloudRun service: $service \n##############################\n" | |
| vcpu=$(gcloud run services describe $service --region $region --format="json" | jq -r '.spec.template.spec.containers | .[].resources.limits.cpu') | |
| echo "$vcpu\n" | |
| done |
| --- | |
| policyId: custom-global-1 | |
| title: Certificate due to expire in 20 days or less | |
| enabled: true | |
| policyType: Compliance | |
| alertEnabled: true | |
| alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation | |
| evalFrequency: Daily | |
| queryId: Verifone_AWS_Config_ACM_ExpiringCertificate | |
| severity: high |
| --- | |
| queryId: Custom_AWS_Config_ACM_ExpiringCertificate | |
| queryText: |- | |
| { | |
| source { | |
| LW_CFG_AWS_ACM_DESCRIBE_CERTIFICATE | |
| } | |
| filter { | |
| RESOURCE_CONFIG:Certificate.Status NOT IN ('EXPIRED') and | |
| DIFF_DAYS(current_timestamp_sec()::timestamp, RESOURCE_CONFIG:Certificate.NotAfter::timestamp) <= 20 |
| trigger: | |
| - main | |
| pool: | |
| vmImage: ubuntu-latest | |
| steps: | |
| - script: | | |
| docker pull ubuntu:latest | |
| docker run \ |
| # This pipeline has a single step which installs the LW IAC CLI, setups an auth token | |
| # stored as a pipeline variable and then scans TF code within a directory. | |
| trigger: | |
| - main | |
| pool: | |
| vmImage: ubuntu-latest | |
| steps: |
| stages: # List of stages for jobs, and their order of execution | |
| - iac-scan | |
| docker:image: | |
| stage: iac-scan | |
| image: docker:1.11 | |
| services: | |
| - docker:dind | |
| script: |
| { | |
| "ipcMode": null, | |
| "executionRoleArn": "arn:aws:iam::009213923942:role/ecsTaskExecutionRole", | |
| "containerDefinitions": [ | |
| { | |
| "dnsSearchDomains": null, | |
| "environmentFiles": null, | |
| "logConfiguration": { | |
| "logDriver": "awslogs", | |
| "secretOptions": null, |
| proxy-scanner: | |
| config: | |
| static_cache_location: /opt/lacework/cache | |
| default_registry: index.docker.io | |
| lacework: | |
| account_name: myAccount | |
| integration_access_token: myToken | |
| registries: | |
| - domain: index.docker.io | |
| ssl: true |