[HN Gopher] Scanning for AWS Security Issues with Trivy
___________________________________________________________________
Scanning for AWS Security Issues with Trivy
Author : pcw888
Score : 69 points
Date : 2022-08-16 10:53 UTC (12 hours ago)
(HTM) web link (lia.mg)
(TXT) w3m dump (lia.mg)
| nathanwallace wrote:
| Readers may also enjoy Steampipe [1]. It's an open source "ops as
| code" CLI to query 83+ services with SQL (AWS, GitHub, Terraform,
| etc) that comes with hundreds of ready to use benchmarks (CIS,
| NIST, Cost) and dashboards built in HCL. The AWS Compliance mod
| [2] and Trivy plugin [3] are specific examples. (Disclaimer - I'm
| a lead on the project.)
|
| 1 - https://steampipe.io
| 2 - https://hub.steampipe.io/mods/turbot/aws_compliance
| 3 - https://hub.steampipe.io/plugins/turbot/trivy
| bearjaws wrote:
| This is genuinely badass, this would have solved so many
| headaches in my career with AWS.
|
| Searching / filtering for resources in the AWS SDK has always been
| kludgy and limited, sometimes requiring querying and then
| filtering locally to find specific records.
|
| Also love the pro-SQL approach.
| bearjaws wrote:
| Why not use AWS Security Hub? It already supports reading in all
| your accounts into a centralized report and running it against
| multiple standards.
|
| You do pay for it (~$30 a month for my job) but you quite
| literally check a box and have no setup.
| yevpats wrote:
| Shameless plug, you can also enjoy CloudQuery
| (https://github.com/cloudquery/cloudquery) where we take a more
| ELT approach so you can use plain SQL for policies
| (https://github.com/cloudquery/cloudquery/tree/main/plugins/s...)
| and then use any BI tools for visualization and monitoring
| (https://github.com/cloudquery/cloudquery/tree/main/plugins/s...).
|
| Shout out to steampipe below as a similar project though that
| takes a more real-time approach rather than ELT which has its
| use cases as well.
| user3939382 wrote:
| Also this: https://www.fugue.co/ I learned about this tool by
| interviewing with them. Nice guys.
| politelemon wrote:
| This doesn't make sense to me but probably because I've not
| understood trivy. Inspecting file type things (docker, file,
| terraform) was what trivy had been doing so far. This however is
| now a network inspection and doesn't feel like it fits?
| raesene9 wrote:
| So in theory this can fit pretty well, if you look at it as a tool
| that can scan things at various stages of the development
| pipeline. As the rulesets are the same this means you can get
| consistent results when scanning your terraform and then in
| production against the running resources.
|
| If it works then it can solve a big problem in security
| scanning which is different tools applying different rules,
| which causes frustration as it reduces the risk of "it passed
| in dev, why is it failing in prod"
|
| (full disclosure, I used to work for Aqua who make Trivy)
| u1tron wrote:
| AWS has its own native tool to scan the images.
| bfung wrote:
| One use case using trivy is in a CI/CD pipeline; fail container
| builds that have issues to begin with.
|
| Whereas container scanning in ECR, who knows when someone will
| actually fix the issue.
| pritambarhate wrote:
| Just tried it:
|
| ./trivy aws --region us-east-1
|
| panic: runtime error: invalid memory address or nil pointer
| dereference
|
| Posted a GitHub issue as well.
| FujiApple wrote:
| TIL: https://github.com/rust-secure-code/cargo-auditable
| InfoSecErik wrote:
| Alternate tool in the same space:
| https://github.com/nccgroup/ScoutSuite
___________________________________________________________________
(page generated 2022-08-16 23:02 UTC)