/terraform-vulnerability-lab

Learn security in Terraform code with tfsec!

Primary LanguageHCLMIT LicenseMIT

Terraform - An insecure and vulnerable laboratory

Purpose

The primary goal of this lab is to provide a hands-on experience for developers, security practitioners, and students to:

  • Gain insight into insecure Terraform code patterns.
  • Understand the potential risks associated with insecure infrastructure configurations.
  • Learn how to apply security best practices to mitigate vulnerabilities.

Usage

  1. Clone this repository to your local machine:

    git clone https://github.com/BreakingPitt/tfsec-vulnerability-lab.git

Install required security tools

Tfsec

Ensure you have tfsec installed.

  1. You can install it using the following:

    curl -L -o tfsec https://github.com/tfsec/tfsec/releases/latest/download/tfsec-linux-amd64
    chmod +x tfsec
    sudo mv tfsec /usr/local/bin/
  2. Ensure you have tfsec installed. You can install it using the following:

    tfsec --version

Checov

Ensure you have checkov installed.

  1. Ensure you have checkov installed. You can install it using the following:

    pip install checkov

Running tfsec for security analysis

To analyze the insecure Terraform code examples using tfsec, follow these steps:

  1. Navigate to the directory containing the insecure Terraform code you want to analyze:

    cd tfsec-vulnerability-lab/src/s3
  2. Run tfsec against the insecure Terraform code:

    tfsec .

Running checkov for security analysis

To analyze the insecure Terraform code examples using checkov, follow these steps:

  1. Navigate to the directory containing the insecure Terraform code you want to analyze:

    cd tfsec-vulnerability-lab/src/s3
  2. Run checkov against the insecure Terraform code:

    checkov -d .

Dependencies

The following dependencies are required to run the lab:

Disclaimer

This repository is for educational purposes only and should not be used in a production environment. The provided Terraform code intentionally showcases insecure configurations for educational exploration.

Contributing

Contributions to enhance and expand the lab with new vulnerability scenarios and mitigations are welcome! Please follow ethical guidelines and ensure the examples provided are solely intended for educational purposes.

License

The content in this repository is licensed under the MIT License.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Authors