/terraform-aws-scanner

Terraform module which provides easy to configure AWS environment for running automated security scanning solutions at scheduled intervals.

AWS Scanner Terraform Module

This Terraform module provides an easy-to-configure AWS environment for running automated security scanning solutions at scheduled intervals. You configure it; AWS runs it at minimal cost.

Running various types of scanners as part of your DevOps process is essential to keep on top of vulnerabilities. Often this task is performed by standalone tools such as Nessus, Nexpose, OpenVAS or even Qualys. However, all of these tools have their own blind spots and are not very DevOps-friendly. This module gives you a good starting point to improve your automated scanning infrastructure once and for all.

Getting Started

Getting started is easy. All resources such as the designated ECS cluster, VPCs, and task definitions are provisioned out of the box. Here is a complete example of how to set up the Cohesion web security scanner:

module "scanner" {
  source = "opendevsecops/scanner/aws"
}

module "scanner_cohesion" {
  source = "opendevsecops/scanner/aws//modules/cohesion"

  schedule = "rate(24 hours)"

  target = "http://target"

  trigger_arn = "${module.scanner.trigger_arn}"
}

Scanner outputs are available in the designated CloudWatch log groups.

This module is automatically published to the Terraform Module Registry. More information about the available inputs, outputs, dependencies, and instructions on how to use the module can be found on its official registry page.

Supported Scanners

The following scanners are currently supported. More scanners can easily be added as long as they are packaged as Docker containers:

  • Cohesion - Dynamic Web Application Security Scanner
  • Pown - Offensive security tooling
  • WPScan - WordPress Security Scanner
  • Nmap - Network Security Scanner
  • GitLeaks - Git Security Scanner
  • Amass - Domain Enumeration
  • Nikto - Web Application Security Scanner

Cohesion

module "scanner_cohesion" {
  source = "opendevsecops/scanner/aws//modules/cohesion"

  schedule = "rate(24 hours)"

  target = "http://target"

  trigger_arn = "${module.scanner.trigger_arn}"
}

Pown

module "scanner_pown" {
  source = "opendevsecops/scanner/aws//modules/pown"

  schedule = "rate(24 hours)"

  args = ["recon", "transform", "ghlm", "target"]

  trigger_arn = "${module.scanner.trigger_arn}"
}

WPScan

module "scanner_wpscan" {
  source = "opendevsecops/scanner/aws//modules/wpscan"

  schedule = "rate(24 hours)"

  target = "http://target"

  trigger_arn = "${module.scanner.trigger_arn}"
}

Nmap

module "scanner_nmap" {
  source = "opendevsecops/scanner/aws//modules/nmap"

  schedule = "rate(24 hours)"

  target = "10.10.10.0/24"
  flags = ["-sS"]

  trigger_arn = "${module.scanner.trigger_arn}"
}

GitLeaks

module "scanner_gitleaks" {
  source = "opendevsecops/scanner/aws//modules/gitleaks"

  schedule = "rate(24 hours)"

  target = "https://github.com/target/target.git"

  trigger_arn = "${module.scanner.trigger_arn}"
}

Amass

module "scanner_amass" {
  source = "opendevsecops/scanner/aws//modules/amass"

  schedule = "rate(24 hours)"

  target = "target"

  trigger_arn = "${module.scanner.trigger_arn}"
}

Nikto

module "scanner_nikto" {
  source = "opendevsecops/scanner/aws//modules/nikto"

  schedule = "rate(24 hours)"

  target = "target"

  trigger_arn = "${module.scanner.trigger_arn}"
}
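Every scanner module above takes the same two inputs, a schedule expression and a target, and a typo in either one fails quietly: the task never fires, or it scans something other than what you meant. The following pre-apply check is an added example and not part of the terraform-aws-scanner module. The schedule rules follow the EventBridge rate()/cron() syntax; the per-scanner target rules (URL for Cohesion and WPScan, CIDR or host for Nmap, repository URL for GitLeaks, domain for Amass, args list for Pown) and the Nmap address-count limit are assumptions derived from the README examples, not something the module itself enforces.

```python
"""Pre-apply sanity checks for terraform-aws-scanner inputs (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# rate(<value> <unit>): EventBridge requires the singular unit for 1 and the plural otherwise.
_RATE_RE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")
# cron(...) expressions carry exactly six whitespace-separated fields.
_CRON_RE = re.compile(r"^cron\(([^()]+)\)$")
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$", re.I)


def validate_schedule(expr):
    """Return a list of problems with a schedule expression; empty means valid."""
    m = _RATE_RE.match(expr)
    if m:
        value, unit = int(m.group(1)), m.group(2)
        if value < 1:
            return ["rate value must be a positive integer"]
        if value == 1 and unit.endswith("s"):
            return ["rate(1 %s) must use the singular unit" % unit]
        if value > 1 and not unit.endswith("s"):
            return ["rate(%d %s) must use the plural unit" % (value, unit)]
        return []
    m = _CRON_RE.match(expr)
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            return ["cron expression needs 6 fields, got %d" % len(fields)]
        return []
    return ["unrecognised schedule expression: %r" % expr]


def _is_http_url(t):
    u = urlparse(t)
    return u.scheme in ("http", "https") and bool(u.netloc)


def _is_git_url(t):
    u = urlparse(t)
    return u.scheme in ("http", "https", "ssh", "git") and bool(u.netloc)


def _is_hostname(t):
    return bool(_HOSTNAME_RE.match(t))


def _is_network_target(t):
    try:
        ipaddress.ip_network(t, strict=False)
        return True
    except ValueError:
        return _is_hostname(t)


# Scanner module -> (predicate, description). Assumed from the README examples.
TARGET_RULES = {
    "cohesion": (_is_http_url, "an http(s) URL"),
    "wpscan": (_is_http_url, "an http(s) URL"),
    "nikto": (lambda t: _is_http_url(t) or _is_hostname(t), "a hostname or http(s) URL"),
    "nmap": (_is_network_target, "an IP address, CIDR range or hostname"),
    "gitleaks": (_is_git_url, "a git repository URL"),
    "amass": (_is_hostname, "a domain name"),
}


def validate_scanner(kind, schedule, target=None, args=None, max_nmap_hosts=65536):
    """Check one scanner module's inputs. max_nmap_hosts is an assumed blast-radius
    limit on the size of an Nmap CIDR target, not a setting of the module."""
    problems = ["%s: %s" % (kind, p) for p in validate_schedule(schedule)]
    if kind == "pown":
        # The pown module takes an args list instead of a target.
        if not args:
            problems.append("pown: args must be a non-empty list")
        return problems
    if kind not in TARGET_RULES:
        return problems + ["%s: unknown scanner module" % kind]
    pred, desc = TARGET_RULES[kind]
    if not target or not pred(target):
        problems.append("%s: target must be %s, got %r" % (kind, desc, target))
    elif kind == "nmap":
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            net = None  # hostname target, no range to bound
        if net is not None and net.num_addresses > max_nmap_hosts:
            problems.append("nmap: %s covers %d addresses, above the limit of %d"
                            % (target, net.num_addresses, max_nmap_hosts))
    return problems


def validate_all(configs):
    """configs: iterable of dicts with keys kind, schedule and target or args."""
    problems = []
    for c in configs:
        problems.extend(validate_scanner(c["kind"], c["schedule"], c.get("target"), c.get("args")))
    return problems


if __name__ == "__main__":
    # Constructed sample: the README's Cohesion example plus two deliberate mistakes.
    sample = [
        {"kind": "cohesion", "schedule": "rate(24 hours)", "target": "http://target"},
        {"kind": "nmap", "schedule": "rate(1 hours)", "target": "10.10.10.0/24"},
        {"kind": "gitleaks", "schedule": "rate(24 hours)", "target": "target/target"},
    ]
    for p in validate_all(sample):
        print(p)
```

Run it against a list of the module blocks you are about to apply (or wire it into CI before terraform plan); a non-empty result is a reason to stop. The Nmap address-count bound is a policy choice for this example: a scheduled ECS task scanning an unexpectedly large range is both a cost surprise and a sign the target was mistyped.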

Contribute

Fork the project. Create a scanner definition in the modules subfolder, using Cohesion, Nmap or any other scanner as an example. Once you are happy with your changes, create a pull request. We will review it and, if the submission is good, accept it as part of the official module distribution.