Merge pull request #23 from loganmarchione/renovate/terraform-linters… #207

Triggered via push December 9, 2024 15:40
Status Success
Total duration 1m 53s
Annotations

16 warnings and 1 notice
Terraform Lint
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
tfsec
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
Terrascan
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
Terrascan
The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Terrascan
The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
KICS
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
[MEDIUM] CloudFront Without WAF: cloudfront.tf#L22
All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
[LOW] IAM Access Analyzer Not Enabled: acm.tf#L5
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
[LOW] IAM Access Analyzer Not Enabled: s3.tf#L10
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
[LOW] IAM Access Analyzer Not Enabled: cloudfront.tf#L5
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
[LOW] Shield Advanced Not In Use: cloudfront.tf#L22
AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/terraform_checks.yml#L62
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/terraform-docs.yml#L21
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/terraform_checks.yml#L81
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/terraform_checks.yml#L38
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/terraform_checks.yml#L22
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
GitHub API token
Consider setting a GITHUB_TOKEN to prevent GitHub api rate limits