V2 - ECR (#12)

* adding in v2 ref and documentation

* document update

* doc update

closes #11 #10

Dockerfile

@@ -1,5 +1,5 @@
 # Container image that runs your code
-FROM grolston/cfn-security:1.0
+FROM public.ecr.aws/rolston/cfn-security:2.0
 
 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /entrypoint.sh

README.md

@@ -1,5 +1,7 @@
 # cfn-security
 
+> **Note:** as of `v2`, the cfn-security image is using AWS ECR for the image registry. cfn-security `v1` will remain on docker hub unchanged; however, the docker hub rate limits could impact utilization. It is recommended to move to `v2`.
+
 A simple `GitHub Action` for AWS CloudFormation static code analysis to improve infrastructure-as-code security.
 
 ***The Action does not require AWS credentials!***
@@ -41,12 +43,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: grolston/cfn-security@v1
+    - uses: grolston/cfn-security@v2
       with:
         cloudformation_directory: './cloudformation/' ## change to your template directory
         scanner: "cfn-lint"
 ```
 
+The cfn-lint scan will result in a pipeline failure for any identified rule violations. To suppress cfn-lint rules within your cloudformation template you can add in cfn-lint `Metadata` to the impacted resource. Example:
+
+```yaml
+Resources:
+  myInstance:
+    Type: AWS::EC2::Instance
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - E3030
+    Properties:
+      InstanceType: nt.x4superlarge
+      ImageId: ami-abc1234
+```
+
 ### Example cfn-nag Test
 
 The following example tests CloudFormation with cfn-nag:
@@ -62,11 +80,38 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: grolston/cfn-security@v1
+    - uses: grolston/cfn-security@v2
       with:
         cloudformation_directory: './cloudformation/' ## change to your template directory
         scanner: "cfn-nag"
 ```
+The cfn-nag scan will result in a pipeline failure for any identified rule violations. To suppress cfn-nag rules within your cloudformation template you can add in cfn-nag `Metadata` to the impacted resource. Example:
+
+```yaml
+# Partial template
+PublicAlbSecurityGroup:
+  Properties:
+    GroupDescription: 'Security group for a public Application Load Balancer'
+    VpcId:
+      Ref: vpc
+  Type: AWS::EC2::SecurityGroup
+  Metadata:
+    cfn_nag:
+      rules_to_suppress:
+        - id: W9
+          reason: "This is a public facing ELB and ingress from the internet should be permitted."
+        - id: W2
+          reason: "This is a public facing ELB and ingress from the internet should be permitted."
+PublicAlbSecurityGroupHttpIngress:
+  Properties:
+    CidrIp: 0.0.0.0/0
+    FromPort: 80
+    GroupId:
+      Ref: PublicAlbSecurityGroup
+    IpProtocol: tcp
+    ToPort: 80
+  Type: AWS::EC2::SecurityGroupIngress
+```
 
 ### Example checkov Test
 
@@ -83,11 +128,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: grolston/cfn-security@v1
+    - uses: grolston/cfn-security@v2
       with:
         cloudformation_directory: './cloudformation/' ## change to your template directory
         scanner: "checkov"
 ```
+The checkov scan will result in a pipeline failure for any identified rule violations. To suppress checkov rules within your cloudformation template place a `# checkov:skip=[Rule To Skip]` within the impacted resource. Example:
+
+```yaml
+Resources:
+  MyDB:
+    Type: 'AWS::RDS::DBInstance'
+    # Test case for check skip via comment
+    # checkov:skip=CKV_AWS_16:Ensure all data stored in the RDS is securely encrypted at rest
+    Properties:
+      DBName: 'mydb'
+      DBInstanceClass: 'db.t3.micro'
+      Engine: 'mysql'
+      MasterUsername: 'master'
+      MasterUserPassword: 'password'
+```
 
 > **Note:** it is possible to simple combine the two examples above into a single file which will run all tests as individual jobs. Reference [all-security-scans.yml](workflow-examples/all-security-scans.yml)