terraform.gcp.security.gcp-artifact-registry-private-repo-iam-member.gcp-artifact-registry-private-repo-iam-member

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure that Artifact Registry repositories are not anonymously or publicly accessible

Run Locally

Run in CI

Defintion

rules:
  - id: gcp-artifact-registry-private-repo-iam-member
    patterns:
      - pattern: resource
      - pattern-either:
          - pattern-inside: |
              resource "google_artifact_registry_repository_iam_member" "..." {
              ...
              member = "allUsers"
              ...
              }
          - pattern-inside: |
              resource "google_artifact_registry_repository_iam_member" "..." {
              ...
              member = "allAuthenticatedUsers"
              ...
              }
    message: "Ensure that Artifact Registry repositories are not anonymously or
      publicly accessible\t"
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://docs.bridgecrew.io/docs/google-cloud-policy-index
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

gcp-artifact-registry-private-repo-iam-member.tf

# ok: gcp-artifact-registry-private-repo-iam-member
resource "google_artifact_registry_repository_iam_member" "pass1" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/viewer"
  member = "user:jane@example.com"
}

# ok: gcp-artifact-registry-private-repo-iam-member
resource "google_artifact_registry_repository_iam_member" "pass2" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/viewer"
  member = "domain:example.com"
}

# fail
# ruleid: gcp-artifact-registry-private-repo-iam-member
resource "google_artifact_registry_repository_iam_member" "fail1" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/viewer"
  member  = "allAuthenticatedUsers"
}

# fail
# ruleid: gcp-artifact-registry-private-repo-iam-member
resource "google_artifact_registry_repository_iam_member" "fail2" {
  provider = google-beta
  location = google_artifact_registry_repository.my-repo.location
  repository = google_artifact_registry_repository.my-repo.name
  role = "roles/viewer"
  member  = "allUsers"
}