test: add deliberately vulnerable terraform file to trigger Polaris scan#3
test: add deliberately vulnerable terraform file to trigger Polaris scan#3Param-10 wants to merge 2 commits into
Conversation
This file contains two intentional issues: - S3 bucket with public-read ACL - Security group allowing SSH from 0.0.0.0/0 Used to verify the deployed Polaris GitHub App webhook + scanner pipeline. Made-with: Cursor
There was a problem hiding this comment.
IaC Security Scan 🔴 CRITICAL
The infrastructure changes introduce critical security vulnerabilities, including a publicly accessible S3 bucket and unrestricted SSH access from the internet, which could lead to data exposure and unauthorized system access.
| Severity | Count |
|---|---|
| 🔴 Critical | 1 |
| 🟠 High | 1 |
Powered by IaC Security Scanner + Gemini
| @@ -0,0 +1,15 @@ | |||
| resource "aws_s3_bucket" "demo" { | |||
| bucket = "polaris-test-bucket-demo" | |||
| acl = "public-read" | |||
There was a problem hiding this comment.
🔴 [CRITICAL] S3 bucket ACL is public-read
The S3 bucket is configured with a 'public-read' ACL, making all objects within the bucket accessible to anyone on the internet.
Risk: Threat: Unauthorized data exfiltration. Impact: Exposure of sensitive data stored in the bucket to the public internet, potentially leading to data breaches and compliance violations.
Suggested fix ✅ verified:
--- test.tf
+++ test.tf
@@ -1,4 +1,4 @@
resource "aws_s3_bucket" "demo" {
bucket = "polaris-test-bucket-demo"
- acl = "public-read"
+ acl = "private"
}
Changed the ACL from 'public-read' to 'private' to ensure the bucket is not accessible to the public. Access should be managed via IAM policies or Bucket Policies.
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
There was a problem hiding this comment.
🟠 [HIGH] TF001: Open ingress CIDR 0.0.0.0/0
Security group allows unrestricted inbound SSH traffic (port 22) from any IP address on the internet.
Risk: Threat: Brute-force attacks or exploitation of SSH vulnerabilities. Impact: Potential full compromise of the EC2 instances associated with this security group by unauthorized actors.
Suggested fix ✅ verified:
--- test.tf
+++ test.tf
@@ -10,6 +10,6 @@
from_port = 22
to_port = 22
protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["10.0.0.0/8"] # Example: Restrict to internal network
}
}
Restricted the CIDR block to a specific internal network range. Replace '10.0.0.0/8' with your actual corporate IP range or a specific bastion host IP.
Applied via Polaris one-click auto-fix from scan #1.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
IaC Security Scan 🟠 HIGH
The infrastructure changes introduce a significant security risk by exposing SSH (port 22) to the entire internet and lack proactive security controls for the S3 bucket.
| Severity | Count |
|---|---|
| 🟠 High | 1 |
| 🟡 Medium | 1 |
Powered by IaC Security Scanner + Gemini
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
There was a problem hiding this comment.
🟠 [HIGH] TF001: Open ingress CIDR 0.0.0.0/0
The security group allows inbound SSH traffic from any IP address (0.0.0.0/0).
Risk: Threat: Brute-force attacks and unauthorized remote access attempts. Impact: Potential full system compromise of any instance associated with this security group.
Suggested fix ✅ verified:
--- test.tf
+++ test.tf
@@ -10,3 +10,3 @@
protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["10.0.0.0/8"] # Replace with your corporate network range
}
Restrict the CIDR block to a known, trusted internal network range or a specific management IP.
| @@ -0,0 +1,15 @@ | |||
| resource "aws_s3_bucket" "demo" { | |||
There was a problem hiding this comment.
🟡 [MEDIUM] S3 bucket missing public access block
The S3 bucket is defined without a public access block resource, relying only on the legacy ACL.
Risk: Threat: Accidental data exposure due to future bucket policy changes. Impact: Loss of data confidentiality if the bucket is made public.
Suggested fix ✅ verified:
resource "aws_s3_bucket_public_access_block" "demo" {
bucket = aws_s3_bucket.demo.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
Adding an explicit public access block is the AWS-recommended way to prevent accidental public exposure of S3 data.
This file contains two intentional issues:
Used to verify the deployed Polaris GitHub App webhook + scanner pipeline.