Skip to content

test: add deliberately vulnerable terraform file to trigger Polaris scan#3

Closed
Param-10 wants to merge 2 commits into
mainfrom
polaris-scan-test
Closed

test: add deliberately vulnerable terraform file to trigger Polaris scan#3
Param-10 wants to merge 2 commits into
mainfrom
polaris-scan-test

Conversation

@Param-10

Copy link
Copy Markdown
Owner

This file contains two intentional issues:

  • S3 bucket with public-read ACL
  • Security group allowing SSH from 0.0.0.0/0

Used to verify the deployed Polaris GitHub App webhook + scanner pipeline.

This file contains two intentional issues:
- S3 bucket with public-read ACL
- Security group allowing SSH from 0.0.0.0/0

Used to verify the deployed Polaris GitHub App webhook + scanner pipeline.

Made-with: Cursor

@polaris-infra polaris-infra Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IaC Security Scan 🔴 CRITICAL

The infrastructure changes introduce critical security vulnerabilities, including a publicly accessible S3 bucket and unrestricted SSH access from the internet, which could lead to data exposure and unauthorized system access.

Severity Count
🔴 Critical 1
🟠 High 1

Powered by IaC Security Scanner + Gemini

Comment thread test.tf Outdated
@@ -0,0 +1,15 @@
resource "aws_s3_bucket" "demo" {
bucket = "polaris-test-bucket-demo"
acl = "public-read"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 [CRITICAL] S3 bucket ACL is public-read

The S3 bucket is configured with a 'public-read' ACL, making all objects within the bucket accessible to anyone on the internet.

Risk: Threat: Unauthorized data exfiltration. Impact: Exposure of sensitive data stored in the bucket to the public internet, potentially leading to data breaches and compliance violations.

Suggested fix ✅ verified:

--- test.tf
+++ test.tf
@@ -1,4 +1,4 @@
 resource "aws_s3_bucket" "demo" {
   bucket = "polaris-test-bucket-demo"
-  acl    = "public-read"
+  acl    = "private"
 }

Changed the ACL from 'public-read' to 'private' to ensure the bucket is not accessible to the public. Access should be managed via IAM policies or Bucket Policies.

Comment thread test.tf
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [HIGH] TF001: Open ingress CIDR 0.0.0.0/0

Security group allows unrestricted inbound SSH traffic (port 22) from any IP address on the internet.

Risk: Threat: Brute-force attacks or exploitation of SSH vulnerabilities. Impact: Potential full compromise of the EC2 instances associated with this security group by unauthorized actors.

Suggested fix ✅ verified:

--- test.tf
+++ test.tf
@@ -10,6 +10,6 @@
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["10.0.0.0/8"] # Example: Restrict to internal network
   }
 }

Restricted the CIDR block to a specific internal network range. Replace '10.0.0.0/8' with your actual corporate IP range or a specific bastion host IP.

Applied via Polaris one-click auto-fix from scan #1.
@vercel

vercel Bot commented Apr 29, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
polaris Ready Ready Preview, Comment Apr 29, 2026 0:30am

@polaris-infra polaris-infra Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IaC Security Scan 🟠 HIGH

The infrastructure changes introduce a significant security risk by exposing SSH (port 22) to the entire internet and lack proactive security controls for the S3 bucket.

Severity Count
🟠 High 1
🟡 Medium 1

Powered by IaC Security Scanner + Gemini

Comment thread test.tf
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [HIGH] TF001: Open ingress CIDR 0.0.0.0/0

The security group allows inbound SSH traffic from any IP address (0.0.0.0/0).

Risk: Threat: Brute-force attacks and unauthorized remote access attempts. Impact: Potential full system compromise of any instance associated with this security group.

Suggested fix ✅ verified:

--- test.tf
+++ test.tf
@@ -10,3 +10,3 @@
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["10.0.0.0/8"] # Replace with your corporate network range
   }

Restrict the CIDR block to a known, trusted internal network range or a specific management IP.

Comment thread test.tf
@@ -0,0 +1,15 @@
resource "aws_s3_bucket" "demo" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [MEDIUM] S3 bucket missing public access block

The S3 bucket is defined without a public access block resource, relying only on the legacy ACL.

Risk: Threat: Accidental data exposure due to future bucket policy changes. Impact: Loss of data confidentiality if the bucket is made public.

Suggested fix ✅ verified:

resource "aws_s3_bucket_public_access_block" "demo" {
  bucket = aws_s3_bucket.demo.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Adding an explicit public access block is the AWS-recommended way to prevent accidental public exposure of S3 data.

@Param-10 Param-10 closed this Apr 29, 2026
@Param-10 Param-10 deleted the polaris-scan-test branch April 29, 2026 00:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant