Merge pull request #157 from purple-technology/f/checkov

bauer01 · web-flow · commit 7ac7a64cc9d7 · 2022-07-13T15:03:03.000+02:00
fix(ci): install fixed checkov version and resolved security recommendations ckv_aws_117 and ckv_aws_115
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -116,7 +116,7 @@ jobs:
           command: sudo apt update && sudo apt install python3-pip
       - run:
           name: Install Checkov
-          command: pip3 install -U checkov
+          command: pip3 install -U checkov==2.1.16
       - aws-cli/install
       - run: *commands_assume_aws_role
       - run:
diff --git a/README.md b/README.md
@@ -84,9 +84,9 @@ serverless.settings.yml
 - ❗️ Create an S3 bucket for the serverless deployments and then fill the bucket's name in `common.deploymentBucket`
 - ❗️ Replace `purple-stack.com` in `frontend.domain` with desired domain where you would like your application to be avalible. This domain needs to have a hosted zone in the same AWS account's Route53.
 - ❗️ Create a wilcard certificate in `N. Virginia` region for the `frontend.domain` and fill the certificate ARN to `frontend.certificate`
+- ❗️ Modify the `vpc` in case you need to have your functions inside a VPC (if you need reach to an RDS databases, for example) or replace value with `~` if not
 - 🌀 Modify the `common.projectName` to better identify your application
 - 🌀 Modify the `common.dnsRandomString` to better secure your feature deployments 
-- 🌀 Modify the `vpc` in case you need to have your functions inside a VPC (if you need reach to an RDS databases, for example)
 - 🌀 If you would like to enable monitoring, put a list of stages you would like to monitor in `monitoring.stages` and if you do so, ❗️ fill the `monitoring.topic` with the desired topic ARN
 
 
diff --git a/packages/checkov/.checkov.yaml b/packages/checkov/.checkov.yaml
@@ -24,3 +24,4 @@ skip-check:
 - CKV_AWS_54 # Ensure S3 bucket has block public policy enabled
 - CKV_AWS_53 # Ensure S3 bucket has block public ACLS enabled
 - CKV_AWS_28 # Ensure Dynamodb point in time recovery (backup) is enabled
+- CKV_AWS_115 # Ensure AWS Lambda function is configured for function-level concurrent execution limit
diff --git a/serverless.settings.yml b/serverless.settings.yml
@@ -12,11 +12,11 @@ ci:
   prodAwsRole: arn:aws:iam::000000000000:role/ReplaceCiRole
   stagingAwsRole: arn:aws:iam::000000000000:role/ReplaceCiRole
 
-vpc: ~
-  # securityGroupIds:
-  #   - SC_ID
-  # subnetIds:
-  #   - SUBNET_ID
+vpc:
+  securityGroupIds:
+    - SC_ID
+  subnetIds:
+    - SUBNET_ID
 
 monitoring:
   stages:
