Converts driftctl json output to AWS Security Hub asff format. Runnable as an AWS ECS Task via ECR.
This works, but you may want to customize it for your needs. PRs welcome.
https://docs.driftctl.com/0.35.0/usage/cmd/scan-usage#structure-1 https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html
- Terraform examples to get this up and running
- Tests
- Installable github action?
- Terraform module?
Open in VS Code as a remote container.
Assuming your default aws profile has the creds to scan, access tf state, and push to security hub:
driftctl scan --from tfstate+s3://my-bucket/path/to/state.tfstate --output json://data/real-output.json
python driftctl2asff.py 123456 us-west-2 data/real-output.json > asff.json
aws securityhub batch-import-findings --cli-input-json "$(<asff.json)"
- Make sure you have an ECR repository set up, and that Github has the ability to push to it (Terraform example coming soon)
- Take the
github-actions-ci-sample.yamlas a template to make something in.github/workflows/driftctl-ci.yaml. Mind the veraibles towards the top! - Enjoy as you get an images pushed to ECR as a result of each PR merge to
mainwherever your infra-as-code lives, for driftctl. - Run this image as a scheduled job in ECS with the right permissions, and enjoy results of driftctl appearing in your Security Hub.(Terraform example coming soon)
- Triage and fix all the wild things in your AWS tenant that should be ignored, or add them to code.