feat(query): add OIDC trust policy misconfiguration queries for AWS IAM#8023
Open
cx-antero-silva wants to merge 2 commits into Checkmarx:master from
Conversation
…AM roles

Adds two new Terraform/AWS queries addressing GitHub issue Checkmarx#6702:

- IAM Role OIDC Trust Missing Sub Condition: detects AssumeRoleWithWebIdentity trust policies with no condition restricting the OIDC 'sub' claim, allowing any identity from the provider to assume the role.
- IAM Role OIDC Trust Wildcard Sub Condition: detects AssumeRoleWithWebIdentity trust policies where StringLike is used with a 'sub' value that wildcards the repository/project segment (e.g. 'repo:*', 'project_path:*:...'), allowing any CI/CD pipeline on the OIDC provider to assume the role.

Both queries cover aws_iam_role (inline JSON) and aws_iam_policy_document (HCL). Supports GitHub Actions, GitLab CI, CircleCI, and Bitbucket OIDC providers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Closes #6702
Adds two new Terraform/AWS queries to detect OIDC role trust policy misconfigurations between AWS IAM and CI/CD providers (GitHub Actions, GitLab CI, CircleCI, Bitbucket).
- IAM Role OIDC Trust Missing Sub Condition (HIGH): Detects `AssumeRoleWithWebIdentity` trust policies with no condition restricting the OIDC `sub` (subject) claim, or a condition that only checks `aud` but not `sub`. Without this guard, any identity that can obtain a token from the OIDC provider can assume the role.
- IAM Role OIDC Trust Wildcard Sub Condition (HIGH): Detects trust policies where `StringLike` is used on the `sub` claim with a value that wildcards the org/project segment — e.g. `repo:*` (any GitHub repo) or `project_path:*:ref_type:branch:ref:*` (any GitLab project on any branch). Allows `repo:myorg/myrepo:ref:refs/heads/*` as it scopes to a specific repo.

Both queries cover `aws_iam_role` (inline JSON heredoc) and `data "aws_iam_policy_document"` HCL data sources.

I submit this contribution under the Apache-2.0 license.
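The two checks described in the PR, as an added Python example that is not the PR's own Rego queries or any KICS code. It assumes the GitHub (`repo:`) and GitLab (`project_path:`) subject formats named in the description and uses constructed sample trust policies of the kind an `aws_iam_role` JSON heredoc carries.

```python
# Assumed subject formats (not the PR's Rego): the segment after the GitHub 'repo' or GitLab
# 'project_path' prefix names the org/repo or group/project; a '*' there admits every pipeline.
SCOPED_PREFIXES = ("repo", "project_path")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_sub(value):
    """True if a StringLike 'sub' value leaves the repository/project segment open."""
    parts = value.split(":")
    return parts[0] == "*" or (len(parts) > 1 and parts[0] in SCOPED_PREFIXES and "*" in parts[1])


def find_oidc_trust_issues(policy):
    """Return (issue, detail) tuples for AssumeRoleWithWebIdentity statements that have no
    'sub' condition (an 'aud'-only condition does not count) or a wildcarded StringLike 'sub'."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        sub_conditions = []  # (operator, values) for every '<issuer>:sub' condition key
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower().endswith(":sub"):
                    sub_conditions.append((operator, _as_list(values)))
        if not sub_conditions:
            issues.append(("missing_sub_condition", stmt.get("Sid", "<no Sid>")))
        for operator, values in sub_conditions:
            if operator.lower() == "stringlike":
                issues.extend(("wildcard_sub_condition", v) for v in values if is_wildcard_sub(v))
    return issues


def github_trust_policy(condition):
    """Constructed GitHub Actions trust policy (the kind an aws_iam_role heredoc carries)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "GitHubActions", "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Condition": condition}]}


AUD, SUB = "token.actions.githubusercontent.com:aud", "token.actions.githubusercontent.com:sub"
SAMPLES = {  # aud-only, any-repo wildcard, and a sub scoped to one repo (the form the PR allows)
    "aud_only": github_trust_policy({"StringEquals": {AUD: "sts.amazonaws.com"}}),
    "any_repo": github_trust_policy({"StringEquals": {AUD: "sts.amazonaws.com"}, "StringLike": {SUB: "repo:*"}}),
    "scoped": github_trust_policy({"StringEquals": {AUD: "sts.amazonaws.com"},
                                   "StringLike": {SUB: "repo:myorg/myrepo:ref:refs/heads/*"}}),
}


def run_samples():
    """Map each constructed sample to the issues found; only 'scoped' should come back clean."""
    return {name: find_oidc_trust_issues(policy) for name, policy in SAMPLES.items()}
```

Running `run_samples()` flags the aud-only policy as missing a `sub` condition and the `repo:*` policy as wildcarded, while the repo-scoped policy passes.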