SecurityHub Updates (#401)

Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Jan 27, 2024 · 288b411 · 288b411
1 parent eab50c3
commit 288b411
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 3 deletions.
diff --git a/charts/policy-reporter/config.yaml b/charts/policy-reporter/config.yaml
@@ -280,6 +280,7 @@ securityHub:
   secretAccessKey:  {{ .Values.target.securityHub.secretAccessKey }}
   secretRef: {{ .Values.target.securityHub.secretRef | quote }}
   mountedSecret: {{ .Values.target.securityHub.mountedSecret | quote }}
+  productName: {{ .Values.target.securityHub.productName | quote }}
   region: {{ .Values.target.securityHub.region }}
   endpoint: {{ .Values.target.securityHub.endpoint }}
   streamName: {{ .Values.target.securityHub.streamName }}

diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml
@@ -646,6 +646,8 @@ target:
     endpoint: ""
     # AWS accountID
     accountID: ""
+    # Used product name, defaults to "Polilcy Reporter"
+    productName: ""
     # minimum priority "" < info < warning < critical < error
     minimumPriority: ""
     # list of sources which should send to S3

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -205,6 +205,7 @@ type SecurityHub struct {
 	TargetBaseOptions `mapstructure:",squash"`
 	AWSConfig         `mapstructure:",squash"`
 	AccountID         string         `mapstructure:"accountId"`
+	ProductName       string         `mapstructure:"productName"`
 	Channels          []*SecurityHub `mapstructure:"channels"`
 }
 

diff --git a/pkg/config/target_factory.go b/pkg/config/target_factory.go
@@ -700,7 +700,7 @@ func (f *TargetFactory) createSecurityHub(config, parent *SecurityHub) target.Cl
 	}
 
 	setFallback(&config.AccountID, parent.AccountID)
-	if config.AccountID == "" {
+	if !hasAWSIdentity() && config.AccountID == "" {
 		return nil
 	}
 
@@ -723,12 +723,15 @@ func (f *TargetFactory) createSecurityHub(config, parent *SecurityHub) target.Cl
 
 	sugar.Infof("%s configured", config.Name)
 
+	setFallback(&config.ProductName, parent.ProductName, "Policy Reporter")
+
 	return securityhub.NewClient(securityhub.Options{
 		ClientOptions: config.ClientOptions(),
 		CustomFields:  config.CustomFields,
 		Client:        client,
 		AccountID:     config.AccountID,
 		Region:        config.Region,
+		ProductName:   config.ProductName,
 	})
 }
 

diff --git a/pkg/target/securityhub/securityhub.go b/pkg/target/securityhub/securityhub.go
@@ -20,6 +20,7 @@ type Options struct {
 	Client       *hub.Client
 	AccountID    string
 	Region       string
+	ProductName  string
 }
 
 type client struct {
@@ -28,6 +29,7 @@ type client struct {
 	hub          *hub.Client
 	accountID    string
 	region       string
+	productName  string
 }
 
 func (c *client) Send(result v1alpha2.PolicyReportResult) {
@@ -43,11 +45,16 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) {
 
 	t := time.Unix(result.Timestamp.Seconds, int64(result.Timestamp.Nanos))
 
+	var accID *string
+	if c.accountID != "" {
+		accID = toPointer(c.accountID)
+	}
+
 	res, err := c.hub.BatchImportFindings(context.TODO(), &hub.BatchImportFindingsInput{
 		Findings: []types.AwsSecurityFinding{
 			{
 				Id:            &result.ID,
-				AwsAccountId:  &c.accountID,
+				AwsAccountId:  accID,
 				SchemaVersion: toPointer("2018-10-08"),
 				ProductArn:    toPointer("arn:aws:securityhub:" + c.region + ":" + c.accountID + ":product/" + c.accountID + "/default"),
 				GeneratorId:   toPointer(fmt.Sprintf("%s/%s", result.Source, generator)),
@@ -60,7 +67,7 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) {
 				Title:       &title,
 				Description: &result.Message,
 				ProductFields: map[string]string{
-					"Product Name": "Policy Reporter",
+					"Product Name": c.productName,
 				},
 				Resources: []types.Resource{
 					{
@@ -136,6 +143,7 @@ func NewClient(options Options) target.Client {
 		options.Client,
 		options.AccountID,
 		options.Region,
+		options.ProductName,
 	}
 }