feat: Add exclude-ignores flag and --config-file attribute (#1839)

* Add exclude-ignores flag and config

* Update defsec

* Add vendor to git ignore

* Run make publish-docs

* Run  make  update-defsec

.gitignore

@@ -2,6 +2,7 @@
 /tfsec-docs
 /bin
 /.idea
+vendor/
 
 # ignore windows compiled binary
 /tfsec.exe

docs/checks/aws/api-gateway/enable-cache-encryption/index.md

@@ -38,6 +38,7 @@ The following example will fail the aws-api-gateway-enable-cache-encryption chec
    settings {
      metrics_enabled = true
      logging_level   = "INFO"
+     caching_enabled = true
      cache_data_encrypted = false
    }
  }
@@ -67,6 +68,7 @@ The following example will pass the aws-api-gateway-enable-cache-encryption chec
    settings {
      metrics_enabled = true
      logging_level   = "INFO"
+     caching_enabled = true
      cache_data_encrypted = true
    }
  }

docs/checks/aws/api-gateway/no-public-access/index.md

@@ -26,6 +26,10 @@ The following example will fail the aws-api-gateway-no-public-access check.
 	
  }
 
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
  resource "aws_api_gateway_method" "bad_example" {
    rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
    resource_id   = aws_api_gateway_resource.MyDemoResource.id
@@ -46,6 +50,10 @@ The following example will pass the aws-api-gateway-no-public-access check.
 	
  }
 
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+	rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
  resource "aws_api_gateway_method" "good_example" {
    rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
    resource_id   = aws_api_gateway_resource.MyDemoResource.id

docs/checks/aws/dynamodb/enable-at-rest-encryption/index.md

@@ -1,14 +1,14 @@
 ---
-title: DAX Cluster should always encrypt data at rest
+title: DAX Cluster and tables should always encrypt data at rest
 ---
 
-# DAX Cluster should always encrypt data at rest
+# DAX Cluster and tables should always encrypt data at rest
 
 ### Default Severity: <span class="severity high">high</span>
 
 ### Explanation
 
-Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
+Amazon DynamoDB Accelerator (DAX) and table encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
 
 ### Possible Impact
 Data can be freely read if compromised

docs/checks/aws/dynamodb/index.md

@@ -7,7 +7,7 @@ title: dynamodb
 ## Checks
 
 
-- [enable-at-rest-encryption](enable-at-rest-encryption) DAX Cluster should always encrypt data at rest
+- [enable-at-rest-encryption](enable-at-rest-encryption) DAX Cluster and tables should always encrypt data at rest
 
 - [enable-recovery](enable-recovery) Point in time recovery should be enabled to protect DynamoDB table
 

docs/checks/aws/ec2/add-description-to-security-group-rule/index.md

@@ -0,0 +1,74 @@
+---
+title: Missing description for security group rule.
+---
+
+# Missing description for security group rule.
+
+### Default Severity: <span class="severity low">low</span>
+
+### Explanation
+
+Security group rules should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Possible Impact
+Descriptions provide context for the firewall rule reasons
+
+### Suggested Resolution
+Add descriptions for all security groups rules
+
+
+### Insecure Example
+
+The following example will fail the aws-ec2-add-description-to-security-group-rule check.
+```terraform
+
+ resource "aws_security_group" "bad_example" {
+   name        = "http"
+ 
+   ingress {
+     from_port   = 80
+     to_port     = 80
+     protocol    = "tcp"
+     cidr_blocks = [aws_vpc.main.cidr_block]
+   }
+ }
+ 
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-ec2-add-description-to-security-group-rule check.
+```terraform
+
+ resource "aws_security_group" "good_example" {
+   name        = "http"
+   description = "Allow inbound HTTP traffic"
+ 
+   ingress {
+     description = "HTTP from VPC"
+     from_port   = 80
+     to_port     = 80
+     protocol    = "tcp"
+     cidr_blocks = [aws_vpc.main.cidr_block]
+   }
+ }
+ 
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html](https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/ec2/add-description-to-security-group/index.md

@@ -0,0 +1,76 @@
+---
+title: Missing description for security group.
+---
+
+# Missing description for security group.
+
+### Default Severity: <span class="severity low">low</span>
+
+### Explanation
+
+Security groups should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Possible Impact
+Descriptions provide context for the firewall rule reasons
+
+### Suggested Resolution
+Add descriptions for all security groups
+
+
+### Insecure Example
+
+The following example will fail the aws-ec2-add-description-to-security-group check.
+```terraform
+
+ resource "aws_security_group" "bad_example" {
+   name        = "http"
+   description = ""
+ 
+   ingress {
+     description = "HTTP from VPC"
+     from_port   = 80
+     to_port     = 80
+     protocol    = "tcp"
+     cidr_blocks = [aws_vpc.main.cidr_block]
+   }
+ }
+ 
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-ec2-add-description-to-security-group check.
+```terraform
+
+ resource "aws_security_group" "good_example" {
+   name        = "http"
+   description = "Allow inbound HTTP traffic"
+ 
+   ingress {
+     description = "HTTP from VPC"
+     from_port   = 80
+     to_port     = 80
+     protocol    = "tcp"
+     cidr_blocks = [aws_vpc.main.cidr_block]
+   }
+ }
+ 
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html](https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/ec2/enable-launch-config-at-rest-encryption/index.md

@@ -0,0 +1,58 @@
+---
+title: Launch configuration with unencrypted block device.
+---
+
+# Launch configuration with unencrypted block device.
+
+### Default Severity: <span class="severity high">high</span>
+
+### Explanation
+
+Block devices should be encrypted to ensure sensitive data is held securely at rest.
+
+### Possible Impact
+The block device could be compromised and read from
+
+### Suggested Resolution
+Turn on encryption for all block devices
+
+
+### Insecure Example
+
+The following example will fail the aws-ec2-enable-launch-config-at-rest-encryption check.
+```terraform
+
+ resource "aws_launch_configuration" "bad_example" {
+ 	root_block_device {
+ 		encrypted = false
+ 	}
+ }
+ 
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-ec2-enable-launch-config-at-rest-encryption check.
+```terraform
+
+ resource "aws_launch_configuration" "good_example" {
+ 	root_block_device {
+ 		encrypted = true
+ 	}
+ }
+ 
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/ec2/enable-volume-encryption/index.md

@@ -0,0 +1,66 @@
+---
+title: EBS volumes must be encrypted
+---
+
+# EBS volumes must be encrypted
+
+### Default Severity: <span class="severity high">high</span>
+
+### Explanation
+
+By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.
+
+### Possible Impact
+Unencrypted sensitive data is vulnerable to compromise.
+
+### Suggested Resolution
+Enable encryption of EBS volumes
+
+
+### Insecure Example
+
+The following example will fail the aws-ec2-enable-volume-encryption check.
+```terraform
+
+ resource "aws_ebs_volume" "bad_example" {
+   availability_zone = "us-west-2a"
+   size              = 40
+ 
+   tags = {
+     Name = "HelloWorld"
+   }
+   encrypted = false
+ }
+ 
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-ec2-enable-volume-encryption check.
+```terraform
+
+ resource "aws_ebs_volume" "good_example" {
+   availability_zone = "us-west-2a"
+   size              = 40
+ 
+   tags = {
+     Name = "HelloWorld"
+   }
+   encrypted = true
+ }
+ 
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+