AureliaSRS Security Scanner - Vulnerability Report
================================================

Artifact:     s3-bucket-module-v1.0.0.tar.gz
Digest:       sha256:abc123def456789012345678901234567890abcdef123456789012345678901234
Scan Time:    2026-01-15T11:00:00Z
Scanner:      Trivy v0.48.3
Scan Engine:  trivy-verify v0.5.3
Report ID:    report-20260115-110000-abc123

================================================================================
EXECUTIVE SUMMARY
================================================================================

Overall Status:           PASSED
Critical Vulnerabilities: 0
High Vulnerabilities:     0
Medium Vulnerabilities:   0
Low Vulnerabilities:      2
Informational:            3

Risk Rating:    LOW
Recommendation: APPROVED FOR PRODUCTION USE

================================================================================
VULNERABILITY DETAILS
================================================================================

--- Low Severity (2 findings) ---

[LOW-001] Outdated Dependency Version
  Package:         example-lib
  Current Version: 1.2.3
  Fixed Version:   1.2.4
  Description:     Minor version update available with non-security improvements
  CVSS Score:      3.1 (Low)
  Recommendation:  Update to latest patch version in next maintenance cycle
  Impact:          Minimal - no known exploits

[LOW-002] Deprecated Function Usage
  Location:        modules/storage/bucket.tf
  Function:        aws_s3_bucket.policy (inline)
  Description:     Terraform AWS provider recommends using aws_s3_bucket_policy resource
  CVSS Score:      2.5 (Low)
  Recommendation:  Refactor to use separate policy resource
  Impact:          None - functional deprecation only, no security risk

--- Informational (3 findings) ---

[INFO-001] Security Best Practice
  Check:   S3 Bucket Encryption
  Status:  PASS
  Details: All S3 buckets configured with AES-256 encryption by default

[INFO-002] Security Best Practice
  Check:   S3 Bucket Versioning
  Status:  PASS
  Details: Versioning enabled on all buckets for data recovery

[INFO-003] Security Best Practice
  Check:   S3 Bucket Logging
  Status:  PASS
  Details: Access logging configured for audit trail

================================================================================
DEPENDENCY SCAN
================================================================================

Total Dependencies Scanned: 47
Direct Dependencies:        12
Transitive Dependencies:    35
Vulnerable Dependencies:    0
Outdated Dependencies:      1 (see LOW-001)

Latest Dependency Versions:
  ✓ terraform-aws-modules/s3-bucket/aws: 3.15.1 (latest)
  ✓ hashicorp/terraform: 1.6.6 (latest stable)
  ⚠ example-lib: 1.2.3 (1.2.4 available)

================================================================================
LICENSE COMPLIANCE
================================================================================

License Scan:         PASS
Total Licenses Found: 8

Approved Licenses:
  - MIT License (35 packages)
  - Apache 2.0 (10 packages)
  - BSD-3-Clause (2 packages)

No GPL or Copyleft licenses detected.

================================================================================
CODE QUALITY ANALYSIS
================================================================================

Static Analysis: PASS
  - No hard-coded credentials detected
  - No exposed secrets or API keys
  - No SQL injection vectors
  - No command injection risks

Terraform Linting (tflint): PASS
  - 0 errors
  - 0 warnings
  - All resources follow naming conventions
  - All required tags present

Infrastructure Security (tfsec): PASS
  - No critical issues
  - No high-severity issues
  - No medium-severity issues
  - 2 low-severity recommendations (listed above)

================================================================================
SUPPLY CHAIN SECURITY
================================================================================

SBOM Verification: PASS
  - All dependencies match declared SBOM
  - No unexpected packages found
  - All checksums verified

Provenance Verification: PASS
  - Build reproducibility confirmed
  - Source repository verified
  - Builder identity validated
  - Cryptographic signatures valid

Transparency Log: PASS
  - Artifact logged in Sigstore Rekor
  - Timestamp verified
  - Merkle tree inclusion proof valid

================================================================================
COMPLIANCE CHECKS
================================================================================

SLSA Level 3: PASS
  ✓ Build platform verified
  ✓ Hermetic build process
  ✓ Provenance available
  ✓ Non-falsifiable provenance

CIS Benchmarks: PASS
  ✓ S3 bucket security (CIS AWS 2.1.1)
  ✓ Encryption at rest (CIS AWS 2.1.2)
  ✓ Access logging (CIS AWS 2.1.3)

NIST SP 800-53: COMPLIANT
  ✓ Access Control (AC-*)
  ✓ Audit and Accountability (AU-*)
  ✓ System and Communications Protection (SC-*)

================================================================================
RECOMMENDATIONS
================================================================================

Immediate Actions Required: NONE

Suggested Improvements:
  1. Update example-lib to 1.2.4 in next maintenance cycle (LOW-001)
  2. Refactor inline bucket policies to separate resources (LOW-002)
  3. Consider adding automated dependency update workflow

Next Security Scan: 2026-01-22T11:00:00Z (7 days)

================================================================================
APPROVAL
================================================================================

Security Verdict: APPROVED FOR PRODUCTION USE

This Terraform module has passed all critical security checks and meets
organizational security standards. The identified low-severity findings do not
pose immediate security risks and can be addressed in normal maintenance cycles.

Approved By:      AureliaSRS Security Team
Approval Date:    2026-01-15T11:30:00Z
Report Signature: sha256:report789abc012345678901234567890abcdef123456789

For questions about this security report, contact:
  Email: security@aureliasrs.ca
  Web:   https://provenance.aureliasrs.ca/

================================================================================
End of Security Report
Generated:             2026-01-15T11:00:15Z
Scanner:               Trivy v0.48.3
Report Format Version: 1.0
================================================================================