Reputation: 43
Amazon Inspector not detecting code vulnerability with transpiled Typescript file to Javascript on Lambda function
We created a test Typescript with an obvious code vulnerability (hardcoded credentials). AWS Lambda doesn't support Typescript so we transpile it to be Javascript. We then export our zipped build file to a Lambda function, when testing in Lambda, it runs, however Amazon Inspector doesn't seem to detect the code vulnerability.
What could be the reason behind this? Is anyone here experiencing the same issue with us? How did you make it work, or a work-around?
Upvotes: 0
Views: 174
Answers (1)
Reputation: 887
Amazon Inspector is a tool designed to analyze the security of your applications deployed on AWS. However, it might not always detect all types of vulnerabilities, especially those related to code specifics like hardcoded credentials. Here are some reasons why Amazon Inspector might not be detecting the hardcoded credentials in your Lambda function:
- Focus on Infrastructure Vulnerabilities: Amazon Inspector primarily focuses on identifying vulnerabilities in your AWS resources, such as EC2 instances, by checking against known CVEs (Common Vulnerabilities and Exposures) and security best practices. It might not be tailored to detect application-specific vulnerabilities like hardcoded credentials.
- Transpilation Complexity: When you transpile TypeScript to JavaScript, the resulting code might be different enough from typical patterns that Inspector checks, making it harder for the tool to recognize certain vulnerabilities.
- Code Scanning Limitations: Static analysis tools, including Amazon Inspector, have limitations and might not catch every potential security issue, especially if those issues are embedded within the code logic in non-standard ways.
- Scope of Analysis: Amazon Inspector might not be configured to analyze the source code of Lambda functions as thoroughly as it does for EC2 instances or other AWS resources.
Possible Solutions and Workarounds Here are some steps you can take to address this issue and ensure your Lambda function code is secure:
Use Specialized Code Scanners: Use specialized static code analysis tools designed for identifying code vulnerabilities, such as:
- SonarQube: Integrates with CI/CD pipelines and can detect hardcoded credentials.
- ESLint with Security Plugins: Can analyze your TypeScript code for security issues before transpilation.
- Snyk: Can be used to scan your code for known vulnerabilities and hardcoded secrets.
Manual Code Reviews: Conduct regular manual code reviews to ensure that no hardcoded credentials or other security vulnerabilities exist in your code.
Secrets Management: Use AWS Secrets Manager or AWS Systems Manager Parameter Store to manage and securely access secrets and credentials in your Lambda functions, rather than hardcoding them in your source code.
Security Best Practices: Follow security best practices for serverless applications, such as:
- Avoid hardcoding credentials.
- Implement environment variable-based configurations.
- Regularly update dependencies and libraries.
Lambda Layers: Use Lambda Layers to separate dependencies and secrets from your main code, allowing for better management and security practices.
Upvotes: 1
Related Questions
- Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
- Copy an object from the webkit inspector as code
- How do I measure the execution time of JavaScript code with callbacks?
- How can I get file extensions with JavaScript?
- Angular HTTP GET with TypeScript error http.get(...).map is not a function in [null]
- "Access key does not exist" when generating pre-signed S3 URL from Lambda function
- Loading large python packages into AWS lambda function
- AWS Lambda function with Node issue
- How do I configure an Amazon AWS Lambda function to prevent tailing the log in the response?