v2.5.2: Update GHA Versions

What's Changed

• Update Docker Dependencies by @gabrielsoltz in #170
• Updae Alpine to 321 by @gabrielsoltz in #171
• Update Github Actions by @gabrielsoltz in #172

Full Changelog: v2.5.1...v2.5.2

v2.5.1: Dependencies Updates

What's Changed

• Bump boto3 from 1.34.75 to 1.34.109 by @dependabot in #116
• Bump jinja2 from 3.1.3 to 3.1.4 by @dependabot in #113
• Bump safety from 3.1.0 to 3.2.0 by @dependabot in #112
• Bump jinja2 from 3.1.3 to 3.1.4 by @dependabot in #111
• Bump black from 24.3.0 to 24.4.2 by @dependabot in #109
• Bump aws-arn from 0.0.17 to 0.0.19 by @dependabot in #106
• Bump boto3 from 1.34.109 to 1.34.113 by @dependabot in #117
• Fix Bugs and Add more dashboards by @gabrielsoltz in #118
• update-docker-dependencies by @gabrielsoltz in #119
• Bump bandit from 1.7.8 to 1.7.9 by @dependabot in #126
• Bump boto3 from 1.34.113 to 1.34.128 by @dependabot in #125
• Bump flake8 from 7.0.0 to 7.1.0 by @dependabot in #124
• Bump safety from 3.2.0 to 3.2.3 by @dependabot in #122
• Bump boto3 from 1.34.128 to 1.35.20 by @dependabot in #147
• Bump rich from 13.7.1 to 13.8.1 by @dependabot in #146
• Bump safety from 3.2.3 to 3.2.7 by @dependabot in #144
• Bump flake8 from 7.1.0 to 7.1.1 by @dependabot in #136
• Bump black from 24.4.2 to 24.8.0 by @dependabot in #135
• Bump boto3 from 1.35.20 to 1.35.82 by @dependabot in #169
• Bump safety from 3.2.7 to 3.2.13 by @dependabot in #168
• Bump vulture from 2.11 to 2.14 by @dependabot in #167
• Bump bandit from 1.7.9 to 1.8.0 by @dependabot in #165
• Bump pyyaml from 6.0.1 to 6.0.2 by @dependabot in #149

Full Changelog: v2.5.0...v2.5.1

v2.5.0: SQLite and PowerPipe Dashboards Mod!

MetaHub now supports SQLite, so you can use it with PowerPipe for dashboarding!
A Powerpipe mod with 3 dashboards is now included as part of the tool!

Some other improvements, like not exiting on errors and enhancements to the ElasticCache resource.

What's Changed

• improve-elastic-cachche by @gabrielsoltz in #96
• Bump boto3 from 1.34.65 to 1.34.70 by @dependabot in #95
• Bump aws-arn from 0.0.16 to 0.0.17 by @dependabot in #94
• dont-exit-on-errors by @gabrielsoltz in #97
• associations-cache_clusters by @gabrielsoltz in #98
• New SQLite Output and Powerpipe Mod! by @gabrielsoltz in #101
• Bump safety from 3.0.1 to 3.1.0 by @dependabot in #100
• Bump boto3 from 1.34.70 to 1.34.75 by @dependabot in #99

Full Changelog: v2.4.3...v2.5.0

v2.4.3

New filters! You can now filter by Impact keys using the option --mh-filters-impact (in addition to --mh-filters-tags, --mh-filters-config and security hub filters --sh-filters

Examples:

Filter all Security Findings affecting resources with exposure calculated as effectively-public: ./metahub --mh-filters-impact exposure=effectively-public

Filter all Security Findings affecting resources with status calculated as not-attached: ./metahub --mh-filters-impact status=not-attached

Other changes:

• Implement different ASFF fixing mechanisms, as some sources are not correctly generating the outputs. For example, fixing Region when it is not present and fixing Resource Type when it is incorrect.
• Some improvements in error handling
• For some time already, AWS Security Hub has added Tags to the affected resources 🥳 The code will check if the Tags are present as part of the Resources Details, and avoid fetching the API if they are already there.
• New Resource Type: Container, for now, we check if there is a policy attached
• Improved README with examples on how to use MetaHub with PowerPipe, Trivy, and Prowler
• Code quality and improvements

What's Changed

• Implement different ASFF fixing mechanisms and other improvements by @gabrielsoltz in #88
• Bump black from 24.2.0 to 24.3.0 by @dependabot in #91
• Bump boto3 from 1.34.59 to 1.34.65 by @dependabot in #90
• code-improvements by @gabrielsoltz in #92
• New Impact Filters (--mh-filters-impact) by @gabrielsoltz in #93

Full Changelog: v2.4.2...v2.4.3

v2.4.2: fix release issues and update docker

The last release was incomplete due to errors in the docker build process. Now it is fixed, and docker images and dependencies are updated.

What's Changed

• fix-and-update-docker-dependencies by @gabrielsoltz in #86

Full Changelog: v2.4.1...v2.4.2

v2.4.1: Minor fixes and improvements

• New CloudTrail event for AwsEcrRepository
• Improve outputs for Access Impact
• Improve Dependencies version handling

What's Changed

• only-add-statements-once by @gabrielsoltz in #79
• Bump aws-arn from 0.0.10 to 0.0.11 by @dependabot in #80
• Bump aws-arn from 0.0.11 to 0.0.13 by @dependabot in #81
• add-ecr-repository by @gabrielsoltz in #83
• fix-banner-characters by @gabrielsoltz in #84
• pin-dependencies by @gabrielsoltz in #85

New Contributors

• @dependabot made their first contribution in #80

Full Changelog: v2.4.0...v2.4.1

v2.4.0: Accounts improvements for AWS Organizations and more

The AWS account context module has been improved and fixed, and is now enabled by default. Previously, only the AWS Organization admin or delegated admin could fetch AWS Organization information, leading to false positives. This issue has been resolved, and additional AWS organization context, such as parents and policies, has been added.

The CloudFront resource type can now detect s3 associated resources based on its configuration.

Finally, the MetaHub documentation has been completely rewritten.

What's Changed

• cloudfront-s3-associations by @gabrielsoltz in #76
• Account Context Module Improved and Enabled by Default by @gabrielsoltz in #77
• Documentation and Code Improvements by @gabrielsoltz in #78

Full Changelog: v2.3.0...v2.3.1

v2.3.0

For this new version, we have a lot of improvements:

Impact

• owner is a new Impact condition: You can identify the Owner by Tags, Account ID, and Account Alias and assign an impact scoring for each owner.
• Some code improvements to the Impact module for re-using code
• You can now evaluate Application by Account ID or Alias (in addition to tags)
• findings key is now under impact, with the scoring based on findings we will use as part of the final scoring calculation. Expanding this key, you get the details of how many findings we count and their severities.
• The statistics module was improved; now you can get statistics for every impact condition.

Context

• There are new resources like AwsAthenaWorkGroup and new associations for the resource AwsEc2Volume.
• Some improvements to the code for performance and recursion protection.

HTML

• The HTML report for Impact scoring now shows the number instead of the progress bar, making it easier to understand the difference between each row.
• There is a new widget for grouping findings by Impact scoring at the top of the HTML report.

Others

• Ignore not found errors for AwsIamPolicy resource
• Fix incorrect ARNs generated by AWS tools

Security Hub

• The lambda code for the security hub custom action will now execute by applying a filter by ResourceId, instead of Finding Id. This way, for one finding, we can calculate the impact scoring based on all the other findings affecting the same finding.
• Adding Security Hub Insights for Access and Status as part of the Terraform Code

Happy Hunting!

What's Changed

• add_AwsEc2Volume_associations by @gabrielsoltz in #67
• add-resource-AwsAthenaWorkGroup by @gabrielsoltz in #68
• documentation by @gabrielsoltz in #69
• Add Impact Statistics by @gabrielsoltz in #70
• switch-impact-to-number by @gabrielsoltz in #71
• Improve recursion protection and others by @gabrielsoltz in #72
• New Impact Owner key and improvements by @gabrielsoltz in #73
• Impact Findings Improvements by @gabrielsoltz in #74
• lambda-execute-by-resource-id by @gabrielsoltz in #75

Full Changelog: v2.2.0...v2.3.0

2.2.0: New Impact based on Application!

MetaHub now supports Impact scoring based on the new AWS myApplications feature.

The environment impact definition was also improved, and now you can define how many environments you need for your context, based on Tagging and Account information.

What's Changed

• Updating Logos by @gabrielsoltz in #62
• Html design by @gabrielsoltz in #63
• New customisable environment definition support by @gabrielsoltz in #64
• add-impact-application by @gabrielsoltz in #65
• Documentation by @gabrielsoltz in #66

Full Changelog: v2.1.2...v2.2.0

2.1.2: Enrichment and Security Hub integration improvements

Some improvements to the Enrichment feature and the Security Hub integration.

• Enrichment Function Improvements: When enriching a finding, all context categories (tags, account, config, associations, cloudtrail, and impact) are added by default, and this option is configurable using the configuration file. We now use the Criticality field for Impact Scoring.
• The lambda function is no longer configured to enrich findings by default; you need to enable it in the code manually.
• Enabled 2 levels of recursion for some resource types, which seems to be safe and useful.
• The Terraform Code now creates the Security Hub custom action and connects it to the Lambda!
• The Terraform Code now creates Security Hub insights for some of the Impact metrics!
• Don't generate an error when there is no AWS Organization
• Standardizing the status output with the details