Potential fix for code scanning alert no. 6: Incomplete regular expression for hostnames

.github/CODE_OF_CONDUCT.md

@@ -1,4 +1,4 @@
-# CloudSploit Code of Conduct
+# cloudExploit Code of Conduct
 
 ## Our Pledge
 

.github/CONTRIBUTING.md

@@ -1,14 +1,14 @@
-# Contributing to CloudSploit
-Thank you for your interest in contributing to CloudSploit! We welcome your PRs, issues, feedback, and other contributions to this open source repository. To keep things moving smoothly, please use the following guidelines when working with the CloudSploit source code.
+# Contributing to cloudExploit
+Thank you for your interest in contributing to cloudExploit! We welcome your PRs, issues, feedback, and other contributions to this open source repository. To keep things moving smoothly, please use the following guidelines when working with the cloudExploit source code.
 
 ## Code of Conduct
-The CloudSploit project, maintainers, and contributors are governed by the [CloudSploit Code of Conduct](CODE_OF_CONDUCT.md). By contributing, you are agreeing to uphold this code in your interactions with the CloudSploit community.
+The cloudExploit project, maintainers, and contributors are governed by the [cloudExploit Code of Conduct](CODE_OF_CONDUCT.md). By contributing, you are agreeing to uphold this code in your interactions with the cloudExploit community.
 
 ## License
-By contributing code to CloudSploit, you attest that you have the rights to all code and that you are assigning these rights to Khulnasoft Security, Ltd. for use within its projects.
+By contributing code to cloudExploit, you attest that you have the rights to all code and that you are assigning these rights to Khulnasoft Security, Ltd. for use within its projects.
 
 ## Getting Started
-Please read our [README](../README.md#installation) for information on getting setup to use and develop CloudSploit scans locally. We also have a [guide for writing new plugins](../docs/writing-plugins.md).
+Please read our [README](../README.md#installation) for information on getting setup to use and develop cloudExploit scans locally. We also have a [guide for writing new plugins](../docs/writing-plugins.md).
 
 ## Proposing Large Changes
 While we welcome all contributions, large pull requests that make significant changes to the codebase are difficult to review are merge without prior discussion. Please open an issue to discuss these changes before beginning work on them.

.github/workflows/scans_ci.yml

@@ -1,21 +1,24 @@
-name: 
+name: scan
 on: [push, pull_request, create, delete, issue_comment]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '12.x'
-      - uses: codespell-project/actions-codespell@master
+          node-version: '16.x'  # Updated Node.js version
+
+      - uses: khulnasoft/codetypo-actions@master
         with:
           check_filenames: true
           skip: ./.github/*,.git,./package.json,./package-lock.json,./node_modules,./tests,./config,*.png,Dockerfile,./scripts,*.spec.js,./plugins/azure/storageaccounts/storageAccountsAADEnabled.js,./plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js,./helpers/google/index.js,*zip
           ignore_words_list: iam,\"tRe\",AKS,aks,optin,callInt,callInt
+
       - run: npm install
 
       - name: Lint

README.md

@@ -1,6 +1,6 @@
 [![Build Status](https://travis-ci.org/khulnasoft/cloudexploit.svg?branch=master)](https://travis-ci.org/khulnasoft/cloudexploit)
 
-CloudSploit by Khulnasoft - Cloud Security Scans
+cloudExploit by Khulnasoft - Cloud Security Scans
 =================
 
 [<img src="docs/console.png">](https://cloud.khulnasoft.com/signup)
@@ -33,7 +33,7 @@ $ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudexploit:0.
   + [Microsoft Azure](docs/azure.md#cloud-provider-configuration)
   + [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)
   + [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)
-  + [CloudSploit Config File](#cloudexploit-config-file)
+  + [cloudExploit Config File](#cloudexploit-config-file)
   + [Credential Files](#credential-files)
     + [AWS](#aws)
     + [Azure](#azure)
@@ -60,16 +60,16 @@ $ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudexploit:0.
 * [Other Notes](#other-notes)
 
 ## Background
-CloudSploit by Khulnasoft is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
+cloudExploit by Khulnasoft is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
 
 ## Deployment Options
-CloudSploit is available in two deployment options:
+cloudExploit is available in two deployment options:
 
 ### Self-Hosted
-Follow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.
+Follow the instructions below to deploy the open-source version of cloudExploit on your machine in just a few simple steps.
 
 ### Hosted at Khulnasoft Wave
-A commercial version of CloudSploit hosted at Khulnasoft Wave. Try [Khulnasoft Wave](https://cloud.khulnasoft.com/signup) today!
+A commercial version of cloudExploit hosted at Khulnasoft Wave. Try [Khulnasoft Wave](https://cloud.khulnasoft.com/signup) today!
 
 ## Installation
 Ensure that NodeJS is installed. If not, install it from [here](https://nodejs.org/download/).
@@ -80,17 +80,17 @@ $ npm install
 ```
 
 ## Configuration
-CloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:
+cloudExploit requires read-only permission to your cloud account. Follow the guides below to provision this access:
 
 * [Amazon Web Services](docs/aws.md#cloud-provider-configuration)
 * [Microsoft Azure](docs/azure.md#cloud-provider-configuration)
 * [Google Cloud Platform](docs/gcp.md#cloud-provider-configuration)
 * [Oracle Cloud Infrastructure](docs/oracle.md#cloud-provider-configuration)
 
-For AWS, you can run CloudSploit directly and it will detect credentials using the default [AWS credential chain](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html).
+For AWS, you can run cloudExploit directly and it will detect credentials using the default [AWS credential chain](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html).
 
-### CloudSploit Config File
-The CloudSploit config file allows you to pass cloud provider credentials by:
+### cloudExploit Config File
+The cloudExploit config file allows you to pass cloud provider credentials by:
 1. A JSON file on your file system
 1. Environment variables
 1. Hard-coding (not recommended)
@@ -157,7 +157,7 @@ Note: For GCP, you [generate a JSON file](docs/gcp.md) directly from the GCP con
 ```
 
 ### Environment Variables
-CloudSploit supports passing environment variables, but you must first uncomment the section of your `config.js` file relevant to the cloud provider being scanned.
+cloudExploit supports passing environment variables, but you must first uncomment the section of your `config.js` file relevant to the cloud provider being scanned.
 
 You can then pass the variables listed in each section. For example, for AWS:
 ```
@@ -175,7 +175,7 @@ $ ./index.js
 ```
 
 ## CLI Options
-CloudSploit supports many options to customize the run time. Some popular options include:
+cloudExploit supports many options to customize the run time. Some popular options include:
 * AWS GovCloud support: `--govcloud`
 * AWS China support: `--china`
 * Save the raw cloud provider response data: `--collection=file.json`
@@ -201,7 +201,7 @@ See [Output Formats](#output-formates) below for more output options.
                                        | |                  
                                        |_|    
 
-    CloudSploit by Khulnasoft Security, Ltd.
+    cloudExploit by Khulnasoft Security, Ltd.
     Cloud security auditing for AWS, Azure, GCP, Oracle, and GitHub
 
   usage: index.js [-h] --config CONFIG [--compliance {hipaa,cis,cis1,cis2,pci}] [--plugin PLUGIN] [--govcloud] [--china] [--csv CSV] [--json JSON] [--junit JUNIT]
@@ -233,7 +233,7 @@ See [Output Formats](#output-formates) below for more output options.
 
 ## Compliance
 
-CloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the `--compliance` flag. For example:
+cloudExploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the `--compliance` flag. For example:
 ```
 $ ./index.js --compliance=hipaa
 $ ./index.js --compliance=pci
@@ -244,19 +244,19 @@ Multiple compliance modes can be run at the same time:
 $ ./index.js --compliance=cis1 --compliance=cis2
 ```
 
-CloudSploit currently supports the following compliance mappings:
+cloudExploit currently supports the following compliance mappings:
 
 ### HIPAA
 ```
 $ ./index.js --compliance=hipaa
 ```
-HIPAA scans map CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.
+HIPAA scans map cloudExploit plugins to the Health Insurance Portability and Accountability Act of 1996.
 
 ### PCI
 ```
 $ ./index.js --compliance=pci
 ```
-PCI scans map CloudSploit plugins to the Payment Card Industry Data Security Standard.
+PCI scans map cloudExploit plugins to the Payment Card Industry Data Security Standard.
 
 ### CIS Benchmarks
 ```
@@ -268,7 +268,7 @@ $ ./index.js --compliance=cis2
 CIS Benchmarks are supported, both for Level 1 and Level 2 controls. Passing `--compliance=cis` will run both level 1 and level 2 controls.
 
 ## Output Formats
-CloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.
+cloudExploit supports output in several formats for consumption by other tools. If you do not specify otherwise, cloudExploit writes output to standard output (the console) as a table.
 
 Note: You can pass multiple output formats and combine options for further customization. For example:
 ```
@@ -280,7 +280,7 @@ $ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok
 ```
 
 ### Console Output
-By default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:
+By default, cloudExploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:
 ```
 $ ./index.js --console=text
 ```
@@ -309,7 +309,7 @@ $ ./index.js --junit=file.xml
 ```
 
 ### Collection Output
-CloudSploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.
+cloudExploit saves the data queried from the cloud provider APIs in JSON format, which can be saved alongside other files for debugging or historical purposes.
 ```
 $ ./index.js --collection=file.json
 ```
@@ -339,10 +339,10 @@ $ ./index.js --plugin acmValidation
 ```
 
 ## Architecture
-CloudSploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.
+cloudExploit works in two phases. First, it queries the cloud infrastructure APIs for various metadata about your account, namely the "collection" phase. Once all the necessary data is collected, the result is passed to the "scanning" phase. The scan uses the collected data to search for potential misconfigurations, risks, and other security issues, which are the resulting output.
 
 ## Writing a Plugin
-Please see our [contribution guidelines](.github/CONTRIBUTING.md) and [complete guide](docs/writing-plugins.md) to writing CloudSploit plugins.
+Please see our [contribution guidelines](.github/CONTRIBUTING.md) and [complete guide](docs/writing-plugins.md) to writing cloudExploit plugins.
 
 ## Writing a remediation
 The `--remediate` flag can be used if you want to run remediation for the plugins mentioned as part of this argument. This takes a list of plugin names.

collectors/alibaba/collector.js

@@ -1,6 +1,6 @@
 /*********************
 Collector - The collector will query Alibaba APIs for the information required
-to run the CloudSploit scans. This data will be returned in the callback
+to run the cloudExploit scans. This data will be returned in the callback
 as a JSON object.
 
 Arguments:

collectors/aws/collector.js

@@ -1,6 +1,6 @@
 /*********************
  Collector - The collector will query AWS APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
 
  Arguments:

collectors/aws/collector_multipart.js

@@ -1,6 +1,6 @@
 /*********************
  Collector - The collector will query AWS APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
 
  Arguments:

collectors/azure/collector.js

@@ -1,6 +1,6 @@
 /*********************
  Collector - The collector will query Azure APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
 
  Arguments:

collectors/github/collector.js

@@ -2,7 +2,7 @@
 
 /*********************
  Collector - The collector will query GitHub APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
  *********************/
 

collectors/google/collector.js

@@ -1,6 +1,6 @@
 /*********************
  Collector - The collector will query Google APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
 
  Arguments:

collectors/oracle/collector.js

@@ -1,6 +1,6 @@
 /*********************
  Collector - The collector will query Oracle's APIs for the information required
- to run the CloudSploit scans. This data will be returned in the callback
+ to run the cloudExploit scans. This data will be returned in the callback
  as a JSON object.
 
  Arguments:

config_example.js

@@ -1,4 +1,4 @@
-// CloudSploit config file
+// cloudExploit config file
 
 module.exports = {
     credentials: {

docs/aws.md

@@ -1,4 +1,4 @@
-# CloudSploit For Amazon Web Services (AWS)
+# cloudExploit For Amazon Web Services (AWS)
 
 ## Cloud Provider Configuration
 Create a "cloudexploit" user, with the `SecurityAudit` policy.
@@ -33,7 +33,7 @@ Create a "cloudexploit" user, with the `SecurityAudit` policy.
     }
     ```
 1. Click "Review policy."
-1. Provide a name (`CloudSploitSupplemental`) and click "Create policy."
+1. Provide a name (`cloudExploitSupplemental`) and click "Create policy."
 1. Return to the "Create user" page and attach the newly-created policy. Click "Next: tags."
 1. Set tags as needed and then click on "Create user".
 1. Make sure you safely store the Access key ID and Secret access key.

docs/azure.md

@@ -1,9 +1,9 @@
-# CloudSploit For Microsoft Azure
+# cloudExploit For Microsoft Azure
 
 ## Cloud Provider Configuration
 1. Log into your Azure Portal and navigate to the Azure Active Directory service.
 1. Select App registrations and then click on New registration.
-1. Enter "CloudSploit" and/or a descriptive name in the Name field, take note of it, it will be used again in step 3.
+1. Enter "cloudExploit" and/or a descriptive name in the Name field, take note of it, it will be used again in step 3.
 1. Leave the "Supported account types" default: "Accounts in this organizational directory only (YOURDIRECTORYNAME)".
 1. Click on Register.
 1. Copy the Application ID and Paste it below.
@@ -20,6 +20,6 @@
 1. Click on "Add", then "Add role assignment".
 1. In the "Role" drop-down, select "Security Reader".
 1. Leave the "Assign access to" default value.
-1. In the "Select" drop-down, type the name of the app registration (e.g. "CloudSploit") you created and select it.
+1. In the "Select" drop-down, type the name of the app registration (e.g. "cloudExploit") you created and select it.
 1. Click "Save".
 1. Repeat the process for the role "Log Analytics Reader"

docs/gcp.md

@@ -1,4 +1,4 @@
-# CloudSploit For Google Cloud Platform (GCP)
+# cloudExploit For Google Cloud Platform (GCP)
 
 ## Create Security Audit Role
 
@@ -65,7 +65,7 @@ stage: GA
 
 1. Log into your Google Cloud console and navigate to IAM Admin > Service Accounts.
 1. Click on "Create Service Account".
-1. Enter "CloudSploit" in the "Service account name", then enter "CloudSploit API Access" in the description.
+1. Enter "cloudExploit" in the "Service account name", then enter "cloudExploit API Access" in the description.
 1. Click on Continue.
 1. Select the role: Custom > Khulnasoft CSPM Security Audit.
 1. Click on Continue.