Merge branch 'main' into v_net_single_dns_server

.github/checkov.yaml

@@ -21,6 +21,15 @@ skip-path:
 - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
 - tests/terraform/runner/tfplan2.json
 - tests/unit/test_secrets.py
+- tests/terraform/runner/resources/example/example.tf
+- tests/terraform/graph
+- tests/terraform/checks
+- /checkov/secrets/plugins/entropy_keyword_combinator.py
+- /checkov/secrets/plugins/detector_utils.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
 - /cdk_integration_tests/src/typescript

Pipfile

@@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3"
 # REMINDER: Update "install_requires" deps on setup.py when changing
 #
 bc-python-hcl2 = "==0.4.2"
-bc-detect-secrets = "==1.5.9"
+bc-detect-secrets = "==1.5.11"
 bc-jsonpath-ng = "==1.6.1"
 pycep-parser = "==0.4.1"
 tabulate = ">=0.9.0,<0.10.0"
@@ -86,6 +86,7 @@ license-expression = ">=30.1.0,<31.0.0"
 rustworkx = ">=0.13.0,<0.14.0"
 pydantic = ">=2.0.0,<3.0.0"
 botocore = "==1.34.25"
+urllib3 = "*"
 
 [requires]
 python_version = "3.8"

README.md

@@ -15,7 +15,7 @@
 
 **Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
 
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](docs/7.Scan%20Examples/Helm.md), [Kustomize](docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](docs/7.Scan%20Examples/Bicep.md), [OpenAPI](docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
+It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
 
 It performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
 
@@ -37,21 +37,21 @@ Checkov also powers [**Prisma Cloud Application Security**](https://www.prismacl
 - [Getting Started](#getting-started)
 - [Disclaimer](#disclaimer)
 - [Support](#support)
-- [Migration - v2 to v3](docs/1.Welcome/Migration.md)
+- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)
 
  ## Features
 
- * [Over 1000 built-in policies](docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
+ * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
  * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep and ARM template files.
  * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files
  * Supports Context-awareness policies based on in-memory graph-based scanning.
  * Supports Python format for attribute policies and YAML format for both attribute and composite policies.
- * Detects [AWS credentials](docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
+ * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
  * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.
  * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- * Policies support evaluation of [variables](docs/2.Basics/Handling%20Variables.md) to their optional default value.
- * Supports in-line [suppression](docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- * [Output](docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
+ * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.
+ * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
+ * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
 
 ## Screenshots
 
@@ -172,7 +172,7 @@ Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
 	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
 ```
 
-Start using Checkov by reading the [Getting Started](docs/1.Welcome/Quick%20Start.md) page.
+Start using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.
 
 ### Using Docker
 
@@ -462,13 +462,13 @@ Defaults:
 
 Contribution is welcomed!
 
-Start by reviewing the [contribution guidelines](CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
+Start by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
 
 You can even start this with one-click dev in your browser through Gitpod at the following link:
 
 [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/bridgecrewio/checkov)
 
-Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](docs/6.Contribution/Contribution%20Overview.md).
+Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).
 
 ## Disclaimer
 `checkov` does not save, publish or share with anyone any identifiable customer information.  

cdk_integration_tests/prepare_data.sh

@@ -19,9 +19,8 @@
 #  fi
 #done
 
-
-echo "creating report for CDK python"
+echo "creating report for CDK"
 pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json \
-        -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+        -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 
 #todo: iterate over all the cdk typescript checks - when ts supported in sast

cdk_integration_tests/run_integration_tests.sh

@@ -18,9 +18,9 @@ set_env_vars() {
 }
 
 prepare_data () {
-  echo "creating report for CDK python"
+  echo "creating report for CDK"
   python checkov/main.py -s --framework cdk --repo-id prisma/cdk -o json \
-    -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+    -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 
 }
 

cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts

@@ -6,7 +6,7 @@ class ALBListenerHTTPSStack extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
         super(scope, id, props);
 
-        new elbv2.CfnLoadBalancer(this, {})
+        new elbv2.CfnListener(this, {})
     }
 }
 

cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts

@@ -6,12 +6,12 @@ class ALBListenerHTTPSStack extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
         super(scope, id, props);
 
-        new elbv2.CfnLoadBalancer(this, {protocol: 'HTTPS'})
-        new elbv2.CfnLoadBalancer(this, {protocol: 'TLS'})
-        new elbv2.CfnLoadBalancer(this, {protocol: 'TCP'})
-        new elbv2.CfnLoadBalancer(this, {protocol: 'UDP'})
-        new elbv2.CfnLoadBalancer(this, {protocol: 'TCP_UDP'})
-        new elbv2.CfnLoadBalancer(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
+        new elbv2.CfnListener(this, {protocol: 'HTTPS'})
+        new elbv2.CfnListener(this, {protocol: 'TLS'})
+        new elbv2.CfnListener(this, {protocol: 'TCP'})
+        new elbv2.CfnListener(this, {protocol: 'UDP'})
+        new elbv2.CfnListener(this, {protocol: 'TCP_UDP'})
+        new elbv2.CfnListener(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
     }
 }
 

cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts

@@ -5,9 +5,7 @@ import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
 class AmazonMQBrokerPublicAccessStack extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
         super(scope, id, props);
-
-        new elbv2.CfnBroker(this, {})
-        new elbv2.CfnBroker(this, {publiclyAccessible: false})
+        new elbv2.CfnBroker(this, {publiclyAccessible: true})
     }
 }
 

cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts

@@ -5,8 +5,8 @@ import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
 class AmazonMQBrokerPublicAccessStack extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
         super(scope, id, props);
-
-        new elbv2.CfnBroker(this, {publiclyAccessible: true})
+        new elbv2.CfnBroker(this, {})
+        new elbv2.CfnBroker(this, {publiclyAccessible: false})
     }
 }
 

cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts

@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+    vpc
+    // missing Multi-AZ setting
+});

cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts

@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+    vpc,
+    multiAZ: true
+});

cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts

@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+    vpc
+    // publicly accessible setting missing
+});

cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts

@@ -0,0 +1,8 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+    instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+    vpc, publicly_accessible: true
+});

cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts

@@ -0,0 +1,19 @@
+// FINDING
+import { CfnClusterParameterGroup } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to Redshift not using SSL
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+    description: 'Parameter group for my Redshift cluster',
+    family: 'redshift-1.0',
+    parameters: {
+        require_ssl: 'false', // This should be 'true' to enforce SSL
+    },
+});
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+    description: 'Parameter group for my Redshift cluster',
+    family: 'redshift-1.0',
+    parameters: {
+        random_param: 100
+    },
+});

cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts

@@ -0,0 +1,9 @@
+import { CfnClusterParameterGroup } from '@aws-cdk/aws-redshift';
+
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+    description: 'Parameter group for my Redshift cluster',
+    family: 'redshift-1.0',
+    parameters: {
+        require_ssl: 'true', // This should be 'true' to enforce SSL
+    },
+});

cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail.ts

@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing encryption at rest
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc, encrypted: false
+});

cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts

@@ -0,0 +1,19 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing encryption at rest
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc, encrypted: true
+});
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc
+});

cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts

@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc
+    // logging enabled missing
+});

cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts

@@ -0,0 +1,15 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+let bucketName;
+let stack;
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}
+    // logging enabled missing
+});

cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts

@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc,
+    publiclyAccessible: true, // publicly accessible cluster
+});

cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts

@@ -0,0 +1,20 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc,
+    publiclyAccessible: false,
+});
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc
+});

cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts

@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc: vpc
+});

cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts

@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+new Cluster(stack, 'MyRedshiftCluster', {
+    masterUser: {
+        masterUsername: 'admin',
+        masterPassword: 'password',
+    },
+    vpc: vpc,
+    clusterSubnetGroupName: 'name'
+});

cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__2__.ts

@@ -0,0 +1,11 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public ACLs
+new Bucket(stack, 'MyBucket', {
+    blockPublicAcls: false, // This should be 'true' to block public ACLs
+});
+new Bucket(stack, 'MyBucket', {
+    random_param: 'true'
+});

cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts

@@ -0,0 +1,8 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public ACLs
+new Bucket(stack, 'MyBucket', {
+    blockPublicAcls: true, // This should be 'true' to block public ACLs
+});

cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts

@@ -0,0 +1,8 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public policy
+new Bucket(stack, 'MyBucket', {
+    publicReadAccess: true, // This should be 'false' to block public policy
+});