Merge branch 'main' into support-guideline-option-terraform-resource-…
…checks
cawilson committed Sep 23, 2024
2 parents 53d5806 + b3978dc commit 3eaa094
Showing 31 changed files with 2,234 additions and 1,358 deletions.
15 changes: 0 additions & 15 deletions .github/workflows/pr-test.yml
Expand Up @@ -105,21 +105,6 @@ jobs:
# list all dependencies to get a better view about installed package versions
pipenv run pip list
- name: Get venv path
id: get-venv
run: |
echo "venv=$(pipenv --venv)" >> "$GITHUB_OUTPUT"
- name: Run Redefine.dev
uses: redefinedev/redefine-action@main
with:
auth: ${{ secrets.REDEFINE_AUTH }}
python-venv-path: ${{ steps.get-venv.outputs.venv }}
testing-framework: pytest
mode: fail-fast
time-limit: 30 # approx 15% of the run time
config-args: matrix_value=${{ matrix.python }} file_based_prediction=true

- name: Unit tests
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2 changes: 1 addition & 1 deletion Pipfile
Expand Up @@ -57,7 +57,7 @@ gitpython = ">=3.1.30,<4.0.0"
jmespath = ">=1.0.0,<2.0.0"
tqdm = ">=4.65.0,<5.0.0"
packaging = ">=23.0,<24.0"
cloudsplaining = ">=0.6.2,<0.7.0"
cloudsplaining = ">=0.7.0,<0.8.0"
networkx = "<2.7"
dockerfile-parse =">=2.0.0,<3.0.0"
docker = ">=6.0.1,<8.0.0"
2,810 changes: 1,494 additions & 1,316 deletions Pipfile.lock


2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -287,7 +287,7 @@ checkov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --ski
```
One can mask values from scanning results by supplying a configuration file (using --config-file flag) with mask entry.
The masking can apply on resource & value (or multiple values, seperated with a comma).
The masking can apply on resource & value (or multiple values, separated with a comma).
Examples:
```sh
mask:
2 changes: 1 addition & 1 deletion checkov/common/runners/runner_registry.py
Expand Up @@ -718,7 +718,7 @@ def filter_runners_for_files(self, files: List[str]) -> None:

def remove_runner(self, runner: _BaseRunner) -> None:
if runner in self.runners:
self.runners.remove(runner)
self.runners.remove(runner) # type:ignore[arg-type] # existence is checked one line above

@staticmethod
def enrich_report_with_guidelines(scan_report: Report) -> None:
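--- a/checkov/common/util/tqdm_utils.py
+++ b/checkov/common/util/tqdm_utils.py
@@ -71,6 +71,7 @@ def turn_off_progress_bar(self) -> None:
 
     @staticmethod
     def should_show_progress_bar() -> bool:
-        if all([not LOGS_ENABLED, not RUN_IN_DOCKER, sys.__stdout__.isatty()]):
+        # making sure sys.__stdout__ is not None, but still need the type:ignore
+        if all([not LOGS_ENABLED, not RUN_IN_DOCKER, sys.__stdout__, sys.__stdout__.isatty()]): # type:ignore[union-attr]
             return True
         return False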
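Review bot: The added `sys.__stdout__` element in the `all([...])` list does not guard the call that follows it, because every list element is evaluated before `all` runs, so `sys.__stdout__.isatty()` is still executed when `sys.__stdout__` is None and raises AttributeError. The `type:ignore[union-attr]` is hiding exactly that gap. Short-circuit operators fix it and let mypy narrow the type, so the ignore can go: `if not LOGS_ENABLED and not RUN_IN_DOCKER and sys.__stdout__ is not None and sys.__stdout__.isatty():`. The comment on the preceding line should then be dropped or changed to say why `__stdout__` (not `stdout`) is the stream being checked.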
11 changes: 8 additions & 3 deletions checkov/policies_3d/output.py
Expand Up @@ -16,7 +16,7 @@
from checkov.common.output.common import compare_table_items_severity
from checkov.policies_3d.record import Policy3dRecord

TABLE_WIDTH = 136
TABLE_WIDTH = 138


def merge_line_with_previous_table(line: str, table: PrettyTable) -> str:
Expand Down Expand Up @@ -225,10 +225,15 @@ def render_iac_violations_table(record: Policy3dRecord) -> str | None:

def create_iac_violations_table(file_path: str, resource_violation_details_map: Dict[str, Dict[str, Any]]) -> str:
columns = 5 # it really has only 4 columns, but the title would get a width of two columns
column_width = int(TABLE_WIDTH / columns)
table_width = TABLE_WIDTH
column_width = int(table_width / columns)

# on python 3.12 and above, the columns are a bit bigger, need to make them smaller to have consistency.
if sys.version_info >= (3, 12):
table_width = 136

iac_table_lines = create_iac_violations_overview_table_part(
table_width=TABLE_WIDTH, column_width=column_width, resource_violation_details_map=resource_violation_details_map
table_width=table_width, column_width=column_width, resource_violation_details_map=resource_violation_details_map
)

return (
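Review bot: `column_width` is computed from `table_width` before the `sys.version_info >= (3, 12)` block lowers `table_width` to 136, so on 3.12+ the overview part receives `table_width=136` together with a `column_width` derived from 138. Both widths currently floor to 27 with five columns, so nothing is visibly wrong today, but the ordering reads as an oversight and the next edit to `TABLE_WIDTH` can silently desynchronise the two values. Either move the version block above `column_width = int(table_width / columns)`, or state the intent on that line: `# column_width is deliberately taken from the unadjusted width; 138/5 and 136/5 both floor to 27`. The body of create_iac_violations_table continues outside the hunk.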
7 changes: 1 addition & 6 deletions checkov/sca_package_2/output.py
Expand Up @@ -2,7 +2,6 @@

import itertools
import logging
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Union, Dict, Any
Expand Down Expand Up @@ -278,14 +277,10 @@ def create_cli_license_violations_table(file_path: str,
def create_cli_cves_table(file_path: str, cve_count: CveCount, package_details_map: Dict[str, Dict[str, Any]],
lines_details_found: bool) -> str:
columns = 7
table_width = 159
table_width = 165
fixed_line_with = 159
column_width = int(table_width / columns)

# on python 3.12 and above, the columns are smaller, need to make them wider in order to have consistency.
if sys.version_info >= (3, 12):
table_width = 165

cve_table_lines = create_cve_summary_table_part(
table_width=table_width, column_width=column_width, cve_count=cve_count
)
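Review bot: The new local `fixed_line_with = 159` looks like a typo for `fixed_line_width`; its use is outside the hunk, so the rename has to be applied at the read site as well, and a short comment would help since the name now carries the value the old `table_width` had before the bump to 165, e.g. `fixed_line_width = 159  # width of the fixed-layout line, unchanged by the 3.12 column adjustment`. The first hunk drops `import sys`; that is only safe if no other code in the module still references `sys`, which cannot be confirmed from the two hunks shown. The rest of create_cli_cves_table lies outside the hunk.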
Expand Up @@ -22,7 +22,9 @@ definition:
- aws_dax_cluster
- aws_db_instance
- aws_dms_replication_instance
- aws_dms_replication_config
- aws_docdb_cluster
- aws_docdbelastic_cluster
- aws_ec2_client_vpn_endpoint
- aws_ec2_client_vpn_network_association
- aws_ec2_spot_fleet_request
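--- a/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py
+++ b/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py
@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class ELBwListenerNotTLSSSL(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure AWS Elastic Load Balancer listener uses TLS/SSL"
+        id = "CKV_AWS_376"
+        supported_resource = ("aws_elb",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resource)
+
+    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+        if 'listener' in conf:
+            for listener in conf.get('listener'):
+                if 'instance_protocol' in listener:
+                    if listener.get('instance_protocol')[0].lower() in ('http', 'tcp'):
+                        return CheckResult.FAILED
+                    if listener.get('instance_protocol')[0].lower() in ('https', 'ssl') and \
+                            ('ssl_certificate_id' not in listener or listener.get('ssl_certificate_id') == ""):
+                        return CheckResult.FAILED
+
+        return CheckResult.PASSED
+
+
+check = ELBwListenerNotTLSSSL()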
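Review bot: The comparison `listener.get('ssl_certificate_id') == ""` in the second condition of scan_resource_conf can never be true, because conf values are lists (the `dict[str, list[Any]]` annotation and the `[0]` on `instance_protocol` show this), so a listener with an empty `ssl_certificate_id` passes. Separately, `instance_protocol` is the backend leg of an `aws_elb` listener; the client-facing protocol is `lb_protocol`, and `ssl_certificate_id` only applies when `lb_protocol` is HTTPS or SSL, so if the check is meant to cover the listener as its name states it should inspect `lb_protocol` (please confirm the intended scope). A non-string first element, such as an unresolved variable, would also raise on `.lower()`. Suggested rewrite of the method:
```python
    # … unchanged: __init__ …

    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        for listener in conf.get('listener') or []:
            # conf values are lists; unwrap the first element before comparing
            protocol = listener.get('lb_protocol')
            if not protocol or not isinstance(protocol[0], str):
                continue
            protocol = protocol[0].lower()
            if protocol in ('http', 'tcp'):
                return CheckResult.FAILED
            cert = listener.get('ssl_certificate_id')
            if protocol in ('https', 'ssl') and (not cert or cert[0] == ""):
                return CheckResult.FAILED
        return CheckResult.PASSED
```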
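--- a/checkov/terraform/checks/resource/aws/LBTargetGroup.py
+++ b/checkov/terraform/checks/resource/aws/LBTargetGroup.py
@@ -0,0 +1,22 @@
+from typing import Any, List
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class LBTargetGroup(BaseResourceNegativeValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure AWS Load Balancer doesn't use HTTP protocol"
+        id = "CKV_AWS_378"
+        supported_resources = ('aws_lb_target_group', 'aws_alb_target_group',)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return 'protocol'
+
+    def get_forbidden_values(self) -> List[Any]:
+        return ["HTTP"]
+
+
+check = LBTargetGroup()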
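Review bot: `get_forbidden_values` returns only `["HTTP"]`, while the check name claims the load balancer does not use HTTP at all; a target group with `protocol = "TCP"`, `"UDP"` or `"TCP_UDP"` (NLB) also carries cleartext to the backend and passes, and a `target_type = "lambda"` group has no `protocol` at all, with the outcome decided by the base negative-value check outside this file. Either widen the list deliberately or document the narrow scope with a class docstring such as `"""Flag ALB/NLB target groups whose backend protocol is plain HTTP (CKV_AWS_378)."""`. The exact-case match on `"HTTP"` is acceptable since the AWS provider only accepts the uppercase enum values, but a short comment saying so would stop the next reader from adding `"http"`.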
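--- a/checkov/terraform/checks/resource/aws/Route53TransferLock.py
+++ b/checkov/terraform/checks/resource/aws/Route53TransferLock.py
@@ -0,0 +1,22 @@
+from typing import Any, List
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class Route53TransferLock(BaseResourceNegativeValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure Route 53 domains have transfer lock protection"
+        id = "CKV_AWS_377"
+        supported_resources = ('aws_route53domains_registered_domain',)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return 'transfer_lock'
+
+    def get_forbidden_values(self) -> List[Any]:
+        return [False]
+
+
+check = Route53TransferLock()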
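Review bot: `categories = (CheckCategories.NETWORKING,)` does not fit a registrar transfer lock, which is an ownership/anti-hijacking control rather than a network setting; `CheckCategories.GENERAL_SECURITY` is the closer bucket and affects how the finding is grouped in reports. A one-line class docstring would also make the intent explicit: `"""Fail when a registered Route 53 domain sets transfer_lock = false (CKV_AWS_377)."""`. How a missing `transfer_lock` attribute is treated (the provider default) is decided by the base negative-value check, which is outside this file.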
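--- a/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py
+++ b/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py
@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class S3GlobalViewACL(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure AWS S3 bucket does not have global view ACL permissions enabled"
+        id = "CKV_AWS_375"
+        supported_resource = ("aws_s3_bucket_acl",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resource)
+
+    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+        if 'access_control_policy' in conf:
+            for policy in conf.get('access_control_policy'):
+                if 'grant' in policy:
+                    for grant in policy.get('grant'):
+                        if 'permission' in grant and ('FULL_CONTROL' in grant.get('permission') or 'READ_ACP' in grant.get('permission')):
+                            if 'grantee' in grant:
+                                for grantee in grant.get('grantee'):
+                                    if 'uri' in grantee and 'http://acs.amazonaws.com/groups/global/AllUsers' in grantee.get('uri'):
+                                        return CheckResult.FAILED
+
+        return CheckResult.PASSED
+
+
+check = S3GlobalViewACL()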
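Review bot: The name says "global view ACL", but the permission test on the `grant` line only matches `FULL_CONTROL` and `READ_ACP`; a grant of `READ` to the AllUsers group, which is the one that exposes bucket listing, is not flagged, and neither is `WRITE_ACP`, which lets anyone rewrite the ACL. Confirm the intended set and hold it in one module-level tuple so the five-deep nesting can be flattened with `continue`; the AllUsers URI check is fine as written since `grantee.get('uri')` is a list and `in` does an exact element match. Flattened form:
```python
# grants to this group apply to everyone on the internet
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# TODO(review): confirm whether READ and WRITE_ACP should be in scope as well
FORBIDDEN_PERMISSIONS = ("FULL_CONTROL", "READ_ACP")

# … unchanged: class header and __init__ …

    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        for policy in conf.get('access_control_policy') or []:
            for grant in policy.get('grant') or []:
                permissions = grant.get('permission') or []
                if not any(p in permissions for p in FORBIDDEN_PERMISSIONS):
                    continue
                for grantee in grant.get('grantee') or []:
                    if ALL_USERS_URI in (grantee.get('uri') or []):
                        return CheckResult.FAILED
        return CheckResult.PASSED
```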
@@ -1,6 +1,9 @@
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

# Reference: https://cloud.google.com/iam/docs/best-practices-service-accounts
# Lookup: https://cloud.google.com/iam/docs/permissions-reference

IMPERSONATION_ROLES = [
"roles/owner",
"roles/editor",
Expand All @@ -10,15 +13,72 @@
"roles/iam.serviceAccountUser",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.workloadIdentityUser",
"roles/dataproc.editor",
"roles/dataproc.admin",
"roles/dataflow.developer",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.folderIamAdmin",
"roles/resourcemanager.projectIamAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/serverless.serviceAgent",
"roles/dataproc.serviceAgent",
"roles/deploymentmanager.editor",
"roles/cloudbuild.builds.editor",
"roles/aiplatform.customCodeServiceAgent",
"roles/aiplatform.extensionServiceAgent",
"roles/aiplatform.serviceAgent",
"roles/apigateway.serviceAgent",
"roles/apigee.serviceAgent",
"roles/appengine.serviceAgent",
"roles/appengineflex.serviceAgent",
"roles/bigquerycontinuousquery.serviceAgent",
"roles/bigquerydatatransfer.serviceAgent",
"roles/bigqueryspark.serviceAgent",
"roles/cloudbuild.serviceAgent",
"roles/cloudconfig.serviceAgent",
"roles/clouddeploy.serviceAgent",
"roles/cloudfunctions.serviceAgent",
"roles/cloudscheduler.serviceAgent",
"roles/cloudtasks.serviceAgent",
"roles/composer.serviceAgent",
"roles/compute.serviceAgent",
"roles/connectors.serviceAgent",
"roles/dataflow.serviceAgent",
"roles/eventarc.serviceAgent",
"roles/integrations.serviceAgent",
"roles/ml.serviceAgent",
"roles/notebooks.serviceAgent",
"roles/pubsub.serviceAgent",
"roles/run.serviceAgent",
"roles/sourcerepo.serviceAgent",
"roles/workflows.serviceAgent",
"roles/iam.serviceAccountOpenIdTokenCreator",
"roles/aiplatform.colabServiceAgent",
"roles/backupdr.computeEngineOperator",
"roles/backupdr.serviceAgent",
"roles/batch.serviceAgent",
"roles/clouddeploymentmanager.serviceAgent",
"roles/cloudtpu.serviceAgent",
"roles/compute.instanceGroupManagerServiceAgent",
"roles/configdelivery.serviceAgent",
"roles/container.serviceAgent",
"roles/datapipelines.serviceAgent",
"roles/dataplex.serviceAgent",
"roles/dataprep.serviceAgent",
"roles/dataproc.hubAgent",
"roles/firebaseapphosting.serviceAgent",
"roles/firebasemods.serviceAgent",
"roles/gameservices.serviceAgent",
"roles/genomics.serviceAgent",
"roles/krmapihosting.anthosApiEndpointServiceAgent",
"roles/krmapihosting.serviceAgent",
"roles/lifesciences.serviceAgent",
"roles/osconfig.serviceAgent",
"roles/runapps.serviceAgent",
"roles/securitycenter.securityResponseServiceAgent",
"roles/workstations.serviceAgent",
"roles/securesourcemanager.serviceAgent",
"roles/assuredoss.admin",
"roles/securitycenter.admin",
"roles/vpcaccess.serviceAgent",
"roles/cloudbuild.builds.builder",
"roles/composer.worker",
"roles/dataflow.admin",
"roles/run.sourceDeveloper",
]


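Review bot: The second hunk header `@@ -10,15 +13,72 @@` implies that six old entries were removed or rewritten alongside the additions, but the rendered view no longer shows which lines those were; please confirm that no previously listed role dropped out of `IMPERSONATION_ROLES` unintentionally, since each dropped entry silently stops that binding from being flagged. The list is now roughly eighty hand-maintained strings: keep it sorted and deduplicated so future additions are reviewable, and record when the role reference was consulted next to the new comment, e.g. `# Lookup: https://cloud.google.com/iam/docs/permissions-reference (reviewed <date>)`. If membership is tested with `in` against this list elsewhere in the file, a `frozenset` would be the natural container, but that use is outside the hunk.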
Expand Up @@ -14,7 +14,7 @@ def get_inspected_key(self):
return 'database_version'

def get_expected_values(self):
return ["POSTGRES_15", "MYSQL_8_0", "SQLSERVER_2022_STANDARD", "SQLSERVER_2022_WEB",
return ["POSTGRES_16", "MYSQL_8_0", "SQLSERVER_2022_STANDARD", "SQLSERVER_2022_WEB",
"SQLSERVER_2022_ENTERPRISE", "SQLSERVER_2022_EXPRESS"]


2 changes: 1 addition & 1 deletion checkov/version.py
@@ -1 +1 @@
version = '3.2.254'
version = '3.2.255'
2 changes: 1 addition & 1 deletion kubernetes/requirements.txt
@@ -1 +1 @@
checkov==3.2.254
checkov==3.2.255
2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -80,7 +80,7 @@ def run(self) -> None:
"jmespath>=1.0.0,<2.0.0",
"tqdm<5.0.0,>=4.65.0",
"packaging>=23.0,<24.0",
"cloudsplaining<0.7.0,>=0.6.2",
"cloudsplaining<0.8.0,>=0.7.0",
"networkx<2.7",
"dockerfile-parse<3.0.0,>=2.0.0",
"docker>=6.0.1,<8.0.0",