-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into feat/AzureOpenAI
- Loading branch information
Showing
36 changed files
with
5,491 additions
and
1,953 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
30 changes: 30 additions & 0 deletions
30
checkov/arm/checks/resource/DataFactoryUsesGitRepository.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckCategories, CheckResult | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class DataFactoryUsesGitRepository(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that Azure Data Factory uses Git repository for source control" | ||
| id = "CKV_AZURE_103" | ||
| supported_resources = ("Microsoft.DataFactory/factories",) | ||
| categories = (CheckCategories.GENERAL_SECURITY,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| properties = conf.get("properties") | ||
| if properties and isinstance(properties, dict): | ||
| self.evaluated_keys = ["properties/repoConfiguration/type"] | ||
| repo = properties.get("repoConfiguration") | ||
| if not repo: | ||
| return CheckResult.FAILED | ||
| if repo and isinstance(repo, dict) and repo.get("type") is not None: | ||
| return CheckResult.PASSED | ||
| return CheckResult.UNKNOWN | ||
| return CheckResult.FAILED | ||
|
|
||
|
|
||
| check = DataFactoryUsesGitRepository() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
| from checkov.common.models.enums import CheckCategories, CheckResult | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class MySQLEncryptionEnabled(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that MySQL server enables infrastructure encryption" | ||
| id = "CKV_AZURE_96" | ||
| supported_resources = ("Microsoft.DBforMySQL/flexibleServers",) | ||
| categories = (CheckCategories.ENCRYPTION,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult: | ||
| properties = conf.get("properties") | ||
| if properties and isinstance(properties, dict): | ||
| self.evaluated_keys = ["properties/dataencryption"] | ||
| data_encryption = properties.get("dataencryption") | ||
| if data_encryption and isinstance(data_encryption, dict): | ||
| if data_encryption is None: | ||
| return CheckResult.FAILED | ||
| return CheckResult.PASSED | ||
| # unparsed | ||
| elif data_encryption and isinstance(data_encryption, str): | ||
| return CheckResult.UNKNOWN | ||
| return CheckResult.FAILED | ||
| return CheckResult.UNKNOWN | ||
|
|
||
|
|
||
| check = MySQLEncryptionEnabled() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| from __future__ import annotations | ||
|
|
||
| from checkov.common.models.enums import CheckCategories, CheckResult | ||
| from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.util.data_structures_utils import find_in_dict | ||
|
|
||
|
|
||
| class VMEncryptionAtHostEnabled(BaseResourceCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure that Virtual machine scale sets have encryption at host enabled" | ||
| id = "CKV_AZURE_97" | ||
| supported_resources = ("Microsoft.Compute/virtualMachineScaleSets", "Microsoft.Compute/virtualMachines") | ||
| categories = (CheckCategories.ENCRYPTION,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| encryption = "" | ||
|
|
||
| if self.entity_type == "Microsoft.Compute/virtualMachines": | ||
| self.evaluated_keys = ["properties/securityProfile/encryptionAtHost"] | ||
| encryption = find_in_dict(input_dict=conf, key_path="properties/securityProfile/encryptionAtHost") | ||
| elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": | ||
| self.evaluated_keys = ["properties/virtualMachineProfile/securityProfile/encryptionAtHost"] | ||
| encryption = find_in_dict( | ||
| input_dict=conf, key_path="properties/virtualMachineProfile/securityProfile/encryptionAtHost" | ||
| ) | ||
|
|
||
| if encryption == "true": | ||
| return CheckResult.PASSED | ||
|
|
||
| return CheckResult.FAILED | ||
|
|
||
|
|
||
| check = VMEncryptionAtHostEnabled() |
22 changes: 12 additions & 10 deletions
22
checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,32 @@ | ||
| from typing import List | ||
| from __future__ import annotations | ||
|
|
||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckResult, CheckCategories | ||
| from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck | ||
|
|
||
|
|
||
| class LambdaEnvironmentEncryptionSettings(BaseResourceCheck): | ||
| def __init__(self): | ||
| def __init__(self) -> None: | ||
| name = "Check encryption settings for Lambda environmental variable" | ||
| id = "CKV_AWS_173" | ||
| supported_resources = ['AWS::Lambda::Function', "AWS::Serverless::Function"] | ||
| categories = [CheckCategories.ENCRYPTION] | ||
| supported_resources = ("AWS::Lambda::Function", "AWS::Serverless::Function") | ||
| categories = (CheckCategories.ENCRYPTION,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf): | ||
| properties = conf.get('Properties') | ||
| def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: | ||
| properties = conf.get("Properties") | ||
| if properties is not None: | ||
| env = properties.get('Environment') | ||
| env = properties.get("Environment") | ||
| if env is not None: | ||
| if not isinstance(env, dict): | ||
| return CheckResult.UNKNOWN | ||
| elif env.get('Variables') and not properties.get('KmsKeyArn'): | ||
| elif env.get("Variables") and not properties.get("KmsKeyArn"): | ||
| return CheckResult.FAILED | ||
| return CheckResult.PASSED | ||
|
|
||
| def get_evaluated_keys(self) -> List[str]: | ||
| return ['Properties/Environment/Variables', 'Properties/KmsKeyArn'] | ||
| def get_evaluated_keys(self) -> list[str]: | ||
| return ["Properties/KmsKeyArn"] | ||
|
|
||
|
|
||
| check = LambdaEnvironmentEncryptionSettings() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 8 additions & 6 deletions
14
checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 12 additions & 14 deletions
26
checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,22 @@ | ||
| from checkov.common.models.enums import CheckResult, CheckCategories | ||
| from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck | ||
| from typing import List | ||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckCategories | ||
| from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck | ||
|
|
||
| class MariaDBPublicAccessDisabled(BaseResourceCheck): | ||
| def __init__(self): | ||
|
|
||
| class MariaDBPublicAccessDisabled(BaseResourceValueCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure 'public network access enabled' is set to 'False' for MariaDB servers" | ||
| id = "CKV_AZURE_48" | ||
| supported_resources = ['azurerm_mariadb_server'] | ||
| categories = [CheckCategories.NETWORKING] | ||
| supported_resources = ("azurerm_mariadb_server",) | ||
| categories = (CheckCategories.NETWORKING,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf): | ||
| # Whether or not public network access is allowed for this server. Defaults to true. Which is not optimal | ||
| if 'public_network_access_enabled' not in conf or conf['public_network_access_enabled'][0]: | ||
| return CheckResult.FAILED | ||
| return CheckResult.PASSED | ||
| def get_inspected_key(self) -> str: | ||
| return "public_network_access_enabled" | ||
|
|
||
| def get_evaluated_keys(self) -> List[str]: | ||
| return ['public_network_access_enabled'] | ||
| def get_expected_value(self) -> Any: | ||
| return False | ||
|
|
||
|
|
||
| check = MariaDBPublicAccessDisabled() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 12 additions & 20 deletions
32
checkov/terraform/checks/resource/gcp/GKEClusterLogging.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,22 @@ | ||
| from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck | ||
| from checkov.common.models.enums import CheckResult, CheckCategories | ||
| from typing import List | ||
| from typing import Any | ||
|
|
||
| from checkov.common.models.enums import CheckCategories | ||
| from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck | ||
|
|
||
| class GKEClusterLogging(BaseResourceCheck): | ||
| def __init__(self): | ||
|
|
||
| class GKEClusterLogging(BaseResourceNegativeValueCheck): | ||
| def __init__(self) -> None: | ||
| name = "Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters" | ||
| id = "CKV_GCP_1" | ||
| supported_resources = ['google_container_cluster'] | ||
| categories = [CheckCategories.KUBERNETES] | ||
| supported_resources = ("google_container_cluster",) | ||
| categories = (CheckCategories.KUBERNETES,) | ||
| super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
|
||
| def scan_resource_conf(self, conf): | ||
| """ | ||
| Looks for password configuration at azure_instance: | ||
| https://www.terraform.io/docs/providers/google/r/compute_ssl_policy.html | ||
| :param conf: google_compute_ssl_policy configuration | ||
| :return: <CheckResult> | ||
| """ | ||
| if 'logging_service' in conf.keys(): | ||
| if conf['logging_service'][0] == "none": | ||
| return CheckResult.FAILED | ||
| return CheckResult.PASSED | ||
| def get_inspected_key(self) -> str: | ||
| return "logging_service" | ||
|
|
||
| def get_evaluated_keys(self) -> List[str]: | ||
| return ['logging_service'] | ||
| def get_forbidden_values(self) -> Any: | ||
| return "none" | ||
|
|
||
|
|
||
| check = GKEClusterLogging() |
Oops, something went wrong.