feat(arm): migrate check CKV_AZURE_50 to arm (#5453)
migrate check to arm
JamesWoolfenden committed Aug 23, 2023
1 parent 65e20f2 commit 9080329
Showing 7 changed files with 394 additions and 21 deletions.
2 changes: 1 addition & 1 deletion checkov/arm/base_resource_value_check.py
Expand Up @@ -38,7 +38,7 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: # type:ignor
inspected_key = self.get_inspected_key()
expected_values = self.get_expected_values()
value = find_in_dict(conf, inspected_key)
if value:
if value is not None:
if ANY_VALUE in expected_values:
# Key is found in the configuration - if it accepts any value, the check is PASSED
return CheckResult.PASSED
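Review bot: The widened condition `if value is not None:` changes the found/missing decision for every ARM check built on this base class, not only CKV_AZURE_50: a key that is present with `False`, `0`, `""` or an empty list now takes the found path and is compared against the expected values instead of falling through to the missing-key branch. That is what this commit needs (an explicit `allowExtensionOperations: false` must be able to pass), but the commit description does not say whether the other checks deriving from this base were re-run under the new semantics. A comment on the line would make the intent explicit: `# None means the key is absent; falsy values such as False are real settings and must be compared`. The rest of scan_resource_conf, including the missing-key branch, lies outside the hunk.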
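--- /dev/null
+++ b/checkov/arm/checks/resource/AzureInstanceExtensions.py
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AzureInstanceExtensions(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure Virtual Machine Extensions are not Installed"
+        id = "CKV_AZURE_50"
+        supported_resources = ["Microsoft.Compute/virtualMachines"]
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/osProfile/allowExtensionOperations"
+
+    def get_expected_value(self) -> bool:
+        return False
+
+
+check = AzureInstanceExtensions()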
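Review bot: The class has no docstring, and the link between the check's name ("Extensions are not Installed") and the inspected ARM property `properties/osProfile/allowExtensionOperations` is not obvious to a reader. Judging by the `fail2` fixture in the accompanying test, a template that omits the property is expected to fail, so the check relies on the base class's missing-key handling, which is not visible on this page and is worth stating at the class. I would add a docstring such as `"""Fail when a VM's osProfile leaves allowExtensionOperations unset or true; only an explicit false passes."""`.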
@@ -0,0 +1,95 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachines_pike_name": {
"defaultValue": "fail",
"type": "String"
},
"disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Compute/disks/pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050",
"type": "String"
},
"networkInterfaces_pike_nic_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/pike_nic",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-03-01",
"name": "[parameters('virtualMachines_pike_name')]",
"location": "westeurope",
"properties": {
"hardwareProfile": {
"vmSize": "Standard_F2"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "0001-com-ubuntu-server-focal",
"sku": "20_04-lts",
"version": "latest"
},
"osDisk": {
"osType": "Linux",
"name": "[concat(parameters('virtualMachines_pike_name'), '_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050')]",
"createOption": "FromImage",
"caching": "ReadWrite",
"writeAcceleratorEnabled": false,
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[parameters('disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid')]"
},
"deleteOption": "Detach",
"diskSizeGB": 30
},
"dataDisks": []
},
"osProfile": {
"computerName": "[parameters('virtualMachines_pike_name')]",
"adminUsername": "adminuser",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/adminuser/.ssh/authorized_keys",
"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5M1Z6i9r0/5ld5oWUhWIDI8j1DPc1sDrRqfPc4GMuotkpg2Iza7mX+JkieB36RmzRmhOjNZDh8FdtnoW3gtJ/dTkY8t2cnttAAD49BWmg9C9scfVXj5zNYdaDX9eYFY+a4UyYNkDZtmTnaK+i4r32lIAahcCd8L4vD8ltpw/LIZmI4FpShy019pXadYMVhPA3X6Tav8+BUW76enj1BKD2e5WqUOSvdxuiKcLIiJeyveq2Yl30kbmB0o3hVp7fQYrIwtEjz/11X29NcIgyb9wNuEGPq751Vfgwk6vh0tBUasrOGrh5wo3gHezBEtfOWXYadIxMzGW/a7QYRbXhcUfz\n"
}
]
},
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "ImageDefault",
"assessmentMode": "ImageDefault"
},
"enableVMAgentPlatformUpdates": false
},
"secrets": [],
"allowExtensionOperations": true,
"requireGuestProvisionSignal": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[parameters('networkInterfaces_pike_nic_externalid')]",
"properties": {
"primary": true
}
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"priority": "Regular",
"extensionsTimeBudget": "PT1H30M"
}
}
]
}
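Review bot: The example template carries what looks like a real subscription id (`037ce662-...`) in the `disks_..._externalid` and `networkInterfaces_..._externalid` parameter defaults, and the same value is repeated in the two fixtures that follow. The check never reads those parameters, so a clearly fake placeholder GUID would serve the test just as well and avoids committing an account identifier into the repository. The `keyData` value is a public key and is fine to keep as fixture data.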
@@ -0,0 +1,94 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachines_pike_name": {
"defaultValue": "fail2",
"type": "String"
},
"disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Compute/disks/pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050",
"type": "String"
},
"networkInterfaces_pike_nic_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/pike_nic",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-03-01",
"name": "[parameters('virtualMachines_pike_name')]",
"location": "westeurope",
"properties": {
"hardwareProfile": {
"vmSize": "Standard_F2"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "0001-com-ubuntu-server-focal",
"sku": "20_04-lts",
"version": "latest"
},
"osDisk": {
"osType": "Linux",
"name": "[concat(parameters('virtualMachines_pike_name'), '_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050')]",
"createOption": "FromImage",
"caching": "ReadWrite",
"writeAcceleratorEnabled": false,
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[parameters('disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid')]"
},
"deleteOption": "Detach",
"diskSizeGB": 30
},
"dataDisks": []
},
"osProfile": {
"computerName": "[parameters('virtualMachines_pike_name')]",
"adminUsername": "adminuser",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/adminuser/.ssh/authorized_keys",
"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5M1Z6i9r0/5ld5oWUhWIDI8j1DPc1sDrRqfPc4GMuotkpg2Iza7mX+JkieB36RmzRmhOjNZDh8FdtnoW3gtJ/dTkY8t2cnttAAD49BWmg9C9scfVXj5zNYdaDX9eYFY+a4UyYNkDZtmTnaK+i4r32lIAahcCd8L4vD8ltpw/LIZmI4FpShy019pXadYMVhPA3X6Tav8+BUW76enj1BKD2e5WqUOSvdxuiKcLIiJeyveq2Yl30kbmB0o3hVp7fQYrIwtEjz/11X29NcIgyb9wNuEGPq751Vfgwk6vh0tBUasrOGrh5wo3gHezBEtfOWXYadIxMzGW/a7QYRbXhcUfz\n"
}
]
},
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "ImageDefault",
"assessmentMode": "ImageDefault"
},
"enableVMAgentPlatformUpdates": false
},
"secrets": [],
"requireGuestProvisionSignal": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[parameters('networkInterfaces_pike_nic_externalid')]",
"properties": {
"primary": true
}
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"priority": "Regular",
"extensionsTimeBudget": "PT1H30M"
}
}
]
}
@@ -0,0 +1,95 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachines_pike_name": {
"defaultValue": "pike",
"type": "String"
},
"disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Compute/disks/pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050",
"type": "String"
},
"networkInterfaces_pike_nic_externalid": {
"defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/pike_nic",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-03-01",
"name": "[parameters('virtualMachines_pike_name')]",
"location": "westeurope",
"properties": {
"hardwareProfile": {
"vmSize": "Standard_F2"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "0001-com-ubuntu-server-focal",
"sku": "20_04-lts",
"version": "latest"
},
"osDisk": {
"osType": "Linux",
"name": "[concat(parameters('virtualMachines_pike_name'), '_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050')]",
"createOption": "FromImage",
"caching": "ReadWrite",
"writeAcceleratorEnabled": false,
"managedDisk": {
"storageAccountType": "Standard_LRS",
"id": "[parameters('disks_pike_OsDisk_1_8456bd2e1ebc4b3e9ece2b8770126050_externalid')]"
},
"deleteOption": "Detach",
"diskSizeGB": 30
},
"dataDisks": []
},
"osProfile": {
"computerName": "[parameters('virtualMachines_pike_name')]",
"adminUsername": "adminuser",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/adminuser/.ssh/authorized_keys",
"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5M1Z6i9r0/5ld5oWUhWIDI8j1DPc1sDrRqfPc4GMuotkpg2Iza7mX+JkieB36RmzRmhOjNZDh8FdtnoW3gtJ/dTkY8t2cnttAAD49BWmg9C9scfVXj5zNYdaDX9eYFY+a4UyYNkDZtmTnaK+i4r32lIAahcCd8L4vD8ltpw/LIZmI4FpShy019pXadYMVhPA3X6Tav8+BUW76enj1BKD2e5WqUOSvdxuiKcLIiJeyveq2Yl30kbmB0o3hVp7fQYrIwtEjz/11X29NcIgyb9wNuEGPq751Vfgwk6vh0tBUasrOGrh5wo3gHezBEtfOWXYadIxMzGW/a7QYRbXhcUfz\n"
}
]
},
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "ImageDefault",
"assessmentMode": "ImageDefault"
},
"enableVMAgentPlatformUpdates": false
},
"secrets": [],
"allowExtensionOperations": false,
"requireGuestProvisionSignal": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[parameters('networkInterfaces_pike_nic_externalid')]",
"properties": {
"primary": true
}
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"priority": "Regular",
"extensionsTimeBudget": "PT1H30M"
}
}
]
}
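--- /dev/null
+++ b/tests/arm/checks/resource/test_AzureInstanceExtensions.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.AzureInstanceExtensions import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAzureInstanceExtensions(unittest.TestCase):
+    def test_summary(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_AzureInstanceExtensions"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "Microsoft.Compute/virtualMachines.pike",
+        }
+        failing_resources = {
+            "Microsoft.Compute/virtualMachines.fail",
+            "Microsoft.Compute/virtualMachines.fail2",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], len(passing_resources))
+        self.assertEqual(summary["failed"], len(failing_resources))
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+        self.assertEqual(summary["resource_count"], 3)  # includes 2 unknown
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()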
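Review bot: The trailing comment on the `resource_count` assertion, `# includes 2 unknown`, is misleading: the three example templates contain exactly one virtualMachines resource each, and all three are classified by the test (one passing, two failing), so no resource is unknown here. The comment looks carried over from another test; I would change the line to `self.assertEqual(summary["resource_count"], 3)  # one virtualMachines resource per example template`.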