Merge branch 'main' into feat/bigtabledeletion
Showing
60 changed files
with
6,040 additions
and
2,108 deletions.
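--- /dev/null
+++ b/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py
@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class DataFactoryUsesGitRepository(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Data Factory uses Git repository for source control"
+        id = "CKV_AZURE_103"
+        supported_resources = ("Microsoft.DataFactory/factories",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/repoConfiguration/type"]
+            repo = properties.get("repoConfiguration")
+            if not repo:
+                return CheckResult.FAILED
+            if repo and isinstance(repo, dict) and repo.get("type") is not None:
+                return CheckResult.PASSED
+            return CheckResult.UNKNOWN
+        return CheckResult.FAILED
+
+
+check = DataFactoryUsesGitRepository()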
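Review bot: The `repo and` in `if repo and isinstance(repo, dict) and repo.get("type") is not None:` is redundant, because `if not repo: return CheckResult.FAILED` two lines above already rejects every falsy value. The same condition passes any non-None `type`, including an empty string, so `"repoConfiguration": {"type": ""}` is reported PASSED; `if isinstance(repo, dict) and repo.get("type"):` would route that case to UNKNOWN together with the other unparsed shapes. A non-dict `repoConfiguration` (for example an ARM expression string) falls through to UNKNOWN, which looks intended but deserves a one-line comment such as `# expression or unparsed value: cannot evaluate statically`.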
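--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class MySQLEncryptionEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that MySQL server enables infrastructure encryption"
+        id = "CKV_AZURE_96"
+        supported_resources = ("Microsoft.DBforMySQL/flexibleServers",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:
+        properties = conf.get("properties")
+        if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties/dataencryption"]
+            data_encryption = properties.get("dataencryption")
+            if data_encryption and isinstance(data_encryption, dict):
+                if data_encryption is None:
+                    return CheckResult.FAILED
+                return CheckResult.PASSED
+            # unparsed
+            elif data_encryption and isinstance(data_encryption, str):
+                return CheckResult.UNKNOWN
+            return CheckResult.FAILED
+        return CheckResult.UNKNOWN
+
+
+check = MySQLEncryptionEnabled()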
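Review bot: `if data_encryption is None:` inside the `if data_encryption and isinstance(data_encryption, dict):` branch can never be true — the guard already requires a truthy dict — so that line and its `return CheckResult.FAILED` are dead code and should be removed. The signature `scan_resource_conf(self, conf: dict[str, Any], entity_type: str)` also differs from the other ARM checks in this commit, which take only `conf` and read `self.entity_type`; if the base class calls the method with `conf` alone this raises a TypeError at scan time, so confirm against BaseResourceCheck. PASSED is returned for any non-empty `dataencryption` dict without inspecting its contents, so the mere presence of the block counts as encryption enabled; evaluating the nested setting the check is named for would make the result meaningful. The lookup key is the lowercase `"dataencryption"` while ARM templates are usually camel-cased — whether the parser normalizes property names is not visible here, and a case-preserving parser would never match, so that is worth verifying with a test template.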
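--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+from typing import Any
+
+from checkov.common.util.data_structures_utils import find_in_dict
+
+
+class VMEncryptionAtHostEnabled(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Virtual machine scale sets have encryption at host enabled"
+        id = "CKV_AZURE_97"
+        supported_resources = ("Microsoft.Compute/virtualMachineScaleSets", "Microsoft.Compute/virtualMachines")
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        encryption = ""
+
+        if self.entity_type == "Microsoft.Compute/virtualMachines":
+            self.evaluated_keys = ["properties/securityProfile/encryptionAtHost"]
+            encryption = find_in_dict(input_dict=conf, key_path="properties/securityProfile/encryptionAtHost")
+        elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets":
+            self.evaluated_keys = ["properties/virtualMachineProfile/securityProfile/encryptionAtHost"]
+            encryption = find_in_dict(
+                input_dict=conf, key_path="properties/virtualMachineProfile/securityProfile/encryptionAtHost"
+            )
+
+        if encryption == "true":
+            return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = VMEncryptionAtHostEnabled()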
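Review bot: `if encryption == "true":` only matches the string form of the value; ARM templates are JSON, so if the parser hands back a Python bool for the literal `true` this check reports FAILED for correctly configured resources — confirm what `find_in_dict` returns here, and consider `if encryption is True or str(encryption).lower() == "true":`. Every other value, including an ARM expression that references a parameter, is also reported FAILED rather than UNKNOWN, which is stricter than the other ARM checks in this commit and should at least be stated in a comment. The check name says "Virtual machine scale sets" while `supported_resources` also lists `Microsoft.Compute/virtualMachines`; align the name with the covered resources.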
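--- a/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py
+++ b/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py
@@ -1,30 +1,32 @@
-from typing import List
+from __future__ import annotations
 
+from typing import Any
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
 
 
 class LambdaEnvironmentEncryptionSettings(BaseResourceCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Check encryption settings for Lambda environmental variable"
         id = "CKV_AWS_173"
-        supported_resources = ['AWS::Lambda::Function', "AWS::Serverless::Function"]
-        categories = [CheckCategories.ENCRYPTION]
+        supported_resources = ("AWS::Lambda::Function", "AWS::Serverless::Function")
+        categories = (CheckCategories.ENCRYPTION,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
-        properties = conf.get('Properties')
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        properties = conf.get("Properties")
         if properties is not None:
-            env = properties.get('Environment')
+            env = properties.get("Environment")
             if env is not None:
                 if not isinstance(env, dict):
                     return CheckResult.UNKNOWN
-                elif env.get('Variables') and not properties.get('KmsKeyArn'):
+                elif env.get("Variables") and not properties.get("KmsKeyArn"):
                     return CheckResult.FAILED
         return CheckResult.PASSED
 
-    def get_evaluated_keys(self) -> List[str]:
-        return ['Properties/Environment/Variables', 'Properties/KmsKeyArn']
+    def get_evaluated_keys(self) -> list[str]:
+        return ["Properties/KmsKeyArn"]
 
 
 check = LambdaEnvironmentEncryptionSettings()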
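Review bot: `get_evaluated_keys` now returns only `["Properties/KmsKeyArn"]`, yet `scan_resource_conf` still decides FAILED on `env.get("Variables")`, so the reported evaluated keys no longer describe what the decision depends on; if dropping `Properties/Environment/Variables` is deliberate (for instance to keep variable values out of reports), say so in a comment, otherwise restore it. `properties.get("Environment")` assumes `Properties` is a dict — a non-dict value raises AttributeError instead of yielding UNKNOWN, unlike the `env` branch, which does guard with `isinstance`. The `elif` after an unconditional `return` can be a plain `if`.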
14 changes: 8 additions & 6 deletions
14
checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py