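    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Fail when an OWASP 3.1/3.2 rule set disables rule 944240 of the JAVA attack group.

        Walks ``managed_rules[0].managed_rule_set``. For the first rule set whose
        ``type`` is OWASP (the code assumes OWASP when ``type`` is omitted) and whose
        ``version`` is 3.1 or 3.2, every ``rule_group_override`` is inspected: the check
        fails if the ``REQUEST-944-APPLICATION-ATTACK-JAVA`` group lists ``944240`` in
        its ``disabled_rules``, otherwise it passes. No qualifying rule set (or no
        ``managed_rules`` at all) is a failure.

        :param conf: resource configuration (Terraform-style lists of values)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        self.evaluated_keys = ["managed_rules"]
        managed_rules = conf.get("managed_rules")
        if not managed_rules:
            return CheckResult.FAILED

        managed_rule_sets = managed_rules[0].get("managed_rule_set") or []
        for idx_rule_set, rule_set in enumerate(force_list(managed_rule_sets)):
            self.evaluated_keys = [
                f"managed_rules/[0]/managed_rule_set[{idx_rule_set}]/type",
                f"managed_rules/[0]/managed_rule_set[{idx_rule_set}]/version",
            ]
            is_owasp = rule_set.get("type", ["OWASP"]) == ["OWASP"]
            if not (is_owasp and rule_set.get("version") in (["3.1"], ["3.2"])):
                continue

            rule_overrides = rule_set.get("rule_group_override") or []
            for idx_override, rule_override in enumerate(force_list(rule_overrides)):
                self.evaluated_keys.extend([
                    f"managed_rules/[0]/managed_rule_set[{idx_rule_set}]/rule_group_override/[{idx_override}]/rule_group_name",
                    f"managed_rules/[0]/managed_rule_set[{idx_rule_set}]/rule_group_override/[{idx_override}]/disabled_rules",
                ])
                if rule_override.get("rule_group_name") != ["REQUEST-944-APPLICATION-ATTACK-JAVA"]:
                    continue
                disabled_rules = rule_override.get("disabled_rules") or []
                # an explicit but empty ``disabled_rules = []`` is still a list and
                # used to raise IndexError on [0]; nothing is disabled in that case
                if (isinstance(disabled_rules, list) and disabled_rules
                        and "944240" in force_list(disabled_rules[0])):
                    return CheckResult.FAILED

            # the first OWASP 3.1/3.2 rule set decides the result
            return CheckResult.PASSED

        return CheckResult.FAILED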
    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Fail unless rule 944240 of the JAVA rule group stays enabled and blocking.

        Iterates the ``managed_rule`` blocks; the first one whose ``type`` is
        ``DefaultRuleSet`` or ``Microsoft_DefaultRuleSet`` decides the result. Within
        it every ``override`` of the ``JAVA`` group is inspected, and a ``rule`` with
        ``rule_id`` 944240 fails the check when ``enabled`` is not ``true`` or
        ``action`` is neither ``Block`` nor ``Redirect``. No qualifying managed rule
        at all is a failure.

        :param conf: resource configuration (Terraform-style lists of values)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        self.evaluated_keys = ["managed_rule"]
        accepted_types = (["DefaultRuleSet"], ["Microsoft_DefaultRuleSet"])
        for rule_idx, managed_rule in enumerate(force_list(conf.get("managed_rule") or [])):
            prefix = f"managed_rule/[{rule_idx}]"
            self.evaluated_keys = [f"{prefix}/type"]
            if managed_rule.get("type") not in accepted_types:
                continue

            for override_idx, override in enumerate(force_list(managed_rule.get("override") or [])):
                override_prefix = f"{prefix}/override/[{override_idx}]"
                self.evaluated_keys.append(f"{override_prefix}/rule_group_name")
                if override.get("rule_group_name") != ["JAVA"]:
                    continue

                for inner_idx, rule in enumerate(force_list(override.get("rule") or [])):
                    rule_prefix = f"{override_prefix}/rule/[{inner_idx}]"
                    self.evaluated_keys.extend([
                        f"{rule_prefix}/rule_id",
                        f"{rule_prefix}/enabled",
                        f"{rule_prefix}/action",
                    ])
                    if rule.get("rule_id") != ["944240"]:
                        continue
                    # the rule must be explicitly enabled AND use a blocking action
                    if rule.get("enabled") != [True]:
                        return CheckResult.FAILED
                    if rule.get("action") not in (["Block"], ["Redirect"]):
                        return CheckResult.FAILED

            return CheckResult.PASSED

        return CheckResult.FAILED
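    def scan_resource_conf(self, conf):
        """
            Looks for configuration at security group ingress rules :
            https://www.terraform.io/docs/providers/aws/r/security_group.html

            Fails when an ingress rule covers ``self.port`` (from_port <= port <= to_port),
            lists ``0.0.0.0/0`` in ``cidr_blocks`` and has no ``security_groups`` set.
            A resource without ingress blocks passes.
        :param conf: aws_security_group configuration
        :return: <CheckResult>
        """
        for ingress_rule in conf.get('ingress') or []:
            for rule in force_list(ingress_rule):
                if not isinstance(rule, dict):
                    continue
                # a rule without both ports, or whose ports force_int cannot parse,
                # cannot be matched against self.port; skip it instead of raising,
                # as the sibling contains_violation helpers do
                if 'from_port' not in rule or 'to_port' not in rule:
                    continue
                from_port = force_int(force_list(rule['from_port'])[0])
                to_port = force_int(force_list(rule['to_port'])[0])
                if from_port is None or to_port is None:
                    continue

                if from_port <= self.port <= to_port:
                    # cidr_blocks normally is a list wrapping one list; an explicit
                    # empty list (or null) must not raise on [0]
                    cidr_blocks = force_list((rule.get('cidr_blocks') or [[]])[0])
                    security_groups = rule.get('security_groups', [])

                    if "0.0.0.0/0" in cidr_blocks and not security_groups:
                        return CheckResult.FAILED

        return CheckResult.PASSED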
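    def contains_violation(self, conf):
        """Return True when this alicloud rule exposes ``self.port`` without a CIDR restriction.

        ``port_range`` is a ``"<from>/<to>"`` string. The rule violates when
        from <= ``self.port`` <= to and ``cidr_ip`` is either ``0.0.0.0/0`` or
        absent/empty (no source restriction at all).

        :param conf: alicloud_security_group_rule configuration
        :return: bool
        """
        port_range = force_list(conf.get('port_range', [{-1}]))[0]
        # a non-string (e.g. a variable reference) or a value without the "/"
        # separator cannot be evaluated; treat it as no violation rather than
        # raising on split()/[1]
        if not isinstance(port_range, str):
            return False
        parts = port_range.split('/')
        if len(parts) < 2:
            return False
        from_port = force_int(parts[0])
        to_port = force_int(parts[1])
        if from_port is None or to_port is None:
            return False

        if from_port <= self.port <= to_port:
            cidr_blocks = force_list(conf.get('cidr_ip', [[]]))
            # an empty cidr list counts as unrestricted, exactly like an empty
            # first entry did before
            if not cidr_blocks or "0.0.0.0/0" in cidr_blocks or not cidr_blocks[0]:
                return True
        return False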
 def scan_resource_conf(self, conf):
     """Fail when a string value in the first ``environment.variables`` block looks like a secret.

     Only the first ``environment`` block is consulted, and only when its
     ``variables`` entry resolves to a dict (a string there points to a variable
     and is ignored). Each value is flattened with ``force_list``; non-string
     entries are skipped and ``string_has_secrets`` with the AWS and GENERAL
     pattern sets decides.

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     environment = conf.get('environment', [])
     if len(environment) == 0 or not isinstance(environment[0], dict):
         return CheckResult.PASSED
     if 'variables' not in environment[0]:
         return CheckResult.PASSED
     # variables can be a string, which in this case it points to a variable
     variables = force_list(environment[0]['variables'])[0]
     if not isinstance(variables, dict):
         return CheckResult.PASSED

     for values in variables.values():
         string_values = (v for v in force_list(values) if isinstance(v, str))
         if any(string_has_secrets(v, AWS, GENERAL) for v in string_values):
             return CheckResult.FAILED
     return CheckResult.PASSED
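    def contains_violation(self, conf):
        """Return True when the rule opens ``self.port`` to ``0.0.0.0/0``.

        Ports that ``force_int`` cannot parse (None) never match. Only the IPv4
        ``cidr_blocks`` attribute is inspected here.

        :param conf: ingress block or security group rule configuration
        :return: bool
        """
        from_port = force_int(force_list(conf.get('from_port', [{-1}]))[0])
        to_port = force_int(force_list(conf.get('to_port', [{-1}]))[0])

        if from_port is not None and to_port is not None and (
                from_port <= self.port <= to_port):
            # cidr_blocks normally is a list wrapping one list; an explicit empty
            # list (or null) must not raise on [0]
            cidr_blocks = force_list((conf.get('cidr_blocks') or [[]])[0])
            if "0.0.0.0/0" in cidr_blocks:
                return True

        return False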
def check_policy(policy_block):
    """Fail a parsed IAM policy that allows every action on every resource.

    A statement violates when it carries an ``Action`` key, its ``Effect`` is
    ``Allow`` (assumed when absent) and ``*`` appears in both ``Action`` and
    ``Resource``. Anything that is not a non-empty dict with a ``Statement`` key
    passes.

    :param policy_block: policy document as a dict
    :return: CheckResult.PASSED / CheckResult.FAILED
    """
    if not policy_block or not isinstance(policy_block, dict):
        return CheckResult.PASSED
    if 'Statement' not in policy_block:
        return CheckResult.PASSED

    for statement in force_list(policy_block['Statement']):
        if 'Action' not in statement:
            continue
        allows = statement.get('Effect', 'Allow') == 'Allow'
        actions = force_list(statement.get('Action', ['']))
        resources = force_list(statement.get('Resource', ['']))
        if allows and '*' in actions and '*' in resources:
            return CheckResult.FAILED
    return CheckResult.PASSED
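    def scan_resource_conf(self, conf):
        """
            Looks for configuration at security group ingress rules :
            https://www.terraform.io/docs/providers/aws/r/security_group.html
            https://www.terraform.io/docs/providers/aws/r/security_group_rule.html

            Return PASS if:
            - The resource is an aws_security_group that contains no violating ingress rules (including if there are no
              ingress rules at all), OR
            - The resource is an aws_security_group_rule of type 'ingress' that does not violate the check.

            Return FAIL if:
            - The resource is an aws_security_group that contains a violating ingress rule, OR
            - The resource is an aws_security_group_rule of type 'ingress' that violates the check.

            Return UNKNOWN if:
            - the resource is an aws_security_group_rule of type 'egress'

            What counts as a violation is decided by ``self.contains_violation``;
            ``evaluated_keys`` is pointed at the port/CIDR attributes of the failing rule.

        :param conf: aws_security_group or aws_security_group_rule configuration
        :return: <CheckResult>
        """

        if 'ingress' in conf:  # This means it's an SG resource with ingress block(s)
            # enumerate() instead of list.index(): with two identical ingress blocks
            # index() reported the first one's position for both of them
            for idx, ingress_rule in enumerate(conf['ingress']):
                for rule in force_list(ingress_rule):
                    if isinstance(rule, dict) and self.contains_violation(rule):
                        self.evaluated_keys = [
                            f'ingress/[{idx}]/from_port',
                            f'ingress/[{idx}]/to_port',
                            f'ingress/[{idx}]/cidr_blocks',
                            f'ingress/[{idx}]/ipv6_cidr_blocks',
                        ]
                        return CheckResult.FAILED

            return CheckResult.PASSED

        if 'type' in conf:  # This means it's an SG_rule resource.
            rule_type = force_list(conf['type'])[0]  # renamed: 'type' shadowed the builtin
            if rule_type == 'ingress':
                self.evaluated_keys = [
                    'from_port', 'to_port', 'cidr_blocks', 'ipv6_cidr_blocks'
                ]
                if self.contains_violation(conf):
                    return CheckResult.FAILED
                return CheckResult.PASSED
            return CheckResult.UNKNOWN

        # The result for an SG with no ingress block
        return CheckResult.PASSED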
    def contains_violation(self, conf, protocol_key, from_port_key, to_port_key, cidr_key):
        """Return True when a non-ICMP rule exposes ``self.port`` to an any-address CIDR.

        The attribute names are parameters so the same logic serves resources that
        name their protocol/port/CIDR fields differently. ICMP rules never violate
        (no ports). The CIDR is read as ``conf[cidr_key][0]`` and compared with
        ``0.0.0.0/0``, ``::/0`` and the fully expanded IPv6 any-address form.

        :return: bool
        """
        any_address = ('0.0.0.0/0', '::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
        protocol = force_list(conf.get(protocol_key, [{-1}]))[0]
        from_port = force_int(force_list(conf.get(from_port_key, [{-1}]))[0])
        to_port = force_int(force_list(conf.get(to_port_key, [{-1}]))[0])

        if protocol == "icmp":
            return False
        if from_port is None or to_port is None:
            return False
        if not from_port <= self.port <= to_port:
            return False

        cidr = conf.get(cidr_key, [])
        return len(cidr) > 0 and cidr[0] in any_address
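 def scan_resource_conf(self, conf):
     """Fail when the JSON ``policy`` has an Allow statement whose Action includes ``*``.

     ``conf['policy'][0]`` is parsed with ``json.loads``. A statement violates when
     it carries an ``Action`` key, its ``Effect`` is ``Allow`` (assumed when absent)
     and ``*`` appears among its actions. Unparsable or unexpectedly shaped
     policies pass (best effort), as before.

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     if 'policy' not in conf.keys():
         return CheckResult.PASSED
     try:
         policy_block = json.loads(conf['policy'][0])
         if 'Statement' in policy_block.keys():
             for statement in force_list(policy_block['Statement']):
                 # the default must be the bare string: the former ['Allow'] default
                 # never compared equal to 'Allow', so statements without an Effect
                 # were silently skipped
                 if 'Action' in statement and \
                         statement.get('Effect', 'Allow') == 'Allow' and \
                         '*' in force_list(statement['Action']):
                     return CheckResult.FAILED
     except Exception:  # nosec
         # narrowed from a bare except (which also swallowed KeyboardInterrupt);
         # malformed input still yields the best-effort PASSED
         pass
     return CheckResult.PASSED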
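    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        """Fail unless AWSManagedRulesKnownBadInputsRuleSet is applied with Log4JRCE active.

        Walks ``rule[*].statement[0].managed_rule_group_statement[0]``. The first
        rule referencing ``AWSManagedRulesKnownBadInputsRuleSet`` decides: the check
        fails when ``Log4JRCE`` is listed under ``excluded_rule`` (set to count) or
        when the rule's ``override_action`` is not ``none`` (the whole group is
        overridden). No such rule at all is a failure.

        :param conf: resource configuration (Terraform-style lists of values)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        self.evaluated_keys = ["rule"]
        rules = conf.get("rule") or []
        for idx_rule, rule in enumerate(force_list(rules)):
            self.evaluated_keys = [f"rule/[{idx_rule}]/statement"]
            statement = rule.get("statement")
            if not statement:
                continue
            self.evaluated_keys = [
                f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement"
            ]
            managed_group = statement[0].get("managed_rule_group_statement")
            if not managed_group:
                continue
            self.evaluated_keys = [
                f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement/[0]/name"
            ]
            if not managed_group[0] or managed_group[0].get("name") != [
                    "AWSManagedRulesKnownBadInputsRuleSet"
            ]:
                continue

            self.evaluated_keys.append(
                f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement/[0]/excluded_rule"
            )
            excluded_rules = managed_group[0].get("excluded_rule") or []
            # rule 'Log4JRCE' should not be set to count
            for idx_excluded_rule, excluded_rule in enumerate(force_list(excluded_rules)):
                if excluded_rule and excluded_rule.get("name") == ["Log4JRCE"]:
                    self.evaluated_keys = [
                        f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement/[0]/name",
                        f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement/[0]/excluded_rule/[{idx_excluded_rule}]/name",
                    ]
                    return CheckResult.FAILED

            self.evaluated_keys.append(f"rule/[{idx_rule}]/override_action/[0]/none")
            # check for group override; a missing override_action block used to raise
            # TypeError on [0] and is now treated like a non-"none" override
            override_action = rule.get("override_action")
            if not override_action or not isinstance(override_action[0], dict):
                return CheckResult.FAILED
            override_action_none = override_action[0].get("none")
            # Terraform plan includes both keys, but one is a dict and the not chosen one a list
            if not override_action_none or not isinstance(override_action_none[0], dict):
                return CheckResult.FAILED

            return CheckResult.PASSED

        return CheckResult.FAILED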
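 def scan_resource_conf(self, conf):
     """Fail when ``policy`` has an Allow statement with ``*`` in both Action and Resource.

     ``extract_policy_dict(conf['policy'][0])`` produces the policy dict. A statement
     violates when it carries an ``Action`` key, its ``Effect`` is ``Allow`` (the
     default when absent) and ``*`` is among both its actions and its resources.
     Any exception while parsing or walking the policy yields PASSED (best effort).

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     if 'policy' not in conf.keys():
         return CheckResult.PASSED
     try:
         policy_block = extract_policy_dict(conf['policy'][0])
         if policy_block and 'Statement' in policy_block.keys():
             for statement in force_list(policy_block['Statement']):
                 if 'Action' not in statement:
                     continue
                 effect = statement.get('Effect', 'Allow')
                 action = force_list(statement.get('Action', ['']))
                 resource = force_list(statement.get('Resource', ['']))
                 if effect == 'Allow' and '*' in action and '*' in resource:
                     return CheckResult.FAILED
     except Exception:  # nosec
         # narrowed from a bare except, which also swallowed KeyboardInterrupt and
         # SystemExit; malformed input still yields the best-effort PASSED
         pass
     return CheckResult.PASSED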
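def check_policy(policy_block):
    """Fail a policy that has an Allow statement whose Action includes ``*``.

    ``policy_block`` may be a dict or its string representation; a string is
    parsed with ``ast.literal_eval`` (Python literal syntax only, so this does not
    evaluate arbitrary code but also does not accept JSON's ``true``/``null``).
    Every statement is examined; a missing ``Effect`` counts as ``Allow``. An empty
    block or one without ``Statement`` passes.

    :param policy_block: policy document (dict or str)
    :return: CheckResult.PASSED / CheckResult.FAILED
    """
    if not policy_block:
        return CheckResult.PASSED
    if isinstance(policy_block, str):
        policy_block = ast.literal_eval(policy_block)
    if 'Statement' not in policy_block.keys():
        return CheckResult.PASSED

    for statement in force_list(policy_block['Statement']):
        # previously the loop returned PASSED right after the first statement, so
        # only the first one was ever examined; the old ['Allow'] default also
        # never compared equal to the string 'Allow'
        if 'Action' in statement and statement.get('Effect', 'Allow') == 'Allow' \
                and '*' in force_list(statement['Action']):
            return CheckResult.FAILED
    return CheckResult.PASSED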
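 def scan_resource_conf(self, conf):
     """Fail when a non-Deny statement in ``policy`` grants access to Principal ``*``.

     ``conf['policy'][0]`` is expected to be the already-parsed policy dict. A
     statement violates when its ``Principal`` is ``*`` (string, or list containing
     ``*``) or when ``Principal.AWS`` is. Statements with ``Effect: Deny`` are
     skipped. ``evaluated_keys`` is pointed at the offending Principal path.
     Unexpectedly shaped input passes (best effort).

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     if 'policy' not in conf:
         return CheckResult.PASSED
     self.evaluated_keys = ['policy']
     try:
         policy_block = conf['policy'][0]
         if 'Statement' in policy_block:
             self.evaluated_keys = ['policy/[0]/Statement']
             statements = policy_block['Statement']
             for idx, statement in enumerate(force_list(statements)):
                 if 'Principal' not in statement:
                     continue
                 if statement.get('Effect') == 'Deny':
                     continue
                 principal = statement['Principal']
                 # the index segment only exists when Statement really is a list
                 idx_evaluated_key = f'[{idx}]/' if isinstance(statements, list) else ''
                 # only a dict principal can carry an AWS key; a string principal
                 # containing "AWS" used to raise and abort the whole scan as PASSED
                 if isinstance(principal, dict) and 'AWS' in principal:
                     aws = principal['AWS']
                     if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
                         self.evaluated_keys = [f'policy/[0]/Statement/{idx_evaluated_key}Principal/AWS']
                         return CheckResult.FAILED
                 if (isinstance(principal, str) and principal == '*') or (isinstance(principal, list) and '*' in principal):
                     self.evaluated_keys = [f'policy/[0]/Statement/{idx_evaluated_key}Principal']
                     return CheckResult.FAILED
     except Exception:  # nosec
         # narrowed from a bare except (which also swallowed KeyboardInterrupt);
         # malformed input still yields the best-effort PASSED
         pass
     return CheckResult.PASSED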
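    def scan_resource_conf(self, conf):
        """
            validates that ALB Listener is using TLS v1.2
            https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html

            HTTPS/TLS listeners pass only with an SslPolicy starting with
            ELBSecurityPolicy-FS-1-2 or ELBSecurityPolicy-TLS-1-2; TCP/UDP/TCP_UDP
            listeners pass unconditionally; any other protocol (e.g. HTTP) passes only
            when one of its DefaultActions redirects to HTTPS. A missing Properties
            or Protocol fails.
        :param conf: AWS::ElasticLoadBalancingV2::Listener resource (CloudFormation)
        :return: <CheckResult>
        """
        properties = conf.get('Properties')
        if not isinstance(properties, dict) or 'Protocol' not in properties:
            return CheckResult.FAILED

        protocol = properties['Protocol']
        # Check SslPolicy only if protocol is HTTPS or TLS.
        # Other protocols are not interesting within the context of this check.
        if protocol in ('HTTPS', 'TLS'):
            ssl_policy = properties.get('SslPolicy')
            # an intrinsic function (dict) cannot be evaluated here and used to raise
            # AttributeError on .startswith(); it now fails closed
            if isinstance(ssl_policy, str) and ssl_policy.startswith(
                    ("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")):
                return CheckResult.PASSED
            return CheckResult.FAILED
        if protocol in ('TCP', 'UDP', 'TCP_UDP'):
            return CheckResult.PASSED

        # DefaultActions used to be read with [] and raised KeyError when absent
        for action in properties.get('DefaultActions') or []:
            if not isinstance(action, dict):
                continue
            for redirect in force_list(action.get("RedirectConfig", [])):
                if isinstance(redirect, dict) and redirect.get("Protocol", []) == 'HTTPS':
                    return CheckResult.PASSED
        return CheckResult.FAILED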
 def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
     """Fail when no customer-managed KMS key is configured.

     Passes only if ``kms_key_id`` is set and its first value does not contain the
     substring ``aws/`` (treated as the marker of an AWS-managed key alias); an
     absent ``kms_key_id`` fails.

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     managed_alias_marker = 'aws/'
     key_values = force_list(conf.get('kms_key_id', []))
     if not key_values:
         return CheckResult.FAILED
     uses_aws_managed_key = managed_alias_marker in key_values[0]
     return CheckResult.FAILED if uses_aws_managed_key else CheckResult.PASSED
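    def scan_resource_conf(self, conf):
        """Fail when a non-Deny statement in the JSON ``policy`` names Principal ``*``.

        Only a string ``conf['policy'][0]`` is examined (parsed with ``json.loads``).
        A statement violates when its ``Principal`` is ``*`` or its ``Principal.AWS``
        is ``*`` (string, or list containing ``*``). Deny statements and statements
        without ``Principal`` are skipped. Unparsable input passes (best effort).

        :param conf: resource configuration (Terraform-style lists of values)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        if 'policy' not in conf.keys() or not isinstance(conf['policy'][0], str):
            return CheckResult.PASSED
        try:
            policy_block = json.loads(conf['policy'][0])
            if 'Statement' in policy_block.keys():
                for statement in force_list(policy_block['Statement']):
                    # .get(): a statement without Effect used to raise KeyError, which
                    # the except below turned into a silent PASSED for the whole policy
                    if statement.get('Effect') == 'Deny' or 'Principal' not in statement:
                        continue

                    principal = statement['Principal']
                    if principal == '*':
                        return CheckResult.FAILED
                    if isinstance(principal, dict) and 'AWS' in principal:
                        # Can be a string or an array of strings
                        aws = principal['AWS']
                        if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
                            return CheckResult.FAILED
        except Exception:  # nosec
            pass
        return CheckResult.PASSED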
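    def scan_resource_conf(self, conf):
        """Fail when an unconditional Deny statement in the JSON ``policy`` uses wildcards.

        Only a string ``conf['policy'][0]`` is examined. Statements with a
        ``Condition``, a ``NotAction`` or an ``Effect`` other than ``Deny`` are
        skipped (see the linked PR discussion). A remaining statement fails the
        check when its ``Principal`` is ``*``, its ``Principal.AWS`` is ``*`` (string
        or list), or its ``Action`` is ``*``. Any exception yields PASSED (best
        effort).

        :param conf: resource configuration (Terraform-style lists of values)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        if 'policy' not in conf.keys() or not isinstance(conf['policy'][0], str):
            return CheckResult.PASSED
        try:
            policy_block = json.loads(conf['policy'][0])
            if 'Statement' in policy_block.keys():
                for statement in force_list(policy_block['Statement']):
                    if 'Condition' in statement.keys() or 'NotAction' in statement.keys() \
                            or statement.get('Effect') != 'Deny':
                        # https://github.com/bridgecrewio/checkov/pull/627#issuecomment-714681751
                        continue

                    principal = statement['Principal']
                    if principal == '*':
                        return CheckResult.FAILED
                    if 'AWS' in statement['Principal']:
                        # Can be a string or an array of strings
                        aws = statement['Principal']['AWS']
                        if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
                            return CheckResult.FAILED

                    action = statement['Action']
                    if action == '*':
                        return CheckResult.FAILED
                    # NOTE(review): when Action is a string or a list (the shapes the
                    # comment below describes) statement['Action']['s3'] raises
                    # TypeError as soon as 's3' is found in it, and the except below
                    # turns that into PASSED for the whole policy. The intended s3
                    # wildcard test cannot be recovered from here -- confirm and
                    # rewrite it against force_list(action).
                    if 's3' in statement['Action']:
                        # Can be a string or an array of strings
                        s3 = statement['Action']['s3']
                        if (isinstance(s3, str) and s3 == '*') or (isinstance(s3, list) and '*' in s3):
                            return CheckResult.FAILED
        except Exception:  # nosec
            # narrowed from a bare except, which also swallowed KeyboardInterrupt
            pass
        return CheckResult.PASSED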
    def scan_resource_conf(self, conf):
        """
            Looks for configuration at security group ingress rules :
            https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule

            Return PASS if:
            - The resource is an alicloud_security_group_rule of type 'ingress' that does not violate the check
              (a rule without a port_range is never a violation), OR
            - The resource carries no 'type' attribute at all.

            Return FAIL if:
            - The resource is an alicloud_security_group_rule of type 'ingress' that violates the check.

            Return UNKNOWN if:
            - the resource is an alicloud_security_group_rule of type 'egress'

        :param conf: alicloud_security_group_rule configuration
        :return: <CheckResult>
        """
        if 'type' not in conf:
            return CheckResult.PASSED

        rule_type = force_list(conf['type'])[0]  # 'type' would shadow the builtin
        if rule_type != 'ingress':
            return CheckResult.UNKNOWN

        self.evaluated_keys = ['port_range', 'cidr_ip']
        # without a port_range there is nothing to match self.port against
        if not conf.get('port_range'):
            return CheckResult.PASSED
        return CheckResult.FAILED if self.contains_violation(conf) else CheckResult.PASSED
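    def scan_resource_conf(self, conf):
        """Pass only when S3, CloudWatch and job-bookmark encryption are all enabled.

        Reads ``Properties.EncryptionConfiguration`` of a CloudFormation Glue security
        configuration: ``CloudWatchEncryption.CloudWatchEncryptionMode`` and
        ``JobBookmarksEncryption.JobBookmarksEncryptionMode`` must be present and not
        ``DISABLED``, and at least one ``S3Encryptions`` entry must have an
        ``S3EncryptionMode`` other than ``DISABLED``. Any missing piece fails.

        :param conf: CloudFormation resource (dict with ``Properties``)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        def _mode_enabled(block, mode_key):
            # a non-dict block (e.g. an intrinsic function) cannot be evaluated and
            # used to raise AttributeError on .keys(); treat it as not enabled
            return isinstance(block, dict) and mode_key in block and block[mode_key] != 'DISABLED'

        properties = conf.get('Properties')
        enc_conf = properties.get('EncryptionConfiguration') if isinstance(properties, dict) else None
        if not isinstance(enc_conf, dict):
            return CheckResult.FAILED

        cw_enc = _mode_enabled(enc_conf.get('CloudWatchEncryption'), 'CloudWatchEncryptionMode')
        book_enc = _mode_enabled(enc_conf.get('JobBookmarksEncryption'), 'JobBookmarksEncryptionMode')
        s3_enc = any(
            _mode_enabled(s3_encryption, 'S3EncryptionMode')
            for s3_encryption in force_list(enc_conf.get('S3Encryptions') or [])
        )

        if s3_enc and cw_enc and book_enc:
            return CheckResult.PASSED

        return CheckResult.FAILED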
 def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
     """Pass when the listener enforces a TLS 1.2 policy or redirects to HTTPS.

     HTTPS/TLS listeners pass only with an ``ssl_policy`` whose name starts with
     ``ELBSecurityPolicy-FS-1-2`` or ``ELBSecurityPolicy-TLS-1-2``; TCP/UDP/TCP_UDP
     listeners pass unconditionally; any other protocol passes when one of its
     ``default_action`` blocks carries a ``redirect`` with protocol ``HTTPS``.
     A missing ``protocol`` fails. ``evaluated_keys`` records the attributes that
     decided the result.

     :param conf: listener configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     protocol_key = "protocol"
     self.evaluated_keys = [protocol_key]
     if protocol_key not in conf.keys():
         return CheckResult.FAILED

     protocol = conf[protocol_key]
     if protocol in (["HTTPS"], ["TLS"]):
         # Only interested in HTTPS & TLS listeners
         policy_key = "ssl_policy"
         if policy_key not in conf.keys():
             return CheckResult.FAILED
         self.evaluated_keys.append(policy_key)
         # the value is a one-element list; strip the bracket/quote characters of its repr
         policy_name = str(conf[policy_key]).strip("['']")
         tls12_prefixes = ("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")
         return CheckResult.PASSED if policy_name.startswith(tls12_prefixes) else CheckResult.FAILED
     if protocol in (["TCP"], ["UDP"], ["TCP_UDP"]):
         return CheckResult.PASSED

     for action_idx, action in enumerate(conf.get("default_action", [])):
         redirects = action.get("redirect", [])
         for redirect_idx, redirect in enumerate(force_list(redirects)):
             if not isinstance(redirect, dict) or redirect.get("protocol", []) != ["HTTPS"]:
                 continue
             # the index segment only exists when redirect really is a list
             index_segment = f"[{redirect_idx}]/" if isinstance(redirects, list) else ""
             self.evaluated_keys.append(
                 f'default_action/[{action_idx}]/redirect/{index_segment}protocol'
             )
             return CheckResult.PASSED
     return CheckResult.FAILED
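 def scan_resource_conf(self, conf):
     """Pass when the listener enforces a TLS 1.2 policy or redirects to HTTPS.

     HTTPS/TLS listeners pass only with an ``ssl_policy`` whose name starts with
     ``ELBSecurityPolicy-FS-1-2`` or ``ELBSecurityPolicy-TLS-1-2`` (a missing
     ``ssl_policy`` fails); TCP/UDP/TCP_UDP listeners pass unconditionally; any
     other protocol passes when a ``default_action`` carries a ``redirect`` with
     protocol ``HTTPS``. A missing ``protocol`` fails.

     :param conf: listener configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     key = "protocol"
     if key not in conf.keys():
         return CheckResult.FAILED
     if conf[key] in (["HTTPS"], ["TLS"]):
         # Only interested in HTTPS & TLS listeners
         policy = "ssl_policy"
         if policy not in conf.keys():
             return CheckResult.FAILED
         # the value is a one-element list; strip the bracket/quote characters of its repr
         name = str(conf[policy]).strip("['']")
         if name.startswith(("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")):
             return CheckResult.PASSED
         return CheckResult.FAILED
     if conf[key] in (["TCP"], ["UDP"], ["TCP_UDP"]):
         return CheckResult.PASSED
     for action in conf.get("default_action", []):
         for redirect in force_list(action.get("redirect", [])):
             # a redirect that is not a block (e.g. a variable reference) used to
             # raise AttributeError on .get(); skip it, as the sibling check does
             if isinstance(redirect, dict) and redirect.get("protocol", []) == ["HTTPS"]:
                 return CheckResult.PASSED
     return CheckResult.FAILED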
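 def scan_resource_conf(self, conf):
     """Fail when ``policy`` or ``inline_policy`` has an Allow statement whose Action includes ``*``.

     ``policy`` takes precedence over ``inline_policy``; the chosen value is run
     through ``extract_policy_dict``. A statement violates when it carries an
     ``Action`` key, its ``Effect`` is ``Allow`` (assumed when absent) and ``*``
     appears among its actions. Any exception yields PASSED (best effort).

     :param conf: resource configuration (Terraform-style lists of values)
     :return: CheckResult.PASSED / CheckResult.FAILED
     """
     try:
         policy_block = None
         if 'policy' in conf.keys():
             policy_block = extract_policy_dict(conf['policy'][0])
         elif 'inline_policy' in conf.keys():
             policy_block = extract_policy_dict(conf['inline_policy'][0])
         if policy_block and 'Statement' in policy_block.keys():
             for statement in force_list(policy_block['Statement']):
                 # the default must be the bare string: the former ['Allow'] default
                 # never compared equal to 'Allow', so statements without an Effect
                 # were silently skipped
                 if 'Action' in statement and \
                         statement.get('Effect', 'Allow') == 'Allow' and \
                         '*' in force_list(statement['Action']):
                     return CheckResult.FAILED
     except Exception:  # nosec
         pass
     return CheckResult.PASSED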
 def scan_data_conf(self, conf):
     """
         validates iam policy document
         https://learn.hashicorp.com/terraform/aws/iam-policy

         Fails when a statement with effect Allow (or no effect given) lists ``*``
         in both its first ``actions`` value and its first ``resources`` value.
     :param conf: policy document data-source configuration (Terraform-style lists of values)
     :return: <CheckResult>
     """
     for statement in conf.get('statement', []):
         effect = statement.get('effect', ['Allow'])
         if effect and effect[0] != 'Allow':
             continue
         actions = statement.get('actions')
         if not actions or '*' not in force_list(actions[0]):
             continue
         resources = statement.get('resources')
         if resources and '*' in force_list(resources[0]):
             return CheckResult.FAILED
     return CheckResult.PASSED
    def collect_skip_comments(resource):
        """Collect checkov skip directives from a resource's ``metadata.checkov`` entries.

        Each entry matching ``COMMENT_REGEX`` yields ``{'id', 'suppress_comment'}``
        (group 2 minus its first character, or "No comment provided"). When the
        platform id mapping knows the id, the id is swapped for the mapped one and
        the original kept as ``bc_id``; otherwise ``bc_id`` is looked up in the
        ckv->bc mapping (and may be None).

        :param resource: parsed resource dict
        :return: list of skipped-check dicts
        """
        collected = []
        id_mapping = bc_integration.get_id_mapping()
        ckv_to_bc = bc_integration.get_ckv_to_bc_id_mapping()
        if "metadata" not in resource or "checkov" not in resource["metadata"]:
            return collected

        for item in force_list(resource["metadata"]["checkov"]):
            match = re.search(COMMENT_REGEX, str(item))
            if not match:
                continue
            comment = match.group(2)
            entry = {
                'id': match.group(1),
                # drop the leading separator character of the comment group
                'suppress_comment': comment[1:] if comment else "No comment provided",
            }
            if id_mapping and entry["id"] in id_mapping:
                entry["bc_id"] = entry["id"]
                entry["id"] = id_mapping[entry["id"]]
            elif ckv_to_bc:
                entry["bc_id"] = ckv_to_bc.get(entry["id"])
            collected.append(entry)

        return collected
    def scan_data_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
        """
            validates iam policy document
            https://learn.hashicorp.com/terraform/aws/iam-policy

            Fails when a statement whose ``effect`` is Allow (the default when absent)
            has ``*`` in both its first ``actions`` value and its first ``resources`` value.
        :param conf: policy document data-source configuration (Terraform-style lists of values)
        :return: <CheckResult>
        """
        def _grants_everything(statement):
            if statement.get("effect", ["Allow"]) != ["Allow"]:
                return False
            actions = statement.get("actions")
            resources = statement.get("resources")
            return bool(actions) and "*" in force_list(actions[0]) \
                and bool(resources) and "*" in force_list(resources[0])

        if any(_grants_everything(statement) for statement in conf.get("statement", [])):
            return CheckResult.FAILED
        return CheckResult.PASSED
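    def contains_violation(self, conf):
        """Return True when the rule opens ``self.port`` to any IPv4 or IPv6 address.

        ``cidr_blocks`` violates on ``0.0.0.0/0``; ``ipv6_cidr_blocks`` on ``::/0``
        or its fully expanded form. Ports that ``force_int`` cannot parse (None)
        never match.

        :param conf: ingress block or security group rule configuration
        :return: bool
        """
        from_port = force_int(force_list(conf.get('from_port', [{-1}]))[0])
        to_port = force_int(force_list(conf.get('to_port', [{-1}]))[0])

        if from_port is not None and to_port is not None and (
                from_port <= self.port <= to_port):
            # both attributes normally are a list wrapping one list; an explicit
            # empty list (or null) must not raise on [0] / iteration
            cidr_blocks = force_list((conf.get('cidr_blocks') or [[]])[0])
            if "0.0.0.0/0" in cidr_blocks:
                return True
            ipv6_cidr_blocks = conf.get('ipv6_cidr_blocks') or []
            if ipv6_cidr_blocks and any(
                    ip in ['::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0']
                    for ip in force_list(ipv6_cidr_blocks[0] or [])):
                return True

        return False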
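    def scan_spec_conf(self, conf):
        """Fail when an annotation key containing "snippet" has a value containing "alias".

        Only ``metadata.annotations`` of the object itself is inspected. An object
        without metadata or annotations passes.

        :param conf: parsed Kubernetes object
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        # .get(): an object without a metadata key used to raise KeyError
        metadata = conf.get("metadata")
        if not metadata:
            return CheckResult.PASSED
        annotations = metadata.get('annotations')
        if not annotations:
            return CheckResult.PASSED
        for annotation in force_list(annotations):
            for key, value in annotation.items():
                # non-string values (e.g. booleans from YAML) cannot contain "alias"
                # and used to raise TypeError on the `in` test
                if "snippet" in key and isinstance(value, str) and "alias" in value:
                    return CheckResult.FAILED
        return CheckResult.PASSED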
    def scan_spec_conf(self, conf):
        """Pass when a seccomp profile is set, via securityContext or the legacy annotation.

        Pod/Deployment/StatefulSet: if ``securityContext.seccompProfile.type`` exists
        (at ``spec`` or ``spec.template.spec``) it alone decides -- only
        ``RuntimeDefault`` passes. Otherwise a ``seccomp.security.alpha.kubernetes.io/pod``
        annotation whose value contains ``docker/default`` or ``runtime/default``
        passes; which metadata block it is looked up in depends on ``kind`` (see the
        notes below). Anything else fails.

        :param conf: parsed Kubernetes object (must carry ``kind``)
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        metadata = {}

        if conf['kind'] == 'Pod':
            # dpath.search yields a (possibly empty) dict; truthy means the path exists
            security_profile = dpath.search(
                conf, 'spec/securityContext/seccompProfile/type')
            if security_profile:
                security_profile = dpath.get(
                    conf, 'spec/securityContext/seccompProfile/type')
                return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
            if "metadata" in conf:
                metadata = conf["metadata"]
        if conf['kind'] == 'Deployment':
            security_profile = dpath.search(
                conf, 'spec/template/spec/securityContext/seccompProfile/type')
            if security_profile:
                security_profile = dpath.get(
                    conf,
                    'spec/template/spec/securityContext/seccompProfile/type')
                return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
            if "metadata" in conf:
                metadata = conf["metadata"]
        if conf['kind'] == 'StatefulSet':
            security_profile = dpath.search(
                conf, 'spec/template/spec/securityContext/seccompProfile/type')
            if security_profile:
                security_profile = dpath.get(
                    conf,
                    'spec/template/spec/securityContext/seccompProfile/type')
                return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
            if "metadata" in conf:
                metadata = conf["metadata"]
        elif conf['kind'] == 'CronJob':
            if "spec" in conf:
                if "jobTemplate" in conf["spec"]:
                    if "spec" in conf["spec"]["jobTemplate"]:
                        if "template" in conf["spec"]["jobTemplate"]["spec"]:
                            if "metadata" in conf["spec"]["jobTemplate"][
                                    "spec"]["template"]:
                                metadata = conf["spec"]["jobTemplate"]["spec"][
                                    "template"]["metadata"]
        else:
            # NOTE(review): this else belongs to the StatefulSet `if`/`elif` only --
            # the Pod and Deployment branches above are separate `if`s, so for those
            # kinds this branch runs as well and, when spec.template.metadata exists,
            # replaces the top-level metadata chosen above. Net effect: Deployments
            # are checked at the pod-template annotations, StatefulSets at the
            # top-level metadata. Confirm which is intended before collapsing this
            # into one if/elif chain.
            if "spec" in conf:
                if "template" in conf["spec"]:
                    if "metadata" in conf["spec"]["template"]:
                        metadata = conf["spec"]["template"]["metadata"]

        if metadata:
            if metadata.get('annotations'):
                for annotation in force_list(metadata["annotations"]):
                    for key in annotation:
                        # substring match on the key; the value must mention one of
                        # the two default profile names
                        if "seccomp.security.alpha.kubernetes.io/pod" in key:
                            if "docker/default" in annotation[
                                    key] or "runtime/default" in annotation[
                                        key]:
                                return CheckResult.PASSED
        return CheckResult.FAILED
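    def scan_spec_conf(self, conf):
        """Fail when any ``metadata.annotations`` key contains "snippet".

        Only the annotation keys are inspected (values are ignored). An object
        without metadata or annotations passes.

        :param conf: parsed Kubernetes object
        :return: CheckResult.PASSED / CheckResult.FAILED
        """
        # .get(): an object without a metadata key used to raise KeyError
        metadata = conf.get("metadata")
        if not metadata:
            return CheckResult.PASSED
        annotations = metadata.get('annotations')
        if not annotations:
            return CheckResult.PASSED
        for annotation in force_list(annotations):
            if any("snippet" in key for key in annotation):
                return CheckResult.FAILED
        return CheckResult.PASSED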