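    def test_external_checks_and_graph_checks_load(self):
        """External YAML graph checks are registered only when their directory is passed.

        Runs the runner twice against this test directory with a
        ``framework='terraform'`` filter: first with only the ``extra_checks``
        directory, then with ``extra_yaml_checks`` added.  Only the second run
        may register a check that ``RunnerFilter.is_external_check`` recognises
        by ID.  The count is recomputed from scratch for each phase so the
        second assertion does not depend on the first, and the custom check is
        stripped from the registry in ``finally`` so a failed assertion cannot
        leak it into later tests.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        runner_filter = RunnerFilter(framework='terraform')

        def count_external_graph_checks():
            # Registry entries whose ID the filter classifies as external.
            return sum(
                1 for check in runner.graph_registry.checks
                if runner_filter.is_external_check(check.id)
            )

        try:
            # Python-only extra checks: no external graph (YAML) check expected.
            runner.run(root_folder=current_dir,
                       external_checks_dir=[os.path.join(current_dir, "extra_checks")],
                       runner_filter=runner_filter)
            self.assertEqual(count_external_graph_checks(), 0)

            # Adding the YAML directory must register exactly one external graph check.
            runner.run(root_folder=current_dir,
                       external_checks_dir=[
                           os.path.join(current_dir, "extra_checks"),
                           os.path.join(current_dir, "extra_yaml_checks"),
                       ],
                       runner_filter=runner_filter)
            self.assertGreater(len(runner.graph_registry.checks), 1)
            self.assertEqual(count_external_graph_checks(), 1)
        finally:
            # Slice assignment mutates the list in place; the registry list is
            # presumably shared across tests (hence the in-place cleanup) — confirm.
            runner.graph_registry.checks[:] = [
                check for check in runner.graph_registry.checks
                if "CUSTOM_GRAPH_AWS_1" not in check.id
            ]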
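 def test_internal_graph_checks_load(self):
     """Built-in Terraform graph checks must never be classified as external.

     Loads the YAML graph checks shipped under
     ``checkov/terraform/checks/graph_checks`` into a fresh ``Registry`` and
     asserts that ``RunnerFilter.is_external_check`` rejects each check's ID.
     The ID (``check.id``) is passed rather than the check object, matching the
     other tests in this module and the runner's own filtering code; passing
     the object would make the ``assertFalse`` pass vacuously.
     """
     graph_checks_dir = (
         Path(__file__).parent.parent.parent.parent / "checkov" / "terraform" /
         "checks" / "graph_checks")
     registry = Registry(parser=NXGraphCheckParser(), checks_dir=str(graph_checks_dir))
     registry.load_checks()
     runner_filter = RunnerFilter()
     # Guard against a vacuous pass: the loop below asserts nothing if no
     # checks were loaded.
     self.assertTrue(registry.checks, "no built-in graph checks were loaded")
     for check in registry.checks:
         self.assertFalse(runner_filter.is_external_check(check.id),
                          f"{check.id} was classified as an external check")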
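 def test_external_graph_check_load(self):
     """Loading ``extra_yaml_checks`` registers exactly one external graph check.

     The registry list is replaced with an empty one first so the count does
     not depend on what earlier tests loaded, and the custom check is removed
     again in ``finally`` so that a failing assertion does not leave it behind
     for later tests.
     """
     runner = Runner()
     current_dir = os.path.dirname(os.path.realpath(__file__))
     runner.graph_registry.checks = []
     try:
         runner.load_external_checks([os.path.join(current_dir, "extra_yaml_checks")])
         self.assertEqual(len(runner.graph_registry.checks), 1)
         runner_filter = RunnerFilter()
         for check in runner.graph_registry.checks:
             self.assertTrue(runner_filter.is_external_check(check.id),
                             f"{check.id} was not classified as an external check")
     finally:
         # In-place removal of the custom check loaded above.
         runner.graph_registry.checks[:] = [
             check for check in runner.graph_registry.checks
             if "CUSTOM_GRAPH_AWS_1" not in check.id
         ]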
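 def _should_run_scan(check_id, entity_configuration, runner_filter):
     """Decide whether *check_id* should be evaluated against one entity.

     Both ``runner_filter.checks`` (allow list) and ``runner_filter.skip_checks``
     (deny list) may mix check IDs and namespace names: an entry containing
     ``"CKV_"`` counts as a check ID, anything else as a namespace.  The
     entity's namespace is read from ``metadata.namespace``, falling back to
     ``parent_metadata.namespace`` and finally to ``"default"`` (the layout
     suggests a parsed Kubernetes object — confirm against the caller).

     Rules, in order:
       * allow list with namespaces only   -> run iff the entity's namespace is listed
       * allow list containing check IDs   -> run iff the check is listed (or is an
         external check) and, when namespaces are listed too, the entity's
         namespace is among them
       * deny list                         -> run unless the check ID or the
         entity's namespace is listed (a denied namespace suppresses *every*
         check for entities in it)
       * neither                           -> run

     Args:
         check_id: ID of the check under consideration.
         entity_configuration: dict-like entity with optional ``metadata`` /
             ``parent_metadata`` mappings.
         runner_filter: object exposing ``checks`` and ``skip_checks``.

     Returns:
         True if the check should run for this entity, otherwise False.
     """
     def entity_namespace():
         # Lookup order: metadata, then parent_metadata, then "default" for
         # entities that declare no namespace at all.
         if "metadata" in entity_configuration and "namespace" in entity_configuration["metadata"]:
             return entity_configuration["metadata"]["namespace"]
         if "parent_metadata" in entity_configuration and "namespace" in entity_configuration["parent_metadata"]:
             return entity_configuration["parent_metadata"]["namespace"]
         return "default"

     check_id_allowlist = runner_filter.checks
     check_id_denylist = runner_filter.skip_checks

     if check_id_allowlist:
         # NOTE: "CKV_" is matched as a substring, not a prefix — kept as-is
         # for compatibility with existing filter strings.
         allowed_namespaces = [entry for entry in check_id_allowlist if "CKV_" not in entry]
         if not any("CKV_" in entry for entry in check_id_allowlist):
             # Namespace-only allow list: every check runs, but only in listed namespaces.
             return entity_namespace() in allowed_namespaces
         # Short-circuit keeps is_external_check() from being consulted for listed checks.
         if check_id not in check_id_allowlist and not RunnerFilter.is_external_check(check_id):
             return False
         if not allowed_namespaces:
             # Check IDs only: no namespace restriction to apply.
             return True
         return entity_namespace() in allowed_namespaces

     if check_id_denylist:
         namespace = entity_namespace()
         return check_id not in check_id_denylist and namespace not in check_id_denylist

     return True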