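    def test_summary(self):
        """Scan example_WildcardRoles with only ``check.id`` enabled and verify the report.

        Both the aggregate counts and the exact set of passing/failing
        resource ids are asserted, so a resource that is silently
        misclassified (e.g. a wildcard rule that stops being detected)
        fails the test rather than just shifting a count.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_WildcardRoles")

        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        passing_resources = {
            'Role.test-should-pass-3.test',
            'Role.test-should-pass-2.test'
        }
        failing_resources = {
            'Role.test-should-fail-1.test',
            'Role.test-should-fail-2.test',
            'ClusterRole.test-should-fail-3.test'
        }

        self.assertEqual(summary['passed'], 2)
        self.assertEqual(summary['failed'], 3)
        self.assertEqual(summary['skipped'], 0)
        self.assertEqual(summary['parsing_errors'], 0)

        # set comprehensions instead of set([...]): same result, no throwaway list
        passed_check_resources = {c.resource for c in report.passed_checks}
        failed_check_resources = {c.resource for c in report.failed_checks}

        self.assertEqual(passing_resources, passed_check_resources)
        self.assertEqual(failing_resources, failed_check_resources)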
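    def test_record_relative_path_with_relative_dir(self):
        """Verify ``repo_file_path`` of every record when scanning a relative directory.

        The scan directory is passed as a path relative to the CWD (what the
        ``-d`` argument would receive); each record's ``repo_file_path`` is
        expected to be that relative directory joined with the record's
        ``file_path``, prefixed by a single ``/``.
        """
        # construct the scan dir as normal, then make it relative to the CWD
        current_dir = os.path.dirname(os.path.realpath(__file__))
        scan_dir_path = os.path.join(current_dir, "resources")
        dir_rel_path = os.path.relpath(scan_dir_path)

        runner = Runner()
        checks_allowlist = ['CKV_K8S_21']
        report = runner.run(root_folder=dir_rel_path,
                            external_checks_dir=None,
                            runner_filter=RunnerFilter(
                                framework='kubernetes',
                                checks=checks_allowlist))

        all_checks = report.failed_checks + report.passed_checks
        # guard against a vacuous loop below: an empty report would otherwise pass silently
        self.assertGreater(len(all_checks), 0)
        for record in all_checks:
            # the runner already prefixes file_path with '/', so no extra separator is joined here
            self.assertEqual(record.repo_file_path,
                             f'/{dir_rel_path}{record.file_path}')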
    def test_summary(self):
        """Scan example_EtcdAutoTls with only ``check.id`` enabled and verify the report."""
        fixture_dir = Path(__file__).parent / "example_EtcdAutoTls"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=str(fixture_dir), runner_filter=scan_filter)
        summary = report.get_summary()

        expected_counts = {"passed": 2, "failed": 1, "skipped": 0, "parsing_errors": 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)

        # exact resource ids, so a misclassified resource is caught and not just a count shift
        self.assertEqual(
            {"Pod.kube-system.etcd-default", "Pod.kube-system.etcd-disabled"},
            {record.resource for record in report.passed_checks},
        )
        self.assertEqual(
            {"Pod.kube-system.etcd-enabled"},
            {record.resource for record in report.failed_checks},
        )
    def test_summary(self):
        """Scan example_ApiServerAuditLog with only ``check.id`` enabled and verify the report."""
        fixture_dir = Path(__file__).parent / "example_ApiServerAuditLog"

        report = Runner().run(
            root_folder=str(fixture_dir),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        self.assertEqual(1, summary["passed"])
        self.assertEqual(1, summary["failed"])
        self.assertEqual(0, summary["skipped"])
        self.assertEqual(0, summary["parsing_errors"])

        # one resource on each side; compare exact ids, not just counts
        observed_passed = {record.resource for record in report.passed_checks}
        observed_failed = {record.resource for record in report.failed_checks}
        self.assertEqual({"Pod.kube-system.kube-apiserver-pass"}, observed_passed)
        self.assertEqual({"Pod.kube-system.kube-apiserver-fail"}, observed_failed)
    def test_summary(self):
        """Scan example_KubeControllerManagerServiceAccountPrivateKeyFile and verify the report."""
        fixture_name = "example_KubeControllerManagerServiceAccountPrivateKeyFile"
        fixture_dir = Path(__file__).parent / fixture_name

        report = Runner().run(
            root_folder=str(fixture_dir),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        expected_passed = {
            "Pod.kube-system.kube-controller-manager-pem",
            "Pod.kube-system.kube-controller-manager-none",
        }
        expected_failed = {"Pod.kube-system.kube-controller-manager-no-pem"}

        for key, expected in (("passed", 2), ("failed", 1), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[key], expected)

        # exact resource ids, so a misclassified resource is caught and not just a count shift
        self.assertEqual(expected_passed, {record.resource for record in report.passed_checks})
        self.assertEqual(expected_failed, {record.resource for record in report.failed_checks})
    def test_summary(self):
        """Scan example_RotateKubeletServerCertificate with only ``check.id`` enabled and verify the report."""
        fixture_dir = Path(__file__).parent / "example_RotateKubeletServerCertificate"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=str(fixture_dir), runner_filter=scan_filter)
        summary = report.get_summary()

        observed_passed = {record.resource for record in report.passed_checks}
        observed_failed = {record.resource for record in report.failed_checks}

        self.assertEqual(2, summary["passed"])
        self.assertEqual(2, summary["failed"])
        self.assertEqual(0, summary["skipped"])
        self.assertEqual(0, summary["parsing_errors"])

        # both the controller-manager and the kubelet manifests have a pass and a fail variant
        self.assertEqual(
            observed_passed,
            {"Pod.kube-system.kube-controller-manager-enabled", "Pod.kube-system.kubelet-enabled"},
        )
        self.assertEqual(
            observed_failed,
            {"Pod.kube-system.kube-controller-manager-disabled", "Pod.kube-system.kubelet-disabled"},
        )
    def test_summary(self):
        """Scan example_AllowedCapabilities with only ``check.id`` enabled and verify the report."""
        fixture_dir = Path(__file__).parent / "example_AllowedCapabilities"

        report = Runner().run(
            root_folder=str(fixture_dir),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        expected_counts = {"passed": 2, "failed": 1, "skipped": 0, "parsing_errors": 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)

        # the fixture covers three workload kinds; compare exact ids per outcome
        self.assertEqual(
            {"CronJob.default.hello", "Deployment.default.my-nginx"},
            {record.resource for record in report.passed_checks},
        )
        self.assertEqual(
            {"StatefulSet.default.cassandra"},
            {record.resource for record in report.failed_checks},
        )
    def test_summary(self):
        """Scan example_KubeControllerManagerBlockProfiles and verify the report."""
        fixture_dir = Path(__file__).parent / "example_KubeControllerManagerBlockProfiles"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=str(fixture_dir), runner_filter=scan_filter)
        summary = report.get_summary()

        expected_passed = {"Pod.kube-system.kube-controller-manager-disabled"}
        expected_failed = {
            "Pod.kube-system.kube-controller-manager-default",
            "Pod.kube-system.kube-controller-manager-enabled",
        }

        self.assertEqual(summary["passed"], 1)
        self.assertEqual(summary["failed"], 2)
        self.assertEqual(summary["skipped"], 0)
        self.assertEqual(summary["parsing_errors"], 0)

        # exact resource ids, so a misclassified resource is caught and not just a count shift
        self.assertEqual(expected_passed, {record.resource for record in report.passed_checks})
        self.assertEqual(expected_failed, {record.resource for record in report.failed_checks})
    def test_record_relative_path_with_abs_file(self):
        """Verify ``repo_file_path`` of every record when a single absolute file is scanned.

        The file is passed via ``files=[...]`` as an absolute path; each
        record's ``repo_file_path`` is expected to be the CWD-relative form
        of that same file, prefixed by a single ``/``.
        """
        here = os.path.dirname(os.path.realpath(__file__))
        example_path = os.path.join(here, "resources", "example.yaml")
        rel_form = os.path.relpath(example_path)
        abs_form = os.path.abspath(example_path)

        scan_filter = RunnerFilter(framework='kubernetes', checks=['CKV_K8S_21'])
        report = Runner().run(
            root_folder=None,
            external_checks_dir=None,
            files=[abs_form],
            runner_filter=scan_filter,
        )

        records = report.failed_checks + report.passed_checks
        # an empty report would make the loop below pass vacuously
        self.assertGreater(len(records), 0)
        expected_repo_path = f'/{rel_form}'
        for record in records:
            # the runner already supplies the leading '/', so nothing is joined here
            self.assertEqual(record.repo_file_path, expected_repo_path)
    def test_summary(self):
        """Scan example_ApiServerKubeletClientCertAndKey and verify the report."""
        fixture_dir = Path(__file__).parent / "example_ApiServerKubeletClientCertAndKey"

        report = Runner().run(
            root_folder=str(fixture_dir),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        observed_passed = {record.resource for record in report.passed_checks}
        observed_failed = {record.resource for record in report.failed_checks}

        for key, expected in (("passed", 1), ("failed", 2), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[key], expected)

        # only the manifest carrying both values passes; a missing key or both missing fail
        self.assertEqual(observed_passed, {"Pod.kube-system.kube-apiserver-key-and-cert"})
        self.assertEqual(
            observed_failed,
            {"Pod.kube-system.kube-apiserver-no-key", "Pod.kube-system.kube-apiserver-both-missing"},
        )
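    def test_summary(self):
        """Scan example_Seccomp with only ``check.id`` enabled and verify the report.

        Resource ids are compared order-insensitively via ``assertCountEqual``
        because the runner's record order is not part of the contract.
        """
        # given
        test_files_dir = Path(__file__).parent / "example_Seccomp"

        # when
        report = Runner().run(root_folder=str(test_files_dir),
                              runner_filter=RunnerFilter(checks=[check.id]))

        # then
        summary = report.get_summary()
        # loop variable renamed from ``check`` so it no longer shadows the module-level
        # ``check`` whose ``.id`` is used in the RunnerFilter above
        passed_resources = [record.resource for record in report.passed_checks]
        failed_resources = [record.resource for record in report.failed_checks]

        self.assertEqual(summary["passed"], 7)
        self.assertEqual(summary["failed"], 2)
        self.assertEqual(summary["skipped"], 0)
        self.assertEqual(summary["parsing_errors"], 0)

        expected_passed_resources = [
            "CronJob.cronjob-passed.default",
            "Deployment.seccomp-passed-deployment.default",
            "Deployment.seccomp-passed-metadata-annotations.default",
            "Pod.seccomp-passed-metadata-annotations-docker.default",
            "Pod.seccomp-passed-metadata-annotations-runtime.default",
            "Pod.seccomp-passed-security-context.default",
            "StatefulSet.RELEASE-NAME.default",
        ]
        expected_failed_resources = [
            "Deployment.app-cert-manager.infra",
            "Pod.seccomp-failed.default",
        ]
        self.assertCountEqual(expected_passed_resources, passed_resources)
        self.assertCountEqual(expected_failed_resources, failed_resources)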
    def test_summary(self):
        """Scan example_ApiServerAuthorizationModeNotAlwaysAllow and verify the report."""
        fixture_dir = Path(__file__).parent / "example_ApiServerAuthorizationModeNotAlwaysAllow"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=str(fixture_dir), runner_filter=scan_filter)
        summary = report.get_summary()

        expected_counts = {"passed": 2, "failed": 2, "skipped": 0, "parsing_errors": 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)

        # exact resource ids per outcome, not just the counts
        self.assertEqual(
            {"Pod.kube-system.kube-apiserver-no-mode", "Pod.kube-system.kube-apiserver-no-allow"},
            {record.resource for record in report.passed_checks},
        )
        self.assertEqual(
            {"Pod.kube-system.kube-apiserver-allow", "Pod.kube-system.kube-apiserver-extra-allow"},
            {record.resource for record in report.failed_checks},
        )
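    def test_summary_skip_check(self):
        """Skipping ``check.id`` via ``RunnerFilter(skip_checks=...)`` must keep it out of the report.

        Both failed and passed records are inspected: a skipped check must
        not produce a result of either kind, so checking only the failures
        (as before) could miss a check that still ran and passed.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_PSP")

        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(skip_checks=[check.id]))
        for record in report.failed_checks + report.passed_checks:
            self.assertNotEqual(record.check_id, check.id, "check should be skipped")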
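 def test_runner(self):
     """Scan the shared runner resources and verify the graph check CKV2_K8S_21 is reported.

     The summary counts are asserted as well, so a change in the fixture
     or in the set of registered checks is noticed.
     """
     root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "../runner/resources"))
     report = Runner().run(root_dir)
     all_records = itertools.chain(report.failed_checks, report.passed_checks)
     # unittest assertion instead of a bare ``assert``: it is not stripped under -O
     # and gives a readable failure message
     self.assertTrue(
         any(record.check_id == "CKV2_K8S_21" for record in all_records),
         "CKV2_K8S_21 was not evaluated against the runner resources",
     )
     summary = report.get_summary()
     self.assertEqual(summary["passed"], 0)
     self.assertEqual(summary["failed"], 5)
     self.assertEqual(summary["skipped"], 0)
     self.assertEqual(summary["parsing_errors"], 0)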
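 def test_list_metadata_annotations(self):
     """The Kubernetes runner must not crash on a manifest whose metadata annotations are a list.

     Only the absence of an exception is checked; the report content is
     not part of this test.
     """
     current_dir = os.path.dirname(os.path.realpath(__file__))
     scan_file_path = os.path.join(current_dir, "list_annotation", "example.yaml")
     file_rel_path = os.path.relpath(scan_file_path)
     runner = Runner()
     try:
         runner.run(root_folder=None, external_checks_dir=None, files=[file_rel_path],
                    runner_filter=RunnerFilter(framework='kubernetes'))
     except Exception as exc:  # narrower than a bare except (no KeyboardInterrupt/SystemExit)
         # self.fail carries the original error instead of assertTrue(False, ...)
         self.fail(f"Could not run K8 runner on configuration: {exc!r}")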
    def test_summary(self):
        """Scan example_ApiServerAnonymousAuth with only ``check.id`` enabled and verify the counts."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_ApiServerAnonymousAuth"
        scan_filter = RunnerFilter(checks=[check.id])

        summary = Runner().run(root_folder=fixture_dir, runner_filter=scan_filter).get_summary()

        expected_counts = {'passed': 1, 'failed': 2, 'skipped': 0, 'parsing_errors': 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)
    def test_summary(self):
        """Scan example_NginxIngressCVE202125742 with only ``check.id`` enabled and verify the counts."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_NginxIngressCVE202125742"

        report = Runner().run(
            root_folder=fixture_dir,
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        self.assertEqual(3, summary['passed'])
        self.assertEqual(1, summary['failed'])
        self.assertEqual(0, summary['skipped'])
        self.assertEqual(0, summary['parsing_errors'])
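 def test_parse_with_empty_blocks(self):
     """The Kubernetes runner must parse a multi-document YAML containing empty blocks.

     Beyond not raising, something must actually have been scanned;
     that assertion lives outside the ``try`` so a genuine assertion
     failure is reported as such instead of being re-labelled as a
     runner crash.
     """
     current_dir = os.path.dirname(os.path.realpath(__file__))
     scan_file_path = os.path.join(current_dir, "resources", "example_multiple.yaml")
     file_rel_path = os.path.relpath(scan_file_path)
     runner = Runner()
     try:
         report = runner.run(root_folder=None, external_checks_dir=None, files=[file_rel_path],
                             runner_filter=RunnerFilter(framework='kubernetes'))
     except Exception as exc:  # narrower than a bare except (no KeyboardInterrupt/SystemExit)
         self.fail(f"Could not run K8 runner on configuration: {exc!r}")
     # just check that something was parsed and scanned
     self.assertGreater(len(report.failed_checks) + len(report.passed_checks), 0)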
    def test_summary(self):
        """Scan example_DefaultServiceAccountBinding with only ``check.id`` enabled and verify the counts."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_DefaultServiceAccountBinding"
        scan_filter = RunnerFilter(checks=[check.id])

        summary = Runner().run(root_folder=fixture_dir, runner_filter=scan_filter).get_summary()

        for key, expected in (('passed', 3), ('failed', 2), ('skipped', 0), ('parsing_errors', 0)):
            self.assertEqual(summary[key], expected)
    def test_summary(self):
        """Scan example_PeerClientCertAuthTrue and verify counts plus the should-pass/should-fail naming."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_PeerClientCertAuthTrue"

        report = Runner().run(
            root_folder=fixture_dir,
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        self.assertEqual(summary['passed'], 1)
        self.assertEqual(summary['failed'], 2)

        # fixture resources are named after their expected outcome
        for record in report.failed_checks:
            self.assertIn("should-fail", record.resource)
        for record in report.passed_checks:
            self.assertIn("should-pass", record.resource)
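    def test_summary(self):
        """Scan example_WildcardEntities with a locally instantiated KubernetesCheck.

        Instantiating the check appears to register it under the wildcard
        entity patterns ``container?`` and ``Pod*Policy`` (the test removes
        it from both afterwards).  The removal is done in a ``finally`` so
        that a failing run does not leave the check registered and leak
        into other tests in the process.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))

        check = KubernetesCheck()

        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_WildcardEntities")
        try:
            report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
            summary = report.get_summary()
        finally:
            registry.wildcard_checks['container?'].remove(check)
            registry.wildcard_checks['Pod*Policy'].remove(check)

        self.assertEqual(summary['passed'], 2)
        self.assertEqual(summary['failed'], 0)
        self.assertEqual(summary['skipped'], 0)
        self.assertEqual(summary['parsing_errors'], 0)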
    def test_summary(self):
        """Scan example_ApiServerAuthorizationModeNotAlwaysAllow and verify counts plus resource naming."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_ApiServerAuthorizationModeNotAlwaysAllow"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=fixture_dir, runner_filter=scan_filter)
        summary = report.get_summary()

        expected_counts = {'passed': 2, 'failed': 2, 'skipped': 0, 'parsing_errors': 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)

        # fixture resources are named after their expected outcome
        for record in report.failed_checks:
            self.assertIn("should-fail", record.resource)
        for record in report.passed_checks:
            self.assertIn("should-pass", record.resource)
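    def test_summary(self):
        """Scan example_EtcdAutoTls with only ``check.id`` enabled and verify counts plus resource naming.

        Fixture resources are named after their expected outcome, so every
        failed record must mention ``should-fail`` and every passed record
        ``should-pass``.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_EtcdAutoTls")

        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        self.assertEqual(summary['passed'], 2)
        self.assertEqual(summary['failed'], 1)
        self.assertEqual(summary['skipped'], 0)
        self.assertEqual(summary['parsing_errors'], 0)

        # assertIn instead of assertTrue(x in y): the failure message shows both operands
        for failed in report.failed_checks:
            self.assertIn("should-fail", failed.resource)
        for passed in report.passed_checks:
            self.assertIn("should-pass", passed.resource)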
    def test_summary(self):
        """Scan example_KubeControllerManagerServiceAccountCredentials and verify counts plus naming."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_KubeControllerManagerServiceAccountCredentials"

        report = Runner().run(
            root_folder=fixture_dir,
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        for key, expected in (('passed', 1), ('failed', 1), ('skipped', 0), ('parsing_errors', 0)):
            self.assertEqual(expected, summary[key])

        # fixture resources are named after their expected outcome
        for record in report.failed_checks:
            self.assertIn("should-fail", record.resource)
        for record in report.passed_checks:
            self.assertIn("should-pass", record.resource)
    def test_summary(self):
        """Scan example_ApiServerAdmissionControlEventRateLimit and verify counts plus file naming."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_ApiServerAdmissionControlEventRateLimit"
        scan_filter = RunnerFilter(checks=[check.id])

        report = Runner().run(root_folder=fixture_dir, runner_filter=scan_filter)
        summary = report.get_summary()

        expected_counts = {'passed': 1, 'failed': 1, 'skipped': 0, 'parsing_errors': 0}
        for key, expected in expected_counts.items():
            self.assertEqual(summary[key], expected)

        # fixture files are named after their expected outcome, and only this check was enabled
        for record in report.failed_checks:
            self.assertIn("FAILED", record.file_path)
            self.assertEqual(record.check_id, check.id)

        for record in report.passed_checks:
            self.assertIn("PASSED", record.file_path)
            self.assertEqual(record.check_id, check.id)
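    def test_summary(self):
        """Scan example_KubeletAuthorizationModeNotAlwaysAllow and verify counts plus file naming.

        Fixture files are named after their expected outcome, and since only
        ``check.id`` is enabled every record must carry that id.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_KubeletAuthorizationModeNotAlwaysAllow")

        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        self.assertEqual(summary['passed'], 1)
        self.assertEqual(summary['failed'], 1)
        self.assertEqual(summary['skipped'], 0)
        self.assertEqual(summary['parsing_errors'], 0)

        # assertIn/assertEqual instead of assertTrue(x in y): failures show both operands
        for record in report.failed_checks:
            self.assertIn("FAILED", record.file_path)
            self.assertEqual(record.check_id, check.id)

        for record in report.passed_checks:
            self.assertIn("PASSED", record.file_path)
            self.assertEqual(record.check_id, check.id)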
    def test_summary(self):
        """Scan example_KubeletProtectKernelDefaults and verify counts plus file naming."""
        here = os.path.dirname(os.path.realpath(__file__))
        fixture_dir = f"{here}/example_KubeletProtectKernelDefaults"

        report = Runner().run(
            root_folder=fixture_dir,
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        self.assertEqual(1, summary['passed'])
        self.assertEqual(1, summary['failed'])
        self.assertEqual(0, summary['skipped'])
        self.assertEqual(0, summary['parsing_errors'])

        # fixture files are named after their expected outcome, and only this check was enabled
        for marker, records in (("FAILED", report.failed_checks), ("PASSED", report.passed_checks)):
            for record in records:
                self.assertIn(marker, record.file_path)
                self.assertEqual(record.check_id, check.id)
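    def test_summary(self):
        """Scan example_ControllerManagerBindAddress and verify counts plus file naming.

        Fixture files are named after their expected outcome, and since only
        ``check.id`` is enabled every record must carry that id.
        """
        runner = Runner()
        current_dir = os.path.dirname(os.path.realpath(__file__))
        # os.path.join rather than string concatenation keeps the fixture path portable
        test_files_dir = os.path.join(current_dir, "example_ControllerManagerBindAddress")

        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        self.assertEqual(summary['passed'], 1)
        self.assertEqual(summary['failed'], 2)
        self.assertEqual(summary['skipped'], 0)
        self.assertEqual(summary['parsing_errors'], 0)

        # assertIn/assertEqual instead of assertTrue(x in y): failures show both operands
        for record in report.failed_checks:
            self.assertIn("FAILED", record.file_path)
            self.assertEqual(record.check_id, check.id)

        for record in report.passed_checks:
            self.assertIn("PASSED", record.file_path)
            self.assertEqual(record.check_id, check.id)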