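def scan_resource_conf(self, conf):
    """
    Looks for configuration at security group ingress rules :
    https://www.terraform.io/docs/providers/aws/r/security_group.html
    :param conf: aws_security_group configuration
    :return: <CheckResult>

    FAILED when an ingress rule whose port range covers ``self.port`` lists
    ``0.0.0.0/0`` in ``cidr_blocks`` and names no ``security_groups``;
    PASSED otherwise. Only the IPv4 any-source block is evaluated here;
    ``ipv6_cidr_blocks`` is not inspected by this check.
    """
    for ingress_rule in conf.get('ingress', []):
        for rule in force_list(ingress_rule):
            if not isinstance(rule, dict):
                continue
            # A missing or non-numeric port (force_int yields None) cannot be
            # compared against self.port; skip the rule instead of raising.
            from_port = force_int(force_list(rule.get('from_port', [{-1}]))[0])
            to_port = force_int(force_list(rule.get('to_port', [{-1}]))[0])
            if from_port is None or to_port is None:
                continue
            if not from_port <= self.port <= to_port:
                continue
            # It's not clear whether these can ever be a type other
            # than an empty list but just in case...
            cidr_blocks = force_list((rule.get('cidr_blocks') or [[]])[0])
            security_groups = rule.get('security_groups', [])
            if "0.0.0.0/0" in cidr_blocks and not security_groups:
                return CheckResult.FAILED
    return CheckResult.PASSED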
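def contains_violation(self, conf):
    """
    Report whether the rule in *conf* exposes ``self.port`` to any source.

    ``port_range`` is expected as a "from/to" string; a missing, unresolved or
    otherwise unparseable range cannot be evaluated and yields False rather
    than an exception.
    :param conf: rule configuration holding ``port_range`` and ``cidr_ip``
    :return: True when the range covers ``self.port`` and ``cidr_ip`` holds
        ``0.0.0.0/0`` or its first entry is empty; False otherwise
    """
    port_range = force_list(conf.get('port_range', [None]))[0]
    if not isinstance(port_range, str) or '/' not in port_range:
        return False
    from_str, _, to_str = port_range.partition('/')
    from_port = force_int(from_str)
    to_port = force_int(to_str)
    # force_int yields None for non-numeric bounds; such a range is not evaluated.
    if from_port is None or to_port is None:
        return False
    if not from_port <= self.port <= to_port:
        return False
    cidr_blocks = force_list(conf.get('cidr_ip', [[]]))
    # An empty source list, or an empty first entry, counts as a violation.
    if not cidr_blocks:
        return True
    return "0.0.0.0/0" in cidr_blocks or not cidr_blocks[0]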
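def scan_resource_conf(self, conf):
    """
    Evaluate the ``retention_policy`` block of *conf*.

    PASSED when retention is enabled with ``days`` of at least 365, or when
    retention is disabled; FAILED when the block or its ``enabled`` attribute
    is missing, or retention is enabled with fewer than 365 days or a
    non-numeric value.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    retention_policies = conf.get('retention_policy')
    if not retention_policies:
        return CheckResult.FAILED
    policy = retention_policies[0]
    if not isinstance(policy, dict) or 'enabled' not in policy:
        return CheckResult.FAILED
    if not policy['enabled'][0]:
        # A disabled retention policy passes regardless of any days value.
        return CheckResult.PASSED
    days_values = policy.get('days')
    # force_int yields None for a non-numeric value, which fails below.
    days = force_int(days_values[0]) if days_values else None
    if days is not None and days >= 365:
        return CheckResult.PASSED
    return CheckResult.FAILED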
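def scan_resource_conf(self, conf):
    """
    Check the ARM ``properties.retentionPolicy`` of *conf*.

    PASSED when the policy is enabled and ``days`` is 0 or at least 365;
    UNKNOWN when ``days`` is present but not an integer literal; FAILED
    otherwise (policy missing, disabled, or shorter than 365 days).
    :param conf: ARM resource configuration
    :return: <CheckResult>
    """
    properties = conf.get("properties")
    if not isinstance(properties, dict):
        return CheckResult.FAILED
    retention_policy = properties.get("retentionPolicy")
    if not isinstance(retention_policy, dict):
        return CheckResult.FAILED
    # The template value may be a bool or a string such as "true"/"True".
    if str(retention_policy.get("enabled")).lower() != "true":
        return CheckResult.FAILED
    if "days" not in retention_policy:
        return CheckResult.FAILED
    days = force_int(retention_policy["days"])
    if days is None:
        # Not an integer literal (e.g. a template expression); cannot be evaluated.
        return CheckResult.UNKNOWN
    if days >= 365 or days == 0:
        return CheckResult.PASSED
    return CheckResult.FAILED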
def contains_violation(self, conf):
    """
    Return True when the rule in *conf* opens ``self.port`` to ``0.0.0.0/0``.

    :param conf: rule configuration with ``from_port``, ``to_port`` and ``cidr_blocks``
    :return: True if the port range covers ``self.port`` and the first
        ``cidr_blocks`` entry contains ``0.0.0.0/0``; False otherwise
    """
    # force_int yields None for values it cannot convert (including the {-1} default).
    lower = force_int(force_list(conf.get('from_port', [{-1}]))[0])
    upper = force_int(force_list(conf.get('to_port', [{-1}]))[0])
    if lower is None or upper is None:
        return False
    if not lower <= self.port <= upper:
        return False
    allowed_sources = force_list(conf.get('cidr_blocks', [[]])[0])
    return "0.0.0.0/0" in allowed_sources
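def scan_resource_conf(self, conf):
    """
    validates iam password policy
    https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
    :param conf: aws_iam_account_password_policy configuration
    :return: <CheckResult>

    PASSED when ``password_reuse_prevention`` is an integer of at least 24;
    UNKNOWN when the value is not an integer literal; FAILED when it is
    missing or below 24 (0 included).
    """
    key = 'password_reuse_prevention'
    if key not in conf:
        return CheckResult.FAILED
    reuse = force_int(conf[key][0])
    if reuse is None:
        # Not an integer literal (e.g. an unresolved reference); cannot be evaluated.
        return CheckResult.UNKNOWN
    # Compare explicitly so that a falsy value (0) is not mistaken for "not set".
    return CheckResult.PASSED if reuse >= 24 else CheckResult.FAILED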
def contains_violation(self, conf, protocol_key, from_port_key, to_port_key, cidr_key):
    """
    Return True when the rule in *conf* exposes ``self.port`` to any source.

    :param conf: rule configuration
    :param protocol_key: key holding the protocol; "icmp" rules never violate
    :param from_port_key: key holding the start of the port range
    :param to_port_key: key holding the end of the port range
    :param cidr_key: key holding the source CIDR list
    :return: True if the range covers ``self.port`` and the first CIDR is an
        IPv4 or IPv6 any-source block; False otherwise
    """
    any_source = ('0.0.0.0/0', '::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
    protocol = force_list(conf.get(protocol_key, [{-1}]))[0]
    if protocol == "icmp":
        return False
    # force_int yields None for values it cannot convert (including the {-1} default).
    lower = force_int(force_list(conf.get(from_port_key, [{-1}]))[0])
    upper = force_int(force_list(conf.get(to_port_key, [{-1}]))[0])
    if lower is None or upper is None:
        return False
    if not lower <= self.port <= upper:
        return False
    sources = conf.get(cidr_key, [])
    return bool(sources) and sources[0] in any_source
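def scan_resource_conf(self, conf):
    """
    Evaluate the ``retention_policy`` block of *conf*, recording the inspected
    attributes in ``self.evaluated_keys``.

    PASSED when retention is enabled with ``days`` of at least 365, or when
    retention is disabled; FAILED when the block or its ``enabled`` attribute
    is missing, or retention is enabled with fewer than 365 days or a
    non-numeric value.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    retention_policies = conf.get('retention_policy')
    if not retention_policies:
        self.evaluated_keys = ['retention_policy']
        return CheckResult.FAILED
    self.evaluated_keys = ['retention_policy/[0]/enabled']
    policy = retention_policies[0]
    if not isinstance(policy, dict) or 'enabled' not in policy:
        return CheckResult.FAILED
    if not policy['enabled'][0]:
        # A disabled retention policy passes regardless of any days value;
        # the days key is still reported when it is present.
        if 'days' in policy:
            self.evaluated_keys.append('retention_policy/[0]/days')
        return CheckResult.PASSED
    self.evaluated_keys.append('retention_policy/[0]/days')
    days_values = policy.get('days')
    # force_int yields None for a non-numeric value, which fails below.
    days = force_int(days_values[0]) if days_values else None
    if days is not None and days >= 365:
        return CheckResult.PASSED
    return CheckResult.FAILED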
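def contains_violation(self, conf):
    """
    Return True when the rule in *conf* opens ``self.port`` to any IPv4 or
    IPv6 source.

    :param conf: rule configuration with ``from_port``, ``to_port``,
        ``cidr_blocks`` and ``ipv6_cidr_blocks``
    :return: True if the port range covers ``self.port`` and the first
        ``cidr_blocks`` entry contains ``0.0.0.0/0`` or the first
        ``ipv6_cidr_blocks`` entry contains an IPv6 any-source block
    """
    # force_int yields None for values it cannot convert (including the {-1} default).
    from_port = force_int(force_list(conf.get('from_port', [{-1}]))[0])
    to_port = force_int(force_list(conf.get('to_port', [{-1}]))[0])
    if from_port is None or to_port is None:
        return False
    if not from_port <= self.port <= to_port:
        return False
    cidr_blocks = force_list((conf.get('cidr_blocks') or [[]])[0])
    if "0.0.0.0/0" in cidr_blocks:
        return True
    # Normalise with force_list as the IPv4 branch does, so a bare string such
    # as "::/0" is matched as a whole instead of being iterated character by
    # character.
    ipv6_any = ('::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
    ipv6_cidr_blocks = force_list((conf.get('ipv6_cidr_blocks') or [[]])[0])
    return any(ip in ipv6_any for ip in ipv6_cidr_blocks)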
def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """
    Check that ``rotation_period`` lies between ONE_DAY and NINETY_DAYS.

    The last character of the value (presumably a unit suffix such as "s")
    is stripped before the integer conversion.
    :param conf: resource configuration
    :return: PASSED if the period is within bounds, FAILED otherwise
        (missing, empty, non-numeric or zero values fail)
    """
    self.evaluated_keys = ["rotation_period"]
    rotation = conf.get("rotation_period")
    if not rotation or not rotation[0]:
        return CheckResult.FAILED
    seconds = force_int(rotation[0][:-1])
    if not seconds:
        return CheckResult.FAILED
    return CheckResult.PASSED if ONE_DAY <= seconds <= NINETY_DAYS else CheckResult.FAILED
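def scan_resource_conf(self, conf):
    """
    PASSED when *conf* is enabled, its ``retention_policy`` is enabled and
    ``days`` is at least 90; FAILED otherwise, including when any of those
    attributes is missing or ``days`` is not a non-zero integer.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    if not (conf.get('enabled') and conf['enabled'][0]):
        return CheckResult.FAILED
    retention_policies = conf.get('retention_policy')
    if not retention_policies or not isinstance(retention_policies[0], dict):
        return CheckResult.FAILED
    retention_block = retention_policies[0]
    if not (retention_block.get('enabled') and retention_block['enabled'][0]):
        return CheckResult.FAILED
    days_values = retention_block.get('days')
    retention_in_days = force_int(days_values[0]) if days_values else None
    # NOTE(review): a value of 0 fails here; confirm whether 0 denotes
    # indefinite retention for this resource and should pass instead.
    if retention_in_days and retention_in_days >= 90:
        return CheckResult.PASSED
    return CheckResult.FAILED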
def scan_resource_conf(self, conf):
    """
    Check ``backup_retention_period`` is set between 1 and 35 days.

    When the attribute is absent the provider default (1) applies, which passes.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    key = "backup_retention_period"
    if key not in conf:
        # Default value is 1 which passes
        return CheckResult.PASSED
    period = force_int(conf[key][0])
    within_bounds = period is not None and 0 < period <= 35
    return CheckResult.PASSED if within_bounds else CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    Require ``retention_in_days`` of at least 90.

    :param conf: resource configuration
    :return: PASSED if retention_in_days >= 90; FAILED when it is missing,
        lower than 90, zero or not an integer
    """
    if 'retention_in_days' not in conf:
        return CheckResult.FAILED
    retention = force_int(conf['retention_in_days'][0])
    if not retention:
        return CheckResult.FAILED
    return CheckResult.PASSED if retention >= 90 else CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    Check ``backup_retention_period`` is set between 1 and 35 days.

    :param conf: resource configuration
    :return: PASSED when the attribute is present and within 1..35;
        FAILED when it is absent, out of range, or not an integer
    """
    key = "backup_retention_period"
    if key not in conf:
        return CheckResult.FAILED
    period = force_int(conf[key][0])
    within_bounds = period is not None and 0 < period <= 35
    return CheckResult.PASSED if within_bounds else CheckResult.FAILED
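def scan_resource_conf(self, conf):
    """
    Require ``extended_auditing_policy.retention_in_days`` of at least 90.

    :param conf: resource configuration
    :return: PASSED when retention is >= 90; UNKNOWN when the policy block is
        not a dict; FAILED when the block or ``retention_in_days`` is missing,
        zero, non-numeric, or below 90
    """
    policies = conf.get('extended_auditing_policy')
    if not policies:
        return CheckResult.FAILED
    policy = policies[0]
    if not isinstance(policy, dict):
        return CheckResult.UNKNOWN
    retention_values = policy.get('retention_in_days')
    if not retention_values:
        return CheckResult.FAILED
    retention = force_int(retention_values[0])
    if retention and retention >= 90:
        return CheckResult.PASSED
    return CheckResult.FAILED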
def scan_resource_conf(self, conf):
    """
    Check ``backup_retention_period`` is set between 1 and 35 days.

    When the attribute is absent the provider default (1) applies, which
    passes; a value that depends on a variable cannot be evaluated.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    key = "backup_retention_period"
    if key not in conf:
        # Default value is 1 which passes
        return CheckResult.PASSED
    raw_period = conf[key][0]
    if self._is_variable_dependant(raw_period):
        return CheckResult.UNKNOWN
    period = force_int(raw_period)
    within_bounds = period is not None and 0 < period <= 35
    return CheckResult.PASSED if within_bounds else CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    validates iam password policy
    https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
    :param conf: aws_iam_account_password_policy configuration
    :return: PASSED when ``max_password_age`` is a non-zero integer of at most
        90; FAILED when it is missing, zero, non-numeric or above 90
    """
    key = 'max_password_age'
    if key not in conf:
        return CheckResult.FAILED
    max_age = force_int(conf[key][0])
    within_limit = bool(max_age) and max_age <= 90
    return CheckResult.PASSED if within_limit else CheckResult.FAILED
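def _is_port_in_range(self, ports_list):
    """
    Report whether ``self.port`` is covered by the specs in ``ports_list[0]``.

    Each spec is either a single port or a "from-to" range string.
    :param ports_list: list whose first element holds the port specs
    :return: True if a spec matches ``self.port``, False if none does, or
        CheckResult.UNKNOWN when a range string cannot be parsed -- callers
        must not treat the result as a plain bool
    """
    if not ports_list:
        return False
    for port_spec in ports_list[0]:
        port = force_int(port_spec)
        # Compare against None rather than truthiness so port 0 is not skipped.
        if port is not None:
            if port == self.port:
                return True
            continue
        # Only a string can hold a "from-to" range; anything else is skipped
        # instead of raising on the membership test.
        if not isinstance(port_spec, str) or '-' not in port_spec:
            continue
        try:
            from_port, to_port = port_spec.split('-')
            if int(from_port) <= self.port <= int(to_port):
                return True
        except (ValueError, TypeError):
            # Malformed range (wrong part count, non-numeric bound): not evaluable.
            return CheckResult.UNKNOWN
    return False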
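def scan_resource_conf(self, conf):
    """
    PASSED when *conf* is enabled, its ``retention_policy`` is enabled and
    ``days`` is 0 or at least 90; FAILED otherwise. ``self.evaluated_keys``
    names the attributes that decided the result.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    self.evaluated_keys = ['enabled']
    if not (conf.get('enabled') and conf['enabled'][0]):
        return CheckResult.FAILED
    retention_policies = conf.get('retention_policy')
    if not retention_policies or not isinstance(retention_policies[0], dict):
        self.evaluated_keys = ['retention_policy']
        return CheckResult.FAILED
    retention_block = retention_policies[0]
    self.evaluated_keys = ['retention_policy/[0]/enabled']
    if not (retention_block.get('enabled') and retention_block['enabled'][0]):
        return CheckResult.FAILED
    self.evaluated_keys = [
        'retention_policy/[0]/enabled',
        'retention_policy/[0]/days'
    ]
    days_values = retention_block.get('days')
    # force_int yields None for a non-numeric value; None fails below.
    retention_in_days = force_int(days_values[0]) if days_values else None
    if retention_in_days is not None and (retention_in_days == 0 or retention_in_days >= 90):
        return CheckResult.PASSED
    return CheckResult.FAILED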
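def scan_resource_conf(self, conf):
    """
    validates iam password policy
    https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
    :param conf: aws_iam_account_password_policy configuration
    :return: <CheckResult>

    PASSED when ``password_reuse_prevention`` is an integer of at least 24;
    UNKNOWN when it depends on a variable or is not an integer literal;
    FAILED when it is missing or below 24 (0 included).
    """
    key = 'password_reuse_prevention'
    if key not in conf:
        return CheckResult.FAILED
    reuse = conf[key][0]
    if self._is_variable_dependant(reuse):
        return CheckResult.UNKNOWN
    reuse = force_int(reuse)
    if reuse is None:
        return CheckResult.UNKNOWN
    # Compare explicitly so that a falsy value (0) is not mistaken for "not set".
    return CheckResult.PASSED if reuse >= 24 else CheckResult.FAILED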
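def scan_resource_conf(self, conf):
    """
    validates iam password policy
    https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
    :param conf: aws_iam_account_password_policy configuration
    :return: <CheckResult>

    PASSED when ``minimum_password_length`` is an integer of at least 14;
    UNKNOWN when it depends on a variable or is not an integer literal;
    FAILED when it is missing or below 14 (0 included).
    """
    key = 'minimum_password_length'
    if key not in conf:
        return CheckResult.FAILED
    length = conf[key][0]
    if self._is_variable_dependant(length):
        return CheckResult.UNKNOWN
    length = force_int(length)
    if length is None:
        return CheckResult.UNKNOWN
    # Compare explicitly so that a falsy value (0) is not mistaken for "not set".
    return CheckResult.PASSED if length >= 14 else CheckResult.FAILED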
def scan_resource_conf(self, conf):
    """
    PASSED when ``properties.networkAcls.defaultAction`` is "Deny".

    FAILED when the apiVersion year is before 2017 (networkAcls could not be
    set), when the property is absent, or when it holds any other value;
    UNKNOWN when the apiVersion year is not numeric.
    :param conf: ARM resource configuration
    :return: <CheckResult>
    """
    if "apiVersion" in conf:
        # Fail if apiVersion < 2017 as you could not set networkAcls
        year = force_int(conf["apiVersion"][0:4])
        if year is None:
            return CheckResult.UNKNOWN
        if year < 2017:
            return CheckResult.FAILED
    if "properties" not in conf:
        return CheckResult.FAILED
    properties = conf["properties"]
    if "networkAcls" not in properties:
        return CheckResult.FAILED
    network_acls = properties["networkAcls"]
    if "defaultAction" not in network_acls:
        return CheckResult.FAILED
    denies_by_default = network_acls["defaultAction"] == "Deny"
    return CheckResult.PASSED if denies_by_default else CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    PASSED when ``properties.networkAcls.defaultAction`` is "Allow", or when
    it holds another value and ``bypass`` is "AzureServices".

    FAILED when the apiVersion year is before 2017 (networkAcls could not be
    set), when ``defaultAction`` is absent, or when neither condition holds;
    UNKNOWN when the apiVersion year is not numeric.
    :param conf: ARM resource configuration
    :return: <CheckResult>
    """
    if "apiVersion" in conf:
        # Fail if apiVersion < 2017 as you could not set networkAcls
        year = force_int(conf["apiVersion"][0:4])
        if year is None:
            return CheckResult.UNKNOWN  # Should be handled by variable rendering
        if year < 2017:
            return CheckResult.FAILED
    if "properties" not in conf:
        return CheckResult.FAILED
    properties = conf["properties"]
    if "networkAcls" not in properties:
        return CheckResult.FAILED
    network_acls = properties["networkAcls"]
    if "defaultAction" not in network_acls:
        return CheckResult.FAILED
    if network_acls["defaultAction"] == "Allow":
        return CheckResult.PASSED
    trusted_services_bypass = "bypass" in network_acls and network_acls["bypass"] == "AzureServices"
    return CheckResult.PASSED if trusted_services_bypass else CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    PASSED when ``properties.supportsHttpsTrafficOnly`` is "true" (case
    insensitive), or when it is unset and the apiVersion year is 2019 or later.

    FAILED when the property is set to anything else, when it is unset and the
    apiVersion year is before 2019, or when neither is present; UNKNOWN when
    the apiVersion year is not numeric.
    :param conf: ARM resource configuration
    :return: <CheckResult>
    """
    if "properties" in conf and "supportsHttpsTrafficOnly" in conf["properties"]:
        https_only = str(conf["properties"]["supportsHttpsTrafficOnly"]).lower() == "true"
        return CheckResult.PASSED if https_only else CheckResult.FAILED
    # Use default if supportsHttpsTrafficOnly is not set
    if "apiVersion" not in conf:
        return CheckResult.FAILED
    # Default for apiVersion 2019 and newer is supportsHttpsTrafficOnly = True
    year = force_int(conf["apiVersion"][0:4])
    if year is None:
        return CheckResult.UNKNOWN
    return CheckResult.PASSED if year >= 2019 else CheckResult.FAILED
import logging
import os
import re
from typing import Tuple
from typing import Union, List, Any, Dict, Optional, Callable

from checkov.common.util.type_forcers import force_int
from checkov.common.graph.graph_builder.graph_components.attribute_names import CustomAttributes
from checkov.terraform.graph_builder.graph_components.block_types import BlockType
from checkov.terraform.graph_builder.variable_rendering.vertex_reference import TerraformVertexReference

# Matches the "[<module path>#<index>]" suffix of a path such as
# "dir/main.tf[other_dir/x.tf#0]".
MODULE_DEPENDENCY_PATTERN_IN_PATH = re.compile(r"\[.+\#.+\]")
# Render length cap, overridable through the CHECKOV_RENDER_MAX_LEN environment
# variable (force_int yields None when the override is not numeric).
CHECKOV_RENDER_MAX_LEN = force_int(os.getenv("CHECKOV_RENDER_MAX_LEN", "10000"))


def is_local_path(root_dir: str, source: str) -> bool:
    """
    Return True when *source* refers to a local module path.

    A source counts as local when it starts with "./", "/./" or "../", or
    names an entry directly inside *root_dir*.
    :param root_dir: directory whose entries are checked for a match
    :param source: module ``source`` string
    """
    # https://www.terraform.io/docs/modules/sources.html#local-paths
    return (source.startswith("./") or source.startswith("/./") or source.startswith("../")
            or source in os.listdir(root_dir))


def remove_module_dependency_in_path(path: str) -> Tuple[str, str, str]:
    """
    :param path: path that looks like "dir/main.tf[other_dir/x.tf#0]"
    :return: separated path from module dependency: dir/main.tf, other_dir/x.tf
    """
    module_dependency = re.findall(MODULE_DEPENDENCY_PATTERN_IN_PATH, path)
    if re.findall(MODULE_DEPENDENCY_PATTERN_IN_PATH, path):
        path = re.sub(MODULE_DEPENDENCY_PATTERN_IN_PATH, "", path)
        module_and_num = extract_module_dependency_path(module_dependency)
def scan_resource_conf(self, conf):
    """
    Check that ``rotation_period`` lies between ONE_DAY and NINETY_DAYS.

    The last character of the value (presumably a unit suffix such as "s")
    is stripped before the integer conversion.
    :param conf: resource configuration
    :return: PASSED if the period is within bounds, FAILED otherwise
        (missing, non-numeric or zero values fail)
    """
    if 'rotation_period' not in conf:
        return CheckResult.FAILED
    seconds = force_int(conf['rotation_period'][0][:-1])
    within_bounds = bool(seconds) and ONE_DAY <= seconds <= NINETY_DAYS
    return CheckResult.PASSED if within_bounds else CheckResult.FAILED