def run_terraform_scan():
    """Scan the ``repo_name`` fixture next to this file with the Terraform runner.

    Fails the test when the registry produces no report at all.
    """
    here = os.path.dirname(os.path.realpath(__file__))
    fixture_root = os.path.join(here, repo_name)
    registry = RunnerRegistry(banner, RunnerFilter(), tf_runner())
    reports = registry.run(root_folder=fixture_root)
    assert len(reports) > 0, "expected at least one report from the Terraform runner"
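def run():
    """Checkov command-line entry point (Terraform and CloudFormation runners).

    Parses the CLI flags, then either prints the version, lists the available
    checks, or scans the given ``--directory`` / ``--file`` set and prints the
    reports in the requested ``--output`` format.

    Returns:
        None. All output goes to stdout via ``print`` / ``print_reports``.
    """
    # The description used to read 'Add some integers.' -- a leftover from the
    # argparse tutorial that showed up verbatim in --help output.
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    parser.add_argument('-v', '--version',
                        help='Checkov version', action='store_true')
    parser.add_argument('-d', '--directory',
                        help='IaC root directory (can not be used together with --file). Can be repeated')
    parser.add_argument('-f', '--file', action='append',
                        help='IaC file(can not be used together with --directory)')
    parser.add_argument('--external-checks-dir', action='append',
                        help='Directory for custom checks to be loaded. Can be repeated')
    parser.add_argument('-l', '--list', help='List checks', action='store_true')
    parser.add_argument('-o', '--output', nargs='?', choices=['cli', 'json', 'junitxml'], default='cli',
                        help='Report output format')
    args = parser.parse_args()
    if args.version:
        print(version)
        return
    if args.list:
        print_checks()
        return
    # Neither informational flag was given: run the scan. (The former `else:`
    # after an unconditional `return` was dead structure.)
    runner_registry = RunnerRegistry(tf_runner(), cfn_runner())
    scan_reports = runner_registry.run(args.directory,
                                       external_checks_dir=args.external_checks_dir,
                                       files=args.file)
    runner_registry.print_reports(scan_reports, args)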
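def run(banner=checkov_banner):
    """Checkov command-line entry point.

    Args:
        banner: Text handed to the ``RunnerRegistry`` and printed when no
            scan target is given (defaults to ``checkov_banner``).

    Flow, in order: parse flags; build the registry (or reuse the module-level
    ``outer_registry`` with this run's filter); ``--version`` prints and
    returns; flag combinations are validated; ``--bc-api-key`` configures the
    Bridgecrew integration; ``--list`` prints the checks and returns;
    otherwise every ``--directory`` (or the ``--file`` set) is scanned, results
    are persisted to Bridgecrew when the integration is configured, and the
    reports are printed. With no target the banner and onboarding flow run.

    Invalid flag combinations go through ``parser.error``, which exits the
    process with status 2, so nothing after such a call is reachable.
    """
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    add_parser_args(parser)
    args = parser.parse_args()
    runner_filter = RunnerFilter(framework=args.framework, checks=args.check, skip_checks=args.skip_check)
    if outer_registry:
        # An injected registry keeps its runners but takes this run's filter.
        runner_registry = outer_registry
        runner_registry.runner_filter = runner_filter
    else:
        runner_registry = RunnerRegistry(banner, runner_filter, tf_runner(), cfn_runner(), k8_runner(), sls_runner(),
                                         arm_runner(), tf_plan_runner())
    if args.version:
        print(version)
        return
    # Validate flag combinations before any platform round-trip; parser.error()
    # exits, so the `return` that used to follow it was unreachable.
    if args.check and args.skip_check:
        parser.error("--check and --skip-check can not be applied together. please use only one of them")
    if args.bc_api_key:
        # NOTE: the key is taken from the command line, so it is readable by
        # anything that can see this process's arguments.
        if args.repo_id is None:
            parser.error("--repo-id argument is required when using --bc-api-key")
        if len(args.repo_id.split('/')) != 2:
            parser.error("--repo-id argument format should be 'organization/repository_name' E.g "
                         "bridgecrewio/checkov")
        bc_integration.setup_bridgecrew_credentials(bc_api_key=args.bc_api_key, repo_id=args.repo_id)
    if args.list:
        print_checks(framework=args.framework)
        return
    # Guidelines are only consumed by the scan itself, so fetch them after the
    # early-return paths above (avoids a platform call for plain --list).
    guidelines = {} if args.no_guide else bc_integration.get_guidelines()
    external_checks_dir = get_external_checks_dir(args)
    if args.directory:
        for root_folder in args.directory:
            scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir,
                                               files=args.file, guidelines=guidelines)
            if bc_integration.is_integration_configured():
                bc_integration.persist_repository(root_folder)
                bc_integration.persist_scan_results(scan_reports)
                bc_integration.commit_repository(args.branch)
            runner_registry.print_reports(scan_reports, args)
        return
    elif args.file:
        scan_reports = runner_registry.run(external_checks_dir=external_checks_dir, files=args.file,
                                           guidelines=guidelines)
        if bc_integration.is_integration_configured():
            # commonprefix is character-wise, so split() off the trailing partial
            # component; for a single file this yields its parent directory.
            files = [os.path.abspath(file) for file in args.file]
            root_folder = os.path.split(os.path.commonprefix(files))[0]
            bc_integration.persist_repository(root_folder)
            bc_integration.persist_scan_results(scan_reports)
            bc_integration.commit_repository(args.branch)
        runner_registry.print_reports(scan_reports, args)
    else:
        print(f"{banner}")

        bc_integration.onboarding()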
 def test_multi_iac(self):
     """Every runner's report for the example_multi_iac fixture has more than one passed check."""
     fixture_dir = os.path.dirname(os.path.realpath(__file__)) + "/example_multi_iac"
     registry = RunnerRegistry(
         banner,
         RunnerFilter(framework=None, checks=None, skip_checks=None),
         tf_runner(),
         cfn_runner(),
         k8_runner(),
     )
     for report in registry.run(root_folder=fixture_dir):
         self.assertGreater(len(report.passed_checks), 1)
 def verify_empty_report(self, test_files_dir, files=None):
     """Scan ``test_files_dir`` (optionally only ``files``) and assert every report is empty.

     Checks failed, skipped and passed lists in that order and returns the
     registry so the caller can inspect it further.
     """
     registry = RunnerRegistry(
         banner,
         RunnerFilter(framework=None, checks=None, skip_checks=None),
         tf_runner(),
         cfn_runner(),
         k8_runner(),
     )
     for report in registry.run(root_folder=test_files_dir, files=files):
         for bucket in (report.failed_checks, report.skipped_checks, report.passed_checks):
             self.assertEqual(bucket, [])
     return registry
    def test_resource_counts(self):
        """Each framework's report covers the expected number of resources in example_multi_iac."""
        fixture_dir = os.path.dirname(os.path.realpath(__file__)) + "/example_multi_iac"
        # Resources expected to receive scan results per framework. This changes
        # whenever policies covering new resource types are added.
        expected_counts = {"kubernetes": 10, "terraform": 3, "cloudformation": 4}

        registry = RunnerRegistry(
            banner,
            RunnerFilter(framework=None, checks=None, skip_checks=None),
            tf_runner(),
            cfn_runner(),
            k8_runner(),
        )
        for report in registry.run(root_folder=fixture_dir):
            summary = report.get_summary()
            self.assertEqual(expected_counts[report.check_type], summary["resource_count"])
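def run(banner=checkov_banner):
    """Checkov command-line entry point.

    Args:
        banner: Banner text handed to the ``RunnerRegistry`` (defaults to
            ``checkov_banner``).

    Flow, in order: parse flags; ``--version`` prints and returns;
    ``--bc-api-key`` validates ``--repo-id`` and configures the Bridgecrew
    integration; ``--check`` together with ``--skip-check`` is rejected;
    ``--list`` prints the checks and returns; otherwise each ``--directory``
    (or the ``--file`` set) is scanned with the Terraform, CloudFormation and
    Kubernetes runners, results are persisted to Bridgecrew when the
    integration is configured, and reports are printed.

    Invalid flag combinations go through ``parser.error``, which exits the
    process with status 2, so nothing after such a call is reachable.
    """
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    parser.add_argument('-v', '--version', help='version', action='store_true')
    parser.add_argument('-d', '--directory', action='append',
                        help='IaC root directory (can not be used together with --file). Can be repeated')
    parser.add_argument('-f', '--file', action='append',
                        help='IaC file(can not be used together with --directory)')
    parser.add_argument('--external-checks-dir', action='append',
                        help='Directory for custom checks to be loaded. Can be repeated')
    parser.add_argument('-l', '--list', help='List checks', action='store_true')
    parser.add_argument('-o', '--output', nargs='?',
                        choices=['cli', 'json', 'junitxml', 'github_failed_only'], default='cli',
                        help='Report output format')
    parser.add_argument('--framework',
                        help='filter scan to run only on a specific infrastructure code frameworks',
                        choices=['cloudformation', 'terraform', 'kubernetes', 'all'], default='all')
    parser.add_argument('-c', '--check', default=None,
                        help='filter scan to run only on a specific check identifier(whitelist), You can '
                             'specify multiple checks separated by comma delimiter')
    parser.add_argument('--skip-check', default=None,
                        help='filter scan to run on all check but a specific check identifier(blacklist), You can '
                             'specify multiple checks separated by comma delimiter')
    parser.add_argument('-s', '--soft-fail', help='Runs checks but suppresses error code', action='store_true')
    parser.add_argument('--bc-api-key', help='Bridgecrew API key')
    parser.add_argument('--repo-id',
                        help='Identity string of the repository, with form <repo_owner>/<repo_name>')
    parser.add_argument('-b', '--branch', default='master',
                        help="Selected branch of the persisted repository. Only has effect when using the --bc-api-key flag")
    args = parser.parse_args()
    bc_integration = BcPlatformIntegration()
    runner_filter = RunnerFilter(framework=args.framework, checks=args.check, skip_checks=args.skip_check)
    runner_registry = RunnerRegistry(banner, runner_filter, tf_runner(), cfn_runner(), k8_runner())
    if args.version:
        print(version)
        return
    if args.bc_api_key:
        # NOTE: the key is taken from the command line, so it is readable by
        # anything that can see this process's arguments.
        if args.repo_id is None:
            parser.error("--repo-id argument is required when using --bc-api-key")
        # This check must be a sibling of the None check, not nested under it:
        # parser.error() never returns, so a nested check could never execute and
        # a malformed --repo-id reached setup_bridgecrew_credentials unvalidated.
        if len(args.repo_id.split('/')) != 2:
            parser.error("--repo-id argument format should be 'organization/repository_name' E.g "
                         "bridgecrewio/checkov")
        bc_integration.setup_bridgecrew_credentials(bc_api_key=args.bc_api_key, repo_id=args.repo_id)
    if args.check and args.skip_check:
        # parser.error() exits; the `return` that used to follow was unreachable.
        parser.error("--check and --skip-check can not be applied together. please use only one of them")
    if args.list:
        print_checks()
        return
    if args.directory:
        for root_folder in args.directory:
            scan_reports = runner_registry.run(root_folder=root_folder,
                                               external_checks_dir=args.external_checks_dir,
                                               files=args.file)
            if bc_integration.is_integration_configured():
                bc_integration.persist_repository(root_folder)
                bc_integration.persist_scan_results(scan_reports)
                bc_integration.commit_repository(args.branch)
            runner_registry.print_reports(scan_reports, args)
        return
    elif args.file:
        scan_reports = runner_registry.run(external_checks_dir=args.external_checks_dir, files=args.file)
        if bc_integration.is_integration_configured():
            # commonprefix is character-wise, so split() off the trailing partial
            # component; for a single file this yields its parent directory.
            files = [os.path.abspath(file) for file in args.file]
            root_folder = os.path.split(os.path.commonprefix(files))[0]
            bc_integration.persist_repository(root_folder)
            bc_integration.persist_scan_results(scan_reports)
            bc_integration.commit_repository(args.branch)
        runner_registry.print_reports(scan_reports, args)
    else:
        print("No argument given. Try ` --help` for further information")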
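def run(banner=checkov_banner, argv=None):
    """Checkov command-line entry point.

    Args:
        banner: Banner text handed to the ``RunnerRegistry`` and printed when
            no scan target is given.
        argv: Argument list to parse. ``None`` (the default) makes argparse
            read ``sys.argv[1:]`` at call time. The former ``argv=sys.argv[1:]``
            default was evaluated once at import, so a ``sys.argv`` set up
            later by an embedding program was silently ignored.

    Flow, in order: parse flags and disable runners whose system dependencies
    are missing; build the registry (or reuse the module-level
    ``outer_registry`` with this run's filter); ``--version`` prints and
    returns; flag combinations are validated; ``--bc-api-key`` configures the
    Bridgecrew integration (a setup failure is logged and aborts the run);
    ``--list`` prints the checks and returns; otherwise each ``--directory``
    (or the ``--file`` set) is scanned, optionally persisted to Bridgecrew,
    and printed together with the platform URL. With no target the banner is
    printed and the onboarding flow starts.

    ``parser.error`` exits the process with status 2, so nothing after such a
    call is reachable.
    """
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    add_parser_args(parser)
    # argparse substitutes sys.argv[1:] itself when given None.
    args = parser.parse_args(argv)
    # Disable runners with missing system dependencies
    args.skip_framework = runnerDependencyHandler.disable_incompatible_runners(args.skip_framework)

    runner_filter = RunnerFilter(
        framework=args.framework,
        skip_framework=args.skip_framework,
        checks=args.check,
        skip_checks=args.skip_check,
        download_external_modules=convert_str_to_bool(args.download_external_modules),
        external_modules_download_path=args.external_modules_download_path,
        evaluate_variables=convert_str_to_bool(args.evaluate_variables),
        runners=checkov_runners)
    if outer_registry:
        # An injected registry keeps its runners but takes this run's filter.
        runner_registry = outer_registry
        runner_registry.runner_filter = runner_filter
    else:
        runner_registry = RunnerRegistry(banner, runner_filter, tf_runner(), cfn_runner(), k8_runner(),
                                         sls_runner(), arm_runner(), tf_plan_runner(), helm_runner())
    if args.version:
        print(version)
        return
    # Validate flag combinations before any platform round-trip; parser.error()
    # exits, so the `return` that used to follow it was unreachable.
    if args.check and args.skip_check:
        parser.error("--check and --skip-check can not be applied together. please use only one of them")
    if args.bc_api_key:
        # NOTE: the key is taken from the command line, so it is readable by
        # anything that can see this process's arguments.
        if args.repo_id is None:
            parser.error("--repo-id argument is required when using --bc-api-key")
        if len(args.repo_id.split('/')) != 2:
            parser.error("--repo-id argument format should be 'organization/repository_name' E.g "
                         "bridgecrewio/checkov")

        source = os.getenv('BC_SOURCE', 'cli')
        source_version = os.getenv('BC_SOURCE_VERSION', version)
        logger.debug(f'BC_SOURCE = {source}, version = {source_version}')
        try:
            bc_integration.setup_bridgecrew_credentials(
                bc_api_key=args.bc_api_key,
                repo_id=args.repo_id,
                skip_fixes=args.skip_fixes,
                skip_suppressions=args.skip_suppressions,
                source=source,
                source_version=source_version)
        except Exception:
            # Deliberately broad: any integration failure aborts the run rather
            # than scanning with a half-configured platform client. The
            # traceback is attached by logger.exception.
            logger.exception(
                'An error occurred setting up the Bridgecrew platform integration. Please check your API token and try again.')
            return

    if args.list:
        print_checks(framework=args.framework)
        return
    # Guidelines are only consumed by the scan itself, so fetch them after the
    # early-return paths above (avoids a platform call for plain --list).
    guidelines = {} if args.no_guide else bc_integration.get_guidelines()
    external_checks_dir = get_external_checks_dir(args)
    # Platform URL returned by commit_repository; stays None without the integration.
    url = None

    if args.directory:
        for root_folder in args.directory:
            scan_reports = runner_registry.run(
                root_folder=root_folder,
                external_checks_dir=external_checks_dir,
                files=args.file,
                guidelines=guidelines,
                bc_integration=bc_integration)
            if bc_integration.is_integration_configured():
                bc_integration.persist_repository(root_folder)
                bc_integration.persist_scan_results(scan_reports)
                url = bc_integration.commit_repository(args.branch)

            runner_registry.print_reports(scan_reports, args, url)
        return
    elif args.file:
        scan_reports = runner_registry.run(
            external_checks_dir=external_checks_dir,
            files=args.file,
            guidelines=guidelines,
            bc_integration=bc_integration)
        if bc_integration.is_integration_configured():
            # commonprefix is character-wise, so split() off the trailing partial
            # component; for a single file this yields its parent directory.
            files = [os.path.abspath(file) for file in args.file]
            root_folder = os.path.split(os.path.commonprefix(files))[0]
            bc_integration.persist_repository(root_folder)
            bc_integration.persist_scan_results(scan_reports)
            url = bc_integration.commit_repository(args.branch)
        runner_registry.print_reports(scan_reports, args, url)
    else:
        print(f"{banner}")

        bc_integration.onboarding()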
def run(banner=checkov_banner):
    """Checkov command-line entry point (Terraform and CloudFormation runners).

    Args:
        banner: Banner text handed to the ``RunnerRegistry`` (defaults to
            ``checkov_banner``).

    ``--version`` and ``--list`` print and return. ``--bc-api-key`` requires
    ``--repo-id`` and configures the Bridgecrew integration. Each
    ``--directory`` (or the ``--file`` set) is then scanned, persisted to
    Bridgecrew when the integration is configured, and printed in the chosen
    ``--output`` format. Without a target a usage hint is printed.

    ``parser.error`` exits the process with status 2.
    """
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    flag_specs = (
        (('-v', '--version'),
         {'help': 'version', 'action': 'store_true'}),
        (('-d', '--directory'),
         {'action': 'append',
          'help': 'IaC root directory (can not be used together with --file). Can be repeated'}),
        (('-f', '--file'),
         {'action': 'append', 'help': 'IaC file(can not be used together with --directory)'}),
        (('--external-checks-dir',),
         {'action': 'append', 'help': 'Directory for custom checks to be loaded. Can be repeated'}),
        (('-l', '--list'),
         {'help': 'List checks', 'action': 'store_true'}),
        (('-o', '--output'),
         {'nargs': '?', 'choices': ['cli', 'json', 'junitxml'], 'default': 'cli',
          'help': 'Report output format'}),
        (('-s', '--soft-fail'),
         {'help': 'Runs checks but suppresses error code', 'action': 'store_true'}),
        (('--bc-api-key',),
         {'help': 'Bridgecrew API key'}),
        (('--repo-id',),
         {'help': 'Identity string of the repository, with form <repo_owner>/<repo_name>'}),
        (('-b', '--branch'),
         {'help': "Selected branch of the persisted repository. Only has effect when using the --bc-api-key flag",
          'default': 'master'}),
    )
    for names, options in flag_specs:
        parser.add_argument(*names, **options)
    args = parser.parse_args()
    bc_integration = BcPlatformIntegration()
    registry = RunnerRegistry(banner, tf_runner(), cfn_runner())

    if args.version:
        print(version)
        return
    if args.bc_api_key:
        # NOTE: the key is read from the command line, so it is visible to
        # anything that can see this process's arguments.
        if args.repo_id is None:
            parser.error("--repo-id argument is required when using --bc-api-key")
        bc_integration.setup_bridgecrew_credentials(bc_api_key=args.bc_api_key, repo_id=args.repo_id)
    if args.list:
        print_checks()
        return

    def persist(root_folder, scan_reports):
        """Upload the repository snapshot and the scan results, then commit on the selected branch."""
        bc_integration.persist_repository(root_folder)
        bc_integration.persist_scan_results(scan_reports)
        bc_integration.commit_repository(args.branch)

    if args.directory:
        for root_folder in args.directory:
            scan_reports = registry.run(root_folder=root_folder,
                                        external_checks_dir=args.external_checks_dir,
                                        files=args.file)
            if bc_integration.is_integration_configured():
                persist(root_folder, scan_reports)
            registry.print_reports(scan_reports, args)
        return
    if args.file:
        scan_reports = registry.run(external_checks_dir=args.external_checks_dir, files=args.file)
        if bc_integration.is_integration_configured():
            # commonprefix is character-wise; dropping the last path component
            # turns a partial filename prefix (or a single file) into its directory.
            absolute_paths = [os.path.abspath(path) for path in args.file]
            persist(os.path.split(os.path.commonprefix(absolute_paths))[0], scan_reports)
        registry.print_reports(scan_reports, args)
        return
    print("No argument given. Try ` --help` for further information")
def run():
    """Checkov command-line entry point (Terraform and CloudFormation runners only).

    ``--version`` and ``--list`` print and return; otherwise each
    ``--directory`` (or the ``--file`` set) is scanned and its reports printed
    in the chosen ``--output`` format. Without any target a usage hint is
    printed.
    """
    parser = argparse.ArgumentParser(description='Infrastructure as code static analysis')
    flag_specs = (
        (('-v', '--version'),
         {'help': 'Checkov version', 'action': 'store_true'}),
        (('-d', '--directory'),
         {'action': 'append',
          'help': 'IaC root directory (can not be used together with --file). Can be repeated'}),
        (('-f', '--file'),
         {'action': 'append', 'help': 'IaC file(can not be used together with --directory)'}),
        (('--external-checks-dir',),
         {'action': 'append', 'help': 'Directory for custom checks to be loaded. Can be repeated'}),
        (('-l', '--list'),
         {'help': 'List checks', 'action': 'store_true'}),
        (('-o', '--output'),
         {'nargs': '?', 'choices': ['cli', 'json', 'junitxml'], 'default': 'cli',
          'help': 'Report output format'}),
        (('-s', '--soft-fail'),
         {'help': 'Runs checks but suppresses error code', 'action': 'store_true'}),
    )
    for names, options in flag_specs:
        parser.add_argument(*names, **options)
    args = parser.parse_args()
    registry = RunnerRegistry(tf_runner(), cfn_runner())

    # The branches are mutually exclusive, so no explicit early returns are needed.
    if args.version:
        print(version)
    elif args.list:
        print_checks()
    elif args.directory:
        for root_folder in args.directory:
            reports = registry.run(root_folder,
                                   external_checks_dir=args.external_checks_dir,
                                   files=args.file)
            registry.print_reports(reports, args)
    elif args.file:
        # No root folder: the runner works from the explicit file list alone.
        reports = registry.run(None,
                               external_checks_dir=args.external_checks_dir,
                               files=args.file)
        registry.print_reports(reports, args)
    else:
        print("No argument given. Try `checkov --help` for further information")