def test_should_scan_hcl_env_var(self):
orig_value = os.getenv(SCAN_HCL_FLAG)
os.unsetenv(SCAN_HCL_FLAG)
self.assertFalse(should_scan_hcl_files())
os.environ[SCAN_HCL_FLAG] = 'FALSE'
self.assertFalse(should_scan_hcl_files())
os.environ[SCAN_HCL_FLAG] = 'TrUe'
self.assertTrue(should_scan_hcl_files())
if orig_value:
os.environ[SCAN_HCL_FLAG] = orig_value
def _init(self, directory: str, out_definitions: Optional[Dict],
out_evaluations_context: Dict[str, Dict[str, EvaluationContext]],
out_parsing_errors: Dict[str, Exception],
env_vars: Mapping[str, str],
download_external_modules: bool,
external_modules_download_path: str,
excluded_paths: Optional[List[str]] = None,
tf_var_files: Optional[List[str]] = None):
self.directory = directory
self.out_definitions = out_definitions
self.out_evaluations_context = out_evaluations_context
self.out_parsing_errors = out_parsing_errors
self.env_vars = env_vars
self.download_external_modules = download_external_modules
self.external_modules_download_path = external_modules_download_path
self.external_modules_source_map = {}
self.module_address_map = {}
self.tf_var_files = tf_var_files
self.scan_hcl = should_scan_hcl_files()
if self.out_evaluations_context is None:
self.out_evaluations_context = {}
if self.out_parsing_errors is None:
self.out_parsing_errors = {}
if self.env_vars is None:
self.env_vars = dict(os.environ)
self.excluded_paths = excluded_paths
def run(self,
root_folder,
external_checks_dir=None,
files=None,
runner_filter=RunnerFilter(),
collect_skip_comments=True):
report = Report(self.check_type)
parsing_errors = {}
self.load_external_checks(external_checks_dir)
scan_hcl = should_scan_hcl_files()
if self.context is None or self.definitions is None or self.breadcrumbs is None:
self.definitions = {}
logging.info(
"Scanning root folder and producing fresh tf_definitions and context"
)
if root_folder:
root_folder = os.path.abspath(root_folder)
local_graph, tf_definitions = self.graph_manager.build_graph_from_source_directory(
source_dir=root_folder,
local_graph_class=self.graph_class,
download_external_modules=runner_filter.
download_external_modules,
external_modules_download_path=runner_filter.
external_modules_download_path,
parsing_errors=parsing_errors,
excluded_paths=runner_filter.excluded_paths,
vars_files=runner_filter.var_files)
elif files:
files = [os.path.abspath(file) for file in files]
root_folder = os.path.split(os.path.commonprefix(files))[0]
self.parser.evaluate_variables = False
self._parse_files(files, scan_hcl, parsing_errors)
local_graph = self.graph_manager.build_graph_from_definitions(
self.definitions)
else:
raise Exception(
"Root directory was not specified, files were not specified"
)
for vertex in local_graph.vertices:
if vertex.block_type == BlockType.RESOURCE:
report.add_resource(f'{vertex.path}:{vertex.id}')
self.graph_manager.save_graph(local_graph)
self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions(
local_graph.vertices, root_folder)
else:
logging.info("Scanning root folder using existing tf_definitions")
self.check_tf_definition(report, root_folder, runner_filter,
collect_skip_comments)
report.add_parsing_errors(list(parsing_errors.keys()))
graph_report = self.get_graph_checks_report(root_folder, runner_filter)
merge_reports(report, graph_report)
report = remove_duplicate_results(report)
return report
import re
from checkov.common.util.config_utils import should_scan_hcl_files
SCAN_HCL_FLAG = "CKV_SCAN_HCL"
SUPPORTED_FILE_EXTENSIONS = [".tf", ".yml", ".yaml", ".json", ".template"]
if should_scan_hcl_files():
SUPPORTED_FILE_EXTENSIONS.append(".hcl")
ANY_VALUE = "CKV_ANY"
DOCKER_IMAGE_REGEX = re.compile(r'(?:[^\s\/]+/)?([^\s:]+):?([^\s]*)')
access_key_pattern = re.compile(
"(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])") # nosec
secret_key_pattern = re.compile(
"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])") # nosec
linode_token_pattern = re.compile(
"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{64}(?![A-Za-z0-9/+=])") # nosec
bridgecrew_token_pattern = re.compile(
r"^[a-f0-9]{8}-?[a-f0-9]{4}-?4[a-f0-9]{3}-?[89ab][a-f0-9]{3}-?[a-f0-9]{12}\Z"
) # nosec
panos_api_key_pattern = re.compile(r"^LUFRPT1[a-zA-Z0-9]+==\Z") # nosec
YAML_COMMENT_MARK = '#'