def test_should_scan_hcl_env_var(self): orig_value = os.getenv(SCAN_HCL_FLAG) os.unsetenv(SCAN_HCL_FLAG) self.assertFalse(should_scan_hcl_files()) os.environ[SCAN_HCL_FLAG] = 'FALSE' self.assertFalse(should_scan_hcl_files()) os.environ[SCAN_HCL_FLAG] = 'TrUe' self.assertTrue(should_scan_hcl_files()) if orig_value: os.environ[SCAN_HCL_FLAG] = orig_value
def _init(self, directory: str, out_definitions: Optional[Dict], out_evaluations_context: Dict[str, Dict[str, EvaluationContext]], out_parsing_errors: Dict[str, Exception], env_vars: Mapping[str, str], download_external_modules: bool, external_modules_download_path: str, excluded_paths: Optional[List[str]] = None, tf_var_files: Optional[List[str]] = None): self.directory = directory self.out_definitions = out_definitions self.out_evaluations_context = out_evaluations_context self.out_parsing_errors = out_parsing_errors self.env_vars = env_vars self.download_external_modules = download_external_modules self.external_modules_download_path = external_modules_download_path self.external_modules_source_map = {} self.module_address_map = {} self.tf_var_files = tf_var_files self.scan_hcl = should_scan_hcl_files() if self.out_evaluations_context is None: self.out_evaluations_context = {} if self.out_parsing_errors is None: self.out_parsing_errors = {} if self.env_vars is None: self.env_vars = dict(os.environ) self.excluded_paths = excluded_paths
def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=RunnerFilter(), collect_skip_comments=True): report = Report(self.check_type) parsing_errors = {} self.load_external_checks(external_checks_dir) scan_hcl = should_scan_hcl_files() if self.context is None or self.definitions is None or self.breadcrumbs is None: self.definitions = {} logging.info( "Scanning root folder and producing fresh tf_definitions and context" ) if root_folder: root_folder = os.path.abspath(root_folder) local_graph, tf_definitions = self.graph_manager.build_graph_from_source_directory( source_dir=root_folder, local_graph_class=self.graph_class, download_external_modules=runner_filter. download_external_modules, external_modules_download_path=runner_filter. external_modules_download_path, parsing_errors=parsing_errors, excluded_paths=runner_filter.excluded_paths, vars_files=runner_filter.var_files) elif files: files = [os.path.abspath(file) for file in files] root_folder = os.path.split(os.path.commonprefix(files))[0] self.parser.evaluate_variables = False self._parse_files(files, scan_hcl, parsing_errors) local_graph = self.graph_manager.build_graph_from_definitions( self.definitions) else: raise Exception( "Root directory was not specified, files were not specified" ) for vertex in local_graph.vertices: if vertex.block_type == BlockType.RESOURCE: report.add_resource(f'{vertex.path}:{vertex.id}') self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions( local_graph.vertices, root_folder) else: logging.info("Scanning root folder using existing tf_definitions") self.check_tf_definition(report, root_folder, runner_filter, collect_skip_comments) report.add_parsing_errors(list(parsing_errors.keys())) graph_report = self.get_graph_checks_report(root_folder, runner_filter) merge_reports(report, graph_report) report = remove_duplicate_results(report) return report
import re from checkov.common.util.config_utils import should_scan_hcl_files SCAN_HCL_FLAG = "CKV_SCAN_HCL" SUPPORTED_FILE_EXTENSIONS = [".tf", ".yml", ".yaml", ".json", ".template"] if should_scan_hcl_files(): SUPPORTED_FILE_EXTENSIONS.append(".hcl") ANY_VALUE = "CKV_ANY" DOCKER_IMAGE_REGEX = re.compile(r'(?:[^\s\/]+/)?([^\s:]+):?([^\s]*)') access_key_pattern = re.compile( "(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])") # nosec secret_key_pattern = re.compile( "(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])") # nosec linode_token_pattern = re.compile( "(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{64}(?![A-Za-z0-9/+=])") # nosec bridgecrew_token_pattern = re.compile( r"^[a-f0-9]{8}-?[a-f0-9]{4}-?4[a-f0-9]{3}-?[89ab][a-f0-9]{3}-?[a-f0-9]{12}\Z" ) # nosec panos_api_key_pattern = re.compile(r"^LUFRPT1[a-zA-Z0-9]+==\Z") # nosec YAML_COMMENT_MARK = '#'