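def test_external_checks_and_graph_checks_load(self):
    """External YAML graph checks reach the graph registry only when their directory is supplied.

    The terraform runner is run twice against this test directory: first with only the
    ``extra_checks`` directory, then with ``extra_yaml_checks`` added. After each run the
    registered graph checks that ``RunnerFilter.is_external_check`` classifies as external
    are counted: 0 without the YAML directory, exactly 1 with it.
    """
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    runner_filter = RunnerFilter(framework='terraform')

    def count_external_graph_checks():
        # Classification is by check id, as in _should_run_scan and the sibling tests.
        return sum(
            1 for check in runner.graph_registry.checks
            if runner_filter.is_external_check(check.id)
        )

    try:
        # Without the YAML directory no external graph check may be registered.
        runner.run(root_folder=current_dir,
                   external_checks_dir=[current_dir + "/extra_checks"],
                   runner_filter=runner_filter)
        self.assertEqual(count_external_graph_checks(), 0)

        # With the YAML directory the registry holds more than one check, of which
        # exactly one is external.
        runner.run(root_folder=current_dir,
                   external_checks_dir=[current_dir + "/extra_checks",
                                        current_dir + "/extra_yaml_checks"],
                   runner_filter=runner_filter)
        self.assertTrue(len(runner.graph_registry.checks) > 1)
        self.assertEqual(count_external_graph_checks(), 1)
    finally:
        # The graph registry outlives this test: drop the custom check even when an
        # assertion above fails, so it cannot leak into other tests.
        runner.graph_registry.checks[:] = [
            check for check in runner.graph_registry.checks
            if "CUSTOM_GRAPH_AWS_1" not in check.id
        ]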
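def test_internal_graph_checks_load(self):
    """Built-in terraform graph checks must never be classified as external.

    Loads the YAML graph checks shipped under ``checkov/terraform/checks/graph_checks``
    into a fresh ``Registry`` and asserts that ``RunnerFilter.is_external_check`` rejects
    the id of every registered check.
    """
    graph_checks_dir = (
        Path(__file__).parent.parent.parent.parent
        / "checkov" / "terraform" / "checks" / "graph_checks"
    )
    registry = Registry(parser=NXGraphCheckParser(), checks_dir=str(graph_checks_dir))
    registry.load_checks()

    runner_filter = RunnerFilter()
    for check in registry.checks:
        # is_external_check() takes a check id (see the sibling tests and
        # _should_run_scan); passing the check object instead would not test the
        # classification of the built-in ids.
        self.assertFalse(runner_filter.is_external_check(check.id))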
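def test_external_graph_check_load(self):
    """Loading ``extra_yaml_checks`` registers exactly one graph check, classified as external."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # Start from an empty graph registry so only the YAML check under test is counted.
    # NOTE(review): if graph_registry is shared between Runner instances this also
    # discards the built-in graph checks for later tests — confirm against Runner.
    runner.graph_registry.checks = []
    try:
        runner.load_external_checks([current_dir + "/extra_yaml_checks"])
        self.assertEqual(len(runner.graph_registry.checks), 1)

        runner_filter = RunnerFilter()
        for check in runner.graph_registry.checks:
            # Classification is by check id, as in _should_run_scan.
            self.assertTrue(runner_filter.is_external_check(check.id))
    finally:
        # Remove the custom check even if an assertion above failed, so it does
        # not leak into other tests through the registry.
        runner.graph_registry.checks[:] = [
            check for check in runner.graph_registry.checks
            if "CUSTOM_GRAPH_AWS_1" not in check.id
        ]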
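def _entity_namespace(entity_configuration: dict):
    """Return the namespace an entity is scoped to, for allow/deny matching.

    ``metadata.namespace`` is used when present; otherwise ``parent_metadata.namespace``;
    an entity carrying neither is treated as living in the ``"default"`` namespace.
    """
    for metadata_key in ("metadata", "parent_metadata"):
        if metadata_key in entity_configuration and "namespace" in entity_configuration[metadata_key]:
            return entity_configuration[metadata_key]["namespace"]
    return "default"


def _should_run_scan(check_id: str, entity_configuration: dict, runner_filter) -> bool:
    """Decide whether ``check_id`` runs against ``entity_configuration``.

    ``runner_filter.checks`` (allowlist) and ``runner_filter.skip_checks`` (denylist)
    are flat lists mixing check ids and namespace names. An allowlist entry counts as
    a check id when it contains the substring ``"CKV_"`` and as a namespace otherwise,
    so custom check ids without that substring are treated as namespace names here.

    Precedence: a non-empty allowlist is authoritative and the denylist is ignored;
    with an empty allowlist the denylist applies; with neither, every check runs.

    Allowlist:
      * only namespaces listed -> every check runs, but only for entities in one of
        those namespaces;
      * check ids listed -> the check must be listed, or be an external (custom)
        check per ``RunnerFilter.is_external_check``; if namespaces are listed as
        well, the entity must also be in one of them.
      External checks therefore pass a check-id allowlist without being named in it;
      they get no such exemption from the denylist.

    Denylist: the check is skipped when its id or the entity's namespace is listed.

    Returns True when the check should run, False otherwise.
    """
    check_id_allowlist = runner_filter.checks
    check_id_denylist = runner_filter.skip_checks

    if check_id_allowlist:
        allowed_namespaces = [entry for entry in check_id_allowlist if "CKV_" not in entry]
        has_check_ids = any("CKV_" in entry for entry in check_id_allowlist)
        if not has_check_ids:
            # Namespace-only allowlist: every check runs, restricted to those namespaces.
            return _entity_namespace(entity_configuration) in allowed_namespaces
        if check_id not in check_id_allowlist and not RunnerFilter.is_external_check(check_id):
            return False
        if allowed_namespaces:
            # Check is allowed; the entity must additionally be in an allowed namespace.
            return _entity_namespace(entity_configuration) in allowed_namespaces
        # Check is allowed and no namespace restriction was requested.
        return True

    if check_id_denylist:
        if check_id in check_id_denylist:
            return False
        return _entity_namespace(entity_configuration) not in check_id_denylist

    # No filters configured: run everything.
    return True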