def test_no_missing_ids(self): runner = Runner() unique_checks = set() for registry in list(runner.block_type_registries.values()): checks = [check for entity_type in list(registry.checks.values()) for check in entity_type] for check in checks: unique_checks.add(check.id) aws_checks = list(filter(lambda check_id: '_AWS_' in check_id, unique_checks)) for i in range(1, len(aws_checks)): self.assertIn(f'CKV_AWS_{i}', aws_checks, msg=f'The new AWS violation should have the ID "CKV_AWS_{i}"') gcp_checks = list(filter(lambda check_id: '_GCP_' in check_id, unique_checks)) for i in range(1, len(gcp_checks)): self.assertIn(f'CKV_GCP_{i}', gcp_checks, msg=f'The new GCP violation should have the ID "CKV_GCP_{i}"') azure_checks = list(filter(lambda check_id: '_AZURE_' in check_id, unique_checks)) for i in range(1, len(azure_checks)): self.assertIn(f'CKV_AZURE_{i}', azure_checks, msg=f'The new GCP violation should have the ID "CKV_AZURE_{i}"')
def test_runner_passing_valid_tf(self): current_dir = os.path.dirname(os.path.realpath(__file__)) passing_tf_dir_path = current_dir + "/resources/valid_tf_only_passed_checks" print("testing dir" + passing_tf_dir_path) runner = Runner() report = runner.run(root_folder=passing_tf_dir_path, external_checks_dir=None) report_json = report.get_json() self.assertTrue(isinstance(report_json, str)) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suites()) # self.assertEqual(report.get_exit_code(), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) self.assertEqual(summary['failed'], 0) self.assertEqual(summary["parsing_errors"], 0)
def test_runner_specific_file(self): current_dir = os.path.dirname(os.path.realpath(__file__)) passing_tf_file_path = current_dir + "/resources/valid_tf_only_passed_checks/example.tf" runner = Runner() report = runner.run(root_folder=None, external_checks_dir=None, files=[passing_tf_file_path]) report_json = report.get_json() self.assertTrue(isinstance(report_json, str)) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suites()) # self.assertEqual(report.get_exit_code(), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) self.assertEqual(3, summary['failed']) self.assertEqual(0, summary["parsing_errors"])
def test_loading_external_checks_yaml_multiple_times(self): runner = Runner() base_len = len(graph_registry.checks) current_dir = os.path.dirname(os.path.realpath(__file__)) extra_checks_dir_path = [current_dir + "/extra_yaml_checks"] runner.load_external_checks(extra_checks_dir_path) self.assertEqual(len(graph_registry.checks), base_len + 1) self.assertEqual(graph_registry.checks[base_len].id, CUSTOM_GRAPH_CHECK_ID) self.assertEqual(graph_registry.checks[base_len].name, 'Ensure bucket has versioning and owner tag') runner.load_external_checks(extra_checks_dir_path) self.assertEqual(len(graph_registry.checks), base_len + 1) self.assertEqual(graph_registry.checks[base_len].id, CUSTOM_GRAPH_CHECK_ID) graph_registry.checks = list( filter(lambda c: c.id != CUSTOM_GRAPH_CHECK_ID, graph_registry.checks))
def test_run_persistent_data(self): resources_path = os.path.join( os.path.dirname(os.path.dirname(__file__)), "resources", "graph_files_test") runner = Runner() data_path = os.path.join(os.path.dirname(__file__), "persistent_data.json") with open(data_path) as f: data = json.load(f) tf_definitions = data["tf_definitions"] breadcrumbs = data["breadcrumbs"] definitions_context = data["definitions_context"] runner.set_external_data(tf_definitions, definitions_context, breadcrumbs) report = runner.run(root_folder=resources_path) self.assertGreaterEqual(len(report.failed_checks), 4) self.assertEqual(len(report.passed_checks), 6) self.assertEqual(len(report.skipped_checks), 0)
def test_parser_error_handled_for_file_target(self): current_dir = os.path.dirname(os.path.realpath(__file__)) invalid_dir_path = os.path.join(current_dir, "resources/invalid_terraform_syntax") file_names = ['bad_tf_1.tf', 'bad_tf_2.tf'] invalid_dir_abs_path = os.path.abspath(invalid_dir_path) runner = Runner() result = runner.run(files=[ os.path.join(invalid_dir_path, file) for file in file_names ], root_folder=None, external_checks_dir=None) self.assertEqual(len(result.parsing_errors), 2) for file in file_names: self.assertIn(os.path.join(invalid_dir_abs_path, file), result.parsing_errors)
def test(self): test_files_dir = Path(__file__).parent / "example_external_data" external_check_dir = Path(__file__).parent / "external_check" runner = Runner() report = runner.run( root_folder=test_files_dir, runner_filter=RunnerFilter(checks=["CKV_TF_DATA_EXTERNAL_1"]), external_checks_dir=[external_check_dir]) summary = report.get_summary() print(data_registry) self.assertEqual(summary["passed"], 0) self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) check = next(c for c in data_registry.checks["external"] if c.id == "CKV_TF_DATA_EXTERNAL_1") data_registry.checks["external"].remove(check)
def test_runner_valid_tf(self): current_dir = os.path.dirname(os.path.realpath(__file__)) valid_dir_path = current_dir + "/resources/example" runner = Runner() report = runner.run(root_folder=valid_dir_path, external_checks_dir=None) report_json = report.get_json() self.assertTrue(isinstance(report_json, str)) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suites()) self.assertEqual(report.get_exit_code(soft_fail=False), 1) self.assertEqual(report.get_exit_code(soft_fail=True), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) self.assertGreaterEqual(summary['failed'], 1) self.assertEqual(summary["parsing_errors"], 1) report.print_json() report.print_console() report.print_junit_xml()
def test(self): # given test_files_dir = Path( __file__).parent / "example_CloudArmorWAFACLCVE202144228" # when report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) # then summary = report.get_summary() passing_resources = { "google_compute_security_policy.enabled_deny_403", "google_compute_security_policy.enabled_deny_404", } failing_resources = { "google_compute_security_policy.allow", "google_compute_security_policy.preview", "google_compute_security_policy.different_expr", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["passed"], 2) self.assertEqual(summary["failed"], 3) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources) # check especially for the evaluated keys actual_evaluated_keys = next( c.check_result["evaluated_keys"] for c in report.failed_checks if c.resource == "google_compute_security_policy.different_expr") expected_evaluated_keys = [ "rule/[0]/action", "rule/[0]/preview", "rule/[0]/match/[0]/expr/[0]/expression", ] self.assertCountEqual(expected_evaluated_keys, actual_evaluated_keys)
def test_typed_terraform_resource_checks_are_performed(self): test_self = self check_name = "TF_M_2" test_dir = "resources/valid_tf_only_resource_usage" from checkov.common.models.enums import CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck from checkov.terraform.checks.resource.registry import resource_registry class ResourceCheck(BaseResourceCheck): def __init__(self): name = "Test check" id = check_name supported_resources = ['*'] categories = [] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf, entity_type): if entity_type == 'type_1': test_self.assertIn('a', conf) test_self.assertEqual([1], conf['a']) elif entity_type == 'type_2': test_self.assertIn('b', conf) test_self.assertEqual([2], conf['b']) else: test_self.fail(f'Unexpected entity_type: {entity_type}. Expected type_1 or type_2, because no ' f'other resources are defined in the files inside of {test_dir}.') return CheckResult.PASSED check = ResourceCheck() current_dir = os.path.dirname(os.path.realpath(__file__)) valid_dir_path = os.path.join(current_dir, test_dir) runner = Runner() result = runner.run(root_folder=valid_dir_path, external_checks_dir=None, runner_filter=RunnerFilter(checks=check_name)) # unregister check for resource in check.supported_resources: resource_registry.wildcard_checks[resource].remove(check) self.assertEqual(len(result.passed_checks), 2)
def test_no_missing_ids(self): runner = Runner() unique_checks = set() for registry in list(runner.block_type_registries.values()): checks = [ check for entity_type in list(registry.checks.values()) for check in entity_type ] for check in checks: unique_checks.add(check.id) aws_checks = list( filter(lambda check_id: '_AWS_' in check_id, unique_checks)) for i in range(1, len(aws_checks)): if f'CKV_AWS_{i}' == 'CKV_AWS_4': # CKV_AWS_4 was deleted due to https://github.com/bridgecrewio/checkov/issues/371 continue if f'CKV_AWS_{i}' == 'CKV_AWS_95': # CKV_AWS_95 is currently implemented just on cfn continue self.assertIn( f'CKV_AWS_{i}', aws_checks, msg=f'The new AWS violation should have the ID "CKV_AWS_{i}"') gcp_checks = list( filter(lambda check_id: '_GCP_' in check_id, unique_checks)) for i in range(1, len(gcp_checks)): self.assertIn( f'CKV_GCP_{i}', gcp_checks, msg=f'The new GCP violation should have the ID "CKV_GCP_{i}"') azure_checks = list( filter(lambda check_id: '_AZURE_' in check_id, unique_checks)) for i in range(1, len(azure_checks)): if f'CKV_AZURE_{i}' == 'CKV_AZURE_43': continue # Pending merge; blocked by another issue https://github.com/bridgecrewio/checkov/pull/429 self.assertIn( f'CKV_AZURE_{i}', azure_checks, msg= f'The new Azure violation should have the ID "CKV_AZURE_{i}"')
def test_summary(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) check = TerraformCheck() test_files_dir = current_dir + "/example_WildcardEntities" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() registry.wildcard_checks['aws_iam_*'].remove(check) registry.checks['null_resource'].remove(check) registry.wildcard_checks['*s3*'].remove(check) # Only for resource and nof for data "aws_iam_policy_document" self.assertEqual(summary['passed'], 3) self.assertEqual(summary['failed'], 0) self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_ElasticacheHasSecurityGroup" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() failing_resources = { "aws_elasticache_security_group.exists", } failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_AMILaunchIsShared" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() failing_resources = {"aws_ami_launch_permission.fail"} failed_check_resources = set( [c.resource for c in report.failed_checks]) self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(failing_resources, failed_check_resources)
def test_record_relative_path_with_abs_file(self): # test whether the record's repo_file_path is correct, relative to the CWD (with a / at the start). # this is just constructing the scan dir as normal current_dir = os.path.dirname(os.path.realpath(__file__)) scan_file_path = os.path.join(current_dir, "resources", "nested_dir", "nested", "example.tf") file_rel_path = os.path.relpath(scan_file_path) file_abs_path = os.path.abspath(scan_file_path) runner = Runner() checks_allowlist = ['CKV_AWS_20'] report = runner.run(root_folder=None, external_checks_dir=None, files=[file_abs_path], runner_filter=RunnerFilter(framework='terraform', checks=checks_allowlist)) all_checks = report.failed_checks + report.passed_checks self.assertTrue(len(all_checks) > 0) # ensure that the assertions below are going to do something for record in all_checks: # no need to join with a '/' because the TF runner adds it to the start of the file path self.assertEqual(record.repo_file_path, f'/{file_rel_path}')
def test_module_version(self): external_checks = Path.joinpath( Path(__file__).parent, "example_external_dir_with_module_version_check/extra_checks" ).as_posix() test_files_dir = Path(__file__).parent / "resources" report = Runner().run( root_folder=test_files_dir, runner_filter=RunnerFilter(checks=["CKV_TF_MODULE_1"]), external_checks_dir=[external_checks]) summary = report.get_summary() self.assertEqual(summary["passed"], 2) self.assertEqual(summary["failed"], 3) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) check = next(c for c in module_registry.checks["module"] if c.id == "CKV_TF_MODULE_1") module_registry.checks["module"].remove(check)
def test_failure_in_resolved_module(self): current_dir = os.path.dirname(os.path.realpath(__file__)) valid_dir_path = os.path.join(current_dir, "../parser/resources/parser_scenarios/module_matryoshka") valid_dir_path = os.path.normpath(valid_dir_path) runner = Runner() checks_allowlist = ['CKV_AWS_20'] report = runner.run(root_folder=valid_dir_path, external_checks_dir=None, runner_filter=RunnerFilter(framework='terraform', checks=checks_allowlist)) report_json = report.get_json() self.assertTrue(isinstance(report_json, str)) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suites()) self.assertEqual(report.get_exit_code(soft_fail=False), 1) self.assertEqual(report.get_exit_code(soft_fail=True), 0) self.assertEqual(checks_allowlist[0], report.failed_checks[0].check_id) self.assertEqual("/bucket1/bucket2/bucket3/bucket.tf", report.failed_checks[0].file_path) self.assertEqual(1, len(report.failed_checks)) for record in report.failed_checks: self.assertIn(record.check_id, checks_allowlist)
def test(self): # given test_files_dir = Path( __file__).parent / "example_LaunchConfigurationEBSEncryption" # when report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) # then summary = report.get_summary() passing_resources = { "aws_instance.pass", "aws_instance.pass2", "aws_instance.pass3", "aws_launch_configuration.pass", "aws_launch_configuration.pass2", } failing_resources = { "aws_instance.fail", "aws_instance.fail2", "aws_instance.fail3", "aws_instance.fail4", "aws_instance.fail5", "aws_instance.fail_empty_root_list", "aws_instance.fail_empty_ebs_list", "aws_launch_configuration.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["passed"], 5) self.assertEqual(summary["failed"], 8) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_SecurityListIngressStatelessListSyntax" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "oci_core_security_list.pass", "oci_core_security_list.pass2", "oci_core_security_list.pass3", "oci_core_security_list.pass4", } failing_resources = { "oci_core_security_list.fail", "oci_core_security_list.fail2", } skipped_resources = { "oci_core_security_list.skipped", } passed_check_resources = set( [c.resource for c in report.passed_checks]) failed_check_resources = set( [c.resource for c in report.failed_checks]) skipped_check_resources = set( [c.resource for c in report.skipped_checks]) self.assertEqual(summary["passed"], 4) self.assertEqual(summary["failed"], 2) self.assertEqual(summary["skipped"], 1) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(skipped_resources, skipped_check_resources) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): # given test_files_dir = Path( __file__).parent / "example_LambdaEnvironmentCredentials" # when report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) # then summary = report.get_summary() passing_resources = { "aws_lambda_function.pass", "aws_lambda_function.no_env", } failing_resources = { "aws_lambda_function.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["passed"], 2) self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources) # check especially for the evaluated keys actual_evaluated_keys = next( c.check_result["evaluated_keys"] for c in report.failed_checks if c.resource == "aws_lambda_function.fail") expected_evaluated_keys = [ "environment/[0]/variables/[0]/AWS_ACCESS_KEY_ID", "environment/[0]/variables/[0]/AWS_SECRET_ACCESS_KEY", ] self.assertCountEqual(expected_evaluated_keys, actual_evaluated_keys)
def test_terraform_module_checks_are_performed(self): check_name = "TF_M_1" from checkov.common.models.enums import CheckResult from checkov.terraform.checks.module.base_module_check import BaseModuleCheck from checkov.terraform.checks.module.registry import module_registry class ModuleCheck(BaseModuleCheck): def __init__(self): name = "Test check" id = check_name supported_resources = ['module'] categories = [] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_module_conf(self, conf): return CheckResult.PASSED check = ModuleCheck() current_dir = os.path.dirname(os.path.realpath(__file__)) valid_dir_path = os.path.join(current_dir, "resources/valid_tf_only_module_usage") runner = Runner() result = runner.run(root_folder=valid_dir_path, external_checks_dir=None, runner_filter=RunnerFilter(checks=check_name)) # unregister check for resource in check.supported_resources: module_registry.checks[resource].remove(check) self.assertEqual(len(result.passed_checks), 1) self.assertIn( 'module.some-module', map(lambda record: record.resource, result.passed_checks))
def test_external_checks_and_graph_checks_load(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) runner_filter = RunnerFilter(framework=['terraform']) external_graph_checks = 0 # with external yaml checks external graph registry checks count should be equal to the external graph checks extra_checks_dir_path = [ current_dir + "/extra_checks", current_dir + "/extra_yaml_checks" ] runner.run(root_folder=current_dir, external_checks_dir=extra_checks_dir_path, runner_filter=runner_filter) for check in runner.graph_registry.checks: if runner_filter.is_external_check(check.id): external_graph_checks += 1 self.assertGreater(len(runner.graph_registry.checks), 1) self.assertGreaterEqual(external_graph_checks, 1) runner.graph_registry.checks[:] = [ check for check in runner.graph_registry.checks if "CUSTOM_GRAPH_AWS_1" not in check.id ]
def test_module_failure_reporting_772(self): current_dir = os.path.dirname(os.path.realpath(__file__)) report = Runner().run( root_folder=f"{current_dir}/resources/module_failure_reporting_772", external_checks_dir=None, runner_filter=RunnerFilter( checks="CKV_AWS_19")) # bucket encryption self.assertEqual(len(report.failed_checks), 4) self.assertEqual(len(report.passed_checks), 0) found_inside = False found_outside = False for record in report.failed_checks: # "outside" bucket (not defined in a module) should be a direct resource path and # should not have caller file info. if "outside" in record.resource: found_outside = True self.assertEqual(record.resource, "aws_s3_bucket.outside") assert record.file_path == "/main.tf" self.assertEqual(record.file_line_range, [11, 13]) self.assertIsNone(record.caller_file_path) self.assertIsNone(record.caller_file_line_range) if "inside" in record.resource: found_inside = True self.assertEqual(record.resource, "module.test_module.aws_s3_bucket.inside") assert record.file_path == "/module/module.tf" self.assertEqual(record.file_line_range, [7, 9]) assert record.caller_file_path == "/main.tf" # ATTENTION!! If this breaks, see the "HACK ALERT" comment in runner.run_block. # A bug might have been fixed. self.assertEqual(record.caller_file_line_range, [6, 8]) self.assertTrue(found_inside) self.assertTrue(found_outside)
def test(self): test_files_dir = Path(__file__).parent / "example_QLDBLedgerPermissionsMode" report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "aws_qldb_ledger.standard", } failing_resources = { "aws_qldb_ledger.allow_all", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["passed"], 1) self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_AppLoadBalancerTLS12" report = runner.run( root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]) ) summary = report.get_summary() passing_resources = { "aws_lb_listener.http_redirect", "aws_lb_listener.tcp", "aws_lb_listener.udp", "aws_lb_listener.tcp_udp", "aws_lb_listener.tls_fs_1_2", "aws_lb_listener.https_fs_1_2", "aws_alb_listener.https_fs_1_2", } failing_resources = { "aws_lb_listener.http", "aws_lb_listener.https_2016", "aws_lb_listener.tls_fs_1_1", "aws_alb_listener.tls_fs_1_1", "aws_lb_listener.cognito", } passed_check_resources = set([c.resource for c in report.passed_checks]) failed_check_resources = set([c.resource for c in report.failed_checks]) self.assertEqual(summary["passed"], 7) self.assertEqual(summary["failed"], 5) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_DBInstanceBackupRetentionPeriod" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "aws_rds_cluster.pass", "aws_db_instance.pass", "aws_rds_cluster.pass2", "aws_db_instance.pass2", } failing_resources = { "aws_rds_cluster.fail", "aws_rds_cluster.fail2", "aws_db_instance.fail", "aws_db_instance.fail2", } unknown_resources = {"aws_db_instance.unknown"} passed_check_resources = set( [c.resource for c in report.passed_checks]) failed_check_resources = set( [c.resource for c in report.failed_checks]) self.assertEqual(summary["passed"], 4) self.assertEqual(summary["failed"], 4) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources) self.assertEqual( len([r for r in report.resources if r in unknown_resources]), 0)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/test_GKEReleaseChannel" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = {'google_container_cluster.success'} failing_resources = {'google_container_cluster.fail'} passed_check_resources = set( [c.resource for c in report.passed_checks]) failed_check_resources = set( [c.resource for c in report.failed_checks]) self.assertEqual(summary['passed'], 1) self.assertEqual(summary['failed'], 1) self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_WafHasAnyRules" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "aws_waf_web_acl.pass", 'aws_wafv2_web_acl.pass', 'aws_wafregional_web_acl.pass', } failing_resources = { "aws_waf_web_acl.fail", "aws_waf_web_acl.fail2", 'aws_wafv2_web_acl.fail', 'aws_wafv2_web_acl.fail2', 'aws_wafregional_web_acl.fail', 'aws_wafregional_web_acl.fail2', } passed_check_resources = set( [c.resource for c in report.passed_checks]) failed_check_resources = set( [c.resource for c in report.failed_checks]) self.assertEqual(summary["passed"], 3) self.assertEqual(summary["failed"], 6) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): test_files_dir = Path(__file__).parent / "example_FunctionAppMinTLSVersion" report = Runner().run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "azurerm_function_app.pass", "azurerm_function_app.pass2", } failing_resources = { "azurerm_function_app.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} self.assertEqual(summary["passed"], 2) self.assertEqual(summary["failed"], 1) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)
def test(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) test_files_dir = current_dir + "/example_SSMSessionManagerDocumentLogging" report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() passing_resources = { "aws_ssm_document.s3_enabled_encrypted", "aws_ssm_document.s3_enabled_encrypted_yaml", "aws_ssm_document.cw_enabled_encrypted", "aws_ssm_document.cw_enabled_encrypted_yaml", } failing_resources = { "aws_ssm_document.disabled", "aws_ssm_document.disabled_yaml", "aws_ssm_document.s3_enabled_not_encrypted", "aws_ssm_document.s3_enabled_not_encrypted_yaml", "aws_ssm_document.cw_enabled_not_encrypted", "aws_ssm_document.cw_enabled_not_encrypted_yaml", } passed_check_resources = set( [c.resource for c in report.passed_checks]) failed_check_resources = set( [c.resource for c in report.failed_checks]) self.assertEqual(summary["passed"], 4) self.assertEqual(summary["failed"], 6) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources)