def test_no_missing_ids(self):
runner = Runner()
unique_checks = set()
for registry in list(runner.block_type_registries.values()):
checks = [check for entity_type in list(registry.checks.values()) for check in entity_type]
for check in checks:
unique_checks.add(check.id)
aws_checks = list(filter(lambda check_id: '_AWS_' in check_id, unique_checks))
for i in range(1, len(aws_checks)):
self.assertIn(f'CKV_AWS_{i}', aws_checks, msg=f'The new AWS violation should have the ID "CKV_AWS_{i}"')
gcp_checks = list(filter(lambda check_id: '_GCP_' in check_id, unique_checks))
for i in range(1, len(gcp_checks)):
self.assertIn(f'CKV_GCP_{i}', gcp_checks, msg=f'The new GCP violation should have the ID "CKV_GCP_{i}"')
azure_checks = list(filter(lambda check_id: '_AZURE_' in check_id, unique_checks))
for i in range(1, len(azure_checks)):
self.assertIn(f'CKV_AZURE_{i}', azure_checks, msg=f'The new GCP violation should have the ID "CKV_AZURE_{i}"')
def test_runner_passing_valid_tf(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
passing_tf_dir_path = current_dir + "/resources/valid_tf_only_passed_checks"
print("testing dir" + passing_tf_dir_path)
runner = Runner()
report = runner.run(root_folder=passing_tf_dir_path,
external_checks_dir=None)
report_json = report.get_json()
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
# self.assertEqual(report.get_exit_code(), 0)
summary = report.get_summary()
self.assertGreaterEqual(summary['passed'], 1)
self.assertEqual(summary['failed'], 0)
self.assertEqual(summary["parsing_errors"], 0)
def test_runner_specific_file(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
passing_tf_file_path = current_dir + "/resources/valid_tf_only_passed_checks/example.tf"
runner = Runner()
report = runner.run(root_folder=None,
external_checks_dir=None,
files=[passing_tf_file_path])
report_json = report.get_json()
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
# self.assertEqual(report.get_exit_code(), 0)
summary = report.get_summary()
self.assertGreaterEqual(summary['passed'], 1)
self.assertEqual(3, summary['failed'])
self.assertEqual(0, summary["parsing_errors"])
def test_loading_external_checks_yaml_multiple_times(self):
runner = Runner()
base_len = len(graph_registry.checks)
current_dir = os.path.dirname(os.path.realpath(__file__))
extra_checks_dir_path = [current_dir + "/extra_yaml_checks"]
runner.load_external_checks(extra_checks_dir_path)
self.assertEqual(len(graph_registry.checks), base_len + 1)
self.assertEqual(graph_registry.checks[base_len].id,
CUSTOM_GRAPH_CHECK_ID)
self.assertEqual(graph_registry.checks[base_len].name,
'Ensure bucket has versioning and owner tag')
runner.load_external_checks(extra_checks_dir_path)
self.assertEqual(len(graph_registry.checks), base_len + 1)
self.assertEqual(graph_registry.checks[base_len].id,
CUSTOM_GRAPH_CHECK_ID)
graph_registry.checks = list(
filter(lambda c: c.id != CUSTOM_GRAPH_CHECK_ID,
graph_registry.checks))
def test_run_persistent_data(self):
resources_path = os.path.join(
os.path.dirname(os.path.dirname(__file__)), "resources",
"graph_files_test")
runner = Runner()
data_path = os.path.join(os.path.dirname(__file__),
"persistent_data.json")
with open(data_path) as f:
data = json.load(f)
tf_definitions = data["tf_definitions"]
breadcrumbs = data["breadcrumbs"]
definitions_context = data["definitions_context"]
runner.set_external_data(tf_definitions, definitions_context,
breadcrumbs)
report = runner.run(root_folder=resources_path)
self.assertGreaterEqual(len(report.failed_checks), 4)
self.assertEqual(len(report.passed_checks), 6)
self.assertEqual(len(report.skipped_checks), 0)
def test_parser_error_handled_for_file_target(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
invalid_dir_path = os.path.join(current_dir,
"resources/invalid_terraform_syntax")
file_names = ['bad_tf_1.tf', 'bad_tf_2.tf']
invalid_dir_abs_path = os.path.abspath(invalid_dir_path)
runner = Runner()
result = runner.run(files=[
os.path.join(invalid_dir_path, file) for file in file_names
],
root_folder=None,
external_checks_dir=None)
self.assertEqual(len(result.parsing_errors), 2)
for file in file_names:
self.assertIn(os.path.join(invalid_dir_abs_path, file),
result.parsing_errors)
def test(self):
test_files_dir = Path(__file__).parent / "example_external_data"
external_check_dir = Path(__file__).parent / "external_check"
runner = Runner()
report = runner.run(
root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=["CKV_TF_DATA_EXTERNAL_1"]),
external_checks_dir=[external_check_dir])
summary = report.get_summary()
print(data_registry)
self.assertEqual(summary["passed"], 0)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
check = next(c for c in data_registry.checks["external"]
if c.id == "CKV_TF_DATA_EXTERNAL_1")
data_registry.checks["external"].remove(check)
def test_runner_valid_tf(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = current_dir + "/resources/example"
runner = Runner()
report = runner.run(root_folder=valid_dir_path, external_checks_dir=None)
report_json = report.get_json()
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
self.assertEqual(report.get_exit_code(soft_fail=False), 1)
self.assertEqual(report.get_exit_code(soft_fail=True), 0)
summary = report.get_summary()
self.assertGreaterEqual(summary['passed'], 1)
self.assertGreaterEqual(summary['failed'], 1)
self.assertEqual(summary["parsing_errors"], 1)
report.print_json()
report.print_console()
report.print_junit_xml()
def test(self):
# given
test_files_dir = Path(
__file__).parent / "example_CloudArmorWAFACLCVE202144228"
# when
report = Runner().run(root_folder=str(test_files_dir),
runner_filter=RunnerFilter(checks=[check.id]))
# then
summary = report.get_summary()
passing_resources = {
"google_compute_security_policy.enabled_deny_403",
"google_compute_security_policy.enabled_deny_404",
}
failing_resources = {
"google_compute_security_policy.allow",
"google_compute_security_policy.preview",
"google_compute_security_policy.different_expr",
}
passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 3)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
# check especially for the evaluated keys
actual_evaluated_keys = next(
c.check_result["evaluated_keys"] for c in report.failed_checks
if c.resource == "google_compute_security_policy.different_expr")
expected_evaluated_keys = [
"rule/[0]/action",
"rule/[0]/preview",
"rule/[0]/match/[0]/expr/[0]/expression",
]
self.assertCountEqual(expected_evaluated_keys, actual_evaluated_keys)
def test_typed_terraform_resource_checks_are_performed(self):
test_self = self
check_name = "TF_M_2"
test_dir = "resources/valid_tf_only_resource_usage"
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.terraform.checks.resource.registry import resource_registry
class ResourceCheck(BaseResourceCheck):
def __init__(self):
name = "Test check"
id = check_name
supported_resources = ['*']
categories = []
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
def scan_resource_conf(self, conf, entity_type):
if entity_type == 'type_1':
test_self.assertIn('a', conf)
test_self.assertEqual([1], conf['a'])
elif entity_type == 'type_2':
test_self.assertIn('b', conf)
test_self.assertEqual([2], conf['b'])
else:
test_self.fail(f'Unexpected entity_type: {entity_type}. Expected type_1 or type_2, because no '
f'other resources are defined in the files inside of {test_dir}.')
return CheckResult.PASSED
check = ResourceCheck()
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = os.path.join(current_dir, test_dir)
runner = Runner()
result = runner.run(root_folder=valid_dir_path, external_checks_dir=None,
runner_filter=RunnerFilter(checks=check_name))
# unregister check
for resource in check.supported_resources:
resource_registry.wildcard_checks[resource].remove(check)
self.assertEqual(len(result.passed_checks), 2)
def test_no_missing_ids(self):
runner = Runner()
unique_checks = set()
for registry in list(runner.block_type_registries.values()):
checks = [
check for entity_type in list(registry.checks.values())
for check in entity_type
]
for check in checks:
unique_checks.add(check.id)
aws_checks = list(
filter(lambda check_id: '_AWS_' in check_id, unique_checks))
for i in range(1, len(aws_checks)):
if f'CKV_AWS_{i}' == 'CKV_AWS_4':
# CKV_AWS_4 was deleted due to https://github.com/bridgecrewio/checkov/issues/371
continue
if f'CKV_AWS_{i}' == 'CKV_AWS_95':
# CKV_AWS_95 is currently implemented just on cfn
continue
self.assertIn(
f'CKV_AWS_{i}',
aws_checks,
msg=f'The new AWS violation should have the ID "CKV_AWS_{i}"')
gcp_checks = list(
filter(lambda check_id: '_GCP_' in check_id, unique_checks))
for i in range(1, len(gcp_checks)):
self.assertIn(
f'CKV_GCP_{i}',
gcp_checks,
msg=f'The new GCP violation should have the ID "CKV_GCP_{i}"')
azure_checks = list(
filter(lambda check_id: '_AZURE_' in check_id, unique_checks))
for i in range(1, len(azure_checks)):
if f'CKV_AZURE_{i}' == 'CKV_AZURE_43':
continue # Pending merge; blocked by another issue https://github.com/bridgecrewio/checkov/pull/429
self.assertIn(
f'CKV_AZURE_{i}',
azure_checks,
msg=
f'The new Azure violation should have the ID "CKV_AZURE_{i}"')
def test_summary(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
check = TerraformCheck()
test_files_dir = current_dir + "/example_WildcardEntities"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
registry.wildcard_checks['aws_iam_*'].remove(check)
registry.checks['null_resource'].remove(check)
registry.wildcard_checks['*s3*'].remove(check)
# Only for resource and nof for data "aws_iam_policy_document"
self.assertEqual(summary['passed'], 3)
self.assertEqual(summary['failed'], 0)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_ElasticacheHasSecurityGroup"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
failing_resources = {
"aws_elasticache_security_group.exists",
}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_AMILaunchIsShared"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
failing_resources = {"aws_ami_launch_permission.fail"}
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(failing_resources, failed_check_resources)
def test_record_relative_path_with_abs_file(self):
# test whether the record's repo_file_path is correct, relative to the CWD (with a / at the start).
# this is just constructing the scan dir as normal
current_dir = os.path.dirname(os.path.realpath(__file__))
scan_file_path = os.path.join(current_dir, "resources", "nested_dir", "nested", "example.tf")
file_rel_path = os.path.relpath(scan_file_path)
file_abs_path = os.path.abspath(scan_file_path)
runner = Runner()
checks_allowlist = ['CKV_AWS_20']
report = runner.run(root_folder=None, external_checks_dir=None, files=[file_abs_path],
runner_filter=RunnerFilter(framework='terraform', checks=checks_allowlist))
all_checks = report.failed_checks + report.passed_checks
self.assertTrue(len(all_checks) > 0) # ensure that the assertions below are going to do something
for record in all_checks:
# no need to join with a '/' because the TF runner adds it to the start of the file path
self.assertEqual(record.repo_file_path, f'/{file_rel_path}')
def test_module_version(self):
external_checks = Path.joinpath(
Path(__file__).parent,
"example_external_dir_with_module_version_check/extra_checks"
).as_posix()
test_files_dir = Path(__file__).parent / "resources"
report = Runner().run(
root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=["CKV_TF_MODULE_1"]),
external_checks_dir=[external_checks])
summary = report.get_summary()
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 3)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
check = next(c for c in module_registry.checks["module"]
if c.id == "CKV_TF_MODULE_1")
module_registry.checks["module"].remove(check)
def test_failure_in_resolved_module(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = os.path.join(current_dir, "../parser/resources/parser_scenarios/module_matryoshka")
valid_dir_path = os.path.normpath(valid_dir_path)
runner = Runner()
checks_allowlist = ['CKV_AWS_20']
report = runner.run(root_folder=valid_dir_path, external_checks_dir=None,
runner_filter=RunnerFilter(framework='terraform', checks=checks_allowlist))
report_json = report.get_json()
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
self.assertEqual(report.get_exit_code(soft_fail=False), 1)
self.assertEqual(report.get_exit_code(soft_fail=True), 0)
self.assertEqual(checks_allowlist[0], report.failed_checks[0].check_id)
self.assertEqual("/bucket1/bucket2/bucket3/bucket.tf", report.failed_checks[0].file_path)
self.assertEqual(1, len(report.failed_checks))
for record in report.failed_checks:
self.assertIn(record.check_id, checks_allowlist)
def test(self):
# given
test_files_dir = Path(
__file__).parent / "example_LaunchConfigurationEBSEncryption"
# when
report = Runner().run(root_folder=str(test_files_dir),
runner_filter=RunnerFilter(checks=[check.id]))
# then
summary = report.get_summary()
passing_resources = {
"aws_instance.pass",
"aws_instance.pass2",
"aws_instance.pass3",
"aws_launch_configuration.pass",
"aws_launch_configuration.pass2",
}
failing_resources = {
"aws_instance.fail",
"aws_instance.fail2",
"aws_instance.fail3",
"aws_instance.fail4",
"aws_instance.fail5",
"aws_instance.fail_empty_root_list",
"aws_instance.fail_empty_ebs_list",
"aws_launch_configuration.fail",
}
passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["passed"], 5)
self.assertEqual(summary["failed"], 8)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_SecurityListIngressStatelessListSyntax"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"oci_core_security_list.pass",
"oci_core_security_list.pass2",
"oci_core_security_list.pass3",
"oci_core_security_list.pass4",
}
failing_resources = {
"oci_core_security_list.fail",
"oci_core_security_list.fail2",
}
skipped_resources = {
"oci_core_security_list.skipped",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
skipped_check_resources = set(
[c.resource for c in report.skipped_checks])
self.assertEqual(summary["passed"], 4)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 1)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(skipped_resources, skipped_check_resources)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
# given
test_files_dir = Path(
__file__).parent / "example_LambdaEnvironmentCredentials"
# when
report = Runner().run(root_folder=str(test_files_dir),
runner_filter=RunnerFilter(checks=[check.id]))
# then
summary = report.get_summary()
passing_resources = {
"aws_lambda_function.pass",
"aws_lambda_function.no_env",
}
failing_resources = {
"aws_lambda_function.fail",
}
passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
# check especially for the evaluated keys
actual_evaluated_keys = next(
c.check_result["evaluated_keys"] for c in report.failed_checks
if c.resource == "aws_lambda_function.fail")
expected_evaluated_keys = [
"environment/[0]/variables/[0]/AWS_ACCESS_KEY_ID",
"environment/[0]/variables/[0]/AWS_SECRET_ACCESS_KEY",
]
self.assertCountEqual(expected_evaluated_keys, actual_evaluated_keys)
def test_terraform_module_checks_are_performed(self):
check_name = "TF_M_1"
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
from checkov.terraform.checks.module.registry import module_registry
class ModuleCheck(BaseModuleCheck):
def __init__(self):
name = "Test check"
id = check_name
supported_resources = ['module']
categories = []
super().__init__(name=name,
id=id,
categories=categories,
supported_resources=supported_resources)
def scan_module_conf(self, conf):
return CheckResult.PASSED
check = ModuleCheck()
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = os.path.join(current_dir,
"resources/valid_tf_only_module_usage")
runner = Runner()
result = runner.run(root_folder=valid_dir_path,
external_checks_dir=None,
runner_filter=RunnerFilter(checks=check_name))
# unregister check
for resource in check.supported_resources:
module_registry.checks[resource].remove(check)
self.assertEqual(len(result.passed_checks), 1)
self.assertIn(
'module.some-module',
map(lambda record: record.resource, result.passed_checks))
def test_external_checks_and_graph_checks_load(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
runner_filter = RunnerFilter(framework=['terraform'])
external_graph_checks = 0
# with external yaml checks external graph registry checks count should be equal to the external graph checks
extra_checks_dir_path = [
current_dir + "/extra_checks", current_dir + "/extra_yaml_checks"
]
runner.run(root_folder=current_dir,
external_checks_dir=extra_checks_dir_path,
runner_filter=runner_filter)
for check in runner.graph_registry.checks:
if runner_filter.is_external_check(check.id):
external_graph_checks += 1
self.assertGreater(len(runner.graph_registry.checks), 1)
self.assertGreaterEqual(external_graph_checks, 1)
runner.graph_registry.checks[:] = [
check for check in runner.graph_registry.checks
if "CUSTOM_GRAPH_AWS_1" not in check.id
]
def test_module_failure_reporting_772(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
report = Runner().run(
root_folder=f"{current_dir}/resources/module_failure_reporting_772",
external_checks_dir=None,
runner_filter=RunnerFilter(
checks="CKV_AWS_19")) # bucket encryption
self.assertEqual(len(report.failed_checks), 4)
self.assertEqual(len(report.passed_checks), 0)
found_inside = False
found_outside = False
for record in report.failed_checks:
# "outside" bucket (not defined in a module) should be a direct resource path and
# should not have caller file info.
if "outside" in record.resource:
found_outside = True
self.assertEqual(record.resource, "aws_s3_bucket.outside")
assert record.file_path == "/main.tf"
self.assertEqual(record.file_line_range, [11, 13])
self.assertIsNone(record.caller_file_path)
self.assertIsNone(record.caller_file_line_range)
if "inside" in record.resource:
found_inside = True
self.assertEqual(record.resource,
"module.test_module.aws_s3_bucket.inside")
assert record.file_path == "/module/module.tf"
self.assertEqual(record.file_line_range, [7, 9])
assert record.caller_file_path == "/main.tf"
# ATTENTION!! If this breaks, see the "HACK ALERT" comment in runner.run_block.
# A bug might have been fixed.
self.assertEqual(record.caller_file_line_range, [6, 8])
self.assertTrue(found_inside)
self.assertTrue(found_outside)
def test(self):
test_files_dir = Path(__file__).parent / "example_QLDBLedgerPermissionsMode"
report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_qldb_ledger.standard",
}
failing_resources = {
"aws_qldb_ledger.allow_all",
}
passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_AppLoadBalancerTLS12"
report = runner.run(
root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])
)
summary = report.get_summary()
passing_resources = {
"aws_lb_listener.http_redirect",
"aws_lb_listener.tcp",
"aws_lb_listener.udp",
"aws_lb_listener.tcp_udp",
"aws_lb_listener.tls_fs_1_2",
"aws_lb_listener.https_fs_1_2",
"aws_alb_listener.https_fs_1_2",
}
failing_resources = {
"aws_lb_listener.http",
"aws_lb_listener.https_2016",
"aws_lb_listener.tls_fs_1_1",
"aws_alb_listener.tls_fs_1_1",
"aws_lb_listener.cognito",
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 7)
self.assertEqual(summary["failed"], 5)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_DBInstanceBackupRetentionPeriod"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_rds_cluster.pass",
"aws_db_instance.pass",
"aws_rds_cluster.pass2",
"aws_db_instance.pass2",
}
failing_resources = {
"aws_rds_cluster.fail",
"aws_rds_cluster.fail2",
"aws_db_instance.fail",
"aws_db_instance.fail2",
}
unknown_resources = {"aws_db_instance.unknown"}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 4)
self.assertEqual(summary["failed"], 4)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
self.assertEqual(
len([r for r in report.resources if r in unknown_resources]), 0)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/test_GKEReleaseChannel"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {'google_container_cluster.success'}
failing_resources = {'google_container_cluster.fail'}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 1)
self.assertEqual(summary['failed'], 1)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_WafHasAnyRules"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_waf_web_acl.pass",
'aws_wafv2_web_acl.pass',
'aws_wafregional_web_acl.pass',
}
failing_resources = {
"aws_waf_web_acl.fail",
"aws_waf_web_acl.fail2",
'aws_wafv2_web_acl.fail',
'aws_wafv2_web_acl.fail2',
'aws_wafregional_web_acl.fail',
'aws_wafregional_web_acl.fail2',
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 3)
self.assertEqual(summary["failed"], 6)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
test_files_dir = Path(__file__).parent / "example_FunctionAppMinTLSVersion"
report = Runner().run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"azurerm_function_app.pass",
"azurerm_function_app.pass2",
}
failing_resources = {
"azurerm_function_app.fail",
}
passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_SSMSessionManagerDocumentLogging"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_ssm_document.s3_enabled_encrypted",
"aws_ssm_document.s3_enabled_encrypted_yaml",
"aws_ssm_document.cw_enabled_encrypted",
"aws_ssm_document.cw_enabled_encrypted_yaml",
}
failing_resources = {
"aws_ssm_document.disabled",
"aws_ssm_document.disabled_yaml",
"aws_ssm_document.s3_enabled_not_encrypted",
"aws_ssm_document.s3_enabled_not_encrypted_yaml",
"aws_ssm_document.cw_enabled_not_encrypted",
"aws_ssm_document.cw_enabled_not_encrypted_yaml",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 4)
self.assertEqual(summary["failed"], 6)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
