def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_EMRClusterIsEncryptedKMS"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_emr_security_configuration.pass",
}
failing_resources = {
"aws_emr_security_configuration.fail",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_S3ObjectCopyEncryptedWithCMK"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_s3_object_copy.pass",
}
failing_resources = {
"aws_s3_object_copy.fail",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/test_GKEEnsureIntegrityMonitoring"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'google_container_cluster.success1',
'google_container_cluster.success2',
'google_container_node_pool.success1',
'google_container_node_pool.success2',
}
failing_resources = {
'google_container_cluster.fail', 'google_container_node_pool.fail'
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 4)
self.assertEqual(summary['failed'], 2)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_DynamoDBTablesEncrypted"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_dynamodb_table.cmk",
}
failing_resources = {
"aws_dynamodb_table.default",
"aws_dynamodb_table.encrypted_false",
"aws_dynamodb_table.encrypted_no_cmk",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 3)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test_build_graph(self):
resources_path = os.path.join(
os.path.dirname(os.path.dirname(__file__)), "resources",
"graph_files_test")
source_files = ["pass_s3.tf", "variables.tf"]
runner = Runner()
report = runner.run(None,
None,
files=list(
map(lambda f: f'{resources_path}/{f}',
source_files)))
tf_definitions = runner.tf_definitions
self.assertEqual(4, len(report.failed_checks))
for file, definitions in tf_definitions.items():
if file.endswith('pass_s3.tf'):
s3_bucket_config = definitions['resource'][0]['aws_s3_bucket'][
'bucket_with_versioning']
# Evaluation succeeded for included vars
self.assertTrue(
s3_bucket_config['versioning'][0]['enabled'][0])
# Evaluation does not run for un-included vars
self.assertEqual(
s3_bucket_config['server_side_encryption_configuration'][0]
['rule'][0]['apply_server_side_encryption_by_default'][0]
['sse_algorithm'][0], 'var.encryption')
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_S3BucketObjectLock"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_s3_bucket.enabled_via_object",
"aws_s3_bucket.enabled_via_block",
}
failing_resources = {
"aws_s3_bucket.disabled_via_object",
"aws_s3_bucket.disabled_via_block",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_CloudsearchDomainEnforceHttps"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_cloudsearch_domain.pass",
}
failing_resources = {
"aws_cloudsearch_domain.fail",
"aws_cloudsearch_domain.fail2",
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_DBInstanceLogging"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_db_instance.mysql",
"aws_db_instance.postgres",
}
failing_resources = {
"aws_db_instance.default",
"aws_db_instance.empty",
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test_terraform_module_checks_are_performed_even_if_supported_resources_is_omitted(self):
check_name = "TF_M_2"
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck
from checkov.terraform.checks.module.registry import module_registry
class ModuleCheck(BaseModuleCheck):
def __init__(self):
name = "Test check"
id = check_name
categories = []
super().__init__(name=name, id=id, categories=categories)
def scan_module_conf(self, conf):
return CheckResult.PASSED
check = ModuleCheck()
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = os.path.join(current_dir, "resources/valid_tf_only_module_usage")
runner = Runner()
result = runner.run(root_folder=valid_dir_path, external_checks_dir=None,
runner_filter=RunnerFilter(checks=check_name))
# unregister check
for resource in check.supported_resources:
module_registry.checks[resource].remove(check)
self.assertEqual(len(result.passed_checks), 1)
self.assertIn('module.some-module', map(lambda record: record.resource, result.passed_checks))
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_IAMAdminPolicyDocument"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'aws_iam_policy.pass1', 'aws_iam_policy.pass2',
'aws_ssoadmin_permission_set_inline_policy.pass1'
}
failing_resources = {
'aws_iam_policy.fail1', 'aws_iam_policy.fail2',
'aws_iam_policy.fail3', 'aws_iam_policy.fail4',
'aws_ssoadmin_permission_set_inline_policy.fail1'
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 3)
self.assertEqual(summary['failed'], 5)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_ObjectStorageVersioning"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"oci_objectstorage_bucket.pass",
}
failing_resources = {
"oci_objectstorage_bucket.fail",
"oci_objectstorage_bucket.default",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_LambdaEnvironmentEncryptionSettings"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_lambda_function.pass",
}
failing_resources = {
"aws_lambda_function.fail",
"aws_lambda_function.failkmsnovars",
"aws_lambda_function.failasempty",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 3)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_KubernetesSecretsEncryptedUsingCMK"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_eks_cluster.enabled",
}
failing_resources = {
"aws_eks_cluster.default",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_PolicyNoApplicationAny"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'panos_security_policy.pass1',
'panos_security_rule_group.pass2',
'panos_security_policy.pass3',
'panos_security_rule_group.pass4',
'panos_security_policy.pass5',
'panos_security_rule_group.pass6',
}
failing_resources = {
'panos_security_policy.fail1',
'panos_security_rule_group.fail2',
'panos_security_policy.fail3',
'panos_security_rule_group.fail4',
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 6)
self.assertEqual(summary['failed'], 4)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_InterfaceMgmtProfileNoHTTP"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'panos_management_profile.pass1',
'panos_management_profile.pass2',
}
failing_resources = {
'panos_management_profile.fail',
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 2)
self.assertEqual(summary['failed'], 1)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_ElasticCacheAutomaticBackup"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_elasticache_cluster.enabled",
}
failing_resources = {
"aws_elasticache_cluster.default",
"aws_elasticache_cluster.disabled",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_PubSubPrivateTopic"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'google_pubsub_topic_iam_binding.pass1',
'google_pubsub_topic_iam_binding.pass2',
'google_pubsub_topic_iam_member.pass1',
'google_pubsub_topic_iam_member.pass2',
}
failing_resources = {
'google_pubsub_topic_iam_binding.fail1',
'google_pubsub_topic_iam_binding.fail2',
'google_pubsub_topic_iam_binding.fail3',
'google_pubsub_topic_iam_binding.fail4',
'google_pubsub_topic_iam_member.fail1',
'google_pubsub_topic_iam_member.fail2',
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 4)
self.assertEqual(summary['failed'], 6)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_GoogleComputeExternalIP"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'google_compute_instance.pass',
'google_compute_instance_template.pass'
}
failing_resources = {
'google_compute_instance.fail',
'google_compute_instance_template.fail',
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], 2)
self.assertEqual(summary['failed'], 2)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_APIGatewayDomainNameTLS"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_api_gateway_domain_name.pass",
}
failing_resources = {
"aws_api_gateway_domain_name.fail",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test_failure_in_resolved_module(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_dir_path = os.path.join(
current_dir,
"../parser/resources/parser_scenarios/module_matryoshka")
valid_dir_path = os.path.normpath(valid_dir_path)
runner = Runner()
checks_allowlist = ['CKV_AWS_20']
report = runner.run(
root_folder=valid_dir_path,
external_checks_dir=None,
runner_filter=RunnerFilter(framework='terraform',
checks=checks_allowlist))
report_json = report.get_json()
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
self.assertEqual(report.get_exit_code(soft_fail=False), 1)
self.assertEqual(report.get_exit_code(soft_fail=True), 0)
self.assertEqual(checks_allowlist[0], report.failed_checks[0].check_id)
self.assertEqual("/bucket1/bucket2/bucket3/bucket.tf",
report.failed_checks[0].file_path)
self.assertEqual(1, len(report.failed_checks))
for record in report.failed_checks:
self.assertIn(record.check_id, checks_allowlist)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_BatchJobIsNotPrivileged"
report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_batch_job_definition.pass",
"aws_batch_job_definition.pass2",
"aws_batch_job_definition.pass3",
}
failing_resources = {
"aws_batch_job_definition.fail",
}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 3)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test_runner_extra_check(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
tf_dir_path = current_dir + "/resources/extra_check_test"
extra_checks_dir_path = [current_dir + "/extra_checks"]
print("testing dir" + tf_dir_path)
runner = Runner()
report = runner.run(root_folder=tf_dir_path,
external_checks_dir=extra_checks_dir_path)
report_json = report.get_json()
for check in resource_registry.checks["aws_s3_bucket"]:
if check.id == "CUSTOM_AWS_1":
resource_registry.checks["aws_s3_bucket"].remove(check)
self.assertTrue(isinstance(report_json, str))
self.assertIsNotNone(report_json)
self.assertIsNotNone(report.get_test_suites())
passing_custom = 0
failed_custom = 0
for record in report.passed_checks:
if record.check_id == "CUSTOM_AWS_1":
passing_custom = passing_custom + 1
for record in report.failed_checks:
if record.check_id == "CUSTOM_AWS_1":
failed_custom = failed_custom + 1
self.assertEqual(passing_custom, 1)
self.assertEqual(failed_custom, 2)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = os.path.join(current_dir, "example_OSSBucketPublic")
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'alicloud_oss_bucket.good-bucket',
'alicloud_oss_bucket.good-bucket2',
}
failing_resources = {
'alicloud_oss_bucket.bad-bucket',
'alicloud_oss_bucket.bad-bucket2',
}
skipped_resources = {}
passed_check_resources = set([c.resource for c in report.passed_checks])
failed_check_resources = set([c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], len(passing_resources))
self.assertEqual(summary['failed'], len(failing_resources))
self.assertEqual(summary['skipped'], len(skipped_resources))
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test_record_relative_path_with_abs_file(self):
# test whether the record's repo_file_path is correct, relative to the CWD (with a / at the start).
# this is just constructing the scan dir as normal
current_dir = os.path.dirname(os.path.realpath(__file__))
scan_file_path = os.path.join(current_dir, "resources", "nested_dir",
"nested", "example.tf")
file_rel_path = os.path.relpath(scan_file_path)
file_abs_path = os.path.abspath(scan_file_path)
runner = Runner()
checks_allowlist = ['CKV_AWS_20']
report = runner.run(
root_folder=None,
external_checks_dir=None,
files=[file_abs_path],
runner_filter=RunnerFilter(framework='terraform',
checks=checks_allowlist))
all_checks = report.failed_checks + report.passed_checks
self.assertTrue(
len(all_checks) >
0) # ensure that the assertions below are going to do something
for record in all_checks:
# no need to join with a '/' because the TF runner adds it to the start of the file path
self.assertEqual(record.repo_file_path, f'/{file_rel_path}')
def test_module_and_variables(self):
resources_path = os.path.join(
os.path.dirname(os.path.dirname(__file__)), "resources",
"modules-and-vars")
runner = Runner()
report = runner.run(root_folder=resources_path)
self.assertLessEqual(3, len(report.failed_checks))
self.assertLessEqual(12, len(report.passed_checks))
self.assertEqual(0, len(report.skipped_checks))
found_versioning_failure = False
for record in report.failed_checks:
if record.check_id != 'CKV_AWS_40':
self.assertIsNotNone(record.breadcrumbs)
if record.check_id == 'CKV_AWS_21':
found_versioning_failure = True
bc = record.breadcrumbs.get('versioning.enabled')
self.assertEqual(len(bc), 2)
bc = bc[0]
self.assertEqual(bc.get('type'), 'module')
self.assertEqual(
os.path.relpath(bc.get('path'), resources_path),
'examples/complete/main.tf')
self.assertTrue(found_versioning_failure)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = os.path.join(
current_dir, "example_ACRPublicNetworkAccessDisabled")
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {'azurerm_container_registry.ckv_unittest_pass'}
failing_resources = {
'azurerm_container_registry.ckv_unittest_fail',
'azurerm_container_registry.ckv_unittest_fail_2',
}
skipped_resources = {}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary['passed'], len(passing_resources))
self.assertEqual(summary['failed'], len(failing_resources))
self.assertEqual(summary['skipped'], len(skipped_resources))
self.assertEqual(summary['parsing_errors'], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_SecretManagerSecretEncrypted"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_secretsmanager_secret.enabled1",
"aws_secretsmanager_secret.enabled2",
}
failing_resources = {
"aws_secretsmanager_secret.default",
"aws_secretsmanager_secret.default_explicit",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_KMSKeyWildcardPrincipal"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
'aws_kms_key.pass_0', 'aws_kms_key.pass_1', 'aws_kms_key.pass_2',
'aws_kms_key.pass_3'
}
failing_resources = {
'aws_kms_key.fail_0', 'aws_kms_key.fail_1', 'aws_kms_key.fail_2',
'aws_kms_key.fail_3', 'aws_kms_key.fail_4'
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
self.assertEqual(summary['passed'], 4)
self.assertEqual(summary['failed'], 5)
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_InstanceMetadataServiceEnabled"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"oci_core_instance.pass",
}
failing_resources = {
"oci_core_instance.fail",
"oci_core_instance.fail2",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["failed"], 2)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
def test(self):
runner = Runner()
current_dir = os.path.dirname(os.path.realpath(__file__))
test_files_dir = current_dir + "/example_GlacierVaultAnyPrincipal"
report = runner.run(root_folder=test_files_dir,
runner_filter=RunnerFilter(checks=[check.id]))
summary = report.get_summary()
passing_resources = {
"aws_glacier_vault.my_archive1",
"aws_glacier_vault.my_archive6",
}
failing_resources = {
"aws_glacier_vault.my_archive2",
"aws_glacier_vault.my_archive3",
"aws_glacier_vault.my_archive4",
"aws_glacier_vault.my_archive5",
}
passed_check_resources = set(
[c.resource for c in report.passed_checks])
failed_check_resources = set(
[c.resource for c in report.failed_checks])
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 4)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)
