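def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    """Fail unless the WAF policy keeps OWASP rule 944240 active.

    Walks ``managed_rules[0].managed_rule_set``; for the first OWASP 3.1/3.2 rule
    set it inspects every ``rule_group_override`` for the
    ``REQUEST-944-APPLICATION-ATTACK-JAVA`` group and fails when rule ``944240``
    appears in ``disabled_rules``. ``self.evaluated_keys`` is rewritten as the
    walk descends so the finding points at the attribute that decided it.

    :param conf: parsed resource attributes (the parser wraps scalars in lists)
    :return: FAILED when 944240 is disabled or no OWASP 3.1/3.2 rule set exists,
             PASSED otherwise
    """
    self.evaluated_keys = ["managed_rules"]
    managed_rules = conf.get("managed_rules")
    if not managed_rules:
        # No managed_rules block at all: the OWASP Java protections cannot be active.
        return CheckResult.FAILED

    managed_rule_sets = managed_rules[0].get("managed_rule_set") or []
    for idx_rule_set, rule_set in enumerate(force_list(managed_rule_sets)):
        prefix = f"managed_rules/[0]/managed_rule_set[{idx_rule_set}]"
        self.evaluated_keys = [f"{prefix}/type", f"{prefix}/version"]
        # "type" is optional in the provider and OWASP is assumed when absent.
        if rule_set.get("type", ["OWASP"]) != ["OWASP"] or rule_set.get("version") not in (["3.1"], ["3.2"]):
            continue

        rule_overrides = rule_set.get("rule_group_override") or []
        for idx_override, rule_override in enumerate(force_list(rule_overrides)):
            override_prefix = f"{prefix}/rule_group_override/[{idx_override}]"
            self.evaluated_keys.extend([
                f"{override_prefix}/rule_group_name",
                f"{override_prefix}/disabled_rules",
            ])
            if rule_override.get("rule_group_name") != ["REQUEST-944-APPLICATION-ATTACK-JAVA"]:
                continue
            disabled_rules = rule_override.get("disabled_rules") or []
            # Guard the [0] access: an override block without disabled_rules used to
            # raise IndexError here instead of being treated as "nothing disabled".
            # NOTE(review): only the first element of disabled_rules is unwrapped, which
            # matches the nested-list shape of the HCL parser; confirm the plan-JSON shape.
            if (
                isinstance(disabled_rules, list)
                and disabled_rules
                and "944240" in force_list(disabled_rules[0])
            ):
                return CheckResult.FAILED
        # An OWASP 3.1/3.2 rule set that does not disable 944240 is compliant.
        return CheckResult.PASSED

    return CheckResult.FAILED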
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    """Verify that Front Door WAF rule 944240 of the JAVA group is enabled and blocking.

    Iterates ``managed_rule`` blocks of type DefaultRuleSet/Microsoft_DefaultRuleSet,
    their ``override`` blocks for rule group ``JAVA`` and each ``rule`` inside them.
    A rule with ``rule_id`` 944240 must have ``enabled = true`` and an action of
    Block or Redirect. ``self.evaluated_keys`` tracks the attributes inspected.

    :param conf: parsed resource attributes (the parser wraps scalars in lists)
    :return: PASSED for the first default rule set that survives inspection,
             FAILED otherwise (including when no default rule set is present)
    """
    self.evaluated_keys = ["managed_rule"]
    managed_rule_blocks = force_list(conf.get("managed_rule") or [])
    for rule_idx, managed_rule in enumerate(managed_rule_blocks):
        rule_path = f"managed_rule/[{rule_idx}]"
        self.evaluated_keys = [f"{rule_path}/type"]
        if managed_rule.get("type") not in (["DefaultRuleSet"], ["Microsoft_DefaultRuleSet"]):
            continue

        for override_idx, override in enumerate(force_list(managed_rule.get("override") or [])):
            override_path = f"{rule_path}/override/[{override_idx}]"
            self.evaluated_keys.append(f"{override_path}/rule_group_name")
            if override.get("rule_group_name") != ["JAVA"]:
                continue

            for entry_idx, rule in enumerate(force_list(override.get("rule") or [])):
                entry_path = f"{override_path}/rule/[{entry_idx}]"
                self.evaluated_keys.extend([
                    f"{entry_path}/rule_id",
                    f"{entry_path}/enabled",
                    f"{entry_path}/action",
                ])
                if rule.get("rule_id") != ["944240"]:
                    continue
                # A disabled rule, or one that only logs/allows, leaves the hole open.
                is_enabled = rule.get("enabled") == [True]
                is_blocking = rule.get("action") in (["Block"], ["Redirect"])
                if not (is_enabled and is_blocking):
                    return CheckResult.FAILED
        return CheckResult.PASSED

    return CheckResult.FAILED
def scan_resource_conf(self, conf):
    """
    Looks for configuration at security group ingress rules :
    https://www.terraform.io/docs/providers/aws/r/security_group.html

    Fails when an ingress rule whose port span covers ``self.port`` lists
    ``0.0.0.0/0`` in ``cidr_blocks`` and has no ``security_groups`` restriction.
    :param conf: aws_security_group configuration
    :return: <CheckResult>
    """
    for ingress_block in conf.get('ingress', []):
        for rule in force_list(ingress_block):
            if not isinstance(rule, dict):
                continue
            lower = force_int(force_list(rule['from_port'])[0])
            upper = force_int(force_list(rule['to_port'])[0])
            if not (lower <= self.port <= upper):
                continue
            # It's not clear whether these can ever be a type other
            # than an empty list but just in case…
            cidr_blocks = force_list(rule.get('cidr_blocks', [[]])[0])
            if "0.0.0.0/0" in cidr_blocks and not rule.get('security_groups', []):
                return CheckResult.FAILED
    return CheckResult.PASSED
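def contains_violation(self, conf):
    """Return True when this alicloud rule exposes ``self.port`` without a source restriction.

    ``port_range`` is a single ``from/to`` string (e.g. ``22/22``); the rule violates
    when that span covers ``self.port`` and ``cidr_ip`` is ``0.0.0.0/0`` or is
    absent/empty (both are treated as unrestricted here).

    :param conf: alicloud_security_group_rule attributes (parser wraps scalars in lists)
    :return: bool
    """
    # Fallback "-1/-1" never matches a real port. The previous default ([{-1}], a set)
    # had no .split() and would have raised if the caller did not guard port_range.
    port_range = force_list(conf.get('port_range', ['-1/-1']))[0]
    bounds = port_range.split('/')
    from_port = force_int(bounds[0])
    to_port = force_int(bounds[1])
    if not (from_port <= self.port <= to_port):
        return False
    cidr_blocks = force_list(conf.get('cidr_ip', [[]]))
    # An empty list (explicit `cidr_ip = []`) used to raise IndexError on [0]; it is
    # now treated like the missing-attribute default, i.e. as a violation.
    return not cidr_blocks or not cidr_blocks[0] or "0.0.0.0/0" in cidr_blocks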
def scan_resource_conf(self, conf):
    """Fail when a Lambda environment variable value looks like a hard-coded secret.

    Only ``environment[0].variables`` is inspected, and only when it resolves to a
    dict; every string value is run through ``string_has_secrets`` with the AWS and
    GENERAL detectors.
    :param conf: aws_lambda_function configuration
    :return: <CheckResult>
    """
    environment = conf.get('environment', [])
    if len(environment) == 0 or not isinstance(environment[0], dict):
        return CheckResult.PASSED
    if 'variables' not in environment[0]:
        return CheckResult.PASSED
    # variables can be a string, which in this case it points to a variable
    variables = force_list(environment[0]['variables'])[0]
    if not isinstance(variables, dict):
        return CheckResult.PASSED
    for values in variables.values():
        for value in force_list(values):
            if isinstance(value, str) and string_has_secrets(value, AWS, GENERAL):
                return CheckResult.FAILED
    return CheckResult.PASSED
def contains_violation(self, conf):
    """Return True when the rule spans ``self.port`` and admits ``0.0.0.0/0``.

    Ports that ``force_int`` cannot parse (``None``) never violate.
    :param conf: security group (rule) attributes; values are parser-wrapped lists
    :return: bool
    """
    lower = force_int(force_list(conf.get('from_port', [{-1}]))[0])
    upper = force_int(force_list(conf.get('to_port', [{-1}]))[0])
    if lower is None or upper is None:
        return False
    if not (lower <= self.port <= upper):
        return False
    cidr_blocks = force_list(conf.get('cidr_blocks', [[]])[0])
    return "0.0.0.0/0" in cidr_blocks
def check_policy(policy_block):
    """Flag a policy with an Allow statement on action ``*`` and resource ``*``.

    Non-dict or statement-less input passes. Only statements carrying an
    ``Action`` key are examined; ``Effect`` defaults to Allow when absent.
    :param policy_block: parsed policy document (dict)
    :return: <CheckResult>
    """
    if not (policy_block and isinstance(policy_block, dict) and 'Statement' in policy_block.keys()):
        return CheckResult.PASSED
    for statement in force_list(policy_block['Statement']):
        if 'Action' not in statement:
            continue
        is_allow = statement.get('Effect', 'Allow') == 'Allow'
        actions = force_list(statement.get('Action', ['']))
        resources = force_list(statement.get('Resource', ['']))
        if is_allow and '*' in actions and '*' in resources:
            return CheckResult.FAILED
    return CheckResult.PASSED
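def scan_resource_conf(self, conf):
    """
    Looks for configuration at security group ingress rules :
    https://www.terraform.io/docs/providers/aws/r/security_group.html
    https://www.terraform.io/docs/providers/aws/r/security_group_rule.html

    Return PASS if:
        - The resource is an aws_security_group that contains no violating ingress rules (including if there are no
          ingress rules at all), OR
        - The resource is an aws_security_group_rule of type 'ingress' that does not violate the check.

    Return FAIL if:
        - The resource is an aws_security_group that contains a violating ingress rule, OR
        - The resource is an aws_security_group_rule of type 'ingress' that violates the check.

    Return UNKNOWN if:
        - the resource is an aws_security_group_rule of type 'egress'

    :param conf: aws_security_group or aws_security_group_rule configuration
    :return: <CheckResult>
    """
    if 'ingress' in conf:
        # This means it's an SG resource with ingress block(s)
        for idx, ingress_rule in enumerate(conf['ingress']):
            for rule in force_list(ingress_rule):
                if isinstance(rule, dict) and self.contains_violation(rule):
                    # enumerate() yields the block's real position; list.index() returned
                    # the first *equal* block, so duplicated rules were mis-attributed.
                    self.evaluated_keys = [
                        f'ingress/[{idx}]/from_port',
                        f'ingress/[{idx}]/to_port',
                        f'ingress/[{idx}]/cidr_blocks',
                        f'ingress/[{idx}]/ipv6_cidr_blocks',
                    ]
                    return CheckResult.FAILED
        return CheckResult.PASSED

    if 'type' in conf:
        # This means it's an SG_rule resource.
        rule_type = force_list(conf['type'])[0]  # renamed: `type` shadowed the builtin
        if rule_type == 'ingress':
            self.evaluated_keys = ['from_port', 'to_port', 'cidr_blocks', 'ipv6_cidr_blocks']
            if self.contains_violation(conf):
                return CheckResult.FAILED
            return CheckResult.PASSED
        return CheckResult.UNKNOWN

    # The result for an SG with no ingress block
    return CheckResult.PASSED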
def contains_violation(self, conf, protocol_key, from_port_key, to_port_key, cidr_key):
    """Return True when a non-ICMP rule spans ``self.port`` and its first CIDR is a catch-all.

    Attribute names are passed in so the same logic serves providers that name
    these fields differently. Unparseable ports (``None``) never violate.
    NOTE(review): only ``conf[cidr_key][0]`` is compared, and it is compared as a
    plain string — confirm this provider's parser yields a flat list of strings.
    :return: bool
    """
    lower = force_int(force_list(conf.get(from_port_key, [{-1}]))[0])
    upper = force_int(force_list(conf.get(to_port_key, [{-1}]))[0])
    if force_list(conf.get(protocol_key, [{-1}]))[0] == "icmp":
        return False
    if lower is None or upper is None or not (lower <= self.port <= upper):
        return False
    catch_all_cidrs = ('0.0.0.0/0', '::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
    cidr = conf.get(cidr_key, [])
    return len(cidr) > 0 and cidr[0] in catch_all_cidrs
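def scan_resource_conf(self, conf):
    """Fail when the JSON ``policy`` contains an Allow statement whose Action includes ``*``.

    The policy string is parsed with ``json.loads``; a parse error or an unexpected
    document shape is swallowed (best effort) and the resource passes.
    :param conf: resource configuration with an optional ``policy`` attribute
    :return: <CheckResult>
    """
    if 'policy' not in conf.keys():
        return CheckResult.PASSED
    try:
        policy_block = json.loads(conf['policy'][0])
        if 'Statement' in policy_block.keys():
            for statement in force_list(policy_block['Statement']):
                # Effect defaults to Allow when absent. The old default ['Allow'] never
                # equalled the string 'Allow', so Effect-less statements were skipped.
                if 'Action' in statement \
                        and 'Allow' in force_list(statement.get('Effect', 'Allow')) \
                        and '*' in force_list(statement['Action']):
                    return CheckResult.FAILED
    except Exception:  # nosec
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
        pass
    return CheckResult.PASSED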
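def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
    """Ensure the WAFv2 ACL keeps ``AWSManagedRulesKnownBadInputsRuleSet`` fully active.

    The first rule referencing that managed group must not exclude ``Log4JRCE`` and
    must set ``override_action { none {} }`` so the group blocks instead of counting.
    ``self.evaluated_keys`` is rewritten as the walk descends.

    :param conf: parsed aws_wafv2_web_acl attributes (parser wraps scalars in lists)
    :return: PASSED for a compliant matching rule, FAILED otherwise (including when
             no rule references the managed group)
    """
    self.evaluated_keys = ["rule"]
    for idx_rule, rule in enumerate(force_list(conf.get("rule") or [])):
        rule_path = f"rule/[{idx_rule}]"
        self.evaluated_keys = [f"{rule_path}/statement"]
        statement = rule.get("statement")
        if not statement:
            continue
        group_path = f"{rule_path}/statement/[0]/managed_rule_group_statement"
        self.evaluated_keys = [group_path]
        managed_group = statement[0].get("managed_rule_group_statement")
        if not managed_group:
            continue
        self.evaluated_keys = [f"{group_path}/[0]/name"]
        if not managed_group[0] or managed_group[0].get("name") != ["AWSManagedRulesKnownBadInputsRuleSet"]:
            continue

        self.evaluated_keys.append(f"{group_path}/[0]/excluded_rule")
        excluded_rules = managed_group[0].get("excluded_rule") or []
        # rule 'Log4JRCE' should not be set to count
        for idx_excluded_rule, excluded_rule in enumerate(force_list(excluded_rules)):
            if excluded_rule and excluded_rule.get("name") == ["Log4JRCE"]:
                self.evaluated_keys = [
                    f"{group_path}/[0]/name",
                    f"{group_path}/[0]/excluded_rule/[{idx_excluded_rule}]/name",
                ]
                return CheckResult.FAILED

        self.evaluated_keys.append(f"{rule_path}/override_action/[0]/none")
        # check for group override
        override_action = rule.get("override_action")
        if not override_action:
            # A rule without override_action used to raise TypeError on [0]; it cannot
            # prove the "none" override, so it fails like a missing "none" block.
            return CheckResult.FAILED
        override_action_none = override_action[0].get("none")
        # Terraform plan includes both keys, but one is a dict and the not chosen one a list
        if not override_action_none or not isinstance(override_action_none[0], dict):
            return CheckResult.FAILED
        return CheckResult.PASSED

    return CheckResult.FAILED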
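def scan_resource_conf(self, conf):
    """Fail when ``policy`` grants Allow on action ``*`` and resource ``*``.

    The document is normalised by ``extract_policy_dict``; a failure there or an
    unexpected shape is swallowed (best effort) and the resource passes.
    :param conf: resource configuration with an optional ``policy`` attribute
    :return: <CheckResult>
    """
    if 'policy' not in conf.keys():
        return CheckResult.PASSED
    try:
        policy_block = extract_policy_dict(conf['policy'][0])
        if policy_block and 'Statement' in policy_block.keys():
            for statement in force_list(policy_block['Statement']):
                if 'Action' not in statement:
                    continue
                effect = statement.get('Effect', 'Allow')
                action = force_list(statement.get('Action', ['']))
                resource = force_list(statement.get('Resource', ['']))
                if effect == 'Allow' and '*' in action and '*' in resource:
                    return CheckResult.FAILED
    except Exception:  # nosec
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
        pass
    return CheckResult.PASSED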
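def check_policy(policy_block):
    """Flag a policy containing an Allow statement whose ``Action`` includes ``*``.

    Accepts a dict or a policy string. Strings are parsed as JSON first and fall
    back to ``ast.literal_eval`` for Python-literal documents; the JSON pass is
    needed because ``literal_eval`` rejects JSON's ``true``/``false``/``null``.
    Neither parser evaluates code.
    :param policy_block: policy document, dict or str
    :return: <CheckResult>
    """
    import json

    if not policy_block:
        return CheckResult.PASSED
    if isinstance(policy_block, str):
        try:
            policy_block = json.loads(policy_block)
        except ValueError:
            policy_block = ast.literal_eval(policy_block)
    if 'Statement' not in policy_block.keys():
        return CheckResult.PASSED
    for statement in force_list(policy_block['Statement']):
        # Effect defaults to Allow when absent. The old default ['Allow'] never
        # equalled the string 'Allow', so Effect-less statements were skipped.
        if 'Action' in statement \
                and 'Allow' in force_list(statement.get('Effect', 'Allow')) \
                and '*' in force_list(statement['Action']):
            return CheckResult.FAILED
    return CheckResult.PASSED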
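def scan_resource_conf(self, conf):
    """Fail when a non-Deny statement grants access to principal ``*`` (or ``AWS: *``).

    Works on the already-parsed ``policy[0]`` document; an unexpected shape is
    swallowed (best effort) and the resource passes. ``self.evaluated_keys`` is
    narrowed to the offending statement on failure.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    if 'policy' not in conf:
        return CheckResult.PASSED
    self.evaluated_keys = ['policy']
    try:
        policy_block = conf['policy'][0]
        if 'Statement' in policy_block:
            self.evaluated_keys = ['policy/[0]/Statement']
            statements = policy_block['Statement']
            for idx, statement in enumerate(force_list(statements)):
                if 'Principal' not in statement:
                    continue
                if statement.get('Effect') == 'Deny':
                    continue
                principal = statement['Principal']
                idx_evaluated_key = f'[{idx}]/' if isinstance(statements, list) else ''
                if 'AWS' in principal:
                    # Can be a string or an array of strings
                    aws = principal['AWS']
                    if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
                        self.evaluated_keys = [f'policy/[0]/Statement/{idx_evaluated_key}Principal/AWS']
                        return CheckResult.FAILED
                if (isinstance(principal, str) and principal == '*') or (isinstance(principal, list) and '*' in principal):
                    self.evaluated_keys = [f'policy/[0]/Statement/{idx_evaluated_key}Principal']
                    return CheckResult.FAILED
    except Exception:  # nosec
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
        pass
    return CheckResult.PASSED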
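def scan_resource_conf(self, conf):
    """
    validates that ALB Listener is using TLS v1.2
    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html

    HTTPS/TLS listeners pass only with an ``ELBSecurityPolicy-FS-1-2*`` or
    ``ELBSecurityPolicy-TLS-1-2*`` policy; TCP/UDP listeners are out of scope and
    pass; any other protocol passes only when a default action redirects to HTTPS.
    :param conf: AWS::ElasticLoadBalancingV2::Listener resource
    :return: <CheckResult>
    """
    properties = conf.get('Properties')
    if not properties or 'Protocol' not in properties.keys():
        return CheckResult.FAILED
    protocol = properties['Protocol']
    if protocol in ('HTTPS', 'TLS'):
        # Check SslPolicy only if protocol is HTTPS or TLS.
        # Other protocols are not interesting within the context of this check.
        if 'SslPolicy' in properties.keys() and properties['SslPolicy'].startswith(
                ("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")):
            return CheckResult.PASSED
        return CheckResult.FAILED
    if protocol in ('TCP', 'UDP', 'TCP_UDP'):
        return CheckResult.PASSED
    # .get() replaces the old hard key access, which raised KeyError when a template
    # omitted DefaultActions; such a listener now simply fails the redirect test.
    for action in properties.get('DefaultActions', []):
        for redirect in force_list(action.get("RedirectConfig", [])):
            if redirect.get("Protocol", []) == 'HTTPS':
                return CheckResult.PASSED
    return CheckResult.FAILED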
def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """Fail when ``kms_key_id`` is absent or refers to an AWS-managed key (``aws/`` alias).

    :param conf: resource attributes; ``kms_key_id`` is a parser-wrapped list
    :return: <CheckResult>
    """
    key_ids = force_list(conf.get('kms_key_id', []))
    if not key_ids:
        return CheckResult.FAILED
    uses_aws_managed_key = 'aws/' in key_ids[0]
    return CheckResult.FAILED if uses_aws_managed_key else CheckResult.PASSED
def scan_resource_conf(self, conf):
    """Fail when a non-Deny statement of the JSON ``policy`` names principal ``*``.

    Statements are skipped when their Effect is Deny or they carry no Principal.
    Both ``"Principal": "*"`` and ``"Principal": {"AWS": "*"}`` (string or list)
    fail. Parse errors and unexpected shapes are swallowed (best effort).
    :param conf: resource configuration with an optional ``policy`` attribute
    :return: <CheckResult>
    """
    if 'policy' not in conf.keys() or not isinstance(conf['policy'][0], str):
        return CheckResult.PASSED
    try:
        policy_block = json.loads(conf['policy'][0])
        statements = force_list(policy_block.get('Statement', []))
        for statement in statements:
            if statement['Effect'] == 'Deny' or 'Principal' not in statement:
                continue
            principal = statement['Principal']
            if principal == '*':
                return CheckResult.FAILED
            if 'AWS' in principal:
                # Can be a string or an array of strings
                aws = principal['AWS']
                if aws == '*' or (isinstance(aws, list) and '*' in aws):
                    return CheckResult.FAILED
    except Exception:  # nosec
        pass
    return CheckResult.PASSED
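def scan_resource_conf(self, conf):
    """Inspect Deny statements of the JSON ``policy`` for wildcard principals or actions.

    Statements with a Condition, a NotAction, or an Effect other than Deny are
    skipped (see the linked PR discussion). Each remaining statement fails when its
    Principal (or ``Principal.AWS``) is ``*`` or its Action is ``*``. Parse errors
    and shape mismatches are swallowed (best effort).
    :param conf: resource configuration with an optional ``policy`` attribute
    :return: <CheckResult>
    """
    if 'policy' not in conf.keys() or not isinstance(conf['policy'][0], str):
        return CheckResult.PASSED
    try:
        policy_block = json.loads(conf['policy'][0])
        if 'Statement' in policy_block.keys():
            for statement in force_list(policy_block['Statement']):
                if 'Condition' in statement.keys() or 'NotAction' in statement.keys() \
                        or statement.get('Effect') != 'Deny':
                    # https://github.com/bridgecrewio/checkov/pull/627#issuecomment-714681751
                    continue
                principal = statement['Principal']
                if principal == '*':
                    return CheckResult.FAILED
                if 'AWS' in statement['Principal']:
                    # Can be a string or an array of strings
                    aws = statement['Principal']['AWS']
                    if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
                        return CheckResult.FAILED
                action = statement['Action']
                if action == '*':
                    return CheckResult.FAILED
                if 's3' in statement['Action']:
                    # Can be a string or an array of strings
                    # NOTE(review): indexing Action with 's3' only works when Action is a
                    # dict; for the usual string/list forms this raises, is swallowed
                    # below, and the resource passes — confirm the intended shape.
                    s3 = statement['Action']['s3']
                    if (isinstance(s3, str) and s3 == '*') or (isinstance(s3, list) and '*' in s3):
                        return CheckResult.FAILED
    except Exception:  # nosec
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
        pass
    return CheckResult.PASSED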
def scan_resource_conf(self, conf):
    """
    Looks for configuration at security group ingress rules :
    https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule

    Return PASS if:
        - The resource is an alicloud_security_group_rule of type 'ingress' that does not violate the check
          (a rule without a port_range is treated as passing).

    Return FAIL if:
        - The resource is an alicloud_security_group_rule of type 'ingress' that violates the check.

    Return UNKNOWN if:
        - the resource is an alicloud_security_group_rule of type 'egress'

    :param conf: alicloud_security_group_rule configuration
    :return: <CheckResult>
    """
    if 'type' not in conf:
        return CheckResult.PASSED
    # This means it's an alicloud_security_group_rule resource.
    direction = force_list(conf['type'])[0]
    if direction != 'ingress':
        return CheckResult.UNKNOWN
    self.evaluated_keys = ['port_range', 'cidr_ip']
    if not conf.get('port_range'):
        return CheckResult.PASSED
    return CheckResult.FAILED if self.contains_violation(conf) else CheckResult.PASSED
def scan_resource_conf(self, conf):
    """Pass only when CloudWatch, job-bookmark and S3 encryption are all enabled.

    Each ``*EncryptionMode`` must be present and differ from ``DISABLED``; for
    ``S3Encryptions`` a single enabled entry suffices.
    :param conf: AWS::Glue::SecurityConfiguration resource
    :return: <CheckResult>
    """
    if 'Properties' not in conf.keys():
        return CheckResult.FAILED
    if 'EncryptionConfiguration' not in conf['Properties'].keys():
        return CheckResult.FAILED
    enc_conf = conf['Properties']['EncryptionConfiguration']

    cloudwatch_enabled = False
    if 'CloudWatchEncryption' in enc_conf.keys():
        cloudwatch = enc_conf['CloudWatchEncryption']
        if 'CloudWatchEncryptionMode' in cloudwatch.keys():
            cloudwatch_enabled = cloudwatch['CloudWatchEncryptionMode'] != 'DISABLED'

    bookmarks_enabled = False
    if 'JobBookmarksEncryption' in enc_conf.keys():
        bookmarks = enc_conf['JobBookmarksEncryption']
        if 'JobBookmarksEncryptionMode' in bookmarks.keys():
            bookmarks_enabled = bookmarks['JobBookmarksEncryptionMode'] != 'DISABLED'

    s3_enabled = False
    if 'S3Encryptions' in enc_conf.keys():
        s3_enabled = any(
            'S3EncryptionMode' in entry.keys() and entry['S3EncryptionMode'] != 'DISABLED'
            for entry in force_list(enc_conf['S3Encryptions'])
        )

    if cloudwatch_enabled and bookmarks_enabled and s3_enabled:
        return CheckResult.PASSED
    return CheckResult.FAILED
def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """Require a TLS 1.2 policy on HTTPS/TLS listeners, or an HTTPS redirect otherwise.

    HTTPS/TLS listeners pass only with an ``ssl_policy`` starting with
    ``ELBSecurityPolicy-FS-1-2`` or ``ELBSecurityPolicy-TLS-1-2``; TCP/UDP listeners
    pass unconditionally; any other protocol passes when a ``default_action``
    redirects to HTTPS. ``self.evaluated_keys`` records the attributes consulted.
    :param conf: aws_lb_listener attributes (parser wraps scalars in lists)
    :return: <CheckResult>
    """
    key = "protocol"
    self.evaluated_keys = [key]
    if key not in conf.keys():
        return CheckResult.FAILED
    listener_protocol = conf[key]
    if listener_protocol in (["HTTPS"], ["TLS"]):
        # Only interested in HTTPS & TLS listeners
        policy = "ssl_policy"
        if policy not in conf.keys():
            return CheckResult.FAILED
        self.evaluated_keys.append(policy)
        name = str(conf[policy]).strip("['']")
        tls12_prefixes = ("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")
        return CheckResult.PASSED if name.startswith(tls12_prefixes) else CheckResult.FAILED
    if listener_protocol in (["TCP"], ["UDP"], ["TCP_UDP"]):
        return CheckResult.PASSED
    for idx_action, action in enumerate(conf.get("default_action", [])):
        redirects = action.get("redirect", [])
        for idx_redirect, redirect in enumerate(force_list(redirects)):
            if not isinstance(redirect, dict) or redirect.get("protocol", []) != ["HTTPS"]:
                continue
            redirect_index = f"[{idx_redirect}]/" if isinstance(redirects, list) else ""
            self.evaluated_keys.append(f'default_action/[{idx_action}]/redirect/{redirect_index}protocol')
            return CheckResult.PASSED
    return CheckResult.FAILED
def scan_resource_conf(self, conf):
    """Require a TLS 1.2 policy on HTTPS/TLS listeners, or an HTTPS redirect otherwise.

    HTTPS/TLS listeners pass only with an ``ssl_policy`` starting with
    ``ELBSecurityPolicy-FS-1-2`` or ``ELBSecurityPolicy-TLS-1-2``; TCP/UDP listeners
    pass unconditionally; any other protocol passes when a ``default_action``
    redirects to HTTPS. A listener without ``protocol`` fails.
    :param conf: aws_lb_listener attributes (parser wraps scalars in lists)
    :return: <CheckResult>
    """
    key = "protocol"
    if key not in conf.keys():
        return CheckResult.FAILED
    listener_protocol = conf[key]
    if listener_protocol in (["HTTPS"], ["TLS"]):
        # Only interested in HTTPS & TLS listeners
        policy = "ssl_policy"
        if policy not in conf.keys():
            return CheckResult.FAILED
        name = str(conf[policy]).strip("['']")
        if name.startswith(("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")):
            return CheckResult.PASSED
        return CheckResult.FAILED
    if listener_protocol in (["TCP"], ["UDP"], ["TCP_UDP"]):
        return CheckResult.PASSED
    for action in conf.get("default_action", []):
        for redirect in force_list(action.get("redirect", [])):
            if redirect.get("protocol", []) == ["HTTPS"]:
                return CheckResult.PASSED
    return CheckResult.FAILED
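def scan_resource_conf(self, conf):
    """Fail when ``policy`` or ``inline_policy`` allows action ``*`` in any statement.

    ``policy`` takes precedence over ``inline_policy``. Any failure while extracting
    or walking the document is swallowed (best effort) and the resource passes.
    :param conf: resource configuration
    :return: <CheckResult>
    """
    try:
        policy_block = None
        if 'policy' in conf.keys():
            policy_block = extract_policy_dict(conf['policy'][0])
        elif 'inline_policy' in conf.keys():
            policy_block = extract_policy_dict(conf['inline_policy'][0])
        if policy_block and 'Statement' in policy_block.keys():
            for statement in force_list(policy_block['Statement']):
                # Effect defaults to Allow when absent. The old default ['Allow'] never
                # equalled the string 'Allow', so Effect-less statements were skipped.
                if 'Action' in statement \
                        and 'Allow' in force_list(statement.get('Effect', 'Allow')) \
                        and '*' in force_list(statement['Action']):
                    return CheckResult.FAILED
    except Exception:  # nosec
        pass
    return CheckResult.PASSED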
def scan_data_conf(self, conf):
    """
    validates iam policy document
    https://learn.hashicorp.com/terraform/aws/iam-policy

    Fails on a statement whose effect is Allow (or absent) and whose first
    ``actions`` and ``resources`` entries both contain ``*``.
    :param conf: policy document data source configuration
    :return: <CheckResult>
    """
    for statement in conf.get('statement', []):
        effect = statement.get('effect', ['Allow'])
        if effect and effect[0] != 'Allow':
            continue
        actions = statement.get('actions')
        resources = statement.get('resources')
        if actions and resources and '*' in force_list(actions[0]) and '*' in force_list(resources[0]):
            return CheckResult.FAILED
    return CheckResult.PASSED
def collect_skip_comments(resource):
    """Collect checkov skip suppressions from a Kubernetes resource's metadata.

    Each ``metadata.checkov`` entry matching ``COMMENT_REGEX`` yields a dict with
    ``id`` and ``suppress_comment``; when a platform id mapping is available the
    entry additionally carries ``bc_id`` (and ``id`` is rewritten to the mapped id
    when the forward mapping knows it).
    :param resource: parsed Kubernetes manifest (dict)
    :return: list of skipped-check dicts
    """
    bc_id_mapping = bc_integration.get_id_mapping()
    ckv_to_bc_id_mapping = bc_integration.get_ckv_to_bc_id_mapping()
    skipped_checks = []
    if "metadata" not in resource or "checkov" not in resource["metadata"]:
        return skipped_checks
    for item in force_list(resource["metadata"]["checkov"]):
        match = re.search(COMMENT_REGEX, str(item))
        if not match:
            continue
        comment = match.group(2)
        skipped_check = {
            'id': match.group(1),
            'suppress_comment': comment[1:] if comment else "No comment provided",
        }
        ckv_id = skipped_check["id"]
        if bc_id_mapping and ckv_id in bc_id_mapping:
            skipped_check["bc_id"] = ckv_id
            skipped_check["id"] = bc_id_mapping[ckv_id]
        elif ckv_to_bc_id_mapping:
            skipped_check["bc_id"] = ckv_to_bc_id_mapping.get(ckv_id)
        skipped_checks.append(skipped_check)
    return skipped_checks
def scan_data_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """
    validates iam policy document
    https://learn.hashicorp.com/terraform/aws/iam-policy

    Fails on a statement whose effect is ``["Allow"]`` (the default) and whose
    first ``actions`` and ``resources`` entries both contain ``*``.
    :param conf: policy document data source configuration
    :return: <CheckResult>
    """
    for statement in conf.get("statement", []):
        if statement.get("effect", ["Allow"]) != ["Allow"]:
            continue
        actions = statement.get("actions")
        resources = statement.get("resources")
        if not actions or not resources:
            continue
        if "*" in force_list(actions[0]) and "*" in force_list(resources[0]):
            return CheckResult.FAILED
    return CheckResult.PASSED
def contains_violation(self, conf):
    """Return True when the rule spans ``self.port`` and admits an IPv4 or IPv6 catch-all.

    Unparseable ports (``None``) never violate.
    :param conf: security group (rule) attributes; values are parser-wrapped lists
    :return: bool
    """
    lower = force_int(force_list(conf.get('from_port', [{-1}]))[0])
    upper = force_int(force_list(conf.get('to_port', [{-1}]))[0])
    if lower is None or upper is None or not (lower <= self.port <= upper):
        return False
    if "0.0.0.0/0" in force_list(conf.get('cidr_blocks', [[]])[0]):
        return True
    ipv6_cidr_blocks = conf.get('ipv6_cidr_blocks', [])
    if len(ipv6_cidr_blocks) == 0:
        return False
    ipv6_catch_all = ('::/0', '0000:0000:0000:0000:0000:0000:0000:0000/0')
    return any(ip in ipv6_catch_all for ip in ipv6_cidr_blocks[0])
def scan_spec_conf(self, conf):
    """Fail when an annotation whose key contains "snippet" has a value containing "alias".

    :param conf: Kubernetes resource (dict carrying a ``metadata`` key)
    :return: <CheckResult>
    """
    metadata = conf["metadata"]
    if not metadata or not metadata.get('annotations'):
        return CheckResult.PASSED
    for annotation in force_list(metadata["annotations"]):
        for key, value in annotation.items():
            if "snippet" in key and "alias" in value:
                return CheckResult.FAILED
    return CheckResult.PASSED
def scan_spec_conf(self, conf):
    """Check that a workload opts into a seccomp profile.

    For Pod/Deployment/StatefulSet, a ``securityContext.seccompProfile.type`` on
    the (template) pod spec decides the result on its own: PASS only for
    ``RuntimeDefault``. Otherwise the legacy
    ``seccomp.security.alpha.kubernetes.io/pod`` annotation is looked up on the
    selected metadata and must name ``docker/default`` or ``runtime/default``.
    As written below only the StatefulSet ``if`` carries the CronJob/else arms, so
    Pod and Deployment also fall through to the ``else`` arm, which re-selects
    ``spec.template.metadata`` when that path exists.
    :param conf: parsed Kubernetes manifest
    :return: <CheckResult>
    """
    metadata = {}
    if conf['kind'] == 'Pod':
        security_profile = dpath.search(conf, 'spec/securityContext/seccompProfile/type')
        if security_profile:
            # A present seccompProfile.type is authoritative; no annotation fallback.
            security_profile = dpath.get(conf, 'spec/securityContext/seccompProfile/type')
            return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
        if "metadata" in conf:
            metadata = conf["metadata"]
    if conf['kind'] == 'Deployment':
        security_profile = dpath.search(conf, 'spec/template/spec/securityContext/seccompProfile/type')
        if security_profile:
            security_profile = dpath.get(conf, 'spec/template/spec/securityContext/seccompProfile/type')
            return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
        if "metadata" in conf:
            metadata = conf["metadata"]
    if conf['kind'] == 'StatefulSet':
        security_profile = dpath.search(conf, 'spec/template/spec/securityContext/seccompProfile/type')
        if security_profile:
            security_profile = dpath.get(conf, 'spec/template/spec/securityContext/seccompProfile/type')
            return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED
        if "metadata" in conf:
            metadata = conf["metadata"]
    elif conf['kind'] == 'CronJob':
        # CronJob nests the pod template one level deeper than other controllers.
        if "spec" in conf:
            if "jobTemplate" in conf["spec"]:
                if "spec" in conf["spec"]["jobTemplate"]:
                    if "template" in conf["spec"]["jobTemplate"]["spec"]:
                        if "metadata" in conf["spec"]["jobTemplate"]["spec"]["template"]:
                            metadata = conf["spec"]["jobTemplate"]["spec"]["template"]["metadata"]
    else:
        # Reached for every kind except StatefulSet and CronJob (including Pod and
        # Deployment); overrides metadata with the pod template's when present.
        if "spec" in conf:
            if "template" in conf["spec"]:
                if "metadata" in conf["spec"]["template"]:
                    metadata = conf["spec"]["template"]["metadata"]
    if metadata:
        if metadata.get('annotations'):
            for annotation in force_list(metadata["annotations"]):
                for key in annotation:
                    # Legacy (pre-seccompProfile) annotation form.
                    if "seccomp.security.alpha.kubernetes.io/pod" in key:
                        if "docker/default" in annotation[key] or "runtime/default" in annotation[key]:
                            return CheckResult.PASSED
    return CheckResult.FAILED
def scan_spec_conf(self, conf):
    """Fail when any metadata annotation key contains "snippet".

    :param conf: Kubernetes resource (dict carrying a ``metadata`` key)
    :return: <CheckResult>
    """
    metadata = conf["metadata"]
    if not metadata or not metadata.get('annotations'):
        return CheckResult.PASSED
    for annotation in force_list(metadata["annotations"]):
        if any("snippet" in key for key in annotation):
            return CheckResult.FAILED
    return CheckResult.PASSED