def run(banner=checkov_banner): parser = argparse.ArgumentParser(description='Infrastructure as code static analysis') add_parser_args(parser) args = parser.parse_args() runner_filter = RunnerFilter(framework=args.framework, checks=args.check, skip_checks=args.skip_check) if outer_registry: runner_registry = outer_registry runner_registry.runner_filter = runner_filter else: runner_registry = RunnerRegistry(banner, runner_filter, tf_runner(), cfn_runner(), k8_runner(), sls_runner(), arm_runner(), tf_plan_runner()) if args.version: print(version) return if args.bc_api_key: if args.repo_id is None: parser.error("--repo-id argument is required when using --bc-api-key") if len(args.repo_id.split('/')) != 2: parser.error("--repo-id argument format should be 'organization/repository_name' E.g " "bridgecrewio/checkov") bc_integration.setup_bridgecrew_credentials(bc_api_key=args.bc_api_key, repo_id=args.repo_id) guidelines = {} if not args.no_guide: guidelines = bc_integration.get_guidelines() if args.check and args.skip_check: parser.error("--check and --skip-check can not be applied together. please use only one of them") return if args.list: print_checks(framework=args.framework) return external_checks_dir = get_external_checks_dir(args) if args.directory: for root_folder in args.directory: file = args.file scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=file, guidelines=guidelines) if bc_integration.is_integration_configured(): bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) bc_integration.commit_repository(args.branch) runner_registry.print_reports(scan_reports, args) return elif args.file: scan_reports = runner_registry.run(external_checks_dir=external_checks_dir, files=args.file, guidelines=guidelines) if bc_integration.is_integration_configured(): files = [os.path.abspath(file) for file in args.file] root_folder = os.path.split(os.path.commonprefix(files))[0] bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) bc_integration.commit_repository(args.branch) runner_registry.print_reports(scan_reports, args) else: print(f"{banner}") bc_integration.onboarding()
def test_enrichment_of_plan_report_with_modules(self): allowed_checks = ["CKV_AWS_66", "CKV_AWS_158"] runner_registry = RunnerRegistry( banner, RunnerFilter(checks=allowed_checks, framework="terraform_plan"), tf_plan_runner()) repo_root = Path( __file__).parent / "plan_with_tf_modules_for_enrichment" valid_plan_path = repo_root / "tfplan.json" report = runner_registry.run(repo_root_for_plan_enrichment=repo_root, files=[valid_plan_path])[0] failed_check_ids = [c.check_id for c in report.failed_checks] passed_check_ids = [c.check_id for c in report.passed_checks] skipped_check_ids = [c.check_id for c in report.skipped_checks] expected_failed_check_ids = ["CKV_AWS_158", "CKV_AWS_158"] expected_passed_check_ids = ["CKV_AWS_66", "CKV_AWS_66"] expected_skipped_check_ids = [] enriched_data = set([(c.file_path, tuple(c.file_line_range), tuple(c.code_block)) for c in report.failed_checks]) expected_enriched_data = { ( f"/{Path.relative_to(valid_plan_path, Path.cwd())}", (16, 16), (), ), ( "log_group/main.tf", (1, 2), ( (1, 'resource "aws_cloudwatch_log_group" "not_encrypted" {\n' ), (2, "}\n"), ), ), } self.assertEqual(len(failed_check_ids), 2) self.assertEqual(failed_check_ids, expected_failed_check_ids) self.assertEqual(len(passed_check_ids), 2) self.assertEqual(passed_check_ids, expected_passed_check_ids) self.assertEqual(len(skipped_check_ids), 0) self.assertEqual(skipped_check_ids, expected_skipped_check_ids) self.assertEqual(enriched_data, expected_enriched_data)
def test_valid_cyclonedx_bom(self): runners = ( tf_graph_runner(), tf_plan_runner(), ) registry = RunnerRegistry("", RunnerFilter(), *runners) scan_reports = registry.run( files=[join(dirname(__file__), 'fixtures/main.tf')]) self.assertEqual(len(scan_reports), 2) r = scan_reports[0] cyclonedx_bom = r.get_cyclonedx_bom() # outputter = get_instance(bom=cyclonedx_bom) # outputter.output_to_file(filename='/tmp/test.xml', allow_overwrite=True) self.assertEqual(len(cyclonedx_bom.get_components()), 1) first_component = cyclonedx_bom.get_components()[0] self.assertEqual(len(first_component.get_vulnerabilities()), 5)
def test_skip_check(self): allowed_checks = ["CKV_AWS_20", "CKV_AWS_28"] runner_registry = RunnerRegistry( banner, RunnerFilter(checks=allowed_checks, framework="terraform_plan"), tf_plan_runner()) repo_root = Path(__file__).parent / "plan_with_hcl_for_enrichment" valid_plan_path = repo_root / "tfplan.json" report = runner_registry.run(repo_root_for_plan_enrichment=[repo_root], files=[valid_plan_path])[0] failed_check_ids = {c.check_id for c in report.failed_checks} skipped_check_ids = {c.check_id for c in report.skipped_checks} expected_skipped_check_ids = {"CKV_AWS_20", "CKV_AWS_28"} self.assertEqual(len(failed_check_ids), 0) self.assertEqual(len(skipped_check_ids), 2) self.assertEqual(skipped_check_ids, expected_skipped_check_ids)
from checkov.serverless.runner import Runner as sls_runner from checkov.terraform.plan_runner import Runner as tf_plan_runner from checkov.terraform.runner import Runner as tf_graph_runner from checkov.version import version outer_registry = None logging_init() logger = logging.getLogger(__name__) checkov_runners = [ 'cloudformation', 'terraform', 'kubernetes', 'serverless', 'arm', 'terraform_plan', 'helm', 'dockerfile', 'secrets' ] DEFAULT_RUNNERS = (tf_graph_runner(), cfn_runner(), k8_runner(), sls_runner(), arm_runner(), tf_plan_runner(), helm_runner(), dockerfile_runner(), secrets_runner()) def run(banner=checkov_banner, argv=sys.argv[1:]): default_config_paths = get_default_config_paths(sys.argv[1:]) parser = ExtArgumentParser( description='Infrastructure as code static analysis', default_config_files=default_config_paths, config_file_parser_class=configargparse.YAMLConfigFileParser, add_env_var_help=True) add_parser_args(parser) config = parser.parse_args(argv) # bridgecrew uses both the urllib3 and requests libraries, while checkov uses the requests library. # Allow the user to specify a CA bundle to be used by both libraries. bc_integration.setup_http_manager(config.ca_certificate)
def run(banner=checkov_banner, argv=sys.argv[1:]): parser = argparse.ArgumentParser( description='Infrastructure as code static analysis') add_parser_args(parser) args = parser.parse_args(argv) # Disable runners with missing system dependencies args.skip_framework = runnerDependencyHandler.disable_incompatible_runners( args.skip_framework) runner_filter = RunnerFilter( framework=args.framework, skip_framework=args.skip_framework, checks=args.check, skip_checks=args.skip_check, download_external_modules=convert_str_to_bool( args.download_external_modules), external_modules_download_path=args.external_modules_download_path, evaluate_variables=convert_str_to_bool(args.evaluate_variables), runners=checkov_runners) if outer_registry: runner_registry = outer_registry runner_registry.runner_filter = runner_filter else: runner_registry = RunnerRegistry(banner, runner_filter, tf_runner(), cfn_runner(), k8_runner(), sls_runner(), arm_runner(), tf_plan_runner(), helm_runner()) if args.version: print(version) return if args.bc_api_key: if args.repo_id is None: parser.error( "--repo-id argument is required when using --bc-api-key") if len(args.repo_id.split('/')) != 2: parser.error( "--repo-id argument format should be 'organization/repository_name' E.g " "bridgecrewio/checkov") source = os.getenv('BC_SOURCE', 'cli') source_version = os.getenv('BC_SOURCE_VERSION', version) logger.debug(f'BC_SOURCE = {source}, version = {source_version}') try: bc_integration.setup_bridgecrew_credentials( bc_api_key=args.bc_api_key, repo_id=args.repo_id, skip_fixes=args.skip_fixes, skip_suppressions=args.skip_suppressions, source=source, source_version=source_version) except Exception as e: logger.error( 'An error occurred setting up the Bridgecrew platform integration. Please check your API token and try again.', exc_info=True) return guidelines = {} if not args.no_guide: guidelines = bc_integration.get_guidelines() if args.check and args.skip_check: parser.error( "--check and --skip-check can not be applied together. please use only one of them" ) return if args.list: print_checks(framework=args.framework) return external_checks_dir = get_external_checks_dir(args) url = None if args.directory: for root_folder in args.directory: file = args.file scan_reports = runner_registry.run( root_folder=root_folder, external_checks_dir=external_checks_dir, files=file, guidelines=guidelines, bc_integration=bc_integration) if bc_integration.is_integration_configured(): bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) url = bc_integration.commit_repository(args.branch) runner_registry.print_reports(scan_reports, args, url) return elif args.file: scan_reports = runner_registry.run( external_checks_dir=external_checks_dir, files=args.file, guidelines=guidelines, bc_integration=bc_integration) if bc_integration.is_integration_configured(): files = [os.path.abspath(file) for file in args.file] root_folder = os.path.split(os.path.commonprefix(files))[0] bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) url = bc_integration.commit_repository(args.branch) runner_registry.print_reports(scan_reports, args, url) else: print(f"{banner}") bc_integration.onboarding()
def test_enrichment_of_plan_report(self): allowed_checks = [ "CKV_AWS_19", "CKV_AWS_20", "CKV_AWS_28", "CKV_AWS_63", "CKV_AWS_119" ] runner_registry = RunnerRegistry( banner, RunnerFilter(checks=allowed_checks, framework="terraform_plan"), tf_plan_runner()) repo_root = Path(__file__).parent / "plan_with_hcl_for_enrichment" valid_plan_path = repo_root / "tfplan.json" report = runner_registry.run(repo_root_for_plan_enrichment=repo_root, files=[valid_plan_path])[0] failed_check_ids = {c.check_id for c in report.failed_checks} skipped_check_ids = {c.check_id for c in report.skipped_checks} expected_failed_check_ids = {"CKV_AWS_19", "CKV_AWS_63", "CKV_AWS_119"} expected_skipped_check_ids = {"CKV_AWS_20", "CKV_AWS_28"} enriched_data = {(c.file_path, tuple(c.file_line_range), tuple(c.code_block)) for c in report.failed_checks} expected_enriched_data = { ( "iam.tf", (1, 19), ( (1, 'resource "aws_iam_policy" "policy" {\n'), (2, ' name = "my_policy-123456789101"\n'), (3, ' path = "/"\n'), (4, ' description = "My test policy"\n'), (5, " policy = <<EOF\n"), (6, "{\n"), (7, ' "Version": "2012-10-17",\n'), (8, ' "Statement": [\n'), (9, " {\n"), (10, ' "Action": [\n'), (11, ' "*"\n'), (12, " ],\n"), (13, ' "Effect": "Allow",\n'), (14, ' "Resource": "arn:aws:iam::${var.aws_account_id}:role/admin"\n' ), (15, " }\n"), (16, " ]\n"), (17, "}\n"), (18, "EOF\n"), (19, "}"), ), ), ( "s3.tf", (1, 17), ( (1, 'resource "aws_s3_bucket" "test-bucket1" {\n'), (2, ' bucket = "test-bucket1"\n'), (3, " # checkov:skip=CKV_AWS_20: The bucket is a public static content " "host\n"), (4, ' acl = "public-read"\n'), (5, " lifecycle_rule {\n"), (6, ' id = "90 Day Lifecycle"\n'), (7, " enabled = true\n"), (8, " expiration {\n"), (9, " days = 90\n"), (10, " }\n"), (11, " noncurrent_version_expiration {\n"), (12, " days = 90\n"), (13, " }\n"), (14, " abort_incomplete_multipart_upload_days = 90\n"), (15, " }\n"), (16, " provider = aws.current_region\n"), (17, "}"), ), ), ( "dynamodb.tf", (1, 12), ( (1, 'resource "aws_dynamodb_table" "cross-environment-violations" {\n' ), (2, " # checkov:skip=CKV_AWS_28: ignoring backups for now\n" ), (3, ' name = "CrossEnvironmentViolations"\n'), (4, " read_capacity = 20\n"), (5, " write_capacity = 20\n"), (6, ' hash_key = "id"\n'), (7, " attribute {\n"), (8, ' name = "id"\n'), (9, ' type = "S"\n'), (10, " }\n"), (11, " provider = aws.current_region\n"), (12, "}"), ), ), } self.assertEqual(len(failed_check_ids), 3) self.assertEqual(failed_check_ids, expected_failed_check_ids) self.assertEqual(len(skipped_check_ids), 2) self.assertEqual(skipped_check_ids, expected_skipped_check_ids) self.assertEqual(enriched_data, expected_enriched_data)
def run(banner=checkov_banner, argv=sys.argv[1:]): parser = argparse.ArgumentParser(description='Infrastructure as code static analysis') add_parser_args(parser) args = parser.parse_args(argv) # bridgecrew uses both the urllib3 and requests libraries, while checkov uses the requests library. # Allow the user to specify a CA bundle to be used by both libraries. bc_integration.setup_http_manager(args.ca_certificate) # Disable runners with missing system dependencies args.skip_framework = runnerDependencyHandler.disable_incompatible_runners(args.skip_framework) runner_filter = RunnerFilter(framework=args.framework, skip_framework=args.skip_framework, checks=args.check, skip_checks=args.skip_check, download_external_modules=convert_str_to_bool(args.download_external_modules), external_modules_download_path=args.external_modules_download_path, evaluate_variables=convert_str_to_bool(args.evaluate_variables), runners=checkov_runners) if outer_registry: runner_registry = outer_registry runner_registry.runner_filter = runner_filter else: runner_registry = RunnerRegistry(banner, runner_filter, tf_graph_runner(), cfn_runner(), k8_runner(), sls_runner(), arm_runner(), tf_plan_runner(), helm_runner(),dockerfile_runner()) if args.version: print(version) return if args.bc_api_key == '': parser.error('The --bc-api-key flag was specified but the value was blank. If this value was passed as a secret, you may need to double check the mapping.') elif args.bc_api_key: logger.debug(f'Using API key ending with {args.bc_api_key[-8:]}') if args.repo_id is None: parser.error("--repo-id argument is required when using --bc-api-key") if len(args.repo_id.split('/')) != 2: parser.error("--repo-id argument format should be 'organization/repository_name' E.g " "bridgecrewio/checkov") source = os.getenv('BC_SOURCE', 'cli') source_version = os.getenv('BC_SOURCE_VERSION', version) logger.debug(f'BC_SOURCE = {source}, version = {source_version}') try: bc_integration.setup_bridgecrew_credentials(bc_api_key=args.bc_api_key, repo_id=args.repo_id, skip_fixes=args.skip_fixes, skip_suppressions=args.skip_suppressions, source=source, source_version=source_version, repo_branch=args.branch) except Exception as e: logger.error('An error occurred setting up the Bridgecrew platform integration. Please check your API token and try again.', exc_info=True) return else: logger.debug('No API key found. Scanning locally only.') guidelines = {} if not args.no_guide: guidelines = bc_integration.get_guidelines() if args.check and args.skip_check: parser.error("--check and --skip-check can not be applied together. please use only one of them") return if args.list: print_checks(framework=args.framework) return external_checks_dir = get_external_checks_dir(args) url = None if args.directory: exit_codes = [] for root_folder in args.directory: file = args.file scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=file, guidelines=guidelines, bc_integration=bc_integration) if bc_integration.is_integration_configured(): bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) url = bc_integration.commit_repository(args.branch) exit_codes.append(runner_registry.print_reports(scan_reports, args, url)) exit_code = 1 if 1 in exit_codes else 0 return exit_code elif args.file: scan_reports = runner_registry.run(external_checks_dir=external_checks_dir, files=args.file, guidelines=guidelines, bc_integration=bc_integration) if bc_integration.is_integration_configured(): files = [os.path.abspath(file) for file in args.file] root_folder = os.path.split(os.path.commonprefix(files))[0] bc_integration.persist_repository(root_folder) bc_integration.persist_scan_results(scan_reports) url = bc_integration.commit_repository(args.branch) return runner_registry.print_reports(scan_reports, args, url) elif args.docker_image: if args.bc_api_key is None: parser.error("--bc-api-key argument is required when using --docker-image") return if args.dockerfile_path is None: parser.error("--dockerfile-path argument is required when using --docker-image") return if args.branch is None: parser.error("--branch argument is required when using --docker-image") return image_scanner.scan(args.docker_image, args.dockerfile_path) else: print(f"{banner}") bc_integration.onboarding()