
feat(terraform): adding 3 policies & tests #7011

Merged
merged 13 commits into from
Feb 25, 2025

Conversation

@TomerSegev241 TomerSegev241 commented Feb 12, 2025

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

CKV_AWS_386 is a unique check for WhoAMI
CKV_AZURE_250 aligns to ddf89efb-979f-412d-8e62-5ffa8d388e2c Azure Storage Sync Service configured with overly permissive network access
CKV_AZURE_251 aligns to fa6e9e09-d02e-418a-a573-baed692391ed Azure VM disk configured with public network access
CKV_OCI_23 aligns to 7e453ac3-32b3-4862-b720-8ca5d616b5a5 OCI Data Catalog configured with overly permissive network access

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes


Generated description

Below is a concise technical summary of the changes proposed in this PR:

Topic: Security Checks
Details: Implements four new security checks for AWS, Azure, and OCI resources to prevent vulnerabilities and overly permissive network access
Modified files (4)
  • checkov/terraform/checks/resource/azure/VMDiskWithPublicAccess.py
  • checkov/terraform/checks/data/aws/WhoAMI.py
  • checkov/terraform/checks/resource/oci/DataCatalogWithPublicAccess.py
  • checkov/terraform/checks/resource/azure/StorageSyncServicePermissiveAccess.py
Topic: Test Implementation
Details: Adds test files and example configurations for the new security checks
Modified files (8)
  • tests/terraform/checks/resource/azure/test_VMDiskWithPublicAccess.py
  • tests/terraform/checks/data/aws/test_WhoAMI.py
  • tests/terraform/checks/resource/oci/test_DataCatalogWithPublicAccess.py
  • tests/terraform/checks/resource/azure/test_StorageSyncServicePermissiveAccess.py
  • tests/terraform/checks/resource/oci/example_DataCatalogWithPublicAccess/main.tf
  • tests/terraform/checks/data/aws/example_WhoAMI/main.tf
  • tests/terraform/checks/resource/azure/example_StorageSyncServicePermissiveAccess/main.tf
  • tests/terraform/checks/resource/azure/example_VMDiskWithPublicAccess/main.tf

@TomerSegev241 TomerSegev241 changed the title adding 3 policies + tests feat(terraform): adding 3 policies & tests Feb 13, 2025
@tsmithv11 tsmithv11 left a comment

Nice work! Added some suggested changes. Also, in the description for this PR, please add a map of the CKV ID to Prisma Policy ID if these are translated policies. For example, CKV_AZURE_250 translates to ddf89efb-979f-412d-8e62-5ffa8d388e2c.

super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
if "image_owner_alias" in conf or 'owner_id' in conf:
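Review bot: the condition `if "image_owner_alias" in conf or 'owner_id' in conf:` tests for keys that are exported attributes of the `aws_ami` data source, not arguments a user writes in HCL, so on a plain `.tf` scan it never fires and the check reduces to the wildcard-in-`name` test the review thread describes; pin the decision on what users actually write, the `owners` argument (or an `owner-id`/`owner-alias` filter block), and fail when neither is present. Minor: the line mixes double and single quotes; pick one style.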
Collaborator

These are Attribute Reference attributes, so they are not written by the user for the resource type.

Collaborator Author

Yet if they are specified (the actual value doesn't matter), it's a best practice to avoid the WhoAMI attack. So if it is declared, that's enough to pass the policy. Does that make sense?

Collaborator

I'm saying that a user can't specify them in their Terraform code, so this would only apply to plan file scans. This check is effectively just looking for * in name and I don't think that is the intention.

from typing import Dict, Any

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
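Review bot: `BaseResourceCheck` is the wrong base here: the owner information lives on the `aws_ami` data source, not on the resource type (see the thread above), so the check should derive from checkov's data-check base class (`BaseDataCheck`) and be registered under `checks/data/aws/`, which is where the file list at the top of the page already places `WhoAMI.py`.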
Collaborator

@TomerSegev241 users can't define owner in the resource type. I think you need a data type check instead.
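
The detection this thread converges on, as an added stand-alone example (not checkov's WhoAMI.py and not using checkov's API): an `aws_ami` data-source configuration, given in the dict-of-lists shape checkov uses for HCL attributes (the nested `filter` layout is an assumption here), passes only when the lookup is pinned to an owner via `owners` or an `owner-id`/`owner-alias` filter, while a wildcard `name` filter is reported separately as the aggravating factor. The sample configurations and the account id are constructed.

```python
from typing import Any, Dict, List

WILDCARDS = ("*", "?")
OWNER_FILTERS = {"owner-id", "owner-alias"}


def _first(block: Dict[str, Any], key: str) -> Any:
    """Unwrap the one-element list that HCL attribute values arrive in."""
    values = block.get(key)
    return values[0] if isinstance(values, list) and values else None


def _filters(conf: Dict[str, List[Any]]) -> List[Dict[str, Any]]:
    """Flatten nested `filter` blocks into plain {name: ..., values: [...]} dicts."""
    blocks = conf.get("filter") or []
    return [{k: _first(b, k) for k in b} for b in blocks if isinstance(b, dict)]


def owner_is_constrained(conf: Dict[str, List[Any]]) -> bool:
    """True when the lookup is pinned to an account via `owners` or an owner filter."""
    owners = _first(conf, "owners")
    if isinstance(owners, list) and any(str(o).strip() for o in owners):
        return True
    return any(f.get("name") in OWNER_FILTERS and f.get("values") for f in _filters(conf))


def has_wildcard_name_filter(conf: Dict[str, List[Any]]) -> bool:
    """True when a `name` filter uses glob wildcards (the classic whoAMI shape)."""
    for f in _filters(conf):
        if f.get("name") == "name":
            if any(w in str(v) for v in f.get("values") or [] for w in WILDCARDS):
                return True
    return False


def scan_aws_ami_data(conf: Dict[str, List[Any]]) -> str:
    """PASSED only when the owner is pinned; an unpinned exact name is still
    reported, because any account can publish a public AMI with that name."""
    return "PASSED" if owner_is_constrained(conf) else "FAILED"


# Constructed sample configurations (not the PR's test fixtures).
UNPINNED_WILDCARD = {  # most_recent + name glob + no owners: attacker-controllable
    "most_recent": [True],
    "filter": [{"name": ["name"], "values": [["ubuntu/images/hvm-ssd/*"]]}],
}
PINNED_BY_OWNERS = {**UNPINNED_WILDCARD, "owners": [["123456789012"]]}  # placeholder id
PINNED_BY_FILTER = {
    "most_recent": [True],
    "filter": [{"name": ["name"], "values": [["my-app-*"]]},
               {"name": ["owner-alias"], "values": [["amazon"]]}],
}
EMPTY_OWNERS = {**UNPINNED_WILDCARD, "owners": [[""]]}  # whitespace-only is not pinned
```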

@@ -0,0 +1,29 @@
# DataCatalogWithPublicAccess
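Review bot: the `# DataCatalogWithPublicAccess` comment at the top of the new file only repeats the module name; drop it, or replace it with a short docstring stating what the check flags (an OCI Data Catalog with public network access, per CKV_OCI_23 in the description).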
Collaborator

I'd remove this comment

@aviadhahami aviadhahami left a comment

lgtm

@TomerSegev241 TomerSegev241 merged commit ab84250 into main Feb 25, 2025
43 of 44 checks passed
@TomerSegev241 TomerSegev241 deleted the compute_critical_policies branch February 25, 2025 13:47
Saarett pushed a commit that referenced this pull request Feb 25, 2025
* adding 3 policies + tests

* fix by flake8

* WhoAMI vulnerability

* flake8 - remove typing.List

* Update checkov/terraform/checks/resource/aws/WhoAMI.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/terraform/checks/resource/azure/StorageSyncServicePermissiveAccess.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/terraform/checks/resource/azure/VMDiskWithPublicAccess.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/terraform/checks/resource/oci/DataCatalogWithPublicAccess.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/terraform/checks/resource/azure/VMDiskWithPublicAccess.py

Co-authored-by: Taylor <[email protected]>

* Update checkov/terraform/checks/resource/oci/DataCatalogWithPublicAccess.py

Co-authored-by: Taylor <[email protected]>

* change resource to data policy

---------

Co-authored-by: Taylor <[email protected]>
Co-authored-by: Aviad Hahami <[email protected]>