-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(arm): add CKV_AZURE_163 Enable vulnerability scanning for contai…
…ner images (#6339) * New files of the new policy * Amendment of the policy regarding the dictionary * Amendment of the policy regarding the dictionary * import correction * Filling a file with significant values * Changing a Boolean array to an accepted aliasUpdate pass.json * Update fail.json- failed to fail
- Loading branch information
Showing
4 changed files
with
145 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
|
||
from __future__ import annotations | ||
from typing import Any, Dict | ||
from checkov.common.models.enums import CheckResult, CheckCategories | ||
from checkov.arm.base_resource_check import BaseResourceCheck | ||
|
||
|
||
class ACRContainerScanEnabled(BaseResourceCheck): | ||
SKUS = {"Standard", "Premium"} # noqa: CCE003 # a static attribute | ||
|
||
def __init__(self) -> None: | ||
name = "Enable vulnerability scanning for container images." | ||
id = "CKV_AZURE_163" | ||
supported_resources = ("Microsoft.ContainerRegistry/registries",) | ||
categories = (CheckCategories.GENERAL_SECURITY,) | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) | ||
|
||
def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: | ||
sku = conf.get("sku", {}) | ||
sku_name = sku.get("name") | ||
|
||
if isinstance(sku_name, str) and sku_name in ACRContainerScanEnabled.SKUS: | ||
return CheckResult.PASSED | ||
|
||
return CheckResult.FAILED | ||
|
||
|
||
check = ACRContainerScanEnabled() |
37 changes: 37 additions & 0 deletions
37
tests/arm/checks/resource/example_ACRContainerScanEnabled/fail.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.1", | ||
"resources": [ | ||
{ | ||
"apiVersion": "2019-05-01", | ||
"type": "Microsoft.ContainerRegistry/registries", | ||
"name": "fail", | ||
"location": "[resourceGroup().location]", | ||
"sku": { | ||
"name": "Basic" | ||
}, | ||
"properties": { | ||
"adminUserEnabled": true, | ||
"anonymousPullEnabled": true, | ||
"dataEndpointEnabled": true, | ||
"encryption": { | ||
"keyVaultProperties": { | ||
"identity": "someIdentity", | ||
"keyIdentifier": "someKeyIdentifier" | ||
}, | ||
"status": "enabled" | ||
}, | ||
"networkRuleBypassOptions": "AzureServices", | ||
"networkRuleSet": { | ||
"defaultAction": "Deny", | ||
"ipRules": [ | ||
{ | ||
"action": "Allow", | ||
"value": "127.0.0.1" | ||
} | ||
] | ||
} | ||
} | ||
} | ||
] | ||
} |
37 changes: 37 additions & 0 deletions
37
tests/arm/checks/resource/example_ACRContainerScanEnabled/pass.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.1", | ||
"resources": [ | ||
{ | ||
"apiVersion": "2019-05-01", | ||
"type": "Microsoft.ContainerRegistry/registries", | ||
"name": "pass", | ||
"location": "[resourceGroup().location]", | ||
"sku": { | ||
"name": "Standard" | ||
}, | ||
"properties": { | ||
"adminUserEnabled": true, | ||
"anonymousPullEnabled": true, | ||
"dataEndpointEnabled": true, | ||
"encryption": { | ||
"keyVaultProperties": { | ||
"identity": "someIdentity", | ||
"keyIdentifier": "someKeyIdentifier" | ||
}, | ||
"status": "enabled" | ||
}, | ||
"networkRuleBypassOptions": "AzureServices", | ||
"networkRuleSet": { | ||
"defaultAction": "Deny", | ||
"ipRules": [ | ||
{ | ||
"action": "Allow", | ||
"value": "127.0.0.1" | ||
} | ||
] | ||
} | ||
} | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
import os | ||
import unittest | ||
|
||
from checkov.arm.checks.resource.ACRContainerScanEnabled import check | ||
from checkov.arm.runner import Runner | ||
from checkov.runner_filter import RunnerFilter | ||
|
||
|
||
class TestACRContainerScanEnabled(unittest.TestCase): | ||
|
||
def test_summary(self): | ||
runner = Runner() | ||
current_dir = os.path.dirname(os.path.realpath(__file__)) | ||
|
||
test_files_dir = current_dir + "/example_ACRContainerScanEnabled" | ||
report = runner.run(root_folder=test_files_dir, | ||
runner_filter=RunnerFilter(checks=[check.id])) | ||
summary = report.get_summary() | ||
|
||
passing_resources = { | ||
'Microsoft.ContainerRegistry/registries.pass', | ||
} | ||
failing_resources = { | ||
'Microsoft.ContainerRegistry/registries.fail' | ||
} | ||
skipped_resources = {} | ||
|
||
passed_check_resources = set([c.resource for c in report.passed_checks]) | ||
failed_check_resources = set([c.resource for c in report.failed_checks]) | ||
|
||
|
||
|
||
self.assertEqual(summary['passed'], len(passing_resources)) | ||
self.assertEqual(summary['failed'], len(failing_resources)) | ||
self.assertEqual(summary['skipped'], len(skipped_resources)) | ||
self.assertEqual(summary['parsing_errors'], 0) | ||
|
||
self.assertEqual(passing_resources, passed_check_resources) | ||
self.assertEqual(failing_resources, failed_check_resources) | ||
|
||
|
||
if __name__ == '__main__': | ||
unittest.main() |