From 5d5b8d2238ff06ff3e4fee7dc24be72a375882a4 Mon Sep 17 00:00:00 2001
From: rutiNalenger
Date: Sun, 19 May 2024 13:19:25 +0300
Subject: [PATCH 1/6] FunctionAppMinTLSVersion
---
.../resource/FunctionAppMinTLSVersion.py | 26 +++++++++++
.../fail.json | 18 ++++++++
.../fail2.json | 18 ++++++++
.../pass.json | 18 ++++++++
.../pass2.json | 18 ++++++++
.../pass3.json | 18 ++++++++
.../pass4.json | 19 ++++++++
.../resource/test_FunctionAppMinTLSVersion.py | 44 +++++++++++++++++++
8 files changed, 179 insertions(+)
create mode 100644 checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
create mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
create mode 100644 tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
diff --git a/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
new file mode 100644
index 00000000000..1667f728ef4
--- /dev/null
+++ b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
@@ -0,0 +1,26 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class FunctionAppMinTLSVersion(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure Function app is using the latest version of TLS encryption"
+ id = "CKV_AZURE_145"
+ supported_resources = ('Microsoft.Web/sites','Microsoft.Web/sites/slots',)
+ categories = [CheckCategories.NETWORKING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+ missing_block_result=CheckResult.PASSED)
+
+ def get_inspected_key(self) -> str:
+ return "properties/siteConfig/minTlsVersion"
+
+ def get_expected_value(self) -> Any:
+ return 1.2
+
+ def get_expected_values(self):
+ return ["1.2", 1.2]
+
+
+check = FunctionAppMinTLSVersion()
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
new file mode 100644
index 00000000000..4a5965c74df
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.1"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
new file mode 100644
index 00000000000..c74057282fe
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
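Review bot: `get_expected_values` in FunctionAppMinTLSVersion.py accepts only `"1.2"` and `1.2`, so a template that sets `minTlsVersion` to `"1.3"` is reported as failing even though it is stricter than the baseline this check enforces; consider `return ["1.2", 1.2, "1.3", 1.3]` and a matching fixture. The constructor also passes `missing_block_result=CheckResult.PASSED`, so a site that omits `siteConfig/minTlsVersion` passes; that relies on the platform default being 1.2 or higher, which deserves a comment above the `super().__init__` call. `supported_resources` matches every `Microsoft.Web/sites` resource rather than only those whose `kind` contains `functionapp` (only pass4.json sets it), so the check name is narrower than what is actually scanned. This file is removed again by PATCH 3/6 of the same series.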
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.1"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
new file mode 100644
index 00000000000..0dbbafaebb0
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
new file mode 100644
index 00000000000..b81f1b491f8
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
new file mode 100644
index 00000000000..a21270870cc
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
new file mode 100644
index 00000000000..93359bab29f
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp,linux",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py b/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
new file mode 100644
index 00000000000..8fb3007b04d
--- /dev/null
+++ b/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
@@ -0,0 +1,44 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppMinTLSVersion import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppMinTLSVersion(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppMinTLSVersion"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+ "Microsoft.Web/sites.pass2",
+ "Microsoft.Web/sites/slots.pass3",
+ "Microsoft.Web/sites/slots.pass4",
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ "Microsoft.Web/sites/slots.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
From 28279a0d7c4e22062e5dfb1d599fe6887b115051 Mon Sep 17 00:00:00 2001
From: rutiNalenger
Date: Tue, 28 May 2024 15:26:06 +0300
Subject: [PATCH 2/6] ACRAnonymousPullDisabled
---
.../resource/ACRAnonymousPullDisabled.py | 38 +++++++++++++++
.../fail.json | 18 ++++++++
.../fail2.json | 18 ++++++++
.../pass.json | 18 ++++++++
.../pass2.json | 18 ++++++++
.../pass3.json | 19 ++++++++
.../pass4.json | 18 ++++++++
.../pass5.json | 18 ++++++++
.../pass6.json | 15 ++++++
.../resource/test_ACRAnonymousPullDisabled.py | 46 +++++++++++++++++++
10 files changed, 226 insertions(+)
create mode 100644 checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json
create mode 100644 tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json
create mode 100644 tests/arm/checks/resource/test_ACRAnonymousPullDisabled.py
diff --git a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
new file mode 100644
index 00000000000..fb01b185101
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class ACRAnonymousPullDisabled(BaseResourceCheck):
+ ANONYMOUS_PULL_SKUS = {"Standard", "Premium"} # noqa: CCE003 # a static attribute
+
+ def __init__(self):
+ name = "Ensures that ACR disables anonymous pulling of images"
+ id = "CKV_AZURE_138"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = (CheckCategories.IAM,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+ properties = conf.get("properties", {})
+
+ anonymousPullEnabled = properties.get("anonymousPullEnabled")
+
+ sku = conf.get("sku")
+
+ if (
+ sku is not None
+ and isinstance(sku.get("name"), str)
+ and sku.get("name") in ACRAnonymousPullDisabled.ANONYMOUS_PULL_SKUS
+ and properties
+ and anonymousPullEnabled
+ ):
+ return CheckResult.FAILED
+
+ return CheckResult.PASSED
+
+
+check = ACRAnonymousPullDisabled()
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json
new file mode 100644
index 00000000000..f489195f39c
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "fail",
+ "location": "eastus",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "anonymousPullEnabled": true
+ }
+ }
+ ]
+}
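Review bot: `scan_resource_conf` in ACRAnonymousPullDisabled.py returns PASSED whenever `sku.name` is not the literal string `Standard` or `Premium`, so a registry whose SKU comes from a template expression (unless the ARM runner resolves it before the check runs), or is omitted as in pass6.json, is reported clean even with `anonymousPullEnabled: true`. Because the SKU cannot be determined in those cases, returning `CheckResult.UNKNOWN`, or failing on the explicit `true`, would avoid a passing result for a setting that allows image pulls without authentication. Both `sku.get("name")` and `properties.get(...)` assume a dict and raise `AttributeError` if the template carries a string or `null` there; guard with `sku_name = sku.get("name") if isinstance(sku, dict) else None`. The truthiness test on `anonymousPullEnabled` also treats any non-empty string, including `"false"`, as enabled, and the local would read better as `anonymous_pull_enabled`.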
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json
new file mode 100644
index 00000000000..74c8af184a0
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "fail2",
+ "location": "eastus",
+ "sku": {
+ "name": "Premium"
+ },
+ "properties": {
+ "anonymousPullEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json
new file mode 100644
index 00000000000..07f29b948a3
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass",
+ "location": "eastus",
+ "sku": {
+ "name": []
+ },
+ "properties": {
+ "anonymousPullEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json
new file mode 100644
index 00000000000..f48095bb9de
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass2",
+ "location": "eastus",
+ "sku": {
+ "name": "Premium"
+ },
+ "properties": {
+ "anonymousPullEnabled": false
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json
new file mode 100644
index 00000000000..a961d830bb4
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass3",
+ "location": "eastus",
+ "sku": {
+ "name": "Premium"
+ },
+ "properties": {
+ "zoneRedundancy": "Disabled"
+
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json
new file mode 100644
index 00000000000..9e83eae9d55
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass4",
+ "location": "eastus",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "zoneRedundancy": "Disabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json
new file mode 100644
index 00000000000..61eef7b345e
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass5",
+ "location": "eastus",
+ "sku": {
+ "name": "Basic"
+ },
+ "properties": {
+ "anonymousPullEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json
new file mode 100644
index 00000000000..5936f1d2642
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries",
+ "apiVersion": "2021-09-01",
+ "name": "pass6",
+ "location": "eastus",
+ "properties": {
+ "anonymousPullEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/test_ACRAnonymousPullDisabled.py b/tests/arm/checks/resource/test_ACRAnonymousPullDisabled.py
new file mode 100644
index 00000000000..3f1e6ee4f03
--- /dev/null
+++ b/tests/arm/checks/resource/test_ACRAnonymousPullDisabled.py
@@ -0,0 +1,46 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.ACRAnonymousPullDisabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestACRAnonymousPullDisabled(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_ACRAnonymousPullDisabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.ContainerRegistry/registries.pass",
+ "Microsoft.ContainerRegistry/registries.pass2",
+ "Microsoft.ContainerRegistry/registries.pass3",
+ "Microsoft.ContainerRegistry/registries.pass4",
+ "Microsoft.ContainerRegistry/registries.pass5",
+ "Microsoft.ContainerRegistry/registries.pass6"
+ }
+ failing_resources = {
+ "Microsoft.ContainerRegistry/registries.fail",
+ "Microsoft.ContainerRegistry/registries.fail2"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
From c1aace22a8f227f691bddcff22f5239fe48668bc Mon Sep 17 00:00:00 2001
From: rutiNalenger
Date: Tue, 28 May 2024 15:35:15 +0300
Subject: [PATCH 3/6] Deleting unnecessary files
---
.../resource/FunctionAppMinTLSVersion.py | 26 -----------
.../fail.json | 18 --------
.../fail2.json | 18 --------
.../pass.json | 18 --------
.../pass2.json | 18 --------
.../pass3.json | 18 --------
.../pass4.json | 19 --------
.../resource/test_FunctionAppMinTLSVersion.py | 44 -------------------
8 files changed, 179 deletions(-)
delete mode 100644 checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
delete mode 100644 tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
delete mode 100644 tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
diff --git a/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
deleted file mode 100644
index 1667f728ef4..00000000000
--- a/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py
+++ /dev/null
@@ -1,26 +0,0 @@
-from typing import Any
-
-from checkov.common.models.enums import CheckResult, CheckCategories
-from checkov.arm.base_resource_value_check import BaseResourceValueCheck
-
-
-class FunctionAppMinTLSVersion(BaseResourceValueCheck):
- def __init__(self) -> None:
- name = "Ensure Function app is using the latest version of TLS encryption"
- id = "CKV_AZURE_145"
- supported_resources = ('Microsoft.Web/sites','Microsoft.Web/sites/slots',)
- categories = [CheckCategories.NETWORKING]
- super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
- missing_block_result=CheckResult.PASSED)
-
- def get_inspected_key(self) -> str:
- return "properties/siteConfig/minTlsVersion"
-
- def get_expected_value(self) -> Any:
- return 1.2
-
- def get_expected_values(self):
- return ["1.2", 1.2]
-
-
-check = FunctionAppMinTLSVersion()
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
deleted file mode 100644
index 4a5965c74df..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2021-02-01",
- "name": "fail",
- "location": "[resourceGroup().location]",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": "1.1"
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
deleted file mode 100644
index c74057282fe..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites/slots",
- "apiVersion": "2021-02-01",
- "name": "fail2",
- "location": "[resourceGroup().location]",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": "1.1"
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
deleted file mode 100644
index 0dbbafaebb0..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2021-02-01",
- "name": "pass",
- "location": "[resourceGroup().location]",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": "1.2"
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
deleted file mode 100644
index b81f1b491f8..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2021-02-01",
- "name": "pass2",
- "location": "[resourceGroup().location]",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": 1.2
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
deleted file mode 100644
index a21270870cc..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites/slots",
- "apiVersion": "2021-02-01",
- "name": "pass3",
- "location": "[resourceGroup().location]",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": "1.2"
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
deleted file mode 100644
index 93359bab29f..00000000000
--- a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- {
- "type": "Microsoft.Web/sites/slots",
- "apiVersion": "2021-02-01",
- "name": "pass4",
- "location": "[resourceGroup().location]",
- "kind": "functionapp,linux",
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
- "siteConfig": {
- "minTlsVersion": 1.2
- }
- }
- }
- ]
-}
diff --git a/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py b/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
deleted file mode 100644
index 8fb3007b04d..00000000000
--- a/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
+++ /dev/null
@@ -1,44 +0,0 @@
-import unittest
-from pathlib import Path
-
-from checkov.arm.checks.resource.FunctionAppMinTLSVersion import check
-from checkov.arm.runner import Runner
-from checkov.runner_filter import RunnerFilter
-
-
-class TestFunctionAppMinTLSVersion(unittest.TestCase):
- def test_summary(self):
- # given
- test_files_dir = Path(__file__).parent / "example_FunctionAppMinTLSVersion"
-
- # when
- report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
-
- # then
- summary = report.get_summary()
-
- passing_resources = {
- "Microsoft.Web/sites.pass",
- "Microsoft.Web/sites.pass2",
- "Microsoft.Web/sites/slots.pass3",
- "Microsoft.Web/sites/slots.pass4",
- }
- failing_resources = {
- "Microsoft.Web/sites.fail",
- "Microsoft.Web/sites/slots.fail2",
- }
-
- passed_check_resources = {c.resource for c in report.passed_checks}
- failed_check_resources = {c.resource for c in report.failed_checks}
-
- self.assertEqual(summary["passed"], len(passing_resources))
- self.assertEqual(summary["failed"], len(failing_resources))
- self.assertEqual(summary["skipped"], 0)
- self.assertEqual(summary["parsing_errors"], 0)
-
- self.assertEqual(passing_resources, passed_check_resources)
- self.assertEqual(failing_resources, failed_check_resources)
-
-
-if __name__ == "__main__":
- unittest.main()
From e77e0756c4309697ed4b8d26e5b3289770279716 Mon Sep 17 00:00:00 2001
From: rutiNalenger
Date: Thu, 30 May 2024 15:03:58 +0300
Subject: [PATCH 4/6] fixed mypy issues
---
checkov/arm/checks/resource/ACRAnonymousPullDisabled.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
index fb01b185101..5c9f932210c 100644
--- a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
+++ b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
@@ -9,7 +9,7 @@ class ACRAnonymousPullDisabled(BaseResourceCheck): ANONYMOUS_PULL_SKUS = {"Standard", "Premium"} # noqa: CCE003 # a static attribute - def __init__(self): + def __init__(self) -> None: name = "Ensures that ACR disables anonymous pulling of images" id = "CKV_AZURE_138" supported_resources = ("Microsoft.ContainerRegistry/registries",) @@ -35,4 +35,5 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: return CheckResult.PASSED -check = ACRAnonymousPullDisabled() +check = ACRAnonymousPullDisabled() # type: ignore + From fd7425c8a940ffcb4aa21f7f3c5d4a6372065bdb Mon Sep 17 00:00:00 2001 From: rutiNalenger Date: Thu, 30 May 2024 16:52:45 +0300 Subject: [PATCH 5/6] Fixed --- checkov/arm/checks/resource/ACRAnonymousPullDisabled.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py index 5c9f932210c..b6c56705e28 100644 --- a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py +++ b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py @@ -35,5 +35,4 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: return CheckResult.PASSED -check = ACRAnonymousPullDisabled() # type: ignore - +check = ACRAnonymousPullDisabled From 023ec8baa4910b97ea52e568c47d7fe24f1471be Mon Sep 17 00:00:00 2001 From: rutiNalenger Date: Thu, 30 May 2024 21:33:32 +0300 Subject: [PATCH 6/6] Fixed --- checkov/arm/checks/resource/ACRAnonymousPullDisabled.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py index b6c56705e28..812a084160c 100644 --- a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py +++ b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py 
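Review bot: In PATCH 5/6, `check = ACRAnonymousPullDisabled` binds the class itself rather than an instance, so `__init__` never runs. If checks register themselves from the base-class constructor, which is not visible on this page but is suggested by every check module here instantiating at import time, CKV_AZURE_138 would silently drop out of the scan at this commit, and `check.id` in test_ACRAnonymousPullDisabled.py would not resolve to the id string. The line should stay `check = ACRAnonymousPullDisabled()`, with the mypy complaint addressed by the `-> None` annotation that PATCH 4/6 already added. PATCH 6/6 restores the call, so squashing 4 through 6 would leave no intermediate commit in which the policy is inactive.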
@@ -35,4 +35,4 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: return CheckResult.PASSED -check = ACRAnonymousPullDisabled +check = ACRAnonymousPullDisabled()