From cd96b4c51b7fb9f793291a932bb7612c4148a972 Mon Sep 17 00:00:00 2001
From: chani6887
Date: Mon, 10 Jun 2024 17:18:38 +0300
Subject: [PATCH 1/4] Add CKV_AZURE_137 to ARM

---
 .../resource/ACRAdminAccountDisabled.py | 22 ++++++++++
 .../example_ACRAdminAccountDisabled/fail.json | 37 ++++++++++++++++
 .../example_ACRAdminAccountDisabled/pass.json | 37 ++++++++++++++++
 .../resource/test_ACRAdminAccountDisabled.py | 43 +++++++++++++++++++
 4 files changed, 139 insertions(+)
 create mode 100644 checkov/arm/checks/resource/ACRAdminAccountDisabled.py
 create mode 100644 tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json
 create mode 100644 tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json
 create mode 100644 tests/arm/checks/resource/test_ACRAdminAccountDisabled.py

diff --git a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
new file mode 100644
index 00000000000..639d68c137a
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
@@ -0,0 +1,22 @@
+from __future__ import annotations
+from typing import Any, List
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):
+    def __init__(self):
+        name = "Ensure ACR admin account is disabled"
+        id = "CKV_AZURE_137"
+        supported_resources = ("Microsoft.ContainerRegistry/registries",)
+        categories = [CheckCategories.IAM]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/adminUserEnabled"
+
+    def get_forbidden_values(self) -> List[Any]:
+        return [True]
+
+
+check = ACRAdminAccountDisabled()
\ No newline at end of file
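Review bot: `get_forbidden_values` returns only the literal boolean `[True]`, so a template that writes `adminUserEnabled` as the string `"true"` or as a `[parameters(...)]` expression would presumably not be flagged — worth confirming how the ARM parser normalises that field, or widening the list to `return [True, "true"]`. An absent `adminUserEnabled` falls back to the base class's missing-attribute result, which is not visible here; since Azure defaults the admin user to disabled that is the intended outcome, but a comment stating it would help: `# adminUserEnabled defaults to false in Azure, so an absent key is a pass`. The class also has no docstring; `"""Flags Microsoft.ContainerRegistry/registries resources whose admin user account is enabled (CKV_AZURE_137)."""` would do.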
diff --git a/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json
new file mode 100644
index 00000000000..da47aaf9839
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json
@@ -0,0 +1,37 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.1",
+  "resources": [
+    {
+      "apiVersion": "2019-05-01",
+      "type": "Microsoft.ContainerRegistry/registries",
+      "name": "fail",
+      "location": "[resourceGroup().location]",
+      "sku": {
+        "name": "Basic"
+      },
+      "properties": {
+        "adminUserEnabled": true,
+        "anonymousPullEnabled": true,
+        "dataEndpointEnabled": true,
+        "encryption": {
+          "keyVaultProperties": {
+            "identity": "someIdentity",
+            "keyIdentifier": "someKeyIdentifier"
+          },
+          "status": "enabled"
+        },
+        "networkRuleBypassOptions": "AzureServices",
+        "networkRuleSet": {
+          "defaultAction": "Deny",
+          "ipRules": [
+            {
+              "action": "Allow",
+              "value": "127.0.0.1"
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json
new file mode 100644
index 00000000000..a415c30602e
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json
@@ -0,0 +1,37 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.1",
+  "resources": [
+    {
+      "apiVersion": "2019-05-01",
+      "type": "Microsoft.ContainerRegistry/registries",
+      "name": "pass",
+      "location": "[resourceGroup().location]",
+      "sku": {
+        "name": "Standard"
+      },
+      "properties": {
+        "adminUserEnabled": false,
+        "anonymousPullEnabled": true,
+        "dataEndpointEnabled": true,
+        "encryption": {
+          "keyVaultProperties": {
+            "identity": "someIdentity",
+            "keyIdentifier": "someKeyIdentifier"
+          },
+          "status": "enabled"
+        },
+        "networkRuleBypassOptions": "AzureServices",
+        "networkRuleSet": {
+          "defaultAction": "Deny",
+          "ipRules": [
+            {
+              "action": "Allow",
+              "value": "127.0.0.1"
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/tests/arm/checks/resource/test_ACRAdminAccountDisabled.py b/tests/arm/checks/resource/test_ACRAdminAccountDisabled.py
new file mode 100644
index 00000000000..23b27e2c867
--- /dev/null
+++ b/tests/arm/checks/resource/test_ACRAdminAccountDisabled.py
@@ -0,0 +1,43 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.ACRAdminAccountDisabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestACRAdminAccountDisabled(unittest.TestCase):
+
+    def test_summary(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_ACRAdminAccountDisabled"
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'Microsoft.ContainerRegistry/registries.pass',
+        }
+        failing_resources = {
+            'Microsoft.ContainerRegistry/registries.fail'
+        }
+        skipped_resources = {}
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()
From d639b2462118f08d819d8cdaf51c68a0bd984afe Mon Sep 17 00:00:00 2001
From: chani6887
Date: Thu, 13 Jun 2024 12:06:48 +0300
Subject: [PATCH 2/4] fix

---
 checkov/arm/checks/resource/ACRAdminAccountDisabled.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
index 639d68c137a..19e3d8c2c7b 100644
--- a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
+++ b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
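Review bot: test_summary pins only an explicit `false` and an explicit `true`, so the case a real template most often presents — a registry that omits `adminUserEnabled` and relies on the Azure default — is never exercised; a third fixture without the key, expected to pass if the base class keeps its missing-attribute default, would lock that behaviour in. `skipped_resources = {}` is an empty dict, not a set, so `len()` happens to work but the name misleads; `skipped_resources = set()` is the honest form. The two `set([c.resource for c in ...])` calls read better as set comprehensions, `{c.resource for c in report.passed_checks}`, the path would be clearer as `os.path.join(current_dir, "example_ACRAdminAccountDisabled")`, and the run of three blank lines before the assertions should go.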
@@ -5,7 +5,7 @@
 
 
 class ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure ACR admin account is disabled"
         id = "CKV_AZURE_137"
         supported_resources = ("Microsoft.ContainerRegistry/registries",)
@@ -19,4 +19,5 @@ def get_forbidden_values(self) -> List[Any]:
         return [True]
 
 
-check = ACRAdminAccountDisabled()
\ No newline at end of file
+check: ACRAdminAccountDisabled = ACRAdminAccountDisabled()
+
From 7b211309f0a8c2128ffdb211ee194796df421123 Mon Sep 17 00:00:00 2001
From: Chana Libarman <154217669+chani6887@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:13:06 +0300
Subject: [PATCH 3/4] Update ACRAdminAccountDisabled.py

---
 checkov/arm/checks/resource/ACRAdminAccountDisabled.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
index 19e3d8c2c7b..35a88e4608c 100644
--- a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
+++ b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
@@ -21,3 +21,4 @@ def get_forbidden_values(self) -> List[Any]:
 
 check: ACRAdminAccountDisabled = ACRAdminAccountDisabled()
 
+
From 614335125330d764b67f9b4efced346c29f29af8 Mon Sep 17 00:00:00 2001
From: Chana Libarman <154217669+chani6887@users.noreply.github.com>
Date: Thu, 13 Jun 2024 13:17:33 +0300
Subject: [PATCH 4/4] Update ACRAdminAccountDisabled.py

---
 checkov/arm/checks/resource/ACRAdminAccountDisabled.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
index 35a88e4608c..1235c707553 100644
--- a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
+++ b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
@@ -19,6 +19,4 @@ def get_forbidden_values(self) -> List[Any]:
         return [True]
 
 
-check: ACRAdminAccountDisabled = ACRAdminAccountDisabled()
-
-
+check = ACRAdminAccountDisabled()