platform(terraform): Add eval keys #6929

tsmithv11 · 2025-01-02T20:31:00Z

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Add evaluation_keys for more checks

Also Fixes #6932

Checklist:

I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have added tests that prove my feature, policy, or fix is effective and works
New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Enhances the Checkov Terraform security scanning framework by implementing comprehensive evaluation key tracking across multiple cloud providers and resource types. This change improves the granularity and accuracy of security checks by explicitly defining which configuration elements are evaluated. Additionally, it includes code refactoring for better type hinting, consistency, and maintainability across various resource checks.

Topic

Details

Code Refactoring

Refactors resource check implementations to improve type hinting, add get_evaluated_keys methods, and enhance overall code quality and consistency

Modified files (34)

checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py
checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py
checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py
checkov/terraform/checks/resource/azure/ACRGeoreplicated.py
checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py
checkov/terraform/checks/resource/kubernetes/WildcardRoles.py
checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py
checkov/terraform/checks/resource/aws/SQSQueueEncryption.py
checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py
checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py
checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py
checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py
checkov/terraform/checks/resource/github/PrivateRepo.py
checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py
checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py
checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py
checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py
checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py
checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py
checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py
checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py
checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py
checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py
checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py
checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py
checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py
checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py
checkov/terraform/checks/resource/aws/MQBrokerVersion.py
checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py
checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py
checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py
checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py

Latest Contributors(2)

User	Commit	Date
tazuri@paloaltonetwork...	feat-terraform-Add-che...	November 18, 2024
tsmithv11	feat-terraform-2-new-c...	October 14, 2024

Multi-Cloud Support

Extends and improves security checks across multiple cloud providers, enhancing Checkov's multi-cloud capabilities

Modified files (21)

checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py
checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py
checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py
checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py
checkov/terraform/checks/resource/alicloud/AbsRDSParameter.py
checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py
checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py
checkov/terraform/checks/resource/tencentcloud/CVMUserData.py
checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py
checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py
checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py
checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py
checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py
checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py
checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py
checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py
checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py
checkov/terraform/checks/resource/ncp/NACLPortCheck.py
checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py

Latest Contributors(2)

User	Commit	Date
[email protected]	feat-terraform-add-14-...	July 23, 2024
jjchavanne	feat-terraform-added-a...	January 01, 2023

Eval Key Tracking

Implements evaluation key tracking for Terraform resource checks across multiple cloud providers to improve security scanning accuracy and traceability

Modified files (32)

checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py
checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py
checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py
checkov/terraform/checks/resource/aws/S3GlobalViewACL.py
checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py
checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py
checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py
checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py
checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py
checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py
checkov/terraform/checks/resource/tencentcloud/CVMUserData.py
checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py
checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py
checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py
checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py
checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py
checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py
checkov/terraform/checks/resource/kubernetes/SeccompPSP.py
checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py
checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py
checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py
checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py
checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py
checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py
checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py
checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py
checkov/terraform/checks/resource/ncp/NACLPortCheck.py
checkov/terraform/checks/resource/aws/APIGatewayMethodWOAuth.py
checkov/terraform/checks/resource/aws/AMIEncryption.py
checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py

Latest Contributors(2)

User	Commit	Date
tjwald	feat-terraform-check-c...	December 23, 2024
tsmithv11	fix-terraform-Fix-two-...	November 26, 2024

Other

Other files

Modified files (2)

checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py

Latest Contributors(2)

User	Commit	Date
tsmithv11	fix-terraform-Fix-cras...	October 21, 2024
JamesWoolfenden	fix-terraform-pod-secu...	December 21, 2023

This pull request is reviewed by Baz. Join @tsmithv11 and the rest of your team on (Baz).

Terraform resource AWS checks only

d53bfba

tsmithv11 requested a deployment to scan-security January 2, 2025 20:31 — with GitHub Actions Waiting

flake8 fixes

c66d07f

tsmithv11 requested a deployment to scan-security January 2, 2025 20:36 — with GitHub Actions Waiting

fix for Issue 6932

8549a24

tsmithv11 requested a deployment to scan-security January 3, 2025 17:30 — with GitHub Actions Waiting

Add AliCloud

5af1bdc

tsmithv11 requested a deployment to scan-security January 10, 2025 06:49 — with GitHub Actions Waiting

Terraform Azure

2c5a29e

tsmithv11 requested a deployment to scan-security January 10, 2025 07:11 — with GitHub Actions Waiting

flake8 fixes

22a231c

tsmithv11 requested a deployment to scan-security January 10, 2025 07:13 — with GitHub Actions Waiting

Merge branch 'main' into add-evaluated-keys-jan25

3203373

tsmithv11 requested a deployment to scan-security January 10, 2025 07:13 — with GitHub Actions Waiting

GCP

426725d

tsmithv11 requested a deployment to scan-security January 17, 2025 18:55 — with GitHub Actions Waiting

TF Kubernetes

e2090f8

tsmithv11 requested a deployment to scan-security January 17, 2025 19:07 — with GitHub Actions Waiting

GitHub

d51426a

tsmithv11 requested a deployment to scan-security January 17, 2025 19:15 — with GitHub Actions Waiting

Other terraform providers

6d9b0f0

tsmithv11 requested a deployment to scan-security January 17, 2025 21:12 — with GitHub Actions Waiting

Fix flake8

abc6d3c

tsmithv11 requested a deployment to scan-security January 17, 2025 21:16 — with GitHub Actions Waiting

Merge branch 'main' into add-evaluated-keys-jan25

49a52fd

tsmithv11 temporarily deployed to scan-security January 17, 2025 21:17 — with GitHub Actions Inactive

tsmithv11 marked this pull request as ready for review January 17, 2025 21:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

platform(terraform): Add eval keys #6929

platform(terraform): Add eval keys #6929

tsmithv11 commented Jan 2, 2025 •

edited by baz-reviewer bot

Loading

platform(terraform): Add eval keys #6929

Are you sure you want to change the base?

platform(terraform): Add eval keys #6929

Conversation

tsmithv11 commented Jan 2, 2025 • edited by baz-reviewer bot Loading

User description

Description

Checklist:

Generated description

tsmithv11 commented Jan 2, 2025 •

edited by baz-reviewer bot

Loading