diff --git a/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py b/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py index 6b817079c5e..962c36447df 100644 --- a/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py +++ b/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py @@ -28,10 +28,12 @@ def __init__(self): def scan_data_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if "name" in conf.keys(): if conf.get("name")[0] == ADMIN_POLICY_NAME: + self.evaluated_keys = ["name"] return CheckResult.FAILED if "arn" in conf.keys(): if conf.get("arn")[0] == ADMIN_POLICY_ARN: + self.evaluated_keys = ["arn"] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/alicloud/AbsRDSParameter.py b/checkov/terraform/checks/resource/alicloud/AbsRDSParameter.py index 7492d133bc0..d0ca2869a11 100644 --- a/checkov/terraform/checks/resource/alicloud/AbsRDSParameter.py +++ b/checkov/terraform/checks/resource/alicloud/AbsRDSParameter.py @@ -25,3 +25,6 @@ def scan_resource_conf(self, conf): if param['name'][0] == self.parameter and (param['value'][0]).lower() == 'on': return CheckResult.PASSED return CheckResult.FAILED + + def get_evaluated_keys(self): + return ["parameters"] diff --git a/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py b/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py index ccc48be64f7..f8d5f16fb93 100644 --- a/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py +++ b/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck 
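Review bot: `self.evaluated_keys` is assigned only on the two FAILED branches, so a PASSED result records nothing and, since check objects appear to be module-level singletons shared across every scanned resource (the other files in this change end with `check = ...()`), it may still hold the list left by the previously scanned data source unless the base class resets it between runs. A `get_evaluated_keys` override returning `["name", "arn"]`, the form used by the resource checks elsewhere in this change, describes both attributes regardless of outcome. The `def __init__(self):` in the hunk header is context only; the scan method is fully visible.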
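Review bot: `["parameters"]` points at the whole block, while the loop right above already knows which entry decided the result; iterating with `enumerate` and recording `f"parameters/[{idx}]/value"` for the entry whose name equals `self.parameter` would direct the reader to the offending line. The new override also lacks the `-> list[str]` annotation that the other overrides in this change carry. The start of the scan loop lies outside the hunk.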
@@ -23,5 +23,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.PASSED return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["encrypted"] + check = DiskEncryptedWithCMK() diff --git a/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py b/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py index cfba82f4dd6..cb8d4458617 100644 --- a/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py +++ b/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py @@ -1,21 +1,26 @@ +from typing import List + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck class DiskIsEncrypted(BaseResourceCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure disk is encrypted" id = "CKV_ALI_7" supported_resources = ['alicloud_disk'] categories = [CheckCategories.ENCRYPTION] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): + def scan_resource_conf(self, conf) -> CheckResult: if conf.get("snapshot_id"): return CheckResult.UNKNOWN if conf.get("encrypted") and conf.get("encrypted") == [True]: return CheckResult.PASSED return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ['encrypted'] + check = DiskIsEncrypted() diff --git a/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py b/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py index 0af4f83d280..d708c37bb1a 100644 --- a/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py +++ b/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py 
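Review bot: `from typing import List` is introduced into a file that already has `from __future__ import annotations` and spells the scan signature as `conf: dict[str, list[Any]]`; writing the new override as `def get_evaluated_keys(self) -> list[str]:` keeps one annotation style and makes the added import unnecessary. The same mixed style appears in several other files of this change (CloudWatchLogGroupRetentionYear, ECSServiceFargateLatest, SQSQueueEncryption, ACRContainerScanEnabled), whereas EMRClusterConfEncryptsInTransit and ElasticsearchDomainAuditLogging already use `list[str]`.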
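Review bot: `get_evaluated_keys` returns only `['encrypted']`, but `scan_resource_conf` inspects `snapshot_id` first and returns UNKNOWN on it, so that attribute takes part in the decision too; `return ['snapshot_id', 'encrypted']` reflects what the check actually reads. The signature gains `-> CheckResult` while `conf` stays unannotated; `conf: dict[str, list[Any]]` (with `Any` imported) would match the sibling checks in this change.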
@@ -13,8 +13,9 @@ def __init__(self): def scan_resource_conf(self, conf): data_disks = conf.get("data_disks") if data_disks and isinstance(data_disks, list): - for disk in data_disks: + for idx, disk in enumerate(data_disks): if disk.get('encrypted') != [True]: + self.evaluated_keys = [f'data_disks/[{idx}]/encrypted'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/AMIEncryption.py b/checkov/terraform/checks/resource/aws/AMIEncryption.py index 487bc4b8c7d..8ce49a1da07 100644 --- a/checkov/terraform/checks/resource/aws/AMIEncryption.py +++ b/checkov/terraform/checks/resource/aws/AMIEncryption.py @@ -13,11 +13,13 @@ def __init__(self): def scan_resource_conf(self, conf) -> CheckResult: if conf.get('ebs_block_device'): mappings = conf.get('ebs_block_device') - for mapping in mappings: + self.evaluated_keys = ["ebs_block_device"] + for mapping_idx, mapping in enumerate(mappings): if not mapping.get("snapshot_id"): if not mapping.get("encrypted"): return CheckResult.FAILED if mapping.get("encrypted")[0] is False: + self.evaluated_keys.append(f"ebs_block_device/[{mapping_idx}]/encrypted") return CheckResult.FAILED # pass thru return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/APIGatewayMethodWOAuth.py b/checkov/terraform/checks/resource/aws/APIGatewayMethodWOAuth.py index 3c1ab7f70ee..4130a27440f 100644 --- a/checkov/terraform/checks/resource/aws/APIGatewayMethodWOAuth.py +++ b/checkov/terraform/checks/resource/aws/APIGatewayMethodWOAuth.py @@ -13,7 +13,7 @@ def __init__(self) -> None: categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def _is_policy_secure(self, policy: Dict[str, Any]) -> bool: + def _is_policy_secure(self, policy: Dict[str, Any]) -> CheckResult: # Check that the policy doesn't allow for all principals to us action execute-api:Invoke passed = True if policy.get("Statement"): 
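Review bot: `self.evaluated_keys` is set only when a disk fails, so a template whose disks all pass (or that has no `data_disks`) records nothing evaluated, and a stale value from a previous resource may remain on the shared check instance. Assigning `self.evaluated_keys = ['data_disks']` before the loop and appending `f'data_disks/[{idx}]/encrypted'` inside it, as AMIEncryption does in this same change, reports the evaluated block on every outcome.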
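Review bot: The first failure branch, `if not mapping.get("encrypted"): return CheckResult.FAILED`, returns without recording the indexed key, while the `is False` branch directly below appends `ebs_block_device/[{mapping_idx}]/encrypted`; both fail on the same attribute, so the finding is reported inconsistently depending on whether `encrypted` is missing or explicitly false. Moving `self.evaluated_keys.append(f"ebs_block_device/[{mapping_idx}]/encrypted")` to just after `if not mapping.get("snapshot_id"):` covers both paths with one line.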
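Review bot: The new return annotation `-> CheckResult` on `_is_policy_secure` does not match the body, which starts with `passed = True` and, as the method name suggests, tracks a boolean; unless the part of the function beyond this hunk was changed to return a `CheckResult`, the annotation should remain `-> bool`. The rest of the method and its caller lie outside the hunk, so this is hedged on what it actually returns.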
diff --git a/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py b/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py index ed8ae3471aa..cc8fa568e96 100644 --- a/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py +++ b/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py @@ -29,5 +29,8 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ['kms_key_details'] + check = AWSCodeGuruHasCMK() diff --git a/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py b/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py index 955179e89d1..0a4847702bb 100644 --- a/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py +++ b/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py @@ -16,6 +16,7 @@ def __init__(self) -> None: super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + self.evaluated_keys = ["container_properties"] container_properties = conf.get("container_properties") if container_properties: if isinstance(container_properties[0], str): @@ -28,6 +29,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if not isinstance(container, dict): return CheckResult.UNKNOWN if container.get("privileged"): + self.evaluated_keys.append("container_properties/[0]/privileged") return CheckResult.FAILED return CheckResult.PASSED return CheckResult.UNKNOWN diff --git a/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py b/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py index 5c23070c2de..14b36468690 100644 --- a/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py +++ b/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py 
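Review bot: The appended key `container_properties/[0]/privileged` assumes the attribute is an HCL block, but the visible `isinstance(container_properties[0], str)` branch shows it may arrive as a JSON string, in which case that sub-path names a key inside the string rather than anything in the Terraform source and the resolver may not map it to a line. Appending the sub-path only on the non-string branch, or keeping the `["container_properties"]` set at the top for the string case, avoids a dangling key. The JSON parsing between the two hunks is outside the view.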
@@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import \ @@ -33,5 +33,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["retention_in_days"] + check = CloudWatchLogGroupRetentionYear() diff --git a/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py b/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py index 4f84d1d53ac..231ead0cf86 100644 --- a/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py +++ b/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py @@ -17,10 +17,12 @@ def __init__(self) -> None: def scan_resource_conf(self, conf): groups = conf.get("origin_group") if groups and isinstance(groups, list): - for group in groups: + self.evaluated_keys = ["origin_group"] + for group_idx, group in enumerate(groups): if isinstance(group, dict) and group.get("failover_criteria"): member = group.get("member") if not member or len(member) < 2: + self.evaluated_keys.append(f"origin_group/[{group_idx}]/member") return CheckResult.FAILED else: return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py b/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py index 3ed728d7ecb..ec2b52e5931 100644 --- a/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py +++ b/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py 
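Review bot: The `else: return CheckResult.FAILED` branch, taken for an `origin_group` without `failover_criteria`, returns without recording which group failed, while the `member` branch just above it appends an indexed key; adding `self.evaluated_keys.append(f"origin_group/[{group_idx}]/failover_criteria")` before that return keeps the two failure paths consistent. The function continues past the hunk.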
@@ -21,6 +21,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if execute_command and isinstance(execute_command, list): execute_command = execute_command[0] if isinstance(execute_command, dict) and not execute_command.get("logging") == ["NONE"]: + self.evaluated_keys = ["configuration/[0]/execute_command_configuration"] if execute_command.get("kms_key_id"): log_conf = execute_command.get("log_configuration") if log_conf and isinstance(log_conf, list): diff --git a/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py b/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py index 954481d98c9..4744234483c 100644 --- a/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py +++ b/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -33,5 +33,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.UNKNOWN + def get_evaluated_keys(self) -> List[str]: + return ["launch_type", "platform_version"] + check = ECSServiceFargateLatest() diff --git a/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py b/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py index 5f31e2a3845..4abc088771f 100644 --- a/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py +++ b/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py 
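Review bot: `self.evaluated_keys` is set to the whole `execute_command_configuration` block only after `logging != ["NONE"]` has been established, while the very next line decides on `kms_key_id`; `"configuration/[0]/execute_command_configuration/[0]/kms_key_id"` points at the attribute that actually drives the result. When `execute_command` is absent or logging is NONE nothing is recorded at all, so setting `self.evaluated_keys = ["configuration"]` at the top of the method (outside this hunk) is worth considering.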
@@ -16,8 +16,10 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if 'listener' in conf: - for listener in conf.get('listener'): + self.evaluated_keys = ['listener'] + for listener_idx, listener in enumerate(conf.get('listener')): if 'instance_protocol' in listener: + self.evaluated_keys.append(f'listener/[{listener_idx}]/instance_protocol') if listener.get('instance_protocol')[0].lower() in ('http', 'tcp'): return CheckResult.FAILED if listener.get('instance_protocol')[0].lower() in ('https', 'ssl') and \ diff --git a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py index e9e51cdcf17..1d650ca514d 100644 --- a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py +++ b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckResult, CheckCategories from checkov.common.util.data_structures_utils import find_in_dict @@ -31,5 +31,11 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.UNKNOWN + def get_evaluated_keys(self) -> List[str]: + return [ + "configuration", + "configuration/[0]/EncryptionConfiguration/AtRestEncryptionConfiguration/LocalDiskEncryptionConfiguration/EnableEbsEncryption" + ] + check = EMRClusterConfEncryptsEBS() diff --git a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py index f79865fd94f..b9b3c9aad0f 100644 --- a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py +++ b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py 
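Review bot: The second path in `get_evaluated_keys`, `configuration/[0]/EncryptionConfiguration/AtRestEncryptionConfiguration/LocalDiskEncryptionConfiguration/EnableEbsEncryption`, walks keys of the JSON document held in the `configuration` attribute (the file's `find_in_dict` import suggests it is parsed from a string), not HCL blocks, so the evaluated-key resolver may not map it to a source line. If that is the case, `["configuration"]` alone is what can be reliably reported, and it is what EMRClusterConfEncryptsInTransit returns in this same change; the three EMR checks should agree either way. The scan method is outside the hunk.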
@@ -29,5 +29,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.UNKNOWN + def get_evaluated_keys(self) -> list[str]: + return ["configuration"] + check = EMRClusterConfEncryptsInTransit() diff --git a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py index 6373a90c835..6edb8e251a5 100644 --- a/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py +++ b/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckResult, CheckCategories from checkov.common.util.data_structures_utils import find_in_dict @@ -31,5 +31,11 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.UNKNOWN + def get_evaluated_keys(self) -> List[str]: + return [ + "configuration", + "configuration/[0]/EncryptionConfiguration/AtRestEncryptionConfiguration/LocalDiskEncryptionConfiguration/EnableAtRestEncryption" + ] + check = EMRClusterConfEncryptsLocalDisk() diff --git a/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py b/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py index 88f3bf6aa87..ce3755339b5 100644 --- a/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py +++ b/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py @@ -1,3 +1,5 @@ +from typing import List + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck 
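Review bot: `get_evaluated_keys` here returns only `["configuration"]`, whereas the sibling checks EMRClusterConfEncryptsEBS and EMRClusterConfEncryptsLocalDisk in this change additionally return the full path to the flag they test inside the encryption configuration; the in-transit counterpart would be the path ending in `InTransitEncryptionConfiguration/...` if that form is kept, or the siblings should be trimmed to match this one. The annotation `-> list[str]` used here is the cleaner form given `from __future__ import annotations` and could replace the `typing.List` import the siblings add.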
@@ -30,5 +32,8 @@ def scan_resource_conf(self, conf): return CheckResult.PASSED return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["setting"] + check = ElasticBeanstalkUseEnhancedHealthChecks() diff --git a/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py b/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py index 07cf2a2f2dc..13b4990e455 100644 --- a/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py +++ b/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py @@ -31,5 +31,8 @@ def scan_resource_conf(self, conf): return CheckResult.PASSED return CheckResult.FAILED + def get_evaluated_keys(self): + return ["setting"] + check = ElasticBeanstalkUseManagedUpdates() diff --git a/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py b/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py index 6d784ca6777..2538deccf9c 100644 --- a/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py +++ b/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py @@ -27,5 +27,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> list[str]: + return ["log_publishing_options"] + check = ElasticsearchDomainAuditLogging() diff --git a/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py b/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py index 3fe09bb6035..e5f3f1b6fdc 100644 --- a/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py +++ b/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py 
@@ -36,6 +36,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if self.entity_type == "aws_iam_role": if "managed_policy_arns" in conf.keys(): if ADMIN_POLICY_ARN in conf["managed_policy_arns"][0]: + self.evaluated_keys = ["managed_policy_arns"] return CheckResult.FAILED elif self.entity_type in ( @@ -46,6 +47,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: ): policy_arn = conf.get("policy_arn") if policy_arn and isinstance(policy_arn, list) and policy_arn[0] == ADMIN_POLICY_ARN: + self.evaluated_keys = ["policy_arn"] return CheckResult.FAILED elif self.entity_type in ( @@ -53,6 +55,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: ): managed_policy_arn = conf.get("managed_policy_arn") if managed_policy_arn and isinstance(managed_policy_arn, list) and managed_policy_arn[0] == ADMIN_POLICY_ARN: + self.evaluated_keys = ["managed_policy_arn"] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py b/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py index 42697780d08..1e849ba9c9a 100644 --- a/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py +++ b/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py @@ -15,8 +15,10 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: mappings = conf.get("block_device_mapping") if mappings and isinstance(mappings, list): + self.evaluated_keys = ["block_device_mapping"] for mapping in mappings: if mapping.get("ebs"): + self.evaluated_keys.append("block_device_mapping/[0]/ebs") ebs = mapping["ebs"][0] if not ebs.get("encrypted"): return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/aws/MQBrokerVersion.py b/checkov/terraform/checks/resource/aws/MQBrokerVersion.py index e8f9c402e25..73243988af1 100644 
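Review bot: `"block_device_mapping/[0]/ebs"` hard-codes index 0 inside `for mapping in mappings`, so a failing second or later mapping is reported against the first one. Iterate with `for idx, mapping in enumerate(mappings):` and append `f"block_device_mapping/[{idx}]/ebs/[0]/encrypted"`, which is the attribute actually tested two lines later. The remainder of the loop is outside the hunk.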
--- a/checkov/terraform/checks/resource/aws/MQBrokerVersion.py +++ b/checkov/terraform/checks/resource/aws/MQBrokerVersion.py @@ -1,4 +1,6 @@ import re +from typing import List + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -37,5 +39,8 @@ def scan_resource_conf(self, conf) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["engine_type", "engine_version"] + check = MQBrokerVersion() diff --git a/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py b/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py index 8adaf9a10d8..87f2424d571 100644 --- a/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py +++ b/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py @@ -17,7 +17,7 @@ def scan_resource_conf(self, conf): return CheckResult.FAILED def get_evaluated_keys(self): - return 'backup_retention_period' + return ['backup_retention_period'] check = NeptuneClusterBackupRetention() diff --git a/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py b/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py index 2032273392a..b16ae4b6149 100644 --- a/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py +++ b/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -44,5 +44,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["enabled_cloudwatch_logs_exports"] + check = RDSClusterAuditLogging() 
diff --git a/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py b/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py index 56492d6dba2..6cba34b8ac6 100644 --- a/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py +++ b/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py @@ -16,9 +16,10 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: if 'access_control_policy' in conf: - for policy in conf.get('access_control_policy'): + for policy_idx, policy in enumerate(conf["access_control_policy"]): if 'grant' in policy: - for grant in policy.get('grant'): + for grant_idx, grant in enumerate(policy["grant"]): + self.evaluated_keys = [f"access_control_policy/[{policy_idx}]/grant/[{grant_idx}]/permission"] if (isinstance(grant, dict) and 'permission' in grant and ('FULL_CONTROL' in grant.get('permission') or 'READ_ACP' in grant.get('permission'))): if 'grantee' in grant: diff --git a/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py b/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py index f1ca42be850..4397bdb8b95 100644 --- a/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py +++ b/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -29,5 +29,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["sqs_managed_sse_enabled", "kms_master_key_id"] + check = SQSQueueEncryption() diff --git a/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py b/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py index 4795cc1903b..db9e6014fc0 100644 
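Review bot: `self.evaluated_keys` is reassigned with `=` on every grant iteration, so when the check passes only the last grant's path survives and when it fails the grants inspected before it are dropped. Initialise `self.evaluated_keys = ["access_control_policy"]` before the loops and `append` the indexed `permission` path per grant, as the other checks in this change do. The grantee inspection that follows is outside the hunk.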
--- a/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py +++ b/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py @@ -16,10 +16,12 @@ def __init__(self) -> None: super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + self.evaluated_keys = ["rotation_rules"] rules = conf.get("rotation_rules") if rules and isinstance(rules, list): days = rules[0].get('automatically_after_days') if days and isinstance(days, list): + self.evaluated_keys = ["rotation_rules/[0]/automatically_after_days"] days = force_int(days[0]) if days is not None and days < 90: return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py b/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py index 85b97fdc82e..7f853025cdc 100644 --- a/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py +++ b/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py @@ -1,5 +1,7 @@ from __future__ import annotations +from typing import List + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck @@ -19,5 +21,8 @@ def scan_resource_conf(self, conf): return CheckResult.FAILED return CheckResult.PASSED + def get_evaluated_keys(self) -> List[str]: + return ["protocols"] + check = TransferServerAllowsOnlySecureProtocols() diff --git a/checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py b/checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py index 3fb52d5bfa2..8e0f3b7e6b4 100644 --- a/checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py +++ b/checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py 
@@ -1,4 +1,5 @@ from datetime import datetime +from typing import List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -57,8 +58,8 @@ def scan_resource_conf(self, conf: any) -> CheckResult: return CheckResult.PASSED return CheckResult.FAILED # default is TransferSecurityPolicy-2018-11 which is old: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_server - def get_evaluated_key(self) -> str: - return "security_policy_name" + def get_evaluated_keys(self) -> List[str]: + return ["security_policy_name"] check = TransferServerLatestPolicy() diff --git a/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py b/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py index a25460c806a..294e4ad1cf8 100644 --- a/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py +++ b/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -48,5 +48,12 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.UNKNOWN + def get_evaluated_keys(self) -> List[str]: + return [ + "rule", + "rules", + "activated_rule", + ] + check = WAFRuleHasAnyActions() diff --git a/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py b/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py index 61c79b4c5fe..568e234cd54 100644 --- a/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py +++ b/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py 
@@ -25,6 +25,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: and "anonymous_pull_enabled" in conf.keys() and conf["anonymous_pull_enabled"][0] ): + self.evaluated_keys = ["sku", "anonymous_pull_enabled"] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py b/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py index 0062c029419..ccd0949f097 100644 --- a/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py +++ b/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckResult, CheckCategories from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -29,5 +29,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["sku"] + check = ACRContainerScanEnabled() diff --git a/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py b/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py index 7029139bab6..c1fe87518f0 100644 --- a/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py +++ b/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py 
@@ -21,14 +21,16 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: # check registry. default=false + self.evaluated_keys = ["zone_redundancy_enabled"] if conf.get("zone_redundancy_enabled", []) != [True]: return CheckResult.FAILED # check each replica. default=false replications = conf.get("georeplications", {}) - for replica in replications: + for idx, replica in enumerate(replications): zone_redundancy_enabled = replica.get('zone_redundancy_enabled', []) if zone_redundancy_enabled != [True]: + self.evaluated_keys.append(f"georeplications/[{idx}]/zone_redundancy_enabled") return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py b/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py index 388f31056a4..399a50c523f 100644 --- a/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py +++ b/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py @@ -1,6 +1,6 @@ from __future__ import annotations -from typing import Any +from typing import Any, List from checkov.common.models.enums import CheckResult, CheckCategories from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck @@ -25,5 +25,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ['sku', 'georeplications'] + check = ACRGeoreplicated() diff --git a/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py b/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py index dcf4e814c02..da13cf29798 100644 --- a/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py +++ b/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py 
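Review bot: The rewritten loop line `for idx, replica in enumerate(replications):` keeps `conf.get("georeplications", {})` with a dict as the default for what is a list of blocks; `[]` is the matching empty value and avoids iterating a mapping's keys should that default ever be populated. The appended `georeplications/[{idx}]/zone_redundancy_enabled` path is consistent with the registry-level key set at the top of the method.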
@@ -19,18 +19,23 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: security = conf['security'][0] if 'enable_back_end_ssl30' in security: if security['enable_back_end_ssl30'][0]: + self.evaluated_keys = ['security/[0]/enable_back_end_ssl30'] return CheckResult.FAILED if 'enable_backend_tls10' in security: if security['enable_backend_tls10'][0]: + self.evaluated_keys = ['security/[0]/enable_backend_tls10'] return CheckResult.FAILED if 'enable_frontend_ssl30' in security: if security['enable_frontend_ssl30'][0]: + self.evaluated_keys = ['security/[0]/enable_frontend_ssl30'] return CheckResult.FAILED if 'enable_frontend_tls10' in security: if security['enable_frontend_tls10'][0]: + self.evaluated_keys = ['security/[0]/enable_frontend_tls10'] return CheckResult.FAILED if 'enable_frontend_tls11' in security: if security['enable_frontend_tls11'][0]: + self.evaluated_keys = ['security/[0]/enable_frontend_tls11'] return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py b/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py index 363d153ed74..b6e3dc3e259 100644 --- a/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py +++ b/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py 
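Review bot: TLS 1.1 is rejected only on the frontend (`enable_frontend_tls11`); the backend branches cover `enable_back_end_ssl30` and `enable_backend_tls10` but never TLS 1.1, so a backend still negotiating TLS 1.1 passes a check named MinTLS12. If the provider exposes `enable_backend_tls11`, as its frontend counterpart suggests, add the same two-line branch with `self.evaluated_keys = ['security/[0]/enable_backend_tls11']`. Because keys are set only on failure, a passing resource reports nothing evaluated; `self.evaluated_keys = ['security']` before the branches would cover that. The method's opening (`'security' in conf`) lies outside the hunk.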
@@ -61,14 +61,17 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 ):
 ciphers = ssl_policy.get("cipher_suites")
 if ciphers and isinstance(ciphers, list) and any(cipher in BAD_CIPHERS for cipher in ciphers[0]):
+ self.evaluated_keys = ["ssl_policy/[0]/cipher_suites"]
 return CheckResult.FAILED
 return CheckResult.PASSED
 policy_name = ssl_policy.get("policy_name")
 if policy_name and isinstance(policy_name, list) and policy_name[0] == "AppGwSslPolicy20220101S":
 return CheckResult.PASSED
+ self.evaluated_keys = ["ssl_policy/[0]/policy_name"]
 return CheckResult.FAILED
+ self.evaluated_keys = ["ssl_policy"]
 return CheckResult.FAILED
diff --git a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
index 2249f55ac5b..f7233117790 100644
--- a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
+++ b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
@@ -17,12 +17,14 @@ def scan_resource_conf(self, conf) -> CheckResult:
 if site_config.get('dotnet_framework_version') and isinstance(site_config.get('dotnet_framework_version'), list):
 if site_config.get('dotnet_framework_version')[0] == "v6.0":
 return CheckResult.PASSED
+ self.evaluated_keys = ['site_config/[0]/dotnet_framework_version']
 return CheckResult.FAILED
 if site_config.get('application_stack') and isinstance(site_config.get('application_stack'), list):
 stack = site_config.get('application_stack')[0]
 if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list):
 if stack.get('dotnet_version')[0] == "v8.0":
 return CheckResult.PASSED
+ self.evaluated_keys = ['site_config/[0]/application_stack/[0]/dotnet_version']
 return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py b/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py
index 5b79256ff67..cc1643b4cb7 100644
--- a/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py
+++ b/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -27,5 +27,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return CheckResult.PASSED
 return CheckResult.FAILED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["worker_count"]
+
 check = AppServiceInstanceMinimum()
diff --git a/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py b/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py
index 9592e85b1ac..99403009bdd 100644
--- a/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py
+++ b/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py
@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -21,5 +21,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return CheckResult.FAILED
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ['container', 'init_container']
+
 check = AzureContainerInstanceEnvVarSecureValueType()
diff --git a/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py b/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py
index db87fd14dfb..102e2216705 100644
--- a/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py
+++ b/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py
@@ -25,12 +25,16 @@ def __init__(self) -> None:
 def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 if "cdn_managed_https" in conf and isinstance(conf["cdn_managed_https"], list):
+ self.evaluated_keys = ["cdn_managed_https"]
 cdn = conf["cdn_managed_https"][0]
 if "tls_version" in cdn and isinstance(cdn["tls_version"], list) and cdn["tls_version"][0] in INSECURE_TLS_VERSIONS:
+ self.evaluated_keys = ["cdn_managed_https/[0]/tls_version"]
 return CheckResult.FAILED
 if "user_managed_https" in conf and isinstance(conf["user_managed_https"], list):
+ self.evaluated_keys = ["user_managed_https"]
 user = conf["user_managed_https"][0]
 if "tls_version" in user and isinstance(user["tls_version"], list) and user["tls_version"][0] in INSECURE_TLS_VERSIONS:
+ self.evaluated_keys = ["user_managed_https/[0]/tls_version"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py b/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py
index 6c1c56a94c7..980c55ded7e 100644
--- a/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py
+++ b/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py
@@ -24,6 +24,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 https_only = conf.get('https_only')[0]
 if not https_only:
+ self.evaluated_keys = ['https_only']
 return CheckResult.FAILED
 # relevant for linux/windows resources
@@ -36,6 +37,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 require_https = auth_settings_v2.get('require_https')[0]
 if not require_https:
+ self.evaluated_keys = ['auth_settings_v2', 'auth_settings_v2/[0]/require_https']
 return CheckResult.FAILED
 return CheckResult.PASSED
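Review bot: Each added line assigns `self.evaluated_keys` afresh, so when both `cdn_managed_https` and `user_managed_https` are present and neither carries an insecure `tls_version`, the PASSED result ends up with only `["user_managed_https"]` and the cdn block that was inspected first is dropped. Initialising the list once at the top of `scan_resource_conf` and appending each key as it is inspected keeps every evaluated path, with the offending `tls_version` path still present on FAILED. The `self.evaluated_keys = []` at the top is only needed if the base class does not already reset the list per run, which is not visible here — confirm.
```python
    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        self.evaluated_keys = []
        if "cdn_managed_https" in conf and isinstance(conf["cdn_managed_https"], list):
            self.evaluated_keys.append("cdn_managed_https")
            # … unchanged: cdn = conf["cdn_managed_https"][0] and the tls_version test …
                self.evaluated_keys.append("cdn_managed_https/[0]/tls_version")
                return CheckResult.FAILED
        if "user_managed_https" in conf and isinstance(conf["user_managed_https"], list):
            self.evaluated_keys.append("user_managed_https")
            # … unchanged: user = conf["user_managed_https"][0] and the tls_version test …
                self.evaluated_keys.append("user_managed_https/[0]/tls_version")
                return CheckResult.FAILED
        return CheckResult.PASSED
```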
diff --git a/checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py b/checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py
index ab286b51962..b24f9391003 100644
--- a/checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py
+++ b/checkov/terraform/checks/resource/azure/OpenAICognitiveServicesRestrictOutboundNetwork.py
@@ -24,6 +24,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 outbound_network_access_restricted = conf.get('outbound_network_access_restricted', [None])[0]
 fqdns = conf.get('fqdns', [[]])[0]
 if not outbound_network_access_restricted or not fqdns:
+ self.evaluated_keys = ['outbound_network_access_restricted', 'fqdns']
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py
index 75dc5d096eb..267ca06f82f 100644
--- a/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py
+++ b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py
@@ -1,3 +1,5 @@
+from typing import List
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -15,5 +17,8 @@ def scan_resource_conf(self, conf):
 return CheckResult.PASSED
 return CheckResult.FAILED
+ def get_evaluated_keys(self) -> List[str]:
+ return ['data_encrypted']
+
 check = SynapseSQLPoolDataEncryption()
diff --git a/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py b/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py
index 7eec03bc0bd..4318bcd35b2 100644
--- a/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py
+++ b/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py
@@ -1,19 +1,24 @@
+from typing import List
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck):
- def __init__(self):
+ def __init__(self) -> None:
 name = "Ensure Azure Synapse Workspace administrator login password is not exposed"
 id = "CKV_AZURE_239"
 supported_resources = ['azurerm_synapse_workspace']
 categories = [CheckCategories.SECRETS]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
- def scan_resource_conf(self, conf):
+ def scan_resource_conf(self, conf) -> CheckResult:
 if 'sql_administrator_login_password' in conf:
 return CheckResult.FAILED
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ['sql_administrator_login_password']
+
 check = SynapseWorkspaceAdministratorLoginPasswordHidden()
diff --git a/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py b/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
index 506c96d4760..a0d1a880cef 100644
--- a/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
+++ b/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py
@@ -25,5 +25,8 @@ def scan_resource_conf(self, conf):
 return CheckResult.PASSED
 return CheckResult.FAILED
+ def get_evaluated_keys(self):
+ return ['binary_authorization', 'enable_binary_authorization']
+
 check = GKEBinaryAuthorization()
diff --git a/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py b/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py
index 54769c48e15..8f2aab92e07 100644
--- a/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py
+++ b/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py
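Review bot: `def get_evaluated_keys(self):` in GKEBinaryAuthorization is added without a return annotation, while the same override elsewhere in this commit (PrivateRepo, WildcardRoles, SynapseWorkspaceAdministratorLoginPasswordHidden) is declared `-> List[str]`; `def get_evaluated_keys(self) -> List[str]:` plus `from typing import List` keeps the new overrides uniform. GKEMetadataServerIsEnabled's `get_evaluated_keys` has the same omission.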
@@ -31,5 +31,8 @@ def scan_resource_conf(self, conf):
 return CheckResult.FAILED
+ def get_evaluated_keys(self):
+ return ['node_config']
+
 check = GKEMetadataServerIsEnabled()
diff --git a/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py b/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
index 266043f7f99..002842dbc20 100644
--- a/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
+++ b/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
@@ -37,6 +37,7 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 secure = policy.get('enabled')[0]
 if secure:
 return CheckResult.PASSED
+ self.evaluated_keys = ['min_master_version', 'pod_security_policy_config/[0]/enabled']
 return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/checkov/terraform/checks/resource/github/PrivateRepo.py b/checkov/terraform/checks/resource/github/PrivateRepo.py
index 78e5a8a3d1d..256e877bd94 100644
--- a/checkov/terraform/checks/resource/github/PrivateRepo.py
+++ b/checkov/terraform/checks/resource/github/PrivateRepo.py
@@ -19,5 +19,8 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 return CheckResult.PASSED
 return CheckResult.FAILED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["private", "visibility"]
+
 check = PrivateRepo()
diff --git a/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py b/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py
index 3db9f005d78..b267d5aff8d 100644
--- a/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py
+++ b/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck
@@ -29,5 +29,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return CheckResult.FAILED
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["vulnerability_alerts"]
+
 check = GithubRepositoryVulnerabilityAlerts()
diff --git a/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py b/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py
index 3ab3aa588fb..4f8b4c4a40f 100644
--- a/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py
+++ b/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py
@@ -4,7 +4,7 @@ class DropCapabilitiesPSP(BaseResourceCheck):
- def __init__(self):
+ def __init__(self) -> None:
 # CIS-1.3 1.7.7
 # CIS-1.5 5.2.7
 name = "Do not admit containers with the NET_RAW capability"
@@ -17,11 +17,13 @@ def __init__(self):
 def scan_resource_conf(self, conf) -> CheckResult:
 if conf.get('spec'):
+ self.evaluated_keys = ['spec']
 spec = conf.get('spec')[0]
 if not spec:
 return CheckResult.UNKNOWN
 if spec.get("required_drop_capabilities"):
+ self.evaluated_keys = ['spec/[0]/required_drop_capabilities']
 drop_cap = spec.get("required_drop_capabilities")[0]
 if drop_cap and isinstance(drop_cap, list):
 if any(cap in drop_cap for cap in ("ALL", "NET_RAW")):
diff --git a/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py b/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py
index 019a050ade6..079cdbf759e 100644
--- a/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py
+++ b/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py
@@ -16,10 +16,13 @@ def __init__(self):
 def scan_resource_conf(self, conf) -> CheckResult:
 # required param
 if "spec" in conf:
+ self.evaluated_keys = ["spec"]
 # required param
 if "run_as_user" in conf["spec"][0]:
+ self.evaluated_keys = ["spec/[0]/run_as_user"]
 runas = conf["spec"][0]["run_as_user"][0]
 if runas["rule"]:
+ self.evaluated_keys = ["spec/[0]/run_as_user/[0]/rule"]
 inspected_value = runas["rule"][0]
 if inspected_value == "MustRunAsNonRoot":
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py b/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py
index 158e3127440..6cacc193298 100644
--- a/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py
+++ b/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py
@@ -14,7 +14,9 @@ def __init__(self):
 def scan_resource_conf(self, conf) -> CheckResult:
 if "metadata" in conf:
+ self.evaluated_keys = ["metadata"]
 if "annotations" in conf["metadata"][0]:
+ self.evaluated_keys = ["metadata/[0]/annotations"]
 metadata = conf["metadata"][0]
 if metadata.get("annotations"):
 annotations = metadata["annotations"][0]
diff --git a/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py b/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py
index c2cbe20c5c6..07039ef638b 100644
--- a/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py
+++ b/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py
@@ -1,3 +1,4 @@
+from typing import List
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -30,5 +31,8 @@ def scan_resource_conf(self, conf) -> CheckResult:
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["rule"]
+
 check = WildcardRoles()
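Review bot: In WildcardRoles, `+from typing import List` is inserted directly above the checkov imports with no separating blank line, whereas the same import added to SynapseSQLPoolDataEncryption, RouteTableNATGatewayDefault and VPCSecurityGroupRuleSet in this commit is followed by a blank line that keeps the stdlib group apart from the project group. Adding the blank line here keeps the import layout consistent across the touched files.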
diff --git a/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py b/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py
index 76e44c47121..2bed2a7aa82 100644
--- a/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py
+++ b/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py
@@ -15,9 +15,10 @@ def __init__(self) -> None:
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
- for outbound in conf.get("outbound", []):
+ for idx, outbound in enumerate(conf.get("outbound", [])):
 ip = outbound.get("ip_block")
 if ip == ["0.0.0.0/0"] or ip == ["::/0"]:
+ self.evaluated_keys = [f"outbound/[{idx}]/ip_block"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py b/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py
index 4b6582f2773..0aeb46f4a2a 100644
--- a/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py
+++ b/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py
@@ -15,7 +15,9 @@ def scan_resource_conf(self, conf):
 if 'protocol' in conf.keys():
 protocol = conf['protocol'][0]
 if protocol in ('HTTPS', 'TLS'):
+ self.evaluated_keys = ['protocol']
 if 'tls_min_version_type' in conf.keys():
+ self.evaluated_keys = ['protocol/[0]/tls_min_version_type']
 if conf['tls_min_version_type'] == ['TLSV12']:
 return CheckResult.PASSED
 return CheckResult.FAILED
diff --git a/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py b/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py
index a920b6b20e9..ec160aa7a85 100644
--- a/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py
+++ b/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py
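Review bot: In LBListenerUsesSecureProtocols the path `'protocol/[0]/tls_min_version_type'` does not match where the value is read: the following line tests `conf['tls_min_version_type']`, a top-level attribute of the resource rather than a child of `protocol`, so the recorded key cannot be resolved against the configuration. The second assignment also discards `'protocol'`, which was just evaluated; replacing it with `self.evaluated_keys.append('tls_min_version_type')` records both attributes correctly. The rest of `scan_resource_conf`, including the branches for non-TLS protocols, lies outside the hunk.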
@@ -1,6 +1,6 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -24,5 +24,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return CheckResult.FAILED
 return CheckResult.UNKNOWN
+ def get_evaluated_keys(self) -> List[str]:
+ return ["protocol", "health_check"]
+
 check = LBTargetGroupDefinesHealthCheck()
diff --git a/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py b/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py
index 7dba0bbb3d0..4d85aab0b32 100644
--- a/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py
+++ b/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
+from typing import List
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -19,5 +21,8 @@ def scan_resource_conf(self, conf):
 return CheckResult.PASSED
 return CheckResult.FAILED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["protocol"]
+
 check = LBTargetGroupUsingHTTPS()
diff --git a/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py b/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
index 55cc60a0d03..f4f21dfaa56 100644
--- a/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
@@ -12,8 +12,9 @@ def __init__(self, check_id, port):
 self.port = port
 def scan_resource_conf(self, conf):
- for inbound in conf.get('inbound', []):
+ for idx, inbound in enumerate(conf.get('inbound', [])):
 if inbound['rule_action'] == ["ALLOW"]:
+ self.evaluated_keys = [f"inbound/[{idx}]/ip_block", f"inbound/[{idx}]/port_range"]
 ip = inbound.get('ip_block', ['0.0.0.0/0'])
 if ip == ['0.0.0.0/0'] or ip == ['::/0']:
 port = inbound.get('port_range', str(self.port))[0]
diff --git a/checkov/terraform/checks/resource/ncp/NACLPortCheck.py b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
index e12cac40a5a..a761f72177b 100644
--- a/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
+++ b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
@@ -3,16 +3,17 @@ class NACLPortCheck(BaseResourceCheck):
- def __init__(self):
+ def __init__(self) -> None:
 name = "An inbound Network ACL rule should not allow ALL ports."
 id = "CKV_NCP_12"
 supported_resources = ('ncloud_network_acl_rule',)
 categories = (CheckCategories.NETWORKING,)
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
- def scan_resource_conf(self, conf):
+ def scan_resource_conf(self, conf) -> CheckResult:
 if 'inbound' in conf.keys():
- for inbound in conf['inbound']:
+ for idx, inbound in enumerate(conf['inbound']):
+ self.evaluated_keys = [f"inbound/[{idx}]/port_range"]
 if 'port_range' in inbound.keys():
 for port_range in inbound['port_range']:
 if port_range == "1-65535":
diff --git a/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py b/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
index ada0883e76e..e5a0f0b7cac 100644
--- a/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
+++ b/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py
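Review bot: `self.evaluated_keys` is reassigned on every ALLOW rule, so after the loop only the keys of the last ALLOW entry remain even though each one was inspected, and `rule_action`, which is read on every iteration, is never recorded. `self.evaluated_keys.extend([f"inbound/[{idx}]/rule_action", f"inbound/[{idx}]/ip_block", f"inbound/[{idx}]/port_range"])` accumulates them instead, assuming the base class resets the list before each run (not visible here — confirm). NACLPortCheck has the same per-iteration reassignment and additionally records `inbound/[{idx}]/port_range` before `'port_range' in inbound.keys()` is tested, so it names a key that may not exist; moving that assignment under the `if` fixes it. Both `scan_resource_conf` bodies continue past the end of their hunks.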
@@ -1,3 +1,5 @@
+from typing import List
+
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck
@@ -20,5 +22,8 @@ def scan_resource_conf(self, conf):
 return CheckResult.FAILED
 return CheckResult.UNKNOWN
+ def get_evaluated_keys(self) -> List[str]:
+ return ["destination_cidr_block"]
+
 check = RouteTableNATGatewayDefault()
diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py
index 54bc61f6dc2..8174e26b99f 100644
--- a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py
+++ b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py
@@ -15,11 +15,13 @@ def scan_resource_conf(self, conf: dict) -> CheckResult:
 if conf.get("orderly_security_groups"):
 for osg in conf["orderly_security_groups"][0]:
 if ".default." in osg:
+ self.evaluated_keys = ["orderly_security_groups"]
 return CheckResult.FAILED
 if conf.get("security_groups"):
 for sg in conf["security_groups"][0]:
 if ".default." in sg:
+ self.evaluated_keys = ["security_groups"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py
index b3e3c94375a..930b5671254 100644
--- a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py
+++ b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py
@@ -13,8 +13,10 @@ def __init__(self):
 def scan_resource_conf(self, conf) -> CheckResult:
 if conf.get("vpc_id") and ".default." in conf["vpc_id"][0]:
+ self.evaluated_keys = ["vpc_id"]
 return CheckResult.FAILED
 if conf.get("subnet_id") and ".default." in conf["subnet_id"][0]:
+ self.evaluated_keys = ["subnet_id"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py b/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py
index d75be4576c9..74aec1341b0 100644
--- a/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py
+++ b/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py
@@ -13,8 +13,10 @@ def __init__(self):
 def scan_resource_conf(self, conf: dict) -> CheckResult:
 if conf.get("user_data_raw") and ("TENCENTCLOUD_SECRET_ID" in conf["user_data_raw"][0] or "TENCENTCLOUD_SECRET_KEY" in conf["user_data_raw"][0]):
+ self.evaluated_keys = ["user_data_raw"]
 return CheckResult.FAILED
 if conf.get("user_data") and ("TENCENTCLOUD_SECRET_ID" in conf["user_data"][0] or "TENCENTCLOUD_SECRET_KEY" in conf["user_data"][0]):
+ self.evaluated_keys = ["user_data"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py b/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py
index 870f8931f47..27bdac29bb1 100644
--- a/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py
+++ b/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py
@@ -13,17 +13,21 @@ def __init__(self):
 def scan_resource_conf(self, conf) -> CheckResult:
 if conf.get("master_config"):
- for mc in conf["master_config"]:
+ for idx, mc in enumerate(conf["master_config"]):
 if mc.get("public_ip_assigned") and mc["public_ip_assigned"][0]:
+ self.evaluated_keys = [f"master_config/[{idx}]/public_ip_assigned"]
 return CheckResult.FAILED
 if mc.get("public_ip_assigned") is None and mc.get("internet_max_bandwidth_out") and mc["internet_max_bandwidth_out"][0] > 0:
+ self.evaluated_keys = [f"master_config/[{idx}]/internet_max_bandwidth_out"]
 return CheckResult.FAILED
 if conf.get("worker_config"):
- for mc in conf["worker_config"]:
+ for idx, mc in enumerate(conf["worker_config"]):
 if mc.get("public_ip_assigned") and mc["public_ip_assigned"][0]:
+ self.evaluated_keys = [f"worker_config/[{idx}]/public_ip_assigned"]
 return CheckResult.FAILED
 if mc.get("public_ip_assigned") is None and mc.get("internet_max_bandwidth_out") and mc["internet_max_bandwidth_out"][0] > 0:
+ self.evaluated_keys = [f"worker_config/[{idx}]/internet_max_bandwidth_out"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py b/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py
index 39340dd7b26..f50359ed3a1 100644
--- a/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py
+++ b/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py
@@ -1,3 +1,5 @@
+from typing import List
+
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.terraform.checks.resource.base_resource_value_check import \
 BaseResourceCheck
@@ -26,5 +28,8 @@ def scan_resource_conf(self, conf) -> CheckResult:
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["ingress"]
+
 check = VPCSecurityGroupRuleSet()
diff --git a/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py b/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py
index 067ab69b255..2b1f467a72c 100644
--- a/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py
+++ b/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 from checkov.common.models.enums import CheckResult, CheckCategories
@@ -53,5 +53,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 return CheckResult.FAILED
 return CheckResult.PASSED
+ def get_evaluated_keys(self) -> List[str]:
+ return ["members", "member"]
+
 scanner = IAMPassportAccountUsage()
diff --git a/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py b/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py
index dd64a801160..bbad949bfbe 100644
--- a/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py
+++ b/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py
@@ -23,10 +23,12 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 if "acl" in conf.keys():
 acl_block = conf["acl"]
 if acl_block in [["public-read"], ["public-read-write"]]:
+ self.evaluated_keys = ["acl"]
 return CheckResult.FAILED
 if "grant" in conf.keys():
 grant_uri_block = conf["grant"][0]["uri"]
 if grant_uri_block == ["http://acs.amazonaws.com/groups/global/AllUsers"]:
+ self.evaluated_keys = ["grant"]
 return CheckResult.FAILED
 return CheckResult.PASSED
diff --git a/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py b/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py
index e5d6f3e4974..b0fb91783b1 100644
--- a/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py
+++ b/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py
@@ -22,6 +22,7 @@ def __init__(self) -> None:
 def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 if "ingress" in conf.keys():
 cidr_block = conf["ingress"][0]["v4_cidr_blocks"]
+ self.evaluated_keys = ["ingress/[0]/v4_cidr_blocks"]
 for cidr in cidr_block[0]:
 if cidr == "0.0.0.0/0":
 if "port" in conf["ingress"][0].keys():
diff --git a/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py b/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py
index af8bc815b13..e3e5dface68 100644
--- a/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py
+++ b/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py
@@ -22,15 +22,19 @@ def __init__(self) -> None:
 def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 if conf["direction"][0] == "ingress":
 cidr_block = conf["v4_cidr_blocks"]
+ self.evaluated_keys = ["v4_cidr_blocks"]
 for cidr in cidr_block[0]:
 if cidr == "0.0.0.0/0":
 if "port" in conf.keys():
 if conf["port"][0] == -1:
+ self.evaluated_keys.append("port")
 return CheckResult.FAILED
 return CheckResult.PASSED
 if "from_port" not in conf.keys() and "to_port" not in conf.keys():
+ self.evaluated_keys.extend(["from_port", "to_port"])
 return CheckResult.FAILED
 if conf["from_port"][0] == 0 and conf["to_port"][0] == 65535:
+ self.evaluated_keys.extend(["from_port", "to_port"])
 return CheckResult.FAILED
 return CheckResult.PASSED
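Review bot: In VPCSecurityGroupAllowAll only `ingress/[0]/v4_cidr_blocks` is recorded, while the sibling VPCSecurityGroupRuleAllowAll in this commit also records the `port`, `from_port` and `to_port` keys it compares; the port branches of this function lie past the end of the hunk, so whether they receive the same treatment cannot be seen here — confirm. If not, `self.evaluated_keys.append("ingress/[0]/port")` at the `"port" in conf["ingress"][0].keys()` test, and likewise for the from/to ports, would align the two checks.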
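Review bot: `self.evaluated_keys.extend(["from_port", "to_port"])` in the `"from_port" not in conf.keys() and "to_port" not in conf.keys()` branch records two keys the condition has just established are absent, so they cannot be located in the resource; the keys actually read on that path are `direction` and `v4_cidr_blocks`. `direction` is read on every path but never recorded, and `port` is read whenever present but only appended when it equals -1. Starting with `self.evaluated_keys = ["direction", "v4_cidr_blocks"]`, appending `"port"` at the `"port" in conf.keys()` test, and dropping the extend in the absent-keys branch describes what was actually evaluated.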