checkov
Issue checking Serverless Framework projects with multiple config files
Describe the issue

For Serverless Framework, when leveraging multiple config files (https://www.serverless.com/framework/docs/providers/aws/guide/variables#multiple-configuration-files), Checkov is not checking resources in the nested file, or directly in the array provided.
Examples
With a definition without multiple files, running `checkov -d . --framework serverless --check CKV_AWS_28` returns the expected failed check.

```yaml
service: checkov-issue
provider:
  name: aws
resources:
  Resources:
    UserTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: checkov-issue
        BillingMode: PAY_PER_REQUEST
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
```

With the resources key as an array, checkov is not identifying the resources and performing checks on them.
```yaml
service: checkov-issue
provider:
  name: aws
resources:
  - Resources:
      UserTable:
        Type: AWS::DynamoDB::Table
        Properties:
          TableName: checkov-issue
          BillingMode: PAY_PER_REQUEST
          KeySchema:
            - AttributeName: id
              KeyType: HASH
          AttributeDefinitions:
            - AttributeName: id
              AttributeType: S
```

Version (please complete the following information):
- Checkov Version 2.1.270 and 2.2.225
Additional context

The same result happens if the resources key references a file include (`${file(resources/first-cf-resources.yml)}`); I just wanted to provide the simplest example.
If you run `serverless package`, you can verify that serverless does parse the file properly and generates the expected CloudFormation:

Please let me know if there is additional info I can provide.
Hey @quickliketurtle, thanks for reaching out. Yeah, we don't support this setup at the moment, but are you interested in contributing the needed changes?
To support list syntax under the resources block, you need to adjust this code part to allow both dict and list:
https://github.com/bridgecrewio/checkov/blob/19e8f9d8711073f8ec6c47df7b03fd46b9b44390/checkov/serverless/runner.py#L117-L118
After adjusting this, you would also be one step closer to making the file reference syntax work. Sadly, there is a challenge to fully support the file reference under the resources block. You would need to create some logic around the cf_context_parser here:
https://github.com/bridgecrewio/checkov/blob/19e8f9d8711073f8ec6c47df7b03fd46b9b44390/checkov/serverless/runner.py#L121-L134
Something like checking that it is indeed a file reference and then constructing the needed file lines block.
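One way to implement the dict-or-list handling described above, together with a first pass at `${file(...)}` resolution, as an added example that is not checkov's own code and does not reflect how `runner.py` or `cf_context_parser` are structured. The point for a defender is coverage: a scanner that only accepts the dict form silently skips the list and file-reference forms, so a misconfigured table produces no finding at all. The file loader is injected and backed by in-memory "files" so the example runs offline; `tables_without_pitr` is a simplified stand-in for the kind of property check CKV_AWS_28 performs (point-in-time recovery enabled), not checkov's implementation.

```python
"""Constructed example: normalise a Serverless ``resources`` block before scanning.

Not checkov's code.  Handles the two shapes the thread raises: ``resources``
given as a list of blocks instead of a dict, and blocks given as
``${file(...)}`` references.  The loader is injected so the example runs
against in-memory "files".
"""
import re
from typing import Any, Callable, Dict, List, Mapping

# Serverless file-variable reference, e.g. ${file(resources/first-cf-resources.yml)}
FILE_REF = re.compile(r"^\$\{file\(([^)]+)\)\}$")

Loader = Callable[[str], Any]  # path -> parsed YAML content (dict or list)


def resolve_file_ref(value: Any, load: Loader) -> Any:
    """Replace a ${file(path)} string with the loaded content; pass anything else through."""
    if isinstance(value, str):
        match = FILE_REF.match(value.strip())
        if match:
            return load(match.group(1))
    return value


def collect_cf_resources(resources: Any, load: Loader) -> Dict[str, Dict[str, Any]]:
    """Return {LogicalId: definition} from a ``resources`` block of any supported shape.

    Accepts a dict, a list of dicts, or ${file(...)} strings at either level.
    Items that are not mappings with a ``Resources`` key (e.g. Outputs-only
    blocks) are skipped; duplicate logical ids raise rather than overwrite.
    """
    resources = resolve_file_ref(resources, load)
    blocks: List[Any] = resources if isinstance(resources, list) else [resources]
    merged: Dict[str, Dict[str, Any]] = {}
    for block in blocks:
        block = resolve_file_ref(block, load)
        if not isinstance(block, Mapping):
            continue
        cf_resources = resolve_file_ref(block.get("Resources"), load)
        if not isinstance(cf_resources, Mapping):
            continue
        for logical_id, definition in cf_resources.items():
            if logical_id in merged:
                raise ValueError(f"duplicate logical id {logical_id!r}")
            merged[logical_id] = definition
    return merged


def tables_without_pitr(resources: Any, load: Loader) -> List[str]:
    """Logical ids of DynamoDB tables lacking point-in-time recovery (simplified CKV_AWS_28 condition)."""
    failing = []
    for logical_id, definition in collect_cf_resources(resources, load).items():
        if definition.get("Type") != "AWS::DynamoDB::Table":
            continue
        props = definition.get("Properties") or {}
        pitr = (props.get("PointInTimeRecoverySpecification") or {}).get("PointInTimeRecoveryEnabled")
        if pitr is not True:
            failing.append(logical_id)
    return sorted(failing)


# --- constructed sample input, mirroring the issue's serverless.yml ---------
USER_TABLE = {
    "Type": "AWS::DynamoDB::Table",
    "Properties": {
        "TableName": "checkov-issue",
        "BillingMode": "PAY_PER_REQUEST",
        "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}],
        "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
    },
}
# In-memory stand-ins for the files a ${file(...)} reference would load (constructed).
FAKE_FILES = {
    "resources/first-cf-resources.yml": {"Resources": {"UserTable": USER_TABLE}},
    "resources/second-cf-resources.yml": {"Resources": {"AuditBucket": {"Type": "AWS::S3::Bucket"}}},
}


def fake_load(path: str) -> Any:
    return FAKE_FILES[path]


DICT_FORM = {"Resources": {"UserTable": USER_TABLE}}
LIST_FORM = [DICT_FORM, "${file(resources/second-cf-resources.yml)}"]
FILE_FORM = "${file(resources/first-cf-resources.yml)}"

if __name__ == "__main__":
    for name, form in (("dict", DICT_FORM), ("list", LIST_FORM), ("file", FILE_FORM)):
        print(f"{name:4s} -> {sorted(collect_cf_resources(form, fake_load))}, "
              f"tables without PITR: {tables_without_pitr(form, fake_load)}")
```

All three shapes yield the same `UserTable` finding once normalised; with the dict-only behaviour the list and file forms would have yielded nothing. Raising on duplicate logical ids is deliberate: silently letting a later block overwrite an earlier one is another way for a resource to escape scanning.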
Hey @gruebel, thanks for the reply, and for the info on where changes would be needed. I'll take a look and see if I can make the necessary changes to support this. Might be a week or so before I can dig in though. :-)
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!