
Incorrectly fails CKV_AWS_23 when no rules are specified in the security group

Open · bgshacklett opened this issue 1 year ago • 1 comment

Describe the issue

If all security group rules are specified as discrete aws_security_group_rule resources, Checkov throws CKV_AWS_23.

Examples

resource "aws_security_group" "foo" {
  # checkov:skip=CKV2_AWS_5

  vpc_id = "foo"
}

resource "aws_security_group_rule" "foo" {
  security_group_id = aws_security_group.foo.id

  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.example.cidr_block]
  description       = "Example"
}

Expected behavior: No failure should be seen.

Actual behavior:

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.foo
	File: /main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "foo" {
		2 |   # checkov:skip=CKV2_AWS_5
		3 |   vpc_id = "foo"
		4 | }

Version (please complete the following information):

  • 3.1.42
  • 3.2.3

bgshacklett avatar Jan 31 '24 20:01 bgshacklett

I had a look at the check and they are explicitly trying to catch this case; it even has a test case for this, but I know the name of the check doesn't match that well. I'll update the description so it's more obvious.

JamesWoolfenden avatar Feb 01 '24 09:02 JamesWoolfenden
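As an added illustration of the report above and of the maintainer's reply (example code, not Checkov's implementation): a per-resource check only sees a security group's inline ingress/egress blocks, so a group whose rules live in discrete aws_security_group_rule resources is indistinguishable from an empty group and gets the same result. The context-aware variant is a hypothetical alternative, assumed here, that follows security_group_id references; the resource dicts are constructed to mirror the HCL in the report.

```python
# Added example, not Checkov's own code: a minimal model of why a
# resource-scoped description check flags a security group whose rules
# live in separate aws_security_group_rule resources, beside a variant
# that follows security_group_id references. Resource dicts are constructed.
PASSED, FAILED = "PASSED", "FAILED"


def check_security_group(conf: dict) -> str:
    # Per-resource view: only inline ingress/egress blocks are visible, so a
    # group whose rules are discrete resources looks like an empty group.
    rules = conf.get("ingress", []) + conf.get("egress", [])
    return PASSED if rules and all(r.get("description") for r in rules) else FAILED


def check_security_group_rule(conf: dict) -> str:
    # Per-resource view of a discrete rule: it only needs a description.
    return PASSED if conf.get("description") else FAILED


def evaluate(resources: dict) -> dict:
    # Run the per-resource checks over every resource, keyed by address.
    checks = {"aws_security_group": check_security_group,
              "aws_security_group_rule": check_security_group_rule}
    return {f"{kind}.{name}": checks[kind](conf)
            for (kind, name), conf in resources.items() if kind in checks}


def check_group_with_context(group_addr: str, resources: dict) -> str:
    # Context-aware variant (an assumption, not how Checkov evaluates this
    # check): discrete rules whose security_group_id references the group
    # count as its rules, so the group from the report would pass.
    kind, name = group_addr.split(".", 1)
    group = resources[(kind, name)]
    rules = group.get("ingress", []) + group.get("egress", [])
    rules += [c for (k, _), c in resources.items()
              if k == "aws_security_group_rule"
              and c.get("security_group_id") == f"{group_addr}.id"]
    return PASSED if rules and all(r.get("description") for r in rules) else FAILED


# Constructed input mirroring the report: the group has no inline rules.
RESOURCES = {
    ("aws_security_group", "foo"): {"vpc_id": "foo"},
    ("aws_security_group_rule", "foo"): {
        "security_group_id": "aws_security_group.foo.id", "type": "ingress",
        "from_port": 0, "to_port": 65535, "protocol": "tcp",
        "description": "Example"},
}
```

Running evaluate(RESOURCES) reproduces the report: the group is FAILED while the discrete rule is PASSED, and only the context-aware variant passes the group.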