Outdated check for `google_container_cluster` binary authorization

Open calexandre opened this issue 1 year ago • 5 comments

Describe the issue

Check CKV_GCP_66: "Ensure use of Binary Authorization" is not checking against the updated property, causing the check to fail.

The current property states that the old method enable_binary_authorization is deprecated in favor of the new binary_authorization block.

Examples

Before:

  enable_binary_authorization = true

Now:

  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

Version (please complete the following information):

  • Checkov Version 2.1.149

calexandre avatar Aug 23 '22 16:08 calexandre

hey @calexandre thanks for reaching out. Great catch with the deprecation 🚀 are you maybe interested in contributing the needed change?

gruebel avatar Aug 23 '22 16:08 gruebel

Relevant files: https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py and the related test files https://github.com/bridgecrewio/checkov/blob/master/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization.py https://github.com/bridgecrewio/checkov/blob/master/tests/terraform/checks/resource/gcp/test_GKEBinaryAuthorization/main.tf

gruebel avatar Aug 23 '22 16:08 gruebel

@gruebel the change is that binary auth is now always on, so the check isn't needed at all

JamesWoolfenden avatar Sep 06 '22 09:09 JamesWoolfenden

@JamesWoolfenden but as far as I understand, you can set the mode to DISABLED and then it is actually disabled. So it is more like a negative check, as long as you don't set it to DISABLED you are fine, right?

gruebel avatar Sep 08 '22 20:09 gruebel

I think what @calexandre is trying to say is that how we do the check needs to change. What used to be a bool is now moved into a module block. A missing block or setting evaluation_mode to DISABLED should still fail, though. If @gruebel and @JamesWoolfenden agree, I can have a go at this one.

losisin avatar Sep 19 '22 07:09 losisin
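The evaluation logic the thread converges on (new `binary_authorization` block takes precedence, a missing block or `evaluation_mode = "DISABLED"` fails, the deprecated `enable_binary_authorization` bool is still honored for older configurations), written out as an added stand-alone example. This is not Checkov's own `GKEBinaryAuthorization.py` and does not import Checkov; it assumes the resource attributes arrive in the shape Checkov's Terraform parser produces (every attribute value wrapped in a list, nested blocks as a list containing one dict), and the sample configurations at the bottom are constructed for illustration.

```python
"""Evaluate GKE Binary Authorization on a parsed google_container_cluster resource.

Added example, not Checkov's code. Assumes the Checkov-style conf shape:
attribute values are wrapped in lists, nested blocks are lists of dicts.
"""
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


ENFORCE_MODE = "PROJECT_SINGLETON_POLICY_ENFORCE"
DISABLED_MODE = "DISABLED"


def _unwrap(value):
    """Return the single element of a one-item list, or the value itself."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def scan_binary_authorization(conf: dict) -> CheckResult:
    """Return PASSED only when Binary Authorization is actually enforced.

    Order of evaluation:
      1. A binary_authorization block, if present, is authoritative.
         - evaluation_mode == DISABLED      -> FAILED
         - evaluation_mode missing          -> FAILED (fail closed; the
           example treats an unset mode as not enforced)
         - any other mode (e.g. ENFORCE)    -> PASSED
      2. Otherwise fall back to the deprecated enable_binary_authorization
         bool; only an explicit true passes.
      3. Neither present -> FAILED.
    """
    block = _unwrap(conf.get("binary_authorization"))
    if isinstance(block, dict):
        mode = _unwrap(block.get("evaluation_mode"))
        if mode is None or str(mode).upper() == DISABLED_MODE:
            return CheckResult.FAILED
        return CheckResult.PASSED

    legacy = _unwrap(conf.get("enable_binary_authorization"))
    if legacy is True or str(legacy).lower() == "true":
        return CheckResult.PASSED
    return CheckResult.FAILED


# Constructed sample resources in Checkov's parsed shape (illustrative only).
SAMPLES = {
    "new_block_enforced": {
        "name": ["prod"],
        "binary_authorization": [{"evaluation_mode": [ENFORCE_MODE]}],
    },
    "new_block_disabled": {
        "name": ["dev"],
        "binary_authorization": [{"evaluation_mode": [DISABLED_MODE]}],
    },
    "legacy_bool_true": {"name": ["old"], "enable_binary_authorization": [True]},
    "legacy_bool_false": {"name": ["old2"], "enable_binary_authorization": [False]},
    "nothing_set": {"name": ["bare"]},
}


def scan_samples() -> dict:
    """Run the check over every constructed sample and return name -> result."""
    return {name: scan_binary_authorization(conf) for name, conf in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:20s} {result.value}")
```

Treating a block without `evaluation_mode` as a failure is a deliberate fail-closed choice for the example; whether the real check should do the same depends on the provider's default for that attribute, which the thread does not settle.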