checkov
feat(terraform): add new gcp postgresql checks
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
Add new Google Cloud PostgreSQL checks for: log_statement, log_hostname, log_min_error_statement and cloudsql.enable_pgaudit. I also take into account default values from the cloud provider.
Fixes #3531
Description
These are from CIS 1.3, sections 6.2.4, 6.2.5, 6.2.7 and 6.2.9. Default values are from the cloud provider and from here.
Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] I have added tests that prove my feature, policy, or fix is effective and works
- [x] New and existing tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream modules
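The point the description makes about provider defaults is the part that is easy to get wrong: a check that only looks at `database_flags` that are present will pass an instance that declares no flags at all, even though Cloud SQL runs it with `log_statement = none` and pgAudit off. The following is an added example written for this page, not the PR's own checkov classes. It evaluates the four flags against a `google_sql_database_instance` block in the dict shape checkov's Terraform parser hands to `scan_resource_conf` (scalars wrapped in one-element lists, nested blocks as lists of dicts). The check IDs `CKV_GCP_EXAMPLE_*`, the default values and the accepted value sets are assumptions; the defaults follow Cloud SQL's documented PostgreSQL defaults and the accepted sets follow the CIS wording (DDL logging at minimum, `ERROR` or stricter, the other two switched on).

```python
"""Evaluate Cloud SQL PostgreSQL database-flag policies against a Terraform
google_sql_database_instance block in the dict shape checkov's Terraform
parser produces: every attribute value wrapped in a one-element list, nested
blocks as lists of dicts. Added example, not the PR's own checkov classes."""
from __future__ import annotations

from enum import Enum
from typing import Any


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"   # not a PostgreSQL instance, so the flag does not apply


# Value Cloud SQL applies when the flag is not declared (assumed defaults).
# A check must fall back to these instead of treating "absent" as "fine".
GCP_DEFAULTS = {
    "log_statement": "none",
    "log_hostname": "off",
    "log_min_error_statement": "error",
    "cloudsql.enable_pgaudit": "off",
}

# Hypothetical check IDs -> (flag, accepted values). Accepted sets follow the
# CIS text: log_statement must capture at least DDL, log_min_error_statement
# must be ERROR or stricter, the other two must simply be on.
POLICIES = {
    "CKV_GCP_EXAMPLE_1": ("log_statement", {"ddl", "mod", "all"}),
    "CKV_GCP_EXAMPLE_2": ("log_hostname", {"on"}),
    "CKV_GCP_EXAMPLE_3": ("log_min_error_statement", {"error", "log", "fatal", "panic"}),
    "CKV_GCP_EXAMPLE_4": ("cloudsql.enable_pgaudit", {"on"}),
}


def _scalar(value: Any) -> Any:
    """Unwrap the one-element list the parser puts around scalar attributes."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def declared_flags(conf: dict) -> dict[str, str]:
    """Collect settings.database_flags as {name: value}, lower-cased, skipping
    malformed entries (for example unresolved variables that are not strings)."""
    flags: dict[str, str] = {}
    for settings in conf.get("settings", []):
        if not isinstance(settings, dict):
            continue
        for flag in settings.get("database_flags", []):
            if not isinstance(flag, dict):
                continue
            name, value = _scalar(flag.get("name")), _scalar(flag.get("value"))
            if isinstance(name, str) and isinstance(value, str):
                flags[name] = value.lower()
    return flags


def effective_flag(conf: dict, flag: str) -> str:
    """The value the instance actually runs with: declared, else the default."""
    return declared_flags(conf).get(flag, GCP_DEFAULTS[flag])


def evaluate(conf: dict, flag: str, accepted: set[str]) -> Result:
    version = _scalar(conf.get("database_version"))
    if not isinstance(version, str) or not version.startswith("POSTGRES"):
        return Result.UNKNOWN
    return Result.PASSED if effective_flag(conf, flag) in accepted else Result.FAILED


def run_policies(conf: dict) -> dict[str, Result]:
    return {cid: evaluate(conf, flag, ok) for cid, (flag, ok) in POLICIES.items()}


# Constructed resource configurations (not taken from the PR).
HARDENED = {
    "name": ["pg-main"],
    "database_version": ["POSTGRES_14"],
    "settings": [{
        "tier": ["db-custom-2-7680"],
        "database_flags": [
            {"name": ["log_statement"], "value": ["ddl"]},
            {"name": ["log_hostname"], "value": ["on"]},
            {"name": ["log_min_error_statement"], "value": ["ERROR"]},
            {"name": ["cloudsql.enable_pgaudit"], "value": ["on"]},
        ],
    }],
}
# No flags declared at all: the provider defaults decide the outcome.
DEFAULTS_ONLY = {"name": ["pg-dev"], "database_version": ["POSTGRES_14"],
                 "settings": [{"tier": ["db-f1-micro"]}]}
MYSQL = {"name": ["my-db"], "database_version": ["MYSQL_8_0"],
         "settings": [{"tier": ["db-f1-micro"]}]}

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("defaults-only", DEFAULTS_ONLY), ("mysql", MYSQL)):
        print(label, {cid: r.value for cid, r in run_policies(conf).items()})
```

Running it shows why the defaults matter: the instance with no flags fails three of the four policies but passes `log_min_error_statement`, because Cloud SQL's default of `error` already satisfies the CIS requirement. Non-PostgreSQL engines come back `UNKNOWN` rather than `FAILED`, so a MySQL instance is not flagged for a flag it cannot set.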
@gruebel @JamesWoolfenden is this PR something that would be of interest?
hey @losisin yeah definitely great work 🚀 I just need to find some time to go through them all 😄 next time it would be better to split the PR into 2 or 4 PRs then reviewing is also faster.
@gruebel next time will do!
I agree 💯 although my python skills are very humble :). If you refer to something like this, I would be definitely interested. Same PR or we merge this one and then refactor all gcp postgres checks at slower pace?
Just wanted to say thank you for including the benchmark!
@gruebel is the latest commit what you had in mind?
I really don't understand how this is possible? It's work in progress in my own branch in a fork of this repository. What on earth is going on?
```
=================================== FAILURES ===================================
_______________ TestScannerRegistry.test_non_colliding_check_ids _______________
[gw1] linux -- Python 3.8.13 /home/runner/.local/share/virtualenvs/checkov-_hkiHoFg/bin/python

self = <tests.terraform.test_scanner_registry.TestScannerRegistry testMethod=test_non_colliding_check_ids>

    def test_non_colliding_check_ids(self):
        check_id_check_class_map = {}
        for (resource_type, checks) in registry.checks.items():
            for check in checks:
                check_id_check_class_map.setdefault(check.id, []).append(check)
        for check_id, check_classes in check_id_check_class_map.items():
>           self.assertEqual(len(set(check_classes)), 1,"collision on check_id={}".format(check_id))
E           AssertionError: 2 != 1 : collision on check_id=CKV_GCP_107

tests/terraform/test_scanner_registry.py:27: AssertionError
_________________ TestRunnerValid.test_check_ids_dont_collide __________________
[gw0] linux -- Python 3.8.13 /home/runner/.local/share/virtualenvs/checkov-_hkiHoFg/bin/python

self = <tests.terraform.runner.test_runner.TestRunnerValid testMethod=test_check_ids_dont_collide>

    def test_check_ids_dont_collide(self):
        runner = Runner()
        unique_checks = {}
        bad_checks = []
        for registry in list(runner.block_type_registries.values()):
            checks = [check for entity_type in list(registry.checks.values()) for check in entity_type]
            for check in checks:
                if check.id not in unique_checks:
                    unique_checks[check.id] = check
                elif check != unique_checks[check.id]:
                    # A single check can have multiple resource blocks it checks, which means it will show up multiple times in the registry
                    bad_checks.append(f'{check.id}: {check.name}')
                    print(f'{check.id}: {check.name}')
>       self.assertEqual(len(bad_checks), 0, f'Bad checks: {bad_checks}')
E       AssertionError: 2 != 0 : Bad checks: ['CKV_GCP_107: Cloud functions should not be public', 'CKV_GCP_107: Cloud functions should not be public']
```
Can someone help me out?
Hi aleks,

Your check id has been used up by a new check that was already merged but not yet in your branch. Merge with master and pick a new check id that isn't in use yet and you'll be golden. This happens all the time, especially if your PR takes a while to get merged.

James
On Tue, 27 Sept 2022 at 07:18, Aleksandar Stojanov wrote:
> I really don't understand how this is possible? It's work in progress in my own branch in a fork of this repository. What on earth is going on?
> [...]
> Can someone help me out?
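The two failing tests above encode the same rule from two angles: one check class may legitimately sit under several resource types, but two different classes must never share an ID. The root cause here is the usual one for long-lived branches, an ID chosen in the fork that master has since handed to another check. The following is an added example written for this page, not checkov's own test code or tooling. It reproduces the collision rule over a registry shaped like `registry.checks` (resource type to list of checks), computes the next free number for a prefix the way a contributor would after merging master, and pulls `id = "CKV_..."` assignments out of check source so the same logic can be run over a checks directory. The registry contents, class names and source snippet are constructed for the demonstration.

```python
"""Find checkov check-ID collisions and the next free ID for a prefix.
Added example, not checkov's own test code; registry and source text below
are constructed for the demonstration."""
from __future__ import annotations

import re
from collections import defaultdict

# checkov IDs look like CKV_GCP_107 or CKV2_AWS_12: a prefix, then a number.
ID_RE = re.compile(r"^(CKV2?_[A-Z0-9]+)_(\d+)$")
# Matches the `id = "CKV_..."` assignment inside a check class's __init__.
SOURCE_ID_RE = re.compile(r"""\bid\s*=\s*["'](CKV2?_[A-Z0-9]+_\d+)["']""")


def find_collisions(registry: dict[str, list[tuple[str, str]]]) -> dict[str, list[str]]:
    """registry maps resource_type -> [(check_id, check_class), ...].
    One class registered for several resource types is fine (the same object
    appears once per type); two different classes on one ID is a collision."""
    classes_by_id: dict[str, set[str]] = defaultdict(set)
    for checks in registry.values():
        for check_id, check_class in checks:
            classes_by_id[check_id].add(check_class)
    return {cid: sorted(cls) for cid, cls in classes_by_id.items() if len(cls) > 1}


def next_free_id(check_ids, prefix: str = "CKV_GCP") -> str:
    """One above the highest number already taken for prefix. Gaps are not
    reused on purpose: a gap may be an ID already claimed by an open PR."""
    used = set()
    for check_id in check_ids:
        m = ID_RE.match(check_id)
        if m and m.group(1) == prefix:
            used.add(int(m.group(2)))
    return f"{prefix}_{max(used, default=0) + 1}"


def ids_in_source(source: str) -> list[str]:
    """Pull check IDs out of Python source, for scanning a checks directory."""
    return SOURCE_ID_RE.findall(source)


def all_ids(registry: dict[str, list[tuple[str, str]]]) -> list[str]:
    return [cid for checks in registry.values() for cid, _ in checks]


# Constructed registry: CKV_GCP_107 was taken on master by a Cloud Functions
# check while the fork still used it for a new PostgreSQL check.
REGISTRY = {
    "google_cloudfunctions_function": [("CKV_GCP_107", "CloudFunctionsPublic")],
    "google_cloudfunctions2_function": [("CKV_GCP_107", "CloudFunctionsPublic")],
    "google_sql_database_instance": [
        ("CKV_GCP_106", "CloudSqlLogMinMessages"),
        ("CKV_GCP_107", "CloudSqlLogStatement"),  # the fork's stale choice
    ],
}

# Constructed source text in the shape of a checkov check module.
SOURCE = '''
class CloudSqlLogStatement(BaseResourceCheck):
    def __init__(self):
        name = "Ensure GCP PostgreSQL logs SQL statements"
        id = "CKV_GCP_107"
        super().__init__(name=name, id=id, categories=[CheckCategories.LOGGING],
                         supported_resources=["google_sql_database_instance"])
'''

if __name__ == "__main__":
    print("collisions:", find_collisions(REGISTRY))
    print("next free:", next_free_id(all_ids(REGISTRY)))
    print("ids in source:", ids_in_source(SOURCE))
```

`find_collisions` reports `CKV_GCP_107` once, naming both classes, while the Cloud Functions check registered under two resource types is not reported, which is exactly the distinction the `check != unique_checks[check.id]` branch in the failing test makes. `next_free_id` is only meaningful after the branch has been rebased on master; computed against a stale fork it will hand back a number master may already have used.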