
Support Pulumi

Open thewizarodofoz opened this issue 5 years ago • 14 comments

Great job on this tool guys. Do you have plans to support Pulumi?

thewizarodofoz avatar Sep 13 '20 10:09 thewizarodofoz

@thewizarodofoz This is definitely doable :) And would accept a contribution. I'd love to discuss more and give guidance on it if you'd like at https://slack.bridgecrew.io/

schosterbarak avatar Sep 15 '20 06:09 schosterbarak

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Mar 23 '21 20:03 stale[bot]

Hey, this would still be really nice to have? I could check about the guidance on how to implement it; I'm just a bit concerned about how big the scope will be. I can contribute, but I don't really have that much time.

GaboFDC avatar Mar 24 '21 21:03 GaboFDC

Hey @GaboFDC! Thanks for jumping in here to 'unstale' this issue :) Any time at all is much appreciated. I've added the help wanted tag too, lets see if we can create a little Pulumi team!

metahertz avatar Mar 24 '21 22:03 metahertz

Hey @metahertz Is this project active? I would like to contribute.

spaceoddite avatar Oct 26 '21 12:10 spaceoddite

Hey @spaceoddite it certainly is active! We've had a crazy month of contributions with Hacktoberfest!

There's been some conversation internally about how we'd go about supporting Pulumi (which we'd very much like to, and any contributions would be awesome!).

Possibly the easiest implementation would be if Pulumi allowed rendering of the "resultant infrastructure" out into a more schema'd language (Terraform, CloudFormation etc.); then we could run against those existing Checkov frameworks with some logic to annotate the original Pulumi code with the original location of the failed policies. This is very similar to how we support Helm, rendering out the chart to the resultant Kubernetes manifests and then passing them through the Kubernetes policies.

Are you a Pulumi user? Would love any insights or thoughts on this :)

metahertz avatar Oct 26 '21 13:10 metahertz

@metahertz Glad to hear about the support :) We can get the infra using the "pulumi stack export" cmd, but this is available only after deployment. Another way could be using the "pulumi preview -j" cmd; this gives output in JSON format. Some logic would be needed to convert this into existing Checkov frameworks.

spaceoddite avatar Oct 26 '21 17:10 spaceoddite

Ooh, that sounds interesting with preview -j, especially if there's a documented schema for that output!

metahertz avatar Oct 27 '21 09:10 metahertz

Hi, I have a sample output of preview -j for this example, azure-py-webserver, as a GitHub gist here. The code creates a virtual machine and other related resources like a vnet and public IP, and starts a simple webserver. This code is written in Python, but the output should be the same when written in Go or TS. I will look into whether this output has any documentation.

spaceoddite avatar Oct 27 '21 13:10 spaceoddite

@metahertz @schosterbarak I did more digging and found that Pulumi has a policy-as-code module, CrossGuard. An example implementation of checking public access for an S3 bucket is here: example. Can we automate this to have all Checkov policies someway?

spaceoddite avatar Oct 29 '21 05:10 spaceoddite
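The two ideas raised above, reading "pulumi preview -j" / "pulumi stack export" output and applying a public-S3-bucket rule like the CrossGuard example, can be tried together with a small scanner. The following is an added example written for this thread, not code from Checkov or Pulumi. It assumes the preview JSON carries a top-level "steps" list whose entries have "op" and "newState" with "type" and "inputs", and that a stack export carries "deployment.resources" with "type" and "inputs"; both samples below are constructed by hand to that assumed layout, and the check ID is made up. Verify the field names against the JSON your Pulumi version actually prints before relying on it.

```python
import json
from typing import Iterator, Optional, Tuple

# Constructed sample shaped like `pulumi preview --json` output. The
# "steps" / "op" / "newState.type" / "newState.inputs" layout is an
# assumption about that command's output, not taken from Pulumi docs.
SAMPLE_PREVIEW = json.dumps({
    "steps": [
        {"op": "same",
         "urn": "urn:pulumi:dev::demo::pulumi:pulumi:Stack::demo-dev",
         "newState": {"type": "pulumi:pulumi:Stack", "inputs": {}}},
        {"op": "create",
         "urn": "urn:pulumi:dev::demo::aws:s3/bucket:Bucket::logs",
         "newState": {"type": "aws:s3/bucket:Bucket",
                      "inputs": {"acl": "public-read"}}},
        {"op": "create",
         "urn": "urn:pulumi:dev::demo::aws:s3/bucket:Bucket::private",
         "newState": {"type": "aws:s3/bucket:Bucket",
                      "inputs": {"acl": "private"}}},
        # Constructed placeholder for an input not known until deploy time.
        {"op": "create",
         "urn": "urn:pulumi:dev::demo::aws:s3/bucket:Bucket::computed",
         "newState": {"type": "aws:s3/bucket:Bucket",
                      "inputs": {"acl": {"computed": True}}}},
    ],
    "changeSummary": {"create": 3, "same": 1},
})

# Constructed sample shaped like `pulumi stack export` output (assumed layout:
# "deployment.resources", each with "urn", "type", "inputs", "outputs").
SAMPLE_EXPORT = json.dumps({
    "version": 3,
    "deployment": {"resources": [
        {"urn": "urn:pulumi:dev::demo::aws:s3/bucket:Bucket::logs",
         "type": "aws:s3/bucket:Bucket",
         "inputs": {"acl": "public-read-write"},
         "outputs": {"arn": "arn:aws:s3:::logs"}},
    ]},
})

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def check_s3_acl_not_public(inputs: dict) -> Optional[bool]:
    """Hypothetical check in the spirit of the CrossGuard S3 example: a bucket
    whose canned ACL grants public access fails. Returns None when the ACL is
    not a plain string (computed at deploy time), so a preview-time scan never
    silently passes a value it cannot see."""
    acl = inputs.get("acl", "private")
    if not isinstance(acl, str):
        return None
    return acl not in PUBLIC_ACLS


# Registry keyed by Pulumi type token; the check ID is invented for this example.
CHECKS = {"aws:s3/bucket:Bucket": [("EX_S3_ACL_NOT_PUBLIC", check_s3_acl_not_public)]}


def resources_from_preview(doc: dict) -> Iterator[Tuple[str, str, dict]]:
    """Resources the preview would leave in place: skip deletes, read newState."""
    for step in doc.get("steps", []):
        if step.get("op") == "delete":
            continue
        state = step.get("newState") or {}
        yield step.get("urn", ""), state.get("type", ""), state.get("inputs") or {}


def resources_from_export(doc: dict) -> Iterator[Tuple[str, str, dict]]:
    """Resources already deployed, as recorded in the exported stack state."""
    for res in doc.get("deployment", {}).get("resources", []):
        yield res.get("urn", ""), res.get("type", ""), res.get("inputs") or {}


def scan(raw_json: str) -> list:
    """Run every registered check over a preview or an export document and
    return Checkov-style findings: one dict per (resource, check)."""
    doc = json.loads(raw_json)
    source = resources_from_preview(doc) if "steps" in doc else resources_from_export(doc)
    findings = []
    for urn, rtype, inputs in source:
        for check_id, fn in CHECKS.get(rtype, []):
            verdict = fn(inputs)
            result = "UNKNOWN" if verdict is None else ("PASSED" if verdict else "FAILED")
            findings.append({"urn": urn, "check_id": check_id, "result": result})
    return findings


def summarize(findings: list) -> dict:
    counts = {"PASSED": 0, "FAILED": 0, "UNKNOWN": 0}
    for f in findings:
        counts[f["result"]] += 1
    return counts


if __name__ == "__main__":
    for name, raw in (("preview", SAMPLE_PREVIEW), ("export", SAMPLE_EXPORT)):
        results = scan(raw)
        for f in results:
            print(f"{f['result']:8} {f['check_id']} {f['urn']}")
        print(name, summarize(results))
```

Feeding a real run would look like `pulumi preview --json > preview.json` and then `scan(open("preview.json").read())`. The UNKNOWN verdict is the part worth keeping whichever route is chosen: at preview time some inputs are computed from other resources' outputs, and a scanner that treats those as passing would hide exactly the misconfigurations that only appear after deployment.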

Any updates on this? My org is migrating to Pulumi and it would be incredibly helpful for us.

paige-wdc avatar May 18 '22 17:05 paige-wdc

Would be really good to get this support added as my org are currently using Pulumi but haven't implemented any policy validation yet.

joshrichards37 avatar May 18 '22 19:05 joshrichards37

This would be very nice to have! I would love to contribute to this!

JustJordanT avatar May 23 '22 14:05 JustJordanT

hi, I would love to contribute as well. A starting point of exploration would be policy as code module of pulumi - https://www.pulumi.com/docs/guides/crossguard/

spaceoddite avatar May 24 '22 07:05 spaceoddite

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Nov 20 '22 13:11 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Dec 05 '22 00:12 stale[bot]

I think we could reopen this, a highly requested feature X)

WP-LKL avatar Dec 05 '22 09:12 WP-LKL

It's a shame these obnoxious bots go around closing Issues that aren't actually closed.

jmcvetta avatar Sep 20 '23 04:09 jmcvetta

Would be nice to have!

DaniWS avatar Nov 23 '23 17:11 DaniWS

Could this be reopened?

dulakm avatar Jan 23 '24 11:01 dulakm

Hi all, also we are starting to use Pulumi and I think the tool is getting a really decent traction, this should be reopened

juancho088 avatar Feb 25 '24 16:02 juancho088