checkov icon indicating copy to clipboard operation
checkov copied to clipboard
verified publisher icon bridgecrewio

Couldn't execute Custom Python Policy in Checkov

Open ghost opened this issue 2 years ago • 1 comments

Describe the issue: I have tried to scan a custom python policy that checks if a S3 bucket has SSL configured. I used the following Python script and added an init.py file into the custom checks folder. When I try to run a scan, I'm receiving the following error regarding the python file. Could you please tell me how to resolve this issue?

Python script:

from __future__ import annotations
from checkov.common.models.enums import CheckCategories
from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
import yaml

class S3_SSL(BaseResourceCheck):
    def __init__(self,file):
        name = "S3 is securely connected to SSL"
        id = "CKV_S3_CUSTOM1"
        supported_resources = ("aws_s3_instance")
        categories = (CheckCategories.ENCRYPTION)
        self.file = file
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
       with open(conf, 'r') as f:
         yaml_data =  yaml.safe_load(f)
         find_key_recursive(yaml_data, 'aws:SecureTransport')

           
def find_key_recursive(adict, key):
    for k, v in adict.items():
        print(k)
        if k == 'aws:SecureTransport' and adict[k] == 'true': 
            print ("SSL is configured")
        elif k == 'aws:SecureTransport' and adict[k] == 'false':
            print("SSL is not configured")
        if type(v) is dict:
            next_loop = find_key_recursive(v, key)
        elif isinstance(v,list):
            for item in v:
                if isinstance(item, dict):
                    next_loop = find_key_recursive(item, key)
           


check = S3_SSL()

Contents of init.py file:

from os.path import dirname, basename, isfile, join
import glob

modules = glob.glob(join(dirname(__file__), "*.py"))
__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith("__init__.py")]

Output Error: [ERROR] Cannot load external check 'S3-SSLEncryption' from ./checkov-custom-checks/S3-SSLEncryption.py Traceback (most recent call last): File "/Users/Python/3.11/lib/python/site-packages/checkov/common/checks/base_check_registry.py", line 211, in load_external_checks spec.loader.exec_module(module) # type: ignore[union-attr] # loader can't be None here ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "", line 940, in exec_module File "", line 241, in _call_with_frames_removed File "/Users/Iac/./checkov-custom-checks/S3-SSLEncryption.py", line 38, in check = S3_SSL() ^^^^^^^^ TypeError: S3_SSL.init() missing 1 required positional argument: 'file'

ghost avatar Mar 06 '24 23:03 ghost

I have similar issue when using a custom created policy written in Python. In the custom check I am importing a function from a different place in the project and Checkov cannot resolve the import. I see ModuleNotFoundError but also the spec.loader.exec_module(module) # type: ignore[union-attr] # loader can't be None here

SebastianBalle avatar May 15 '24 08:05 SebastianBalle

The user of the author has been deleted so I assume this issue is no longer needed. @SebastianBalle , please create a new issue if it is still relevant. The issues are probably unrelated. Thanks.

Saarett avatar Jul 01 '24 23:07 Saarett