checkov
checkov copied to clipboard
bridgecrewio
Sometimes provsioners are passed in a mangled form to `scan_resource_conf`
Describe the issue
Terraform provisioners are sometimes passed in a "mangled" form to the scan_resource_conf method.
Examples Try running the following policy:
from typing import Dict, Any
from checkov.common.typing import _SkippedCheck, _CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
CHECK_ID = "NO_LOCAL_EXEC_PROVISIONERS"
class ForbidLocalExecProvisioners(BaseResourceCheck):
def __init__(self):
id = CHECK_ID
name = "Forbid all local-exec provisioners"
supported_resources = ['*']
categories = [CheckCategories.SUPPLY_CHAIN, CheckCategories.GENERAL_SECURITY]
guideline = "https://some-docuementation.com/wiki/spaces/DE/pages/5409898650/Checkov#Forbid-all-local-exec-provisioners"
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline)
def scan_resource_conf(self, conf):
if 'provisioner' not in conf:
return CheckResult.PASSED
if not any('local-exec' in p for p in conf['provisioner']):
return CheckResult.PASSED
return CheckResult.FAILED
check = ForbidLocalExecProvisioners()
against the resource below.
terraform {
required_providers {
okta = {
source = "okta/okta"
version = "~> 4.0"
}
}
}
resource "okta_group_rule" "service_accounts" {
name = "Service Accounts"
status = "ACTIVE"
expression_type = "urn:okta:expression:1.0"
expression_value = "user.firstName == \"svc\""
group_assignments = [ 1234 ]
provisioner "local-exec" {
program = ["ls"]
}
}
The policy passes, when it should fail. Normally, we should be able to retrieve the provisioner with conf['provisoner'] but in this case it will be under the conf['provisioner/local-exec'] key.
Version (please complete the following information):
- Checkov Version: 3.2.471
