How to use the checkov.terraform.models.enums.CheckResult.FAILED function in checkov

To help you get started, we’ve selected a few checkov examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github bridgecrewio / checkov / tests / terraform / checks / resource / gcp / test_TestGoogleComputeFirewallUnrestrictedIngress22.py View on Github external
def test_failure(self):
        resource_conf = {'name': ['${var.name}-${var.region}-mesos-ssh'],
                         'network': ['${google_compute_network.mesos-global-net.name}'],
                         'allow': [{'protocol': ['tcp'], 'ports': [[PORT]]}], 'target_tags': [['ssh']],
                         'source_ranges': [['0.0.0.0/0']]}

        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)
github bridgecrewio / checkov / tests / terraform / checks / resource / aws / test_SagemakerEncryption.py View on Github external
def test_failure(self):
        resource_conf = {'name': ['my-notebook-instance'], 'role_arn': ['${aws_iam_role.role.arn}'],
                         'instance_type': ['ml.t2.medium']}
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)
github bridgecrewio / checkov / tests / terraform / checks / resource / gcp / test_GoogleContainerNodePoolAutoUpgradeEnabled.py View on Github external
def test_failure(self):
        resource_conf = {'cluster': [''], 'management': [{}]}

        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)
github bridgecrewio / checkov / tests / terraform / checks / resource / aws / test_LaunchConfigurationEBSEncryption.py View on Github external
def test_failure(self):
        resource_conf = {'image_id': ['ami-123'], 'instance_type': ['t2.micro'],
                         'root_block_device': [{'encrypted': [False]}]}
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)
github bridgecrewio / checkov / tests / terraform / checks / resource / aws / test_SecurityGroupUnrestrictedIngress22.py View on Github external
def test_failure(self):
        resource_conf = {'name': ['foo'],
                         'vpc_id': ['${var.vpc_id}'], 'ingress': [
                {'from_port': [22], 'to_port': [22], 'protocol': ['TCP'], 'cidr_blocks': [['0.0.0.0/0']]},
                {'from_port': [443], 'to_port': [443], 'protocol': ['TCP'], 'cidr_blocks': [['0.0.0.0/0']]}],
                         'egress': [
                             {'from_port': [0], 'to_port': [0], 'protocol': ['-1'], 'cidr_blocks': [['0.0.0.0/0']]}]
                        }

        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)
github bridgecrewio / checkov / checkov / terraform / checks / resource / azure / AzureManagedDiscEncryption.py View on Github external
def scan_resource_conf(self, conf):
        """
            Looks for password configuration at azure_instance:
            https://www.terraform.io/docs/providers/azure/r/instance.html
        :param conf: azure_instance configuration
        :return: 
        """
        if 'encryption_settings' in conf.keys():
            config = conf['encryption_settings'][0]
            if config['enabled'] ==[False]:
                return CheckResult.FAILED
        return CheckResult.PASSED
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / PasswordPolicyExpiration.py View on Github external
def scan_resource_conf(self, conf):
        """
            validates iam password policy
            https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
        :param conf: aws_iam_account_password_policy configuration
        :return: 
        """
        key = 'max_password_age'
        if key in conf.keys():
            if conf[key][0] >= 90:
                return CheckResult.PASSED
        return CheckResult.FAILED
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / SecurityGroupUnrestrictedIngress22.py View on Github external
def scan_resource_conf(self, conf):
        """
            Looks for configuration at security group ingress rules :
            https://www.terraform.io/docs/providers/aws/r/security_group.html
        :param conf: aws_security_group configuration
        :return: 
        """
        if 'ingress' in conf.keys():
            ingress_conf = conf['ingress']
            for rule in ingress_conf:
                if rule['from_port'] == [PORT] and rule['to_port'] == [PORT] and rule['cidr_blocks'] == [[
                    "0.0.0.0/0"]] and 'self' not in rule.keys() and 'security_groups' not in rule.keys():
                    return CheckResult.FAILED

        return CheckResult.PASSED
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / PasswordPolicyReuse.py View on Github external
def scan_resource_conf(self, conf):
        """
            validates iam password policy
            https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
        :param conf: aws_iam_account_password_policy configuration
        :return: 
        """
        key = 'password_reuse_prevention'
        if key in conf.keys():
            if conf[key][0] >= 24:
                return CheckResult.PASSED
        return CheckResult.FAILED
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / S3Encryption.py View on Github external
def scan_resource_conf(self, conf):
        """
            Looks for encryption configuration at aws_s3_bucket:
            https://www.terraform.io/docs/providers/aws/r/s3_bucket.html
        :param conf: aws_s3_bucket configuration
        :return: 
        """
        if 'server_side_encryption_configuration' in conf.keys():
            sse_block = conf['server_side_encryption_configuration']
            if 'rule' in sse_block[0].keys():
                rule_block = sse_block[0]['rule']
                if 'apply_server_side_encryption_by_default' in rule_block[0].keys():
                    encryption_block = rule_block[0]['apply_server_side_encryption_by_default']
                    if  'sse_algorithm' in encryption_block[0].keys():
                        return CheckResult.PASSED
        return CheckResult.FAILED

checkov

Infrastructure as code static analysis

Apache-2.0
Latest version published 22 hours ago

Package Health Score

97 / 100
Full package analysis