How to use the checkov.terraform.checks.resource.base_check.BaseResourceCheck function in checkov

To help you get started, we’ve selected a few checkov examples, based on popular ways it is used in public projects. Each listing below is truncated after the opening lines of its `scan_resource_conf` method; follow the linked file for the complete check logic before relying on any of them.


github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / PasswordPolicyLowercaseLetter.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class PasswordPolicyLowercaseLetter(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_11 for ``aws_iam_account_password_policy`` (IAM category).

        The account password policy is a single, account-wide resource; the
        ``require_lowercase_characters`` attribute is what ``scan_resource_conf`` reads.
        """
        super().__init__(
            name="Ensure IAM password policy requires at least one lowercase letter",
            id="CKV_AWS_11",
            categories=[CheckCategories.IAM],
            supported_resources=["aws_iam_account_password_policy"],
        )

    def scan_resource_conf(self, conf):
        """
            validates iam password policy
            https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
        :param conf: aws_iam_account_password_policy configuration
        :return: 
        """
        key = 'require_lowercase_characters'
        if key in conf.keys():
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / SNSTopicEncryption.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class SNSTopicEncryption(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_26 (SNS topic encrypted at rest) for ``aws_sns_topic``."""
        super().__init__(
            name="Ensure all data stored in the SNS topic is encrypted",
            id="CKV_AWS_26",
            categories=[CheckCategories.ENCRYPTION],
            supported_resources=["aws_sns_topic"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for encryption configuration at aws_sns_topic:
            https://www.terraform.io/docs/providers/aws/r/sns_topic.html
        :param conf: aws_s3_bucket configuration
        :return: 
        """
        if 'kms_master_key_id' in conf.keys():
            if conf['kms_master_key_id']:
github bridgecrewio / checkov / checkov / terraform / checks / resource / gcp / GoogleContainerClusterMonitoringEnabled.py View on Github external
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
from checkov.terraform.models.enums import CheckResult, CheckCategories


class GoogleContainerClusterMonitoringEnabled(BaseResourceCheck):
    def __init__(self):
        """Register CKV_GCP_8 (Stackdriver Monitoring enabled) for ``google_container_cluster``.

        Filed under LOGGING: the check looks at ``monitoring_service`` and treats the
        literal value ``"none"`` as monitoring switched off.
        """
        super().__init__(
            name="Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters",
            id="CKV_GCP_8",
            categories=[CheckCategories.LOGGING],
            supported_resources=["google_container_cluster"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for monitoring configuration on google_container_cluster:
            https://www.terraform.io/docs/providers/google/r/container_cluster.html
        :param conf: google_container_cluster configuration
        :return: 
        """
        if 'monitoring_service' in conf:
            if conf['monitoring_service'][0] == "none":
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / SQSQueueEncryption.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class SQSQueueEncryption(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_27 (SQS queue encrypted at rest) for ``aws_sqs_queue``.

        The check name below carries a double space before "is"; it is reproduced
        verbatim because the name is part of the check's reported output.
        """
        super().__init__(
            name="Ensure all data stored in the SQS queue  is encrypted",
            id="CKV_AWS_27",
            categories=[CheckCategories.ENCRYPTION],
            supported_resources=["aws_sqs_queue"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for encryption configuration at aws_sqs_queue:
            https://www.terraform.io/docs/providers/aws/r/sqs_queue.html
        :param conf: aws_s3_bucket configuration
        :return: 
        """
        if 'kms_master_key_id' in conf.keys():
            if conf['kms_master_key_id']:
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / SagemakerEncryption.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class SagemakerEncryption(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_22 (notebook storage encrypted at rest) for ``aws_sagemaker_notebook_instance``."""
        super().__init__(
            name="Ensure all data stored in the Sagemaker is securely encrypted at rest",
            id="CKV_AWS_22",
            categories=[CheckCategories.ENCRYPTION],
            supported_resources=["aws_sagemaker_notebook_instance"],
        )

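    def scan_resource_conf(self, conf):
        """
            Looks for a KMS key on aws_sagemaker_notebook_instance:
            https://www.terraform.io/docs/providers/aws/r/sagemaker_notebook_instance.html
        :param conf: aws_sagemaker_notebook_instance configuration
        :return: CheckResult.PASSED when ``kms_key_id`` is present, CheckResult.FAILED otherwise
        """
        # Only the presence of the attribute is tested; the value itself is not
        # inspected, so an empty or unresolved reference still passes.  That matches
        # the level of strictness of the sibling encryption checks in this package.
        if 'kms_key_id' in conf.keys():
            return CheckResult.PASSED
        # A missing key means no customer-managed encryption is configured: report
        # that explicitly instead of falling off the end and returning None.
        return CheckResult.FAILED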
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / RDSPubliclyAccessible.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class RDSPubliclyAccessible(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_17 (no publicly reachable RDS instance) for DB and cluster instances.

        The check name says "RDS bucket" although RDS has no buckets; it is kept
        verbatim because it is what the check reports.  Both ``aws_db_instance`` and
        ``aws_rds_cluster_instance`` expose ``publicly_accessible``, which is the
        attribute ``scan_resource_conf`` reads.
        """
        super().__init__(
            name="Ensure all data stored in the RDS bucket is not public accessible",
            id="CKV_AWS_17",
            categories=[CheckCategories.NETWORKING],
            supported_resources=["aws_db_instance", "aws_rds_cluster_instance"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for publicly_accessible configuration at aws_db_instance:
            https://www.terraform.io/docs/providers/aws/d/db_instance.html
        :param conf: publicly_accessible configuration
        :return: 
        """
        if 'publicly_accessible' in conf.keys():
            key = conf['publicly_accessible'][0]
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / SecurityGroupRuleDescription.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class SecurityGroupRuleDescription(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_23 (security group rules carry a description) for the SG resource family.

        NOTE(review): the visible part of ``scan_resource_conf`` only reads a top-level
        ``description`` key.  For ``aws_security_group`` the per-rule descriptions live
        inside the ``ingress``/``egress`` blocks; confirm against the full file whether
        those are inspected, since the check name promises "every ... rule".
        """
        super().__init__(
            name="Ensure every security groups rule has a description",
            id="CKV_AWS_23",
            categories=[CheckCategories.NETWORKING],
            supported_resources=[
                "aws_security_group",
                "aws_security_group_rule",
                "aws_db_security_group",
                "aws_elasticache_security_group",
                "aws_redshift_security_group",
            ],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for description at security group  rules :
            https://www.terraform.io/docs/providers/aws/r/security_group.html
        :param conf: aws_security_group configuration
        :return: 
        """
        if 'description' in conf.keys():
github bridgecrewio / checkov / checkov / terraform / checks / resource / gcp / GoogleComputeFirewallUnrestrictedIngress3389.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck

# RDP.  scan_resource_conf tests `PORT in conf['allow'][0]['ports'][0]`, i.e. a
# containment test against the first ports entry of the first allow block only;
# a port range such as "3000-4000" or an allow block with no `ports` is not
# something that expression accounts for -- confirm against the full file.
PORT = "3389"


class GoogleComputeFirewallUnrestrictedIngress22(BaseResourceCheck):
    def __init__(self):
        """Register CKV_GCP_3 (no unrestricted RDP ingress) for ``google_compute_firewall``.

        NOTE(review): this file is GoogleComputeFirewallUnrestrictedIngress3389.py, yet
        the class is named ``GoogleComputeFirewallUnrestrictedIngress22`` -- the same
        name as the SSH check.  The check id and name are distinct so registration
        still works, but the class should be renamed to avoid confusion.
        """
        super().__init__(
            name="Ensure Google compute firewall ingress does not allow unrestricted rdp access",
            id="CKV_GCP_3",
            categories=[CheckCategories.NETWORKING],
            supported_resources=["google_compute_firewall"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for password configuration at google_compute_firewall:
            https://www.terraform.io/docs/providers/google/r/compute_firewall.html
        :param conf: azure_instance configuration
        :return: 
        """
        if PORT in conf['allow'][0]['ports'][0]:
            if 'source_ranges' in conf.keys():
github bridgecrewio / checkov / checkov / terraform / checks / resource / gcp / GoogleComputeFirewallUnrestrictedIngress22.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck

# SSH.  scan_resource_conf tests `PORT in conf['allow'][0]['ports'][0]`, a
# containment test against the first ports entry of the first allow block only;
# "22" is also contained in "220" or "2222", and a range such as "20-30" is not
# matched by that expression -- confirm against the full file.
PORT = "22"


class GoogleComputeFirewallUnrestrictedIngress22(BaseResourceCheck):
    def __init__(self):
        """Register CKV_GCP_2 (no unrestricted SSH ingress) for ``google_compute_firewall``."""
        super().__init__(
            name="Ensure Google compute firewall ingress does not allow unrestricted ssh access",
            id="CKV_GCP_2",
            categories=[CheckCategories.NETWORKING],
            supported_resources=["google_compute_firewall"],
        )

    def scan_resource_conf(self, conf):
        """
            Looks for password configuration at google_compute_firewall:
            https://www.terraform.io/docs/providers/google/r/compute_firewall.html
        :param conf: azure_instance configuration
        :return: 
        """
        if PORT in conf['allow'][0]['ports'][0]:
            if 'source_ranges' in conf.keys():
github bridgecrewio / checkov / checkov / terraform / checks / resource / aws / PasswordPolicyExpiration.py View on Github external
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck


class PasswordPolicyExpiration(BaseResourceCheck):
    def __init__(self):
        """Register CKV_AWS_9 (passwords expire within 90 days) for ``aws_iam_account_password_policy``.

        ``scan_resource_conf`` reads ``max_password_age``; the 90-day bound is in the
        check name and is not configurable here.
        """
        super().__init__(
            name="Ensure IAM password policy expires passwords within 90 days or less",
            id="CKV_AWS_9",
            categories=[CheckCategories.IAM],
            supported_resources=["aws_iam_account_password_policy"],
        )

    def scan_resource_conf(self, conf):
        """
            validates iam password policy
            https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
        :param conf: aws_iam_account_password_policy configuration
        :return: 
        """
        key = 'max_password_age'
        if key in conf.keys():
