[
{
"path": ".cfnlintrc",
"content": "templates:\n - tests/cloudformation/checks/resource/aws/**/*.json\n - tests/cloudformation/checks/resource/aws/**/*.yaml\nignore_templates:\n - tests/cloudformation/checks/resource/aws/unused/*\n # https://github.com/aws-cloudformation/cfn-python-lint/issues/1577\n - tests/cloudformation/checks/resource/aws/example_AthenaWorkgroupConfiguration/*\n # added resource with Properties, which is not supported by cfn-lint\n - tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml\n # includes tests with booleans as strings\n - tests/cloudformation/checks/resource/aws/example_ECRImageScanning/*\n - tests/cloudformation/checks/resource/aws/example_ALBDropHttpHeaders/*\n - tests/cloudformation/checks/resource/aws/example_ELBv2AccessLogs/*\n - tests/cloudformation/checks/resource/aws/example_RedShiftSSL/*\n - tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/*\n - tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription/*\n - tests/cloudformation/checks/resource/aws/example_SecurityGroupRuleDescription\n - tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress22/SecurityGroupUnrestrictedIngress22-UNKNOWN.yaml\n - tests/cloudformation/checks/resource/aws/example_SecurityGroupUnrestrictedIngress80/SecurityGroupUnrestrictedIngress80-UNKNOWN.yaml\n - tests/cloudformation/checks/resource/*\n - tests/cloudformation/checks/resource/aws/example_IAMStarActionPolicyDocument/cfn_bad_iam_pass.yaml\n - tests/cloudformation/checks/resource/aws/example_IAMRoleAllowAssumeFromAccount/UNKNOWN.yml\n - tests/cloudformation/checks/resource/aws/example_cloudfrontDistribution/CloudfrontDistributionEncryption-UNKNOWN.yaml\n - tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-FAILED.yaml\nignore_checks:\n - W\n"
},
{
"path": ".coveragerc",
"content": "[run]\nbranch = True\n[report]\nomit =\n tests/*\n */.pytest_cache/*\n */.local/*\n docs/*\n hooks/*"
},
{
"path": ".dockerignore",
"content": "bin/\ncheckov/\ndocs/\nintegration_tests/\ntests/"
},
{
"path": ".flake8",
"content": "# can be moved to pyproject.toml some day\n# https://github.com/PyCQA/flake8/issues/234\n[flake8]\nmax-line-length = 120\n# E203,E501 don't work with black together\nignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909\nselect = C,E,F,W,B,B9,A,TC\nextend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*\n\n[flake8:local-plugins]\nextension =\n CCE = flake8_plugins.flake8_class_attributes_plugin.flake8_class_attributes.checker:ClassAttributesChecker\npaths =\n . flake8_plugins/flake8_class_attributes_plugin/flake8_class_attributes"
},
{
"path": ".github/ISSUE_TEMPLATE/best_practices_issue.md",
"content": "---\nname: Best practices improvement\nabout: Issues that will help achieve best practices using checkov.\ntitle: ''\nlabels: 'best practices'\nassignees: ''\n\n---\n\n**Describe the issue**\nIf it is related to an existing check, please note the relevant check ID.\nAlso, explain the logic for this addition / change.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Version (please complete the following information):**\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/checks_issue.md",
"content": "---\nname: Checks Issue\nabout: Create an issue regarding a check (existing or missing)\ntitle: ''\nlabels: 'checks'\nassignees: ''\n\n---\n\n**Describe the issue**\nIf it is related to an existing check, please note the relevant check ID.\nAlso, explain the logic for this addition / change.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Version (please complete the following information):**\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/crash_report.md",
"content": "---\nname: Crash report\nabout: Create an issue for cases causing checkov to crash\ntitle: ''\nlabels: 'crash'\nassignees: ''\n\n---\n\n**Describe the issue**\nExplain what you expected to happen when checkov crashed.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Exception Trace**\nPlease share the trace for the exception and all relevant output by checkov.\nTo maximize the understanding, please run checkov with LOG_LEVEL set to debug\nas follows:\n```sh\nLOG_LEVEL=DEBUG checkov ...\n```\n\n**Desktop (please complete the following information):**\n - OS: [e.g. iOS]\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here (e.g. code snippets).\n"
},
{
"path": ".github/ISSUE_TEMPLATE/feature_request.md",
"content": "---\nname: Feature request\nabout: Feature requests or requests for enhancements that are not bugs.\ntitle: ''\nlabels: 'contribution requested'\nassignees: ''\n\n---\n\n**Describe the feature**\n\nExplain the feature in detail. Note that feature requests are always reviewed, but prioritized based on popularity, effort, and impact. We also welcome contributions.\n\n**Examples**\n\nPlease share an example code sample (in the IaC of your choice) + expected inputs and outputs from Checkov + the expected outcomes.\n\n**Additional context**\n\nAdd any other context about the problem here.\n\n"
},
{
"path": ".github/ISSUE_TEMPLATE/graph_issue.md",
"content": "---\nname: Graph Issue\nabout: Create an issue regarding the graph creation and querying\ntitle: ''\nlabels: 'graph'\nassignees: ''\n\n---\n\n**Describe the issue**\nPlease explain what is missing or malfunctioning in the graph (creation or querying).\nAlso detail what is the expected behavior for this use case.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Desktop (please complete the following information):**\n - OS: [e.g. iOS]\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here (e.g. code snippets).\n"
},
{
"path": ".github/ISSUE_TEMPLATE/integrations_issue.md",
"content": "---\nname: Integrations Issue\nabout: Create an issue regarding the integration of checkov with other tools.\ntitle: ''\nlabels: 'integrations'\nassignees: ''\n\n---\n\n**Describe the issue**\nIf an existing integration is malfunctioning, please describe the current state and \nwhat you expect to be happening.\nFor new integrations, please share an example use case this integration will help \ncheckov support.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/languages_issue.md",
"content": "---\nname: Languages Issue\nabout: Create an issue regarding the frameworks and languages supported by checkov\ntitle: ''\nlabels: 'languages'\nassignees: ''\n\n---\n\n**Describe the issue**\nDescribe the framework / feature that is missing in a supported framework that you\nwould like to add and explain what the use case is.\n\n**Example Value**\nPlease share an example check / use case that this issue will allow checkov to support.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/noise_issue.md",
"content": "---\nname: Noise Issue\nabout: Create an issue regarding checkov's output and noise it generates.\ntitle: ''\nlabels: 'noise'\nassignees: ''\n\n---\n\n**Describe the issue**\nPlease explain the use case that leads to this noise being generated.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Version (please complete the following information):**\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/outputs_issue.md",
"content": "---\nname: Outputs Issue\nabout: Create an issue regarding checkov's output (addition or fix)\ntitle: ''\nlabels: 'outputs'\nassignees: ''\n\n---\n\n**Describe the issue**\nIf regarding an existing output (json, junit-xml etc.) please note what is the current state\nand what is the expected state. For new outputs - please describe the use case to add it.\n\n**Additional context**\nAdd any other context about the problem here.\n"
},
{
"path": ".github/ISSUE_TEMPLATE/skips_issue.md",
"content": "---\nname: Skipping Issue\nabout: Create an issue regarding checkov's skipping mechanism\ntitle: ''\nlabels: 'skips'\nassignees: ''\n\n---\n\n**Describe the issue**\nPlease explain the functionality that is missing for you, what you did and \nwhat was the actual output.\n\n**Examples**\nPlease share an example code sample (in the IaC of your choice) + the expected outcomes.\n\n**Version (please complete the following information):**\n - Checkov Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here.\n"
},
{
"path": ".github/PULL_REQUEST_TEMPLATE.md",
"content": "**By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.**\n\n[//]: # \"\n # PR Title\n We use the title to create changelog automatically and therefore only allow specific prefixes\n - break: to indicate a breaking change, this supersedes any of the other types\n - feat: to indicate new features or checks\n - fix: to indicate a bugfix or handling of edge cases of existing checks\n - docs: to indicate an update to our documentation\n - chore: to indicate adjustments to workflow files or dependency updates\n - platform: to indicate a change needed for the platform\n Each prefix should be accompanied by a scope that specifies the targeted framework. If uncertain, use 'general'.\n # \n Allowed prefixs:\n ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json\n #\n ex.\n feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance\n\"\n\n## Description\n\n*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*\n\nFixes # (issue)\n\n## New/Edited policies (Delete if not relevant)\n\n### Description\n*Include a description of what makes it a violation and any relevant external links.*\n\n### Fix\n*How does someone fix the issue in code and/or in runtime?*\n\n## Checklist:\n\n- [ ] I have performed a self-review of my own code\n- [ ] I have commented my code, particularly in hard-to-understand areas\n- [ ] I have made corresponding changes to the documentation\n- [ ] I have added tests that prove my feature, policy, or fix is effective and works\n- [ ] New and existing tests pass locally with my changes\n"
},
{
"path": ".github/actionlint.yaml",
"content": "self-hosted-runner:\n labels:\n - public\n"
},
{
"path": ".github/checkov.yaml",
"content": "enable-secret-scan-all-files: true\nframework:\n- secrets\nquiet: true\nskip-path:\n- docs\n- tests/arm/checks/resource/example_AzureScaleSetPassword/FAILED.json\n- tests/arm/checks/resource/example_AzureScaleSetPassword/UNKNOWN.json\n- tests/arm/checks/resource/example_StorageAccountAzureServicesAccessEnabled/storageAccountAzureServicesAccessEnabled-FAILED2.json\n- tests/arm/checks/resource/example_StorageAccountDefaultNetworkAccessDeny/storageAccountDefaultNetworkAccessDeny-FAILED2.json\n- tests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf\n- tests/common/utils/conftest.py\n- tests/common/utils/test_secrets_utils.py\n- tests/sca_image/conftest.py\n- tests/sca_package_2/conftest.py\n- tests/secrets\n- tests/terraform/checks/provider\n- tests/terraform/parser/resources/plan_tags/tfplan.json\n- tests/terraform/runner/resources/plan/tfplan.json\n- tests/terraform/runner/tf_plan_skip_check_regex/resource/skip_directory/tfplan2.json\n- tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json\n- tests/terraform/runner/tfplan2.json\n- tests/unit/test_secrets.py\n- tests/terraform/runner/resources/example/example.tf\n- tests/terraform/graph\n- tests/terraform/checks\n- /checkov/secrets/plugins/entropy_keyword_combinator.py\n- /checkov/secrets/plugins/detector_utils.py\n- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py\n- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py\n- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py\n- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py\n- /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py\n- /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py\n- /cdk_integration_tests/src/typescript\n- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml\n- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml\n- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml\n- /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml\n- tests/terraform/runner/resources/plan_with_providers\nsummary-position: bottom\n"
},
{
"path": ".github/codeql-config.yml",
"content": "name: \"CodeQL config\"\n\npaths-ignore:\n - tests\n"
},
{
"path": ".github/dependabot.yml",
"content": "version: 2\nupdates:\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n interval: \"weekly\"\n"
},
{
"path": ".github/exclude-patterns.txt",
"content": "checkov/terraform/module_loading/loaders/github_access_token_loader.py\ncheckov/terraform/module_loading/loaders/git_loader.py\ndocs/2.Basics/Scanning Credentials and Secrets.md\ndocs/5.Contribution/New-Provider.md\ngithub_action_resources/entrypoint.sh\ntests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml\ntests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml\ntests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml\ntests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-func_level/serverless.yml\ntests/serverless/checks/aws/example_AWSCredentials/AWSCredentials-FAILED-provider_level/serverless.yml\ntests/cloudformation/checks/resource/aws/example_EC2Credentials/EC2Credentials-FAILED.yaml\ntests/cloudformation/checks/resource/aws/example_AWSCredentials/EC2Credentials-FAILED.yaml\ntests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml\ntests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/FAIL.yaml\ntests/cloudformation/graph/checks/resources/LambdaFunction/template.yaml\ntests/common/suppressions_resources/suppressions.tf\ntests/secrets/.*\ntests/common/utils/test_secrets_utils.py\ntests/terraform/runner/resources/example/example.tf\ntests/terraform/checks/resource/aws/example_EC2Credentials/main.tf\ntests/terraform/checks/resource/aws/example_LambdaEnvironmentCredentials/main.tf\ntests/terraform/checks/provider/aws/test_credentials.py\ntests/terraform/checks/resource/aws/test_EC2Credentials.py\ntests/terraform/checks/provider/ncp/test_credentials.py\ntests/terraform/checks/provider/openstack/test_credentials.py\ntests/terraform/module_loading/test_registry.py\ntests/terraform/checks/resource/azure/example_AzureInstanceExtensions/main.tf\ntests/unit/test_secrets.py\ntests/terraform/runner/resources/plan/tfplan.json\ntests/terraform/parser/resources/plan_tags/tfplan.json\ntests/terraform/image_referencer/resources/aws/batch_tfplan.json\ntests/helm/runner/resources/schema-registry\ntests/common/utils/conftest.py\ntests/terraform/runner/resources/get_graph_resource_entity_config/main.tf\ntests/terraform/runner/tf_plan_skip_check_regex/resource/.*\ntests/terraform/runner/tfplan2.json\ntests/terraform/runner/resources/plan_with_providers/tfplan.json\ntests/terraform/runner/resources/plan_with_providers/main.tf\n.*Scans.md\n.*Pipfile.lock\n"
},
{
"path": ".github/pr-title-checker-config.json",
"content": "{\n \"LABEL\": {\n \"name\": \"title needs adjustment\",\n \"color\": \"EEEEEE\"\n },\n \"CHECKS\": {\n \"prefixes\": [\n \"chore: \"\n ],\n \"regexp\": \"^(fix|feat|break|docs|chore|platform)\\\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\\\): \"\n },\n \"MESSAGES\": {\n \"success\": \"PR title is valid\",\n \"failure\": \"PR title is invalid\",\n \"notice\": \"Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\\\): '\"\n }\n}\n"
},
{
"path": ".github/release-changelog-config.json",
"content": "{\n \"categories\": [\n {\n \"title\": \"## Breaking Change\",\n \"labels\": [\"break\"]\n },\n {\n \"title\": \"## Feature\",\n \"labels\": [\"feat\"]\n },\n {\n \"title\": \"## Bug Fix\",\n \"labels\": [\"fix\"]\n },\n {\n \"title\": \"## Platform\",\n \"labels\": [\"platform\"]\n },\n {\n \"title\": \"## Documentation\",\n \"labels\": [\"docs\"]\n }\n ],\n \"sort\": {\n \"order\": \"ASC\",\n \"on_property\": \"title\"\n },\n \"template\": \"${{CHANGELOG}}\",\n \"pr_template\": \"- ${{TITLE}} - [#${{NUMBER}}](${{URL}})\",\n \"empty_template\": \"- no noteworthy changes\",\n \"label_extractor\": [\n {\n \"pattern\": \"([^\\\\(]+)\\\\(.+\\\\): .+\",\n \"on_property\": \"title\",\n \"target\": \"$1\"\n }\n ],\n \"transformers\": [\n {\n \"pattern\": \"([^\\\\(]+)\\\\(?([^\\\\)]+)?\\\\)?: (.+)\",\n \"target\": \"- **$2:** $3\"\n }\n ],\n \"max_pull_requests\": 100,\n \"max_back_track_time_days\": 7\n}\n"
},
{
"path": ".github/stale.yml",
"content": "# Configuration for probot-stale - https://github.com/probot/stale\n\n# Number of days of inactivity before an Issue or Pull Request becomes stale\ndaysUntilStale: 180\n\n# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.\n# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.\ndaysUntilClose: 14\n\n# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)\nonlyLabels: []\n\n# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable\nexemptLabels:\n - pinned\n - security\n - nostale\n\n# Set to true to ignore issues in a project (defaults to false)\nexemptProjects: false\n\n# Set to true to ignore issues in a milestone (defaults to false)\nexemptMilestones: false\n\n# Set to true to ignore issues with an assignee (defaults to false)\nexemptAssignees: false\n\n# Label to use when marking as stale\nstaleLabel: stale\n\n# Comment to post when marking as stale. Set to `false` to disable\nmarkComment: >\n Thanks for contributing to Checkov! \n We've automatically marked this issue as stale to keep our issues list tidy, \n because it has not had any activity for 6 months. \n It will be closed in 14 days if no further activity occurs. \n Commenting on this issue will remove the stale tag.\n If you want to talk through the issue or help us understand the priority and context, \n feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com\n\n Thanks! \n\n# Comment to post when removing the stale label.\n# unmarkComment: >\n# Your comment here.\n\n# Comment to post when closing a stale Issue or Pull Request.\ncloseComment: >\n Closing issue due to inactivity.\n If you feel this is in error, please re-open, or reach out to the community via slack:\n codifiedsecurity.slack.com\n Thanks!\n\n# Limit the number of actions per hour, from 1-30. Default is 30\nlimitPerRun: 30\n\n# Limit to only `issues` or `pulls`\n# only: issues\n\n# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':\n# pulls:\n# daysUntilStale: 30\n# markComment: >\n# This pull request has been automatically marked as stale because it has not had\n# recent activity. It will be closed if no further activity occurs. Thank you\n# for your contributions.\n\n# issues:\n# exemptLabels:\n# - confirmed"
},
{
"path": ".github/workflows/build.yml",
"content": "name: build\n\non:\n workflow_dispatch:\n inputs:\n versionBump:\n description: 'The part of the version to bump'\n required: true\n default: 'patch'\n type: choice\n options:\n - patch\n - minor\n - major\n\n push:\n branches:\n - main\n paths-ignore:\n - 'docs/**'\n - 'INTHEWILD.md'\n - 'README.md'\n - 'CHANGELOG.md'\n - '.github/**'\n - checkov/version.py\n - kubernetes/requirements.txt\n - coverage.svg\n - '.swm/**'\n - '.pre-commit-config.yaml'\n\npermissions:\n contents: read\n\nconcurrency:\n group: 'build'\n cancel-in-progress: true\n\njobs:\n security:\n uses: ./.github/workflows/security-shared.yml\n secrets: inherit\n\n integration-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.10\", \"3.11\", \"3.12\", \"3.13\"]\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v3\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n version: \"v3.19.1\"\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n if: ${{ runner.os != 'windows' }}\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone Terragoat - vulnerable terraform\n run: git clone https://github.com/bridgecrewio/terragoat\n - name: Clone Cfngoat - vulnerable cloudformation\n run: git clone https://github.com/bridgecrewio/cfngoat\n - name: Clone Kubernetes-goat - vulnerable kubernetes\n run: git clone https://github.com/madhuakula/kubernetes-goat\n - name: Clone kustomize-goat - vulnerable kustomize\n run: git clone https://github.com/bridgecrewio/kustomizegoat\n - name: Create checkov reports\n run: |\n # Just making sure the API key tests don't run on PRs\n bash -c './integration_tests/prepare_data.sh \"${{ matrix.os }}\" \"${{ matrix.python }}\"'\n env:\n LOG_LEVEL: INFO\n BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}\n GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}\n - name: Run integration tests\n run: |\n pipenv run pytest integration_tests\n\n integration-tests-old-python:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\"]\n os: [ubuntu-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v3\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n version: \"v3.19.1\"\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n if: ${{ runner.os != 'windows' }}\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone Terragoat - vulnerable terraform\n run: git clone https://github.com/bridgecrewio/terragoat\n - name: Clone Cfngoat - vulnerable cloudformation\n run: git clone https://github.com/bridgecrewio/cfngoat\n - name: Clone Kubernetes-goat - vulnerable kubernetes\n run: git clone https://github.com/madhuakula/kubernetes-goat\n - name: Clone kustomize-goat - vulnerable kustomize\n run: git clone https://github.com/bridgecrewio/kustomizegoat\n - name: Create checkov reports\n run: |\n # Just making sure the API key tests don't run on PRs\n bash -c './integration_tests/prepare_data.sh \"${{ matrix.os }}\" \"${{ matrix.python }}\"'\n env:\n LOG_LEVEL: INFO\n BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}\n GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}\n - name: Run integration tests\n run: |\n pipenv run pytest integration_tests\n\n prisma-tests:\n runs-on: [ self-hosted, public, linux, x64 ]\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n pipenv run pip install pytest pytest-xdist\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone Terragoat - vulnerable terraform\n run: git clone https://github.com/bridgecrewio/terragoat\n - name: Run checkov with Prisma creds\n env:\n PRISMA_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n run: |\n pipenv run checkov -s -d terragoat --bc-api-key \"$PRISMA_KEY\" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt\n grep \"prismacloud.io\" checkov_report_prisma.txt\n exit $?\n sast-integration-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.10\", \"3.11\", \"3.12\", \"3.13\"]\n os: [ubuntu-latest, macos-latest]\n runs-on: ${{ matrix.os }}\n continue-on-error: true # for now it is ok to fail\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone flask - Python repo for SAST\n run: git clone https://github.com/pallets/flask\n - name: Clone WebGoat - Java repo for SAST\n run: git clone https://github.com/WebGoat/WebGoat\n - name: Clone axios - JavaScript repo for SAST\n run: git clone https://github.com/axios/axios\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n run: bash -c './sast_integration_tests/prepare_data.sh'\n - name: Run integration tests\n run: |\n pipenv run pytest sast_integration_tests\n\n sast-integration-tests-old-python:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\"]\n os: [ubuntu-latest]\n runs-on: ${{ matrix.os }}\n continue-on-error: true # for now it is ok to fail\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone flask - Python repo for SAST\n run: git clone https://github.com/pallets/flask\n - name: Clone WebGoat - Java repo for SAST\n run: git clone https://github.com/WebGoat/WebGoat\n - name: Clone axios - JavaScript repo for SAST\n run: git clone https://github.com/axios/axios\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n run: bash -c './sast_integration_tests/prepare_data.sh'\n - name: Run integration tests\n run: |\n pipenv run pytest sast_integration_tests\n\n unit-tests:\n timeout-minutes: 30\n runs-on: ubuntu-latest\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: Set up Python ${{ env.PYTHON_VERSION }}\n uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Install dependencies\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n pipenv install --dev\n - name: Test with pytest\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n IS_TEST: true\n run: |\n pipenv run python -m pytest tests\n bump-version:\n needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python]\n runs-on: [self-hosted, public, linux, x64]\n environment: release\n permissions:\n contents: write\n # IMPORTANT: this permission is mandatory for trusted publishing to pypi\n id-token: write\n timeout-minutes: 30\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n token: ${{ secrets.GH_PAT_SECRET }}\n - name: Import GPG key\n id: import_gpg\n uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5\n with:\n gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}\n passphrase: ${{ secrets.PASSPHRASE }}\n - name: Set up Python ${{ env.PYTHON_VERSION }}\n uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Install dependencies\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n pipenv install\n - name: Calculate version\n run: |\n git fetch --tags --force\n latest_tag=\"$(git tag --sort=v:refname | tail -n 1)\"\n echo \"latest tag: $latest_tag\"\n if [[ -z \"${{ inputs.versionBump }}\" ]]\n then\n version=\"patch\"\n else\n version=\"${{ inputs.versionBump }}\"\n fi\n case $version in\n minor)\n new_tag=$(echo \"$latest_tag\" | awk -F. -v a=\"$1\" -v b=\"$2\" -v c=\"$3\" '{printf(\"%d.%d.%d\", $1+a, $2+b+1 , 0)}')\n ;;\n major)\n new_tag=$(echo \"$latest_tag\" | awk -F. -v a=\"$1\" -v b=\"$2\" -v c=\"$3\" '{printf(\"%d.%d.%d\", $1+a+1, 0 , 0)}')\n ;;\n patch)\n new_tag=$(echo \"$latest_tag\" | awk -F. -v a=\"$1\" -v b=\"$2\" -v c=\"$3\" '{printf(\"%d.%d.%d\", $1+a, $2+b , $3+1)}')\n ;;\n esac\n\n echo \"new tag: $new_tag\"\n echo \"version=$new_tag\" >> \"$GITHUB_OUTPUT\"\n \n # grab major version for later image tag usage \n major_version=$(echo \"${new_tag}\" | head -c1)\n echo \"major_version=$major_version\" >> \"$GITHUB_OUTPUT\"\n id: calculateVersion\n - name: version\n env:\n GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}\n run: |\n ## update docs\n export PYTHONPATH='.'\n # change the doc links to proper markdown versions\n export CHECKOV_CREATE_MARKDOWN_HYPERLINKS='True'\n git pull\n\n for i in cloudformation terraform kubernetes serverless arm dockerfile secrets github_configuration gitlab_configuration bitbucket_configuration github_actions gitlab_ci bicep openapi bitbucket_pipelines argo_workflows circleci_pipelines azure_pipelines ansible all\n do\n export scansdoc=\"docs/5.Policy Index/$i.md\"\n echo \"---\" > \"$scansdoc\"\n echo \"layout: default\" >> \"$scansdoc\"\n echo \"title: $i resource scans\" >> \"$scansdoc\"\n echo \"nav_order: 1\" >> \"$scansdoc\"\n echo \"---\" >> \"$scansdoc\"\n echo \"\" >> \"$scansdoc\"\n echo \"# $i resource scans (auto generated)\" >> \"$scansdoc\"\n echo \"\" >> \"$scansdoc\"\n pipenv run python checkov/main.py --list --framework \"$i\" >> \"$scansdoc\"\n done\n\n #add cloudformation scans to serverless\n export scansdoc=\"docs/5.Policy Index/serverless.md\"\n pipenv run python checkov/main.py --list --framework cloudformation >> \"$scansdoc\"\n git add \"docs/5.Policy Index/*\"\n git commit --reuse-message=\"HEAD@{1}\" || echo \"No changes to commit\"\n \n git config --global user.name 'GitHub Actions Bot'\n git config --global user.email 'actions@github.com'\n \n new_tag=${{ steps.calculateVersion.outputs.version }}\n echo \"new tag: $new_tag\"\n ## update python version\n echo \"version = '$new_tag'\" > 'checkov/version.py'\n echo \"checkov==$new_tag\" > 'kubernetes/requirements.txt'\n\n git commit --reuse-message=\"HEAD@{1}\" checkov/version.py kubernetes/requirements.txt || echo \"No changes to commit\"\n git push origin\n git tag $new_tag\n git push --tags\n id: version\n - name: create python package\n run: |\n pipenv run python setup.py sdist bdist_wheel\n - name: Publish a Python distribution to PyPI\n uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1\n - name: sleep and wait for package to refresh\n run: |\n sleep 2m\n outputs:\n version: ${{ steps.calculateVersion.outputs.version }}\n major_version: ${{ steps.calculateVersion.outputs.major_version }}\n publish-checkov-dockerhub:\n needs: bump-version\n uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main\n permissions:\n contents: read\n id-token: write # Enable OIDC\n packages: write\n with:\n image_name_dockerhub: bridgecrew/checkov\n image_name_ghcr: ghcr.io/${{ github.repository }}\n image_tag_full: ${{ needs.bump-version.outputs.version }}\n image_tag_short: ${{ needs.bump-version.outputs.major_version }}\n runner: \"['self-hosted', 'public', 'linux', 'x64']\"\n secrets:\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}\n DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}\n publish-checkov-k8s-dockerhub:\n needs: bump-version\n uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main\n permissions:\n contents: read\n id-token: write # Enable OIDC\n packages: write\n with:\n image_name_dockerhub: bridgecrew/checkov-k8s\n image_name_ghcr: ghcr.io/${{ github.repository }}-k8s\n image_tag_full: ${{ needs.bump-version.outputs.version }}\n image_tag_short: ${{ needs.bump-version.outputs.major_version }}\n dockerfile_path: kubernetes/Dockerfile\n runner: \"['self-hosted', 'public', 'linux', 'x64']\"\n secrets:\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}\n DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}\n update-bridgecrew-projects:\n needs: publish-checkov-dockerhub\n runs-on: [self-hosted, public, linux, x64]\n environment: release\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: update checkov release\n run: |\n curl -X POST \"https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}\"\n\n # trigger checkov-action update\n curl -XPOST -u \"${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}\" -H \"Accept: application/vnd.github.everest-preview+json\" -H \"Content-Type: application/json\" https://api.github.com/repos/bridgecrewio/checkov-action/dispatches --data '{\"event_type\": \"build\"}'\n\n # trigger bridgecrew-py update\n curl -XPOST -u \"${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}\" -H \"Accept: application/vnd.github.everest-preview+json\" -H \"Content-Type: application/json\" https://api.github.com/repos/bridgecrewio/bridgecrew-py/dispatches --data '{\"event_type\": \"build\"}'\n\n # trigger whorf update\n curl -XPOST -u \"${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}\" -H \"Accept: application/vnd.github.everest-preview+json\" -H \"Content-Type: application/json\" https://api.github.com/repos/bridgecrewio/whorf/dispatches --data '{\"event_type\": \"release\"}'\n"
},
{
"path": ".github/workflows/codeql-analysis.yml",
"content": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# You may wish to alter this file to override the set of languages analyzed,\n# or to provide custom queries or build logic.\n#\n# ******** NOTE ********\n# We have attempted to detect the languages in your repository. Please check\n# the `language` matrix defined below to confirm you have the correct set of\n# supported CodeQL languages.\n#\nname: \"CodeQL\"\n\non:\n push:\n branches: [ main ]\n pull_request:\n # The branches below must be a subset of the branches above\n branches: [ main ]\n schedule:\n - cron: '17 4 * * 2'\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n analyze:\n name: Analyze\n runs-on: [self-hosted, public, linux, x64]\n permissions:\n actions: read\n contents: read\n security-events: write\n steps:\n - name: Checkout repository\n uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: Set up Python\n uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: '3.10'\n - name: Setup python for CodeQL\n run: |\n python -m pip install --no-cache-dir --upgrade pip pipenv\n echo \"CODEQL_PYTHON=$(which python)\" >> \"$GITHUB_ENV\"\n - name: Check Pipfile.lock changed\n uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v13\n id: changed_files\n with:\n files: Pipfile.lock\n - name: Setup dependencies if they changed\n if: steps.changed_files.outputs.files_changed == 'true'\n run: |\n pipenv lock -r > requirements.txt\n pip install -r requirements.txt\n - name: Initialize CodeQL\n uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v2\n with:\n languages: python\n setup-python-dependencies: false\n config-file: ./.github/codeql-config.yml\n - name: Autobuild\n uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v2\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v2\n"
},
{
"path": ".github/workflows/coverage.yaml",
"content": "name: Coverage\n\non:\n schedule:\n - cron: '0 0 * * 0'\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n update-coverage:\n runs-on: [ self-hosted, public, linux, x64 ]\n permissions:\n contents: write\n environment: release\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n token: ${{ secrets.GH_PAT_SECRET }}\n - name: Import GPG key\n id: import_gpg\n uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5\n with:\n gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}\n passphrase: ${{ secrets.PASSPHRASE }}\n - name: Set up Python ${{ env.PYTHON_VERSION }}\n uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Install dependencies\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n pipenv install --dev\n pipenv run pip install pytest\n - name: Test with pytest\n run: |\n pipenv run pytest --cov-report term --cov=checkov tests\n pipenv run python -m coverage_badge -o coverage.svg -f\n git commit -m \"Update coverage\" coverage.svg || echo \"No changes to commit\"\n"
},
{
"path": ".github/workflows/jekyll-gh-pages.yml",
"content": "# Sample workflow for building and deploying a Jekyll site to GitHub Pages\nname: Deploy Jekyll with GitHub Pages dependencies preinstalled\n\non:\n # Runs on pushes targeting the default branch\n push:\n branches: [\"main\"]\n\n # Allows you to run this workflow manually from the Actions tab\n workflow_dispatch:\n\n# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages\npermissions:\n contents: read\n pages: write\n id-token: write\n\n# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.\n# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.\nconcurrency:\n group: \"pages\"\n cancel-in-progress: false\n\njobs:\n # Build job\n build:\n runs-on: [self-hosted, public, linux, x64]\n steps:\n - name: Checkout\n uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: Setup Pages\n uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v3\n - name: Build with Jekyll\n uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1\n with:\n source: ./docs\n destination: ./_site\n - name: Upload artifact\n uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v2\n\n # Deployment job\n deploy:\n environment:\n name: github-pages\n url: ${{ steps.deployment.outputs.page_url }}\n runs-on: [self-hosted, public, linux, x64]\n needs: build\n steps:\n - name: Deploy to GitHub Pages\n id: deployment\n uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v2\n"
},
{
"path": ".github/workflows/nightly.yml",
"content": "name: Nightly Run\n\non:\n schedule:\n # daily at 23:00 UTC\n - cron: \"0 23 * * *\"\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n github-release:\n runs-on: [self-hosted, public, linux, x64]\n environment: release\n permissions:\n contents: write\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n fetch-depth: 0\n token: ${{ secrets.GH_PAT_SECRET }}\n - name: Prepare Release\n id: prepare_release\n run: |\n # grab latest release and tag to compare and decide to create a new one\n create_release=true\n latest_gh_release=$(curl -s \"https://api.github.com/repos/${{ github.repository }}/releases/latest\" | grep -Po '\"tag_name\": \"\\K.*?(?=\")')\n latest_tag=$(git describe --abbrev=0 --tags)\n\n if [ \"$latest_gh_release\" = \"$latest_tag\" ]\n then\n create_release=false\n fi\n\n echo \"create_release=$create_release\" >> \"$GITHUB_OUTPUT\"\n echo \"latest_release_version=$latest_gh_release\" >> \"$GITHUB_OUTPUT\"\n echo \"version=$latest_tag\" >> \"$GITHUB_OUTPUT\"\n - name: Build GitHub Release changelog\n if: steps.prepare_release.outputs.create_release == 'true'\n id: build_github_release\n uses: mikepenz/release-changelog-builder-action@5f3409748e2230350e149a7f7b5b8e9bcd785d44 # v3\n env:\n GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}\n with:\n configuration: \".github/release-changelog-config.json\"\n fromTag: ${{ steps.prepare_release.outputs.latest_release_version }}\n toTag: ${{ steps.prepare_release.outputs.version }}\n - name: Create GitHub Release\n if: steps.build_github_release.outputs.changelog != ''\n uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2\n id: create_github_release\n with:\n tag_name: ${{ steps.prepare_release.outputs.version }}\n name: ${{ steps.prepare_release.outputs.version }}\n body: ${{ steps.build_github_release.outputs.changelog }}\n - name: Update CHANGELOG.md\n if: steps.build_github_release.outputs.changelog != ''\n uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1\n with:\n latest-version: ${{ steps.prepare_release.outputs.version }}\n release-notes: ${{ steps.build_github_release.outputs.changelog }}\n - name: Commit updated CHANGELOG.md\n if: steps.build_github_release.outputs.changelog != ''\n uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5\n with:\n commit_message: \"chore: update release notes\"\n file_pattern: CHANGELOG.md\n outputs:\n upload_url: ${{ steps.create_github_release.outputs.upload_url }}\n version: ${{ steps.prepare_release.outputs.version }}\n build-release-artifacts:\n strategy:\n matrix:\n include:\n - os: macos-latest\n name: darwin\n suffix: ''\n - os: ubuntu-latest\n name: linux\n suffix: ''\n - os: windows-latest\n name: windows\n suffix: '.exe'\n needs: [github-release]\n if: needs.github-release.outputs.upload_url != ''\n runs-on: ${{ matrix.os }}\n permissions:\n contents: write\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n fetch-depth: 0\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Install deps and run pyinstaller\n run: |\n pipenv sync\n pipenv run pip install pyinstaller\n - name: Build executable\n run: pipenv run pyinstaller checkov.spec\n - name: Windows - Test executable\n if: matrix.os == 'windows-latest'\n shell: bash\n # make sure it doesn't crash\n run: ./dist/checkov.exe -s -d tests/terraform/checks/resource/alicloud\n - name: Windows - zip artifact\n if: matrix.os == 'windows-latest'\n run: tar.exe -a -c -f checkov.zip dist\\\\checkov.exe\n - name: Linux/Mac - Test executable\n if: matrix.os != 'windows-latest'\n # make sure it doesn't crash\n run: ./dist/checkov -s -d tests/terraform/checks/resource/alicloud\n - name: Linux/Mac - zip artifact\n if: matrix.os != 'windows-latest'\n run: zip checkov.zip dist/checkov\n - name: Upload Release Asset\n uses: actions/upload-release-asset@v1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n with:\n upload_url: ${{ needs.github-release.outputs.upload_url }}\n asset_path: checkov.zip\n asset_name: checkov_${{ matrix.name }}_X86_64.zip\n asset_content_type: application/zip\n build-release-artifact-linux-arm:\n needs: [ github-release ]\n if: needs.github-release.outputs.upload_url != ''\n runs-on: [self-hosted, public, linux, arm64]\n container:\n image: arm64v8/python:3.9\n permissions:\n contents: write\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n fetch-depth: 0\n token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Install deps and run pyinstaller\n run: |\n pipenv sync\n pipenv run pip install pyinstaller\n - name: Build executable\n run: pipenv run pyinstaller checkov.spec\n - name: zip artifact\n run: |\n apt-get update\n apt install zip\n zip checkov.zip dist/checkov\n - name: Upload Release Asset\n uses: actions/upload-release-asset@v1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n with:\n upload_url: ${{ needs.github-release.outputs.upload_url }}\n asset_path: checkov.zip\n asset_name: checkov_linux_arm64.zip\n asset_content_type: application/zip\n"
},
{
"path": ".github/workflows/pipenv-update.yml",
"content": "name: pipenv-update\non:\n schedule:\n - cron: '8 22 * * 1'\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n pipenv-update:\n runs-on: [self-hosted, public, linux, x64]\n permissions:\n contents: write\n pull-requests: write\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n ref: ${{ github.head_ref }}\n token: ${{ secrets.GH_PAT_SECRET }}\n - name: Import GPG key\n id: import_gpg\n uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v5\n with:\n gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}\n passphrase: ${{ secrets.PASSPHRASE }}\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - run: |\n git config --local user.email \"action@github.com\"\n git config --local user.name \"GitHub Action\"\n pipenv update\n git add -u\n git commit -m \"update pipenv packages\"\n env:\n GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}\n - name: Create Pull Request\n id: cpr\n uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v5\n with:\n token: ${{ secrets.PAT_TOKEN }}\n title: '[AUTO-PR] Update pipenv packages'\n body: |\n bump pipenv packages\n - Auto-generated by [pipenv-update github action](https://github.com/bridgecrewio/checkov/blob/main/.github/workflows/pipenv-update.yml)\n labels: automated pr\n branch: pipenvfix\n branch-suffix: timestamp\n"
},
{
"path": ".github/workflows/pr-test.yml",
"content": "name: PR Test\n\non: pull_request\n\npermissions:\n contents: read\n\njobs:\n lint:\n uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main\n with:\n python-version: \"3.9\"\n\n danger-check:\n runs-on: [ self-hosted, public, linux, x64 ]\n permissions:\n contents: read\n pull-requests: read\n steps:\n - name: Checkout code\n uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: Install Node.js\n uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4\n with:\n node-version: \"16\"\n - name: Install and run DangerJS\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n npm install -g danger\n danger ci --verbose --failOnErrors\n cfn-lint:\n runs-on: ubuntu-latest\n env:\n PYTHON_VERSION: \"3.9\"\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n - name: Get changed CFN test files\n id: changed-files-specific\n uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44\n with:\n files: tests/cloudformation/checks/resource/aws/**/*\n - name: Filter YAML and JSON files\n if: steps.changed-files-specific.outputs.any_changed == 'true'\n id: filter-files\n run: |\n YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} \\\n | tr ' ' '\\n' \\\n | grep -E '\\.ya?ml$|\\.json$' \\\n | grep -v 'sam\\.yaml$' \\\n | tr '\\n' ' ')\n if [ -n \"$YAML_JSON_FILES\" ]; then\n echo \"YAML_JSON_FILES=$YAML_JSON_FILES\" >> \"$GITHUB_ENV\"\n fi\n - name: Install cfn-lint & Lint Cloudformation templates\n if: env.YAML_JSON_FILES != ''\n run: |\n pip install -U cfn-lint\n for file in $YAML_JSON_FILES; do\n cfn-lint \"$file\" -i W\n done\n\n mypy:\n uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main\n with:\n python-version: \"3.9\"\n\n unit-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\", \"3.10\", \"3.11\", \"3.12\", \"3.13\"]\n runs-on: ubuntu-latest\n timeout-minutes: 30\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - name: Set up Python ${{ matrix.python }}\n uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n if [ \"${{ matrix.python }}\" = \"3.12\" ] || [ \"${{ matrix.python }}\" = \"3.13\" ]; then\n # needed for numpy\n python -m pip install --no-cache-dir --upgrade pipenv==2024.4.0\n else\n python -m pip install --no-cache-dir --upgrade pipenv\n fi\n - name: Install dependencies\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n\n if [ \"${{ matrix.python }}\" = \"3.12\" ] || [ \"${{ matrix.python }}\" = \"3.13\" ]; then\n echo \"patching >3.12 issues\"\n pipenv run pip install setuptools\n # needed for numpy\n pipenv install --skip-lock --dev -v\n else\n pipenv install --dev -v\n fi\n\n # list all dependencies to get a better view about installed package versions\n pipenv run pip list\n\n - name: Unit tests\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: pipenv run python -m pytest tests\n\n integration-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.10\", \"3.11\", \"3.12\", \"3.13\"]\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n version: \"v3.19.1\" # the tests break starting v4 as checkov cannot support it, needs to be investigated\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n if: ${{ runner.os != 'windows' }}\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n shell: bash\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone Terragoat - vulnerable terraform\n run: git clone https://github.com/bridgecrewio/terragoat\n - name: Clone Cfngoat - vulnerable cloudformation\n run: git clone https://github.com/bridgecrewio/cfngoat\n - name: Clone Kubernetes-goat - vulnerable kubernetes\n run: git clone https://github.com/madhuakula/kubernetes-goat\n - name: Clone kustomize-goat - vulnerable kustomize\n run: git clone https://github.com/bridgecrewio/kustomizegoat\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n run: |\n # Just making sure the API key tests don't run on PRs\n bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'\n - name: Run integration tests\n run: |\n pipenv run pytest integration_tests -k 'not api_key'\n\n integration-tests-old-python:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\"]\n os: [ubuntu-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n version: \"v3.19.1\"\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n if: ${{ runner.os != 'windows' }}\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n shell: bash\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone Terragoat - vulnerable terraform\n run: git clone https://github.com/bridgecrewio/terragoat\n - name: Clone Cfngoat - vulnerable cloudformation\n run: git clone https://github.com/bridgecrewio/cfngoat\n - name: Clone Kubernetes-goat - vulnerable kubernetes\n run: git clone https://github.com/madhuakula/kubernetes-goat\n - name: Clone kustomize-goat - vulnerable kustomize\n run: git clone https://github.com/bridgecrewio/kustomizegoat\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n run: |\n # Just making sure the API key tests don't run on PRs\n bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'\n - name: Run integration tests\n run: |\n pipenv run pytest integration_tests -k 'not api_key'\n\n sast-integration-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.12\", \"3.13\"]\n os: [ubuntu-latest, macos-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone flask - Python repo for SAST\n run: git clone https://github.com/pallets/flask\n - name: Clone WebGoat - Java repo for SAST\n run: git clone https://github.com/WebGoat/WebGoat\n - name: Clone axios - JavaScript repo for SAST\n run: git clone https://github.com/axios/axios\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: bash -c './sast_integration_tests/prepare_data.sh'\n - name: Run integration tests\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: |\n pipenv run pytest sast_integration_tests\n\n sast-integration-tests-old-python:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\"]\n os: [ubuntu-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone flask - Python repo for SAST\n run: git clone https://github.com/pallets/flask\n - name: Clone WebGoat - Java repo for SAST\n run: git clone https://github.com/WebGoat/WebGoat\n - name: Clone axios - JavaScript repo for SAST\n run: git clone https://github.com/axios/axios\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: bash -c './sast_integration_tests/prepare_data.sh'\n - name: Run integration tests\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: |\n pipenv run pytest sast_integration_tests\n\n cdk-integration-tests:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.12\", \"3.13\"]\n os: [ubuntu-latest, macos-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: bash -c './cdk_integration_tests/prepare_data.sh'\n - name: Run integration tests\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: |\n pipenv run pytest cdk_integration_tests\n\n cdk-integration-tests-old-python:\n strategy:\n fail-fast: true\n matrix:\n python: [\"3.9\"]\n os: [ubuntu-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ matrix.python }}\n allow-prereleases: true\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ matrix.python }}\n pipenv run pip install pytest pytest-xdist setuptools wheel\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Create checkov reports\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: bash -c './cdk_integration_tests/prepare_data.sh'\n - name: Run integration tests\n env:\n LOG_LEVEL: INFO\n BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}\n PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}\n if: env.BC_API_KEY != null\n run: |\n pipenv run pytest cdk_integration_tests\n\n performance-tests:\n env:\n PYTHON_VERSION: \"3.9\"\n working-directory: ./performance_tests\n runs-on: [self-hosted, public, linux, x64]\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n # 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version\n pipenv run pip install pytest pytest-benchmark py\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Clone terraform-aws-components\n run: git clone --branch 0.182.0 https://github.com/cloudposse/terraform-aws-components.git\n working-directory: ${{ env.working-directory }}\n - name: Clone aws-cloudformation-templates\n run: git clone --branch 0.0.1 https://github.com/awslabs/aws-cloudformation-templates.git\n working-directory: ${{ env.working-directory }}\n - name: Clone kubernetes-yaml-templates\n run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git\n working-directory: ${{ env.working-directory }}\n# TODO: migrate to separate performance tests\n# - name: Clone Python-Mini-Projects\n# run: git clone https://github.com/alimoustafa2000/Python-Mini-Projects.git\n# working-directory: ${{ env.working-directory }}\n# - name: Clone NodeJs\n# run: git clone https://github.com/harshitbansal373/NodeJs.git\n# working-directory: ${{ env.working-directory }}\n# - name: Clone Mini-Project-using-Java\n# run: git clone https://github.com/ikanurfitriani/Mini-Project-using-Java.git\n# working-directory: ${{ env.working-directory }}\n - name: Run performance tests\n run: |\n pipenv run pytest\n working-directory: ${{ env.working-directory }}\n\n dogfood-tests:\n runs-on: ubuntu-latest\n env:\n PYTHON_VERSION: \"3.9\"\n WORKING_DIRECTORY: ./dogfood_tests\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4\n with:\n python-version: ${{ env.PYTHON_VERSION }}\n cache: \"pipenv\"\n cache-dependency-path: \"Pipfile.lock\"\n - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2\n with:\n github-token: ${{ secrets.GITHUB_TOKEN }}\n - name: Install pipenv\n run: |\n python -m pip install --no-cache-dir --upgrade pipenv\n\n - name: Build & install checkov package\n run: |\n # remove venv, if exists\n pipenv --rm || true\n pipenv --python ${{ env.PYTHON_VERSION }}\n pipenv run pip install pytest pytest-xdist\n pipenv run python setup.py sdist bdist_wheel\n bash -c 'pipenv run pip install dist/checkov-*.whl'\n - name: Run dogfood tests\n run: |\n pipenv run pytest\n working-directory: ${{ env.WORKING_DIRECTORY }}\n\n eval-keys-test:\n runs-on: ubuntu-latest\n steps:\n - name: Check out repository\n uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n\n - name: Get changed Python files\n id: changed-files\n uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v44\n with:\n files: checkov/**/*.py\n\n - name: Validate 'BaseResourceCheck' use contains eval keys\n if: steps.changed-files.outputs.any_changed == 'true'\n run: |\n # Define an array of exceptions (files to skip)\n EXCEPTIONS=(\n \"base_resource_check.py\" \n \"VPCDefaultNetwork.py\"\n \"IAMUserNotUsedForAccess.py\" # Whole Resource type check\n )\n \n echo \"Changed files:\"\n echo \"${{ steps.changed-files.outputs.all_changed_files }}\"\n \n EXIT_CODE=0\n IFS=$'\\n' # Change Internal Field Separator to handle spaces in filenames too\n for file in $(echo \"${{ steps.changed-files.outputs.all_changed_files }}\" | tr ',' '\\n'); do\n # Check if the file is in the list of exceptions\n SKIP_FILE=\"false\"\n for exception in \"${EXCEPTIONS[@]}\"; do\n # If the file ends with one of the exception file names, skip it\n if [[ \"$file\" == *\"$exception\" ]]; then\n echo \"Skipping $file (allowed exception)\"\n SKIP_FILE=\"true\"\n break\n fi\n done\n \n # Only run checks if not in exceptions list\n if [[ \"$SKIP_FILE\" == \"false\" ]]; then\n # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys'\n if grep -q \"BaseResourceCheck\" \"$file\"; then\n if ! grep -q \"get_inspected_key\" \"$file\" && ! grep -q \"evaluated_keys\" \"$file\"; then\n echo \"ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'\"\n EXIT_CODE=1\n fi\n fi\n fi\n done\n unset IFS # Restore IFS to default\n \n # Fail the job if any file violated the rule\n if [ \"$EXIT_CODE\" -ne 0 ]; then\n echo \"One or more files did not satisfy the requirement.\"\n exit 1\n fi\n"
},
{
"path": ".github/workflows/pr-title.yml",
"content": "name: PR Title\n\non:\n pull_request:\n branches:\n - main\n types: [opened, edited, reopened, synchronize]\n\npermissions:\n contents: read\n\njobs:\n validate:\n runs-on: [self-hosted, public, linux, x64]\n permissions:\n contents: write\n steps:\n - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1\n with:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n configuration_path: \".github/pr-title-checker-config.json\"\n"
},
{
"path": ".github/workflows/security-shared.yml",
"content": "# !!! Important !!!\n# This a reusable workflow and is used in the PR and push to main branch flow separately\n# to be able to protect it behind a manual approval in the PR flow\n\nname: security-shared\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n bandit:\n runs-on: [self-hosted, public, linux, x64]\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n ref: ${{ github.event.pull_request.head.sha }}\n - name: security test\n uses: jpetrucciani/bandit-check@74c5ecc4297e374c7e9283bc81f649287bb14f34 # v1\n with:\n path: 'checkov'\n trufflehog-secrets:\n runs-on: [self-hosted, public, linux, x64]\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n ref: ${{ github.event.pull_request.head.sha }}\n - name: detect secrets\n uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9\n with:\n scanArguments: \"--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1\"\n checkov-secrets:\n runs-on: [self-hosted, public, linux, x64]\n steps:\n - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3\n with:\n ref: ${{ github.event.pull_request.head.sha }}\n - name: Scan for secrets\n uses: bridgecrewio/checkov-action@master # use latest and greatest\n with:\n api-key: ${{ secrets.PRISMA_KEY_API2 }}\n prisma-api-url: ${{ secrets.PRISMA_API_URL_2 }}\n config_file: .github/checkov.yaml\n"
},
{
"path": ".github/workflows/security.yml",
"content": "# !!! Important !!!\n# any change to this workflow will not take into effect on the same PR and only after,\n# because of security implications from target 'pull_request_target'\n\nname: security\n\non:\n pull_request_target: # this is needed to use the API key in a PR\n branches:\n - main\n\npermissions:\n contents: read\n\njobs:\n start-security-scan:\n runs-on: ubuntu-latest\n environment: scan-security\n steps:\n - run: echo start security scan # just needs a simple step to better control the follow-up jobs\n security:\n needs: start-security-scan\n uses: ./.github/workflows/security-shared.yml\n secrets: inherit\n"
},
{
"path": ".gitignore",
"content": "# Created by .ignore support plugin (hsz.mobi)\n### Python template\n# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n*__pycache__/\n\n# Python tests residuals\ntests/sca_package_2/examples/obj*\n\n# Terraform\n*.tfstate*\n*.terraform*\n*.tfbackend\n\n# git\n*.orig\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nenv/\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\n.vscode/\n*.egg-info/\n.installed.cfg\n*.egg\n.DS_Store\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*,cover\n.hypothesis/\n.external_modules/\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\nlocal_settings.py\n\n# Flask stuff:\ninstance/\n.webassets-cache\n\n# Scrapy stuff:\n.scrapy\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# IPython Notebook\n.ipynb_checkpoints\n\n# pyenv\n.python-version\n\n# celery beat schedule file\ncelerybeat-schedule\n\n# dotenv\n.env\n\n# virtualenv\nvenv/\nENV/\n\n# Spyder project settings\n.spyderproject\n\n# Rope project settings\n.ropeproject\n### VirtualEnv template\n# Virtualenv\n# http://iamzed.com/2009/05/07/a-primer-on-virtualenv/\n[Ii]nclude\n[Ll]ib\n[Ll]ib64\n[Ll]ocal\n[Ss]cripts\npyvenv.cfg\n.venv\npip-selfcheck.json\n### JetBrains template\n# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm\n# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839\n\n# User-specific stuff:\n.idea/workspace.xml\n.idea/tasks.xml\n.idea/dictionaries\n.idea/vcs.xml\n.idea/jsLibraryMappings.xml\n\n# Sensitive or high-churn files:\n.idea/dataSources.ids\n.idea/dataSources.xml\n.idea/dataSources.local.xml\n.idea/sqlDataSources.xml\n.idea/dynamic.xml\n.idea/uiDesigner.xml\n\n# Gradle:\n.idea/gradle.xml\n.idea/libraries\n\n# Mongo Explorer plugin:\n.idea/mongoSettings.xml\n\n.idea/\n\n## File-based project format:\n*.iws\n\n## Plugin-specific files:\n\n# IntelliJ\n/out/\n\n# mpeltonen/sbt-idea plugin\n.idea_modules/\n\n# JIRA plugin\natlassian-ide-plugin.xml\n\n# Crashlytics plugin (for Android Studio and IntelliJ)\ncom_crashlytics_export_strings.xml\ncrashlytics.properties\ncrashlytics-build.properties\nfabric.properties\n\n# Checkov baseline file\n.checkov.baseline\n\n# pytest-benchmarks output directory\n.benchmarks/\n\n# test assets that get created locally (20* refers to the start of a date, so this covers us for 78 years)\ntests/20*\n# vim\n.*.sw?\n.vim/\n.vimspector.json\n!tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance\ntests/common/runner_registry/packages_csv_results/\ntests/console\n\n# sast go mod\ncheckov/sast_core/vendor\n\n*.prof\n"
},
{
"path": ".gitmodules",
"content": "[submodule \"checkov/sast/sast_core\"]\n\tpath = checkov/sast/sast_core\n\turl = git@github.com:bridgecrewio/SAST-Core.git\n"
},
{
"path": ".gitpod.Dockerfile",
"content": "FROM gitpod/workspace-python\nRUN pyenv install 3.10.14\nRUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \\\n chmod 700 get_kustomize.sh; \\\n mkdir -p /usr/local/bin; \\\n sudo sh -c './get_kustomize.sh 4.5.2 /usr/local/bin'; \\\n rm ./get_kustomize.sh\n"
},
{
"path": ".gitpod.yml",
"content": "# This configuration file was automatically generated by Gitpod.\n# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file)\n# and commit this file to your remote git repository to share the goodness with others.\n\ntasks:\n - name: Pipenv Environment And Dev\n init: |\n pipenv sync --dev\n pipenv run python -m coverage run -m pytest tests\n\nimage:\n file: .gitpod.Dockerfile\n\ngithub:\n prebuilds:\n # enable for the master/default branch (defaults to true)\n master: true\n # enable for all branches in this repo (defaults to false)\n branches: true\n # enable for pull requests coming from this repo (defaults to true)\n pullRequests: true\n # enable for pull requests coming from forks (defaults to false)\n pullRequestsFromForks: true\n # add a \"Review in Gitpod\" button as a comment to pull requests (defaults to true)\n addComment: true\n # add a \"Review in Gitpod\" button to pull requests (defaults to false)\n addBadge: false\n # add a label once the prebuild is ready to pull requests (defaults to false)\n addLabel: prebuilt-in-gitpod\n"
},
{
"path": ".pre-commit-config.yaml",
"content": "repos:\n - repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v4.5.0\n hooks:\n - id: debug-statements\n - repo: https://github.com/PyCQA/flake8\n rev: 6.1.0\n hooks:\n - id: flake8\n language_version: python3.9\n additional_dependencies:\n - dlint\n - flake8-bugbear\n - flake8-type-checking\n - repo: https://github.com/isidentical/teyit # unit test formatter\n rev: 0.4.3\n hooks:\n - id: teyit\n language_version: python3.9\n - repo: https://github.com/rhysd/actionlint\n rev: v1.6.26\n hooks:\n - id: actionlint-docker\n # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.\n args: [\"-ignore\", \"SC2129\"]\n - repo: https://github.com/Madoshakalaka/pipenv-setup # Pipfile to setup.py sync checker\n rev: v3.2.0\n hooks:\n - id: pipenv-setup\n language_version: python3.9\n entry: pipenv-setup check\n args: []\n additional_dependencies:\n - vistir<0.7.0 # can be removed, when v4.0.0 of pipenv-setup comes out\n - plette<1.0.0 # Solve issue of import error for plette.models\n - repo: https://github.com/seddonym/import-linter # checks the import dependencies between each other\n rev: v1.12.1\n hooks:\n - id: import-linter\n language_version: python3.9\n args: [\"--show-timings\"]\n"
},
{
"path": ".pre-commit-hooks.yaml",
"content": "---\n\n# For use with pre-commit.\n# See usage instructions at http://pre-commit.com\n\n- id: checkov\n name: Checkov\n description: This hook runs checkov.\n entry: checkov -d .\n language: python\n pass_filenames: false\n always_run: false\n files: \\.tf$\n exclude: \\.+.terraform\\/.*$\n require_serial: true\n\n- id: checkov_container\n name: Checkov\n description: This hook runs checkov.\n entry: --tty bridgecrew/checkov:latest -d .\n args: []\n language: docker_image\n pass_filenames: false\n always_run: false\n files: \\.tf$\n exclude: \\.+.terraform\\/.*$\n require_serial: true\n\n- id: checkov_diff\n name: Checkov Diff\n description: This hook runs checkov against all changed files.\n entry: checkov --enable-secret-scan-all-files\n args: [\"-f\"] # required and must come last\n language: python\n require_serial: true\n\n- id: checkov_diff_container\n name: Checkov Diff\n description: This hook runs checkov against all changed files.\n entry: --tty bridgecrew/checkov:latest --enable-secret-scan-all-files\n args: [\"-f\"] # required and must come last\n language: docker_image\n require_serial: true\n\n- id: checkov_secrets\n name: Checkov Secrets\n description: This hook looks for secrets with checkov.\n entry: checkov --framework secrets --enable-secret-scan-all-files\n args: [\"-f\"] # required and must come last\n language: python\n always_run: true\n require_serial: true\n\n- id: checkov_secrets_container\n name: Checkov Secrets\n description: This hook looks for secrets with checkov.\n entry: --tty bridgecrew/checkov:latest --framework secrets --enable-secret-scan-all-files\n args: [\"-f\"] # required and must come last\n language: docker_image\n always_run: true\n require_serial: true\n"
},
{
"path": ".swm/creating-a-solver.gm0ti.sw.md",
"content": "---\nid: gm0ti\nname: Creating a Solver\nfile_version: 1.0.2\napp_version: 0.9.4-0\nfile_blobs:\n checkov/common/checks_infra/solvers/complex_solvers/not_solver.py: 60e9301de2a35a51b0464babaf537104d82cf00a\n checkov/common/checks_infra/checks_parser.py: 50130edc6639275b43dbd287572972b826eee687\n checkov/common/checks_infra/solvers/complex_solvers/__init__.py: 2e25b8e1f51406fe5e2995019eb6046fdf3650f2\n checkov/common/graph/checks_infra/solvers/base_solver.py: e84d471f6fc2e8ef12d82fa061784c57a7915d5c\n checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py: 186dd8805259132d32936fafc19c389d452869c4\n checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py: 38df2db8112768f7ee10facc3feac82b84affc32\n checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py: 5aa38478ce1174ea46d2cff94ec52358e8595369\n checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py: 0d44d643a7ba2f1fc78fa86ad53b46c47e546ee1\n checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py: 334cc79488dc5f5f52e3d66ef9b24e3ad89f1e99\n---\n\nA Solver is a major component in our system. This document will describe what it is and how to add a new one.\n\nA Solver is a graph operator that impelements a certain piece of logic, such as AttributeEquals, GreaterThan, Exists and more. There are also more complext solvers such as the `And` solver which implement logic between two or more solvers\n\nWhen we add a new Solver, we create a class that inherits from `BaseSolver`[↓](#f-2wxET6).\n\nSome examples of `BaseSolver`[↓](#f-2wxET6)s are `OrConnectionSolver`[↓](#f-Z1oapTp), `AnyResourceSolver`[↓](#f-Z7ghIg), `NotContainsAttributeSolver`[↓](#f-Z136myH), and `NotEndingWithAttributeSolver`[↓](#f-923Qq). Note: some of these examples inherit indirectly from `BaseSolver`[↓](#f-2wxET6).\n\n> **NOTE: Inherit from** `BaseComplexSolver`[↓](#f-10523X)\n> \n> Most `BaseSolver`[↓](#f-2wxET6)s inherit directly from `BaseComplexSolver`[↓](#f-10523X) and almost none inherit directly from `BaseSolver`[↓](#f-2wxET6). In this document we demonstrate inheriting from `BaseComplexSolver`[↓](#f-10523X).\n\n## TL;DR - How to Add a `BaseComplexSolver`[↓](#f-10523X)\n\n1. Create a new class inheriting from `BaseComplexSolver`[↓](#f-10523X) \n \n * Place the file under `📄 checkov/common/checks_infra/solvers/complex_solvers`, e.g. `NotSolver`[↓](#f-Z2wW09R) is defined in `📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py`.\n \n2. Define `operator`[↓](#f-Z1HozjT).\n \n3. Implement `__init__`[↓](#f-ZDc3b7), `_get_operation`[↓](#f-Z1IWbj3), and `get_operation`[↓](#f-I3t5K).\n \n4. Update `📄 checkov/common/checks_infra/checks_parser.py`.\n \n5. Update `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`.\n \n6. **Profit** 💰\n \n\n## Example Walkthrough - `NotSolver`[↓](#f-Z2wW09R)\n\nWe'll follow the implementation of `NotSolver`[↓](#f-Z2wW09R) for this example.\n\nA `NotSolver`[↓](#f-Z2wW09R) is a solver that inverts the logic of the solvers within it\n\n## Steps to Adding a new `BaseComplexSolver`[↓](#f-10523X)\n\n### 1\\. Inherit from `BaseComplexSolver`[↓](#f-10523X).\n\nAll `BaseComplexSolver`[↓](#f-10523X)s are defined in files under `📄 checkov/common/checks_infra/solvers/complex_solvers`.\n\n
\n\nWe first need to define our class in the relevant file, and inherit from `BaseComplexSolver`[↓](#f-10523X):\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\n```python\n⬜ 5 from checkov.common.checks_infra.solvers.complex_solvers.base_complex_solver import BaseComplexSolver\n⬜ 6 \n⬜ 7 \n🟩 8 class NotSolver(BaseComplexSolver):\n⬜ 9 operator = Operators.NOT # noqa: CCE003 # a static attribute\n⬜ 10 \n⬜ 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:\n```\n\n
\n\n> **Note**: the class name should end with \"Solver\".\n\n### 2\\. Define `operator`[↓](#f-Z1HozjT)\n\n`BaseSolver`[↓](#f-2wxET6)s should define this variable:\n\n* `operator`[↓](#f-Z1HozjT)\n\n
\n\n\n\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\n```python\n⬜ 6 \n⬜ 7 \n⬜ 8 class NotSolver(BaseComplexSolver):\n🟩 9 operator = Operators.NOT # noqa: CCE003 # a static attribute\n⬜ 10 \n⬜ 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:\n⬜ 12 if len(solvers) != 1:\n```\n\n
\n\n### 3\\. Implement `__init__`[↓](#f-ZDc3b7), `_get_operation`[↓](#f-Z1IWbj3), and `get_operation`[↓](#f-I3t5K)\n\nHere is how we do it for `NotSolver`[↓](#f-Z2wW09R):\n\nImplement `__init__`[↓](#f-ZDc3b7).\n\n
\n\n\n\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\n```python\n⬜ 8 class NotSolver(BaseComplexSolver):\n⬜ 9 operator = Operators.NOT # noqa: CCE003 # a static attribute\n⬜ 10 \n🟩 11 def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:\n🟩 12 if len(solvers) != 1:\n🟩 13 raise Exception('The \"not\" operator must have exactly one child')\n🟩 14 super().__init__(solvers, resource_types)\n⬜ 15 \n⬜ 16 def _get_operation(self, *args: Any, **kwargs: Any) -> Any:\n⬜ 17 if len(args) != 1:\n```\n\n
\n\n\n\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\n```python\n⬜ 13 raise Exception('The \"not\" operator must have exactly one child')\n⬜ 14 super().__init__(solvers, resource_types)\n⬜ 15 \n🟩 16 def _get_operation(self, *args: Any, **kwargs: Any) -> Any:\n🟩 17 if len(args) != 1:\n🟩 18 raise Exception('The \"not\" operator must have exactly one child')\n🟩 19 return not args[0]\n⬜ 20 \n⬜ 21 def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]\n⬜ 22 return not self.solvers[0].get_operation(vertex)\n```\n\n
\n\n\n\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\n```python\n⬜ 18 raise Exception('The \"not\" operator must have exactly one child')\n⬜ 19 return not args[0]\n⬜ 20 \n🟩 21 def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]\n🟩 22 return not self.solvers[0].get_operation(vertex)\n⬜ 23 \n```\n\n
\n\n## Update additional files with the new class\n\nEvery time we add new `BaseComplexSolver`[↓](#f-10523X)s, we reference them in a few locations.\n\nWe will still look at `NotSolver`[↓](#f-Z2wW09R) as our example.\n\n
\n\n4\\. Update `📄 checkov/common/checks_infra/checks_parser.py`, as we do with `NotSolver`[↓](#f-Z2wW09R) here:\n\n### 📄 checkov/common/checks_infra/checks_parser.py\n```python\n⬜ 19 NotEndingWithAttributeSolver,\n⬜ 20 AndSolver,\n⬜ 21 OrSolver,\n🟩 22 NotSolver,\n⬜ 23 ConnectionExistsSolver,\n⬜ 24 ConnectionNotExistsSolver,\n⬜ 25 AndConnectionSolver,\n```\n\n
\n\nIn addition, in the same file:\n\n### 📄 checkov/common/checks_infra/checks_parser.py\n```python\n⬜ 93 operators_to_complex_solver_classes: dict[str, Type[BaseComplexSolver]] = {\n⬜ 94 \"and\": AndSolver,\n⬜ 95 \"or\": OrSolver,\n🟩 96 \"not\": NotSolver,\n⬜ 97 }\n⬜ 98 \n⬜ 99 operator_to_connection_solver_classes: dict[str, Type[BaseConnectionSolver]] = {\n```\n\n
\n\n4\\. We modify `📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py`, for example:\n\n### 📄 checkov/common/checks_infra/solvers/complex_solvers/__init__.py\n```python\n⬜ 1 from checkov.common.checks_infra.solvers.complex_solvers.or_solver import OrSolver # noqa\n⬜ 2 from checkov.common.checks_infra.solvers.complex_solvers.and_solver import AndSolver # noqa\n🟩 3 from checkov.common.checks_infra.solvers.complex_solvers.not_solver import NotSolver # noqa\n⬜ 4 \n```\n\n
\n\n\n### Swimm Note\n\n__init__[^](#ZDc3b7) - \"checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\" L11\n```python\n def __init__(self, solvers: List[BaseSolver], resource_types: List[str]) -> None:\n```\n\n_get_operation[^](#Z1IWbj3) - \"checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\" L16\n```python\n def _get_operation(self, *args: Any, **kwargs: Any) -> Any:\n```\n\nAnyResourceSolver[^](#Z7ghIg) - \"checkov/common/checks_infra/solvers/attribute_solvers/any_attribute_solver.py\" L7\n```python\nclass AnyResourceSolver(BaseAttributeSolver):\n```\n\nBaseComplexSolver[^](#10523X) - \"checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py\" L9\n```python\nclass BaseComplexSolver(BaseSolver):\n```\n\nBaseSolver[^](#2wxET6) - \"checkov/common/graph/checks_infra/solvers/base_solver.py\" L9\n```python\nclass BaseSolver:\n```\n\nget_operation[^](#I3t5K) - \"checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\" L21\n```python\n def get_operation(self, vertex: Dict[str, Any]) -> bool: # type:ignore[override]\n```\n\nNotContainsAttributeSolver[^](#Z136myH) - \"checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py\" L7\n```python\nclass NotContainsAttributeSolver(ContainsAttributeSolver):\n```\n\nNotEndingWithAttributeSolver[^](#923Qq) - \"checkov/common/checks_infra/solvers/attribute_solvers/not_ending_with_attribute_solver.py\" L7\n```python\nclass NotEndingWithAttributeSolver(EndingWithAttributeSolver):\n```\n\nNotSolver[^](#Z2wW09R) - \"checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\" L8\n```python\nclass NotSolver(BaseComplexSolver):\n```\n\noperator[^](#Z1HozjT) - \"checkov/common/checks_infra/solvers/complex_solvers/not_solver.py\" L9\n```python\n operator = Operators.NOT # noqa: CCE003 # a static attribute\n```\n\nOrConnectionSolver[^](#Z1oapTp) - \"checkov/common/checks_infra/solvers/connections_solvers/or_connection_solver.py\" L11\n```python\nclass OrConnectionSolver(ComplexConnectionSolver):\n```\n\n
\n\nThis file was generated by Swimm. [Click here to view it in the app](https://app.swimm.io/repos/Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==/docs/gm0ti)."
},
{
"path": ".swm/swimm.json",
"content": "{\n \"repo_id\": \"Z2l0aHViJTNBJTNBY2hlY2tvdiUzQSUzQWJyaWRnZWNyZXdpbw==\",\n \"configuration\": {\n \"swmd\": true\n }\n}\n"
},
{
"path": "CHANGELOG.md",
"content": "# CHANGELOG\n\n## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.510...HEAD)\n\n## [3.2.510](https://github.com/bridgecrewio/checkov/compare/3.2.508...3.2.510) - 2026-03-18\n\n### Bug Fix\n\n- **terraform:** support modern TLS security policies in CKV_AWS_206 - [#7466](https://github.com/bridgecrewio/checkov/pull/7466)\n- **terraform:** update CKV_AWS_339 supported EKS Kubernetes versions - [#7465](https://github.com/bridgecrewio/checkov/pull/7465)\n- **terraform:** update CKV_GCP_79 latest Postgres version from 17 to 18 - [#7464](https://github.com/bridgecrewio/checkov/pull/7464)\n\n## [3.2.508](https://github.com/bridgecrewio/checkov/compare/3.2.507...3.2.508) - 2026-03-08\n\n### Bug Fix\n\n- **secrets:** eliminate race condition in secrets scanner when running concurrently with other scanners - [#7456](https://github.com/bridgecrewio/checkov/pull/7456)\n\n## [3.2.507](https://github.com/bridgecrewio/checkov/compare/3.2.506...3.2.507) - 2026-03-05\n\n### Bug Fix\n\n- **secrets:** add _thread_safe_transient_settings( to secret runner - [#7455](https://github.com/bridgecrewio/checkov/pull/7455)\n\n## [3.2.506](https://github.com/bridgecrewio/checkov/compare/3.2.505...3.2.506) - 2026-02-23\n\n### Bug Fix\n\n- **terraform:** return inner module path when dest_dir already exists on Linux - [#7436](https://github.com/bridgecrewio/checkov/pull/7436)\n\n## [3.2.505](https://github.com/bridgecrewio/checkov/compare/3.2.504...3.2.505) - 2026-02-22\n\n### Feature\n\n- **bicep:** revert bump pycep to support better bicep syntax - [#7446](https://github.com/bridgecrewio/checkov/pull/7446)\n\n## [3.2.504](https://github.com/bridgecrewio/checkov/compare/3.2.502...3.2.504) - 2026-02-18\n\n### Feature\n\n- **bicep:** bump pycep to support better bicep syntax - [#7441](https://github.com/bridgecrewio/checkov/pull/7441)\n- **terraform:** deprecate dotnet v6 and support v9 and v10 - [#7442](https://github.com/bridgecrewio/checkov/pull/7442)\n\n## [3.2.502](https://github.com/bridgecrewio/checkov/compare/3.2.501...3.2.502) - 2026-02-16\n\n### Feature\n\n- **general:** better shell commands - [#7438](https://github.com/bridgecrewio/checkov/pull/7438)\n\n## [3.2.501](https://github.com/bridgecrewio/checkov/compare/3.2.500...3.2.501) - 2026-02-11\n\n### Bug Fix\n\n- **general:** secret detection in build log files with line prefixes - [#7431](https://github.com/bridgecrewio/checkov/pull/7431)\n\n## [3.2.500](https://github.com/bridgecrewio/checkov/compare/3.2.499...3.2.500) - 2026-02-01\n\n### Bug Fix\n\n- **cloudformation:** render variables in cfn vertices config - [#7423](https://github.com/bridgecrewio/checkov/pull/7423)\n\n## [3.2.499](https://github.com/bridgecrewio/checkov/compare/3.2.497...3.2.499) - 2026-01-25\n\n### Feature\n\n- **general:** Add BC_CA_BUNDLE environment variable support for custom CA certificates - [#7419](https://github.com/bridgecrewio/checkov/pull/7419)\n- **secrets:** Override AWS generic check with cortex specific checks - [#7420](https://github.com/bridgecrewio/checkov/pull/7420)\n\n### Bug Fix\n\n- **terraform:** test dates - [#7422](https://github.com/bridgecrewio/checkov/pull/7422)\n\n## [3.2.497](https://github.com/bridgecrewio/checkov/compare/3.2.496...3.2.497) - 2025-12-30\n\n### Bug Fix\n\n- **terraform:** handle file path instead of directory - [#7408](https://github.com/bridgecrewio/checkov/pull/7408)\n\n## [3.2.496](https://github.com/bridgecrewio/checkov/compare/3.2.495...3.2.496) - 2025-12-28\n\n### Bug Fix\n\n- **terraform:** CKV_GCP_6 - Added special handling for MSSQL SERVER database type - [#7405](https://github.com/bridgecrewio/checkov/pull/7405)\n\n## [3.2.495](https://github.com/bridgecrewio/checkov/compare/3.2.494...3.2.495) - 2025-11-23\n\n### Bug Fix\n\n- **kubernetes:** Fix CKV_K8S_21 - [#7378](https://github.com/bridgecrewio/checkov/pull/7378)\n\n## [3.2.494](https://github.com/bridgecrewio/checkov/compare/3.2.493...3.2.494) - 2025-11-18\n\n### Bug Fix\n\n- **general:** Fixed build workflows of integration test by locking helm version - [#7371](https://github.com/bridgecrewio/checkov/pull/7371)\n- **terraform:** Fixed variable rendering of complex variables to avoid changing type - [#7369](https://github.com/bridgecrewio/checkov/pull/7369)\n\n## [3.2.493](https://github.com/bridgecrewio/checkov/compare/3.2.492...3.2.493) - 2025-11-12\n\n### Feature\n\n- **general:** support skips for module for_each and count - [#7368](https://github.com/bridgecrewio/checkov/pull/7368)\n\n## [3.2.492](https://github.com/bridgecrewio/checkov/compare/3.2.491...3.2.492) - 2025-11-10\n\n### Bug Fix\n\n- **terraform:** get_resource_tags handles more cases - [#7365](https://github.com/bridgecrewio/checkov/pull/7365)\n\n## [3.2.491](https://github.com/bridgecrewio/checkov/compare/3.2.490...3.2.491) - 2025-11-09\n\n### Bug Fix\n\n- **terraform:** Graph report tags should be dict - [#7363](https://github.com/bridgecrewio/checkov/pull/7363)\n\n## [3.2.490](https://github.com/bridgecrewio/checkov/compare/3.2.489...3.2.490) - 2025-11-04\n\n### Feature\n\n- **general:** Fix downloading of the external modules when ref is a shortened Git hash - [#7278](https://github.com/bridgecrewio/checkov/pull/7278)\n\n## [3.2.489](https://github.com/bridgecrewio/checkov/compare/3.2.488...3.2.489) - 2025-10-29\n\n### Bug Fix\n\n- **helm:** Check HELM_NAMESPACE env var in CKV_K8S_21 - [#7355](https://github.com/bridgecrewio/checkov/pull/7355)\n\n## [3.2.488](https://github.com/bridgecrewio/checkov/compare/3.2.487...3.2.488) - 2025-10-27\n\n### Feature\n\n- **terraform_plan:** add new cases for foreach in the presence of skips - [#7351](https://github.com/bridgecrewio/checkov/pull/7351)\n\n## [3.2.487](https://github.com/bridgecrewio/checkov/compare/3.2.486...3.2.487) - 2025-10-23\n\n### Bug Fix\n\n- **general:** CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cloudformation - [#7352](https://github.com/bridgecrewio/checkov/pull/7352)\n\n## [3.2.486](https://github.com/bridgecrewio/checkov/compare/3.2.485...3.2.486) - 2025-10-22\n\n### Feature\n\n- **general:** update setuptools version 78.1.1 - [#7347](https://github.com/bridgecrewio/checkov/pull/7347)\n\n## [3.2.485](https://github.com/bridgecrewio/checkov/compare/3.2.484...3.2.485) - 2025-10-20\n\n### Bug Fix\n\n- **general:** fix urllib3 dependency - [#7345](https://github.com/bridgecrewio/checkov/pull/7345)\n\n## [3.2.484](https://github.com/bridgecrewio/checkov/compare/3.2.483...3.2.484) - 2025-10-15\n\n### Bug Fix\n\n- **terraform_plan:** Correctly handle complex types for after_unknown - [#7333](https://github.com/bridgecrewio/checkov/pull/7333)\n\n## [3.2.483](https://github.com/bridgecrewio/checkov/compare/3.2.479...3.2.483) - 2025-10-12\n\n### Feature\n\n- **general:** anchor setuptools to fix metadata version - [#7330](https://github.com/bridgecrewio/checkov/pull/7330)\n- **general:** update our publishing job SHA to latest - [#7332](https://github.com/bridgecrewio/checkov/pull/7332)\n- **terraform_plan:** fix handling of resource_id for enrichment in tf_plan - [#7329](https://github.com/bridgecrewio/checkov/pull/7329)\n\n## [3.2.479](https://github.com/bridgecrewio/checkov/compare/3.2.477...3.2.479) - 2025-10-09\n\n### Feature\n\n- **general:** upgrade checkov python version 3.9 - [#7326](https://github.com/bridgecrewio/checkov/pull/7326)\n- **general:** upgrade checkvo python version - [#7303](https://github.com/bridgecrewio/checkov/pull/7303)\n- **terraform:** skip raw tf resource violation - [#7325](https://github.com/bridgecrewio/checkov/pull/7325)\n\n### Bug Fix\n\n- **general:** revert pipfile urllib3 change - [#7324](https://github.com/bridgecrewio/checkov/pull/7324)\n\n## [3.2.477](https://github.com/bridgecrewio/checkov/compare/3.2.474...3.2.477) - 2025-10-08\n\n### Bug Fix\n\n- **terraform_plan:** compute the longest common prefix between two optional vertex - [#7320](https://github.com/bridgecrewio/checkov/pull/7320)\n- **terraform_plan:** Don't add values to empty list values in after_unknown - [#7319](https://github.com/bridgecrewio/checkov/pull/7319)\n\n## [3.2.474](https://github.com/bridgecrewio/checkov/compare/3.2.473...3.2.474) - 2025-10-05\n\n### Documentation\n\n- **general:** Add JAVA_FULL_DT environment variable to CLI reference - [#7312](https://github.com/bridgecrewio/checkov/pull/7312)\n\n## [3.2.473](https://github.com/bridgecrewio/checkov/compare/3.2.472...3.2.473) - 2025-09-30\n\n- no noteworthy changes\n\n## [3.2.472](https://github.com/bridgecrewio/checkov/compare/3.2.471...3.2.472) - 2025-09-28\n\n### Feature\n\n- **terraform:** fix foreach module handling - [#7313](https://github.com/bridgecrewio/checkov/pull/7313)\n\n## [3.2.471](https://github.com/bridgecrewio/checkov/compare/3.2.470...3.2.471) - 2025-09-14\n\n### Bug Fix\n\n- **terraform_plan:** fix access to list by str in tf plan under _handle_complex_after_unknown - [#7299](https://github.com/bridgecrewio/checkov/pull/7299)\n\n## [3.2.470](https://github.com/bridgecrewio/checkov/compare/3.2.469...3.2.470) - 2025-09-08\n\n### Bug Fix\n\n- **helm:** Make Helm template detection less aggressive - [#7288](https://github.com/bridgecrewio/checkov/pull/7288)\n\n## [3.2.469](https://github.com/bridgecrewio/checkov/compare/3.2.467...3.2.469) - 2025-09-01\n\n### Feature\n\n- **general:** Control parallelism - [#7286](https://github.com/bridgecrewio/checkov/pull/7286)\n\n## [3.2.467](https://github.com/bridgecrewio/checkov/compare/3.2.466...3.2.467) - 2025-08-27\n\n### Bug Fix\n\n- **serverless:** Fixed bad entity code line generation - [#7285](https://github.com/bridgecrewio/checkov/pull/7285)\n\n## [3.2.466](https://github.com/bridgecrewio/checkov/compare/3.2.464...3.2.466) - 2025-08-25\n\n### Feature\n\n- **terraform:** add aws_vpc_endpoint to RESOURCE_TYPES_JSONIFY - [#7281](https://github.com/bridgecrewio/checkov/pull/7281)\n\n### Bug Fix\n\n- **general:** Add exclusion for plan_with_providers test files in security scanning - [#7282](https://github.com/bridgecrewio/checkov/pull/7282)\n\n## [3.2.464](https://github.com/bridgecrewio/checkov/compare/3.2.461...3.2.464) - 2025-08-20\n\n### Feature\n\n- **secrets:** support suppressions in JSON files - [#7275](https://github.com/bridgecrewio/checkov/pull/7275)\n\n## [3.2.461](https://github.com/bridgecrewio/checkov/compare/3.2.460...3.2.461) - 2025-08-12\n\n### Bug Fix\n\n- **terraform:** Handled git external module loading with sub-directory but without protocol - [#7272](https://github.com/bridgecrewio/checkov/pull/7272)\n\n## [3.2.460](https://github.com/bridgecrewio/checkov/compare/3.2.458...3.2.460) - 2025-08-10\n\n### Bug Fix\n\n- **general:** pin boto3 and botocore versions as failed test in Jenkins - [#7270](https://github.com/bridgecrewio/checkov/pull/7270)\n\n## [3.2.458](https://github.com/bridgecrewio/checkov/compare/3.2.457...3.2.458) - 2025-08-06\n\n### Bug Fix\n\n- **terraform:** Fix conditional expression evaluation - [#7265](https://github.com/bridgecrewio/checkov/pull/7265)\n- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7078](https://github.com/bridgecrewio/checkov/pull/7078)\n\n## [3.2.457](https://github.com/bridgecrewio/checkov/compare/3.2.456...3.2.457) - 2025-07-28\n\n### Bug Fix\n\n- **dockerfile:** Use proxy env vars in aiohttp client requests - [#7260](https://github.com/bridgecrewio/checkov/pull/7260)\n\n## [3.2.456](https://github.com/bridgecrewio/checkov/compare/3.2.454...3.2.456) - 2025-07-27\n\n### Bug Fix\n\n- **terraform:** Parse continue as a string rather as a python object - [#7261](https://github.com/bridgecrewio/checkov/pull/7261)\n\n## [3.2.454](https://github.com/bridgecrewio/checkov/compare/3.2.452...3.2.454) - 2025-07-24\n\n### Bug Fix\n\n- **serverless:** Fixed extraction of code lines for serverless resources - [#7259](https://github.com/bridgecrewio/checkov/pull/7259)\n\n## [3.2.452](https://github.com/bridgecrewio/checkov/compare/3.2.451...3.2.452) - 2025-07-23\n\n### Feature\n\n- **general:** Support Py 3.13 on build workflow - [#7222](https://github.com/bridgecrewio/checkov/pull/7222)\n\n## [3.2.451](https://github.com/bridgecrewio/checkov/compare/3.2.450...3.2.451) - 2025-07-14\n\n### Feature\n\n- **terraform:** Support parsing of provider functions - [#7237](https://github.com/bridgecrewio/checkov/pull/7237)\n\n## [3.2.450](https://github.com/bridgecrewio/checkov/compare/3.2.449...3.2.450) - 2025-07-10\n\n### Bug Fix\n\n- **arm:** filter out failed checks with resource names containing un-rendered functions - [#7231](https://github.com/bridgecrewio/checkov/pull/7231)\n\n## [3.2.449](https://github.com/bridgecrewio/checkov/compare/3.2.447...3.2.449) - 2025-07-09\n\n### Bug Fix\n\n- **terraform:** fix cloning external modules from private regsitries - [#7229](https://github.com/bridgecrewio/checkov/pull/7229)\n- **terraform:** fix issue 7216 module version parsing issue - [#7224](https://github.com/bridgecrewio/checkov/pull/7224)\n\n## [3.2.447](https://github.com/bridgecrewio/checkov/compare/3.2.446...3.2.447) - 2025-06-26\n\n### Bug Fix\n\n- **terraform:** Added support in restricting to a specific GitHub organization for GithubActionsOIDCTrustPolicy - [#7221](https://github.com/bridgecrewio/checkov/pull/7221)\n\n## [3.2.446](https://github.com/bridgecrewio/checkov/compare/3.2.445...3.2.446) - 2025-06-24\n\n### Feature\n\n- **kubernetes:** include hidden folders in scan - [#7219](https://github.com/bridgecrewio/checkov/pull/7219)\n\n## [3.2.445](https://github.com/bridgecrewio/checkov/compare/3.2.443...3.2.445) - 2025-06-22\n\n### Bug Fix\n\n- **helm:** fix file paths to point to original files and not generated ones - [#7212](https://github.com/bridgecrewio/checkov/pull/7212)\n- **secrets:** fix omitting and masking - [#7218](https://github.com/bridgecrewio/checkov/pull/7218)\n\n## [3.2.443](https://github.com/bridgecrewio/checkov/compare/3.2.442...3.2.443) - 2025-06-19\n\n### Bug Fix\n\n- **secrets:** fix omit and masking - [#7213](https://github.com/bridgecrewio/checkov/pull/7213)\n\n## [3.2.442](https://github.com/bridgecrewio/checkov/compare/3.2.440...3.2.442) - 2025-06-15\n\n### Bug Fix\n\n- **secrets:** fix relative path secrets - [#7211](https://github.com/bridgecrewio/checkov/pull/7211)\n\n## [3.2.440](https://github.com/bridgecrewio/checkov/compare/3.2.439...3.2.440) - 2025-06-11\n\n### Feature\n\n- **secrets:** Bump detect secrets - [#7203](https://github.com/bridgecrewio/checkov/pull/7203)\n\n## [3.2.439](https://github.com/bridgecrewio/checkov/compare/3.2.437...3.2.439) - 2025-06-09\n\n### Bug Fix\n\n- **serverless:** Enhance yaml parsing, better support for file expansion - [#7115](https://github.com/bridgecrewio/checkov/pull/7115)\n- **terraform:** Better utilization of managed modules (if enabled) - [#7111](https://github.com/bridgecrewio/checkov/pull/7111)\n\n## [3.2.437](https://github.com/bridgecrewio/checkov/compare/3.2.436...3.2.437) - 2025-06-05\n\n### Bug Fix\n\n- **terraform:** Handle explicitly-specified tfvars explicitly - [#7107](https://github.com/bridgecrewio/checkov/pull/7107)\n\n## [3.2.436](https://github.com/bridgecrewio/checkov/compare/3.2.435...3.2.436) - 2025-05-30\n\n### Bug Fix\n\n- **terraform_plan:** Support count in terraform plan files - [#7195](https://github.com/bridgecrewio/checkov/pull/7195)\n\n## [3.2.435](https://github.com/bridgecrewio/checkov/compare/3.2.433...3.2.435) - 2025-05-27\n\n### Bug Fix\n\n- **kubernetes:** Only filter out files that contain Helm built-in variables and functions - [#6922](https://github.com/bridgecrewio/checkov/pull/6922)\n- **serverless:** check if start and end line in serverless definitions context - [#7189](https://github.com/bridgecrewio/checkov/pull/7189)\n\n## [3.2.433](https://github.com/bridgecrewio/checkov/compare/3.2.432...3.2.433) - 2025-05-26\n\n### Bug Fix\n\n- **terraform_plan:** add a check to avoid doing get on a none dict object in tfplan scan - [#7180](https://github.com/bridgecrewio/checkov/pull/7180)\n\n## [3.2.432](https://github.com/bridgecrewio/checkov/compare/3.2.429...3.2.432) - 2025-05-22\n\n### Bug Fix\n\n- **terraform:** Multiple fixes - [#7178](https://github.com/bridgecrewio/checkov/pull/7178)\n\n## [3.2.429](https://github.com/bridgecrewio/checkov/compare/3.2.427...3.2.429) - 2025-05-21\n\n### Bug Fix\n\n- **general:** Fix support for git external module syntax 'git::git@' - [#7175](https://github.com/bridgecrewio/checkov/pull/7175)\n- **general:** Remove asteval syntax error logs - [#7172](https://github.com/bridgecrewio/checkov/pull/7172)\n\n## [3.2.427](https://github.com/bridgecrewio/checkov/compare/3.2.426...3.2.427) - 2025-05-20\n\n### Feature\n\n- **secrets:** Revert - Bump detect secrets - [#7171](https://github.com/bridgecrewio/checkov/pull/7171)\n\n### Bug Fix\n\n- **terraform:** dont move clone to internal dir - [#7159](https://github.com/bridgecrewio/checkov/pull/7159)\n\n## [3.2.426](https://github.com/bridgecrewio/checkov/compare/3.2.424...3.2.426) - 2025-05-19\n\n### Feature\n\n- **secrets:** Bump detect secrets - [#7158](https://github.com/bridgecrewio/checkov/pull/7158)\n- **terraform:** 7 new policies - [#7056](https://github.com/bridgecrewio/checkov/pull/7056)\n\n## [3.2.424](https://github.com/bridgecrewio/checkov/compare/3.2.422...3.2.424) - 2025-05-15\n\n### Feature\n\n- **terraform:** Add SNS check and modify some - [#7154](https://github.com/bridgecrewio/checkov/pull/7154)\n\n### Bug Fix\n\n- **secrets:** Fix for git-history scan by commits - [#7160](https://github.com/bridgecrewio/checkov/pull/7160)\n\n## [3.2.422](https://github.com/bridgecrewio/checkov/compare/3.2.420...3.2.422) - 2025-05-14\n\n### Feature\n\n- **secrets:** git-history allow scan by commits list - [#7155](https://github.com/bridgecrewio/checkov/pull/7155)\n\n### Bug Fix\n\n- **general:** exclude **start_line** and **end_line** from is empty solver - [#7156](https://github.com/bridgecrewio/checkov/pull/7156)\n\n## [3.2.420](https://github.com/bridgecrewio/checkov/compare/3.2.417...3.2.420) - 2025-05-13\n\n### Feature\n\n- **kustomize:** export get kustomize resource id to a function - [#7153](https://github.com/bridgecrewio/checkov/pull/7153)\n\n### Bug Fix\n\n- **general:** Skip bc_api_key in output - [#7148](https://github.com/bridgecrewio/checkov/pull/7148)\n- **terraform:** Fixed crash when using variable rendering inside a list of len > 1 - [#7151](https://github.com/bridgecrewio/checkov/pull/7151)\n\n## [3.2.417](https://github.com/bridgecrewio/checkov/compare/3.2.416...3.2.417) - 2025-05-12\n\n### Breaking Change\n\n- **general:** Remove OpenAI - [#7146](https://github.com/bridgecrewio/checkov/pull/7146)\n\n## [3.2.416](https://github.com/bridgecrewio/checkov/compare/3.2.415...3.2.416) - 2025-05-06\n\n### Bug Fix\n\n- **terraform_plan:** use provider name not resource address to fix supported_provider matching - [#7119](https://github.com/bridgecrewio/checkov/pull/7119)\n\n## [3.2.415](https://github.com/bridgecrewio/checkov/compare/3.2.414...3.2.415) - 2025-05-05\n\n### Bug Fix\n\n- **general:** using asteval instead of using eval - [#7116](https://github.com/bridgecrewio/checkov/pull/7116)\n\n## [3.2.414](https://github.com/bridgecrewio/checkov/compare/3.2.413...3.2.414) - 2025-05-01\n\n### Bug Fix\n\n- **terraform:** Fix protocols for CKV2_AWS_74 and fix for CKV2_K8S_5 - [#7134](https://github.com/bridgecrewio/checkov/pull/7134)\n\n## [3.2.413](https://github.com/bridgecrewio/checkov/compare/3.2.411...3.2.413) - 2025-04-29\n\n### Feature\n\n- **terraform:** Add new check for overly permissive SQS policy - [#7125](https://github.com/bridgecrewio/checkov/pull/7125)\n\n### Bug Fix\n\n- **terraform:** support CLI notation in CKV_AZURE_228 for EventHub locations - [#7124](https://github.com/bridgecrewio/checkov/pull/7124)\n\n## [3.2.411](https://github.com/bridgecrewio/checkov/compare/3.2.408...3.2.411) - 2025-04-28\n\n### Feature\n\n- **secrets:** Add support in git history for producer consumer - [#7123](https://github.com/bridgecrewio/checkov/pull/7123)\n\n### Bug Fix\n\n- **general:** Make --download-external-modules Optional[bool] - [#7121](https://github.com/bridgecrewio/checkov/pull/7121)\n- **secrets:** Fix test directory tree race - [#7122](https://github.com/bridgecrewio/checkov/pull/7122)\n- **terraform:** add aws_elasticache_serverless_cache to CKV2_AWS_5 - [#7079](https://github.com/bridgecrewio/checkov/pull/7079)\n\n## [3.2.408](https://github.com/bridgecrewio/checkov/compare/3.2.407...3.2.408) - 2025-04-24\n\n### Feature\n\n- **terraform:** Over permissive Lambda Cors check (Terraform & Cloudformation) - [#7113](https://github.com/bridgecrewio/checkov/pull/7113)\n\n### Bug Fix\n\n- **general:** base_runner: Properly escape excluded directories that begin with '.' - [#7112](https://github.com/bridgecrewio/checkov/pull/7112)\n\n## [3.2.407](https://github.com/bridgecrewio/checkov/compare/3.2.406...3.2.407) - 2025-04-21\n\n### Feature\n\n- **terraform:** Add new check and update old around cipher suites - [#7108](https://github.com/bridgecrewio/checkov/pull/7108)\n\n## [3.2.406](https://github.com/bridgecrewio/checkov/compare/3.2.404...3.2.406) - 2025-04-17\n\n### Bug Fix\n\n- **kustomize:** handle kustomize file with empty resources section - [#7109](https://github.com/bridgecrewio/checkov/pull/7109)\n\n## [3.2.404](https://github.com/bridgecrewio/checkov/compare/3.2.403...3.2.404) - 2025-04-14\n\n### Bug Fix\n\n- **terraform:** Fix for multiple checks - [#7097](https://github.com/bridgecrewio/checkov/pull/7097)\n\n## [3.2.403](https://github.com/bridgecrewio/checkov/compare/3.2.402...3.2.403) - 2025-04-10\n\n### Feature\n\n- **cloudformation:** Update Lambda Runtime checks - [#7065](https://github.com/bridgecrewio/checkov/pull/7065)\n\n## [3.2.402](https://github.com/bridgecrewio/checkov/compare/3.2.400...3.2.402) - 2025-04-08\n\n### Bug Fix\n\n- **terraform:** Change to valid name - [#7089](https://github.com/bridgecrewio/checkov/pull/7089)\n- **terraform:** CKV2_IBM_1 - ignore case for load balancer of type private_path - [#7010](https://github.com/bridgecrewio/checkov/pull/7010)\n- **terraform:** rename test FunctionAppsAccessibleOverHttps - [#7085](https://github.com/bridgecrewio/checkov/pull/7085)\n\n### Documentation\n\n- **general:** Add install for debian - [#7083](https://github.com/bridgecrewio/checkov/pull/7083)\n\n## [3.2.400](https://github.com/bridgecrewio/checkov/compare/3.2.398...3.2.400) - 2025-04-07\n\n### Bug Fix\n\n- **general:** typos discovered by codespell - [#7012](https://github.com/bridgecrewio/checkov/pull/7012)\n- **terraform:** Update FunctionAppsAccessibleOverHttps - [#7084](https://github.com/bridgecrewio/checkov/pull/7084)\n\n## [3.2.398](https://github.com/bridgecrewio/checkov/compare/3.2.397...3.2.398) - 2025-04-06\n\n### Bug Fix\n\n- **general:** handle connected_node tuple in CustomJSONEncoder for json report (#7062) - [#7063](https://github.com/bridgecrewio/checkov/pull/7063)\n\n## [3.2.397](https://github.com/bridgecrewio/checkov/compare/3.2.396...3.2.397) - 2025-04-04\n\n- no noteworthy changes\n\n## [3.2.396](https://github.com/bridgecrewio/checkov/compare/3.2.395...3.2.396) - 2025-04-01\n\n### Bug Fix\n\n- **terraform:** Fix keeping range a range - [#7073](https://github.com/bridgecrewio/checkov/pull/7073)\n\n## [3.2.395](https://github.com/bridgecrewio/checkov/compare/3.2.394...3.2.395) - 2025-03-31\n\n### Feature\n\n- **serverless:** add check for empty resource attributes - [#7074](https://github.com/bridgecrewio/checkov/pull/7074)\n\n## [3.2.394](https://github.com/bridgecrewio/checkov/compare/3.2.393...3.2.394) - 2025-03-27\n\n### Bug Fix\n\n- **terraform:** Fix CKV2_GCP_12 and a few tests - [#7069](https://github.com/bridgecrewio/checkov/pull/7069)\n\n## [3.2.393](https://github.com/bridgecrewio/checkov/compare/3.2.392...3.2.393) - 2025-03-26\n\n### Bug Fix\n\n- **general:** Updated correct connected_node when creating graph report out of all options - [#7068](https://github.com/bridgecrewio/checkov/pull/7068)\n\n## [3.2.392](https://github.com/bridgecrewio/checkov/compare/3.2.391...3.2.392) - 2025-03-24\n\n### Bug Fix\n\n- **terraform_plan:** Run provider checks against all providers in plan - [#7061](https://github.com/bridgecrewio/checkov/pull/7061)\n\n## [3.2.391](https://github.com/bridgecrewio/checkov/compare/3.2.390...3.2.391) - 2025-03-23\n\n### Bug Fix\n\n- **secrets:** Bump detect-secrets to not flag AZ secrets in plan files - [#7064](https://github.com/bridgecrewio/checkov/pull/7064)\n\n## [3.2.390](https://github.com/bridgecrewio/checkov/compare/3.2.386...3.2.390) - 2025-03-19\n\n### Feature\n\n- **terraform:** add raw tf resource to graph - [#7047](https://github.com/bridgecrewio/checkov/pull/7047)\n\n### Bug Fix\n\n- **general:** Fix a few checks - [#7051](https://github.com/bridgecrewio/checkov/pull/7051)\n- **general:** Remove sneaky unicode characters that break a regex and console outputs on Windows - [#6987](https://github.com/bridgecrewio/checkov/pull/6987)\n- **terraform:** CKV_AWS_228 - support new AWS Opensearch TLS policy - [#7007](https://github.com/bridgecrewio/checkov/pull/7007)\n\n## [3.2.386](https://github.com/bridgecrewio/checkov/compare/3.2.385...3.2.386) - 2025-03-14\n\n- no noteworthy changes\n\n## [3.2.385](https://github.com/bridgecrewio/checkov/compare/3.2.384...3.2.385) - 2025-03-13\n\n### Bug Fix\n\n- **terraform:** Update all resources - [#7049](https://github.com/bridgecrewio/checkov/pull/7049)\n\n## [3.2.384](https://github.com/bridgecrewio/checkov/compare/3.2.383...3.2.384) - 2025-03-12\n\n### Bug Fix\n\n- **terraform:** Update CKV_ALI_1 - [#7040](https://github.com/bridgecrewio/checkov/pull/7040)\n\n## [3.2.383](https://github.com/bridgecrewio/checkov/compare/3.2.382...3.2.383) - 2025-03-11\n\n### Feature\n\n- **serverless:** add tags enrichment to serverless - [#7044](https://github.com/bridgecrewio/checkov/pull/7044)\n\n### Bug Fix\n\n- **sast:** Fix CKV_AWS_194 policy - [#7048](https://github.com/bridgecrewio/checkov/pull/7048)\n\n## [3.2.382](https://github.com/bridgecrewio/checkov/compare/3.2.381...3.2.382) - 2025-03-06\n\n### Feature\n\n- **secrets:** Bump detect-secrets to remove more lock files - [#7039](https://github.com/bridgecrewio/checkov/pull/7039)\n\n## [3.2.381](https://github.com/bridgecrewio/checkov/compare/3.2.379...3.2.381) - 2025-03-05\n\n### Bug Fix\n\n- **general:** prevent connected_node attribute from being overriden - [#7032](https://github.com/bridgecrewio/checkov/pull/7032)\n- **secrets:** ckv_secret_80 filtering fix - [#7037](https://github.com/bridgecrewio/checkov/pull/7037)\n\n## [3.2.379](https://github.com/bridgecrewio/checkov/compare/3.2.378...3.2.379) - 2025-03-03\n\n### Feature\n\n- **terraform:** Add azure DB checks for flexible server private endpoints - [#7030](https://github.com/bridgecrewio/checkov/pull/7030)\n\n## [3.2.378](https://github.com/bridgecrewio/checkov/compare/3.2.377...3.2.378) - 2025-02-27\n\n### Bug Fix\n\n- **secrets:** Remove CKV_SECRET_80 instead of CKV_SECRET_6 - [#7029](https://github.com/bridgecrewio/checkov/pull/7029)\n\n## [3.2.377](https://github.com/bridgecrewio/checkov/compare/3.2.373...3.2.377) - 2025-02-25\n\n### Feature\n\n- **terraform:** adding 3 policies & tests - [#7011](https://github.com/bridgecrewio/checkov/pull/7011)\n\n### Bug Fix\n\n- **cloudformation:** Handle subs in CKV_AWS_384 - [#7022](https://github.com/bridgecrewio/checkov/pull/7022)\n- **secrets:** Fix Duplicated Violation in line bug - [#7027](https://github.com/bridgecrewio/checkov/pull/7027)\n- **terraform:** Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement - [#7008](https://github.com/bridgecrewio/checkov/pull/7008)\n- **terraform:** Handle new resource type for CKV_GCP_73 - [#7023](https://github.com/bridgecrewio/checkov/pull/7023)\n\n## [3.2.373](https://github.com/bridgecrewio/checkov/compare/3.2.372...3.2.373) - 2025-02-24\n\n### Bug Fix\n\n- **terraform:** CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks - [#7002](https://github.com/bridgecrewio/checkov/pull/7002)\n\n## [3.2.372](https://github.com/bridgecrewio/checkov/compare/3.2.370...3.2.372) - 2025-02-18\n\n### Feature\n\n- **terraform:** Add multiple checks - [#7016](https://github.com/bridgecrewio/checkov/pull/7016)\n\n### Bug Fix\n\n- **terraform:** Postgres latest stable version - [#7015](https://github.com/bridgecrewio/checkov/pull/7015)\n\n## [3.2.370](https://github.com/bridgecrewio/checkov/compare/3.2.369...3.2.370) - 2025-02-13\n\n### Bug Fix\n\n- **general:** Handle ECS enhanced container insights - [#7001](https://github.com/bridgecrewio/checkov/pull/7001)\n\n## [3.2.369](https://github.com/bridgecrewio/checkov/compare/3.2.368...3.2.369) - 2025-02-10\n\n### Bug Fix\n\n- **terraform:** Multiple check fixes - [#6999](https://github.com/bridgecrewio/checkov/pull/6999)\n\n## [3.2.368](https://github.com/bridgecrewio/checkov/compare/3.2.366...3.2.368) - 2025-02-06\n\n### Feature\n\n- **general:** fix proxy access from git and registry loader - [#6992](https://github.com/bridgecrewio/checkov/pull/6992)\n\n## [3.2.366](https://github.com/bridgecrewio/checkov/compare/3.2.364...3.2.366) - 2025-02-05\n\n### Bug Fix\n\n- **bicep:** Add bicep specific for CKV_AZURE_25 since ARM implementation fails - [#6996](https://github.com/bridgecrewio/checkov/pull/6996)\n- **terraform:** CKV_AZURE_249 & CKV_AWS_358 - better support for OIDC 'repo' detection regex and conditions order - [#6994](https://github.com/bridgecrewio/checkov/pull/6994)\n\n## [3.2.364](https://github.com/bridgecrewio/checkov/compare/3.2.362...3.2.364) - 2025-02-04\n\n### Bug Fix\n\n- **terraform:** CKV_AWS_339 - Add EKS platform version 1.32 to allowed lists of versions - [#6988](https://github.com/bridgecrewio/checkov/pull/6988)\n\n## [3.2.362](https://github.com/bridgecrewio/checkov/compare/3.2.358...3.2.362) - 2025-02-03\n\n### Bug Fix\n\n- **secrets:** Multiple matching groups are being caught as regex separated by | sign - [#6967](https://github.com/bridgecrewio/checkov/pull/6967)\n- **secrets:** Remove both random and base64 entropy secrets finding - [#6969](https://github.com/bridgecrewio/checkov/pull/6969)\n\n### Platform\n\n- **general:** Backfill more eval keys - [#6970](https://github.com/bridgecrewio/checkov/pull/6970)\n\n## [3.2.358](https://github.com/bridgecrewio/checkov/compare/3.2.357...3.2.358) - 2025-01-28\n\n### Feature\n\n- **general:** Add env var for policy metadata - [#6979](https://github.com/bridgecrewio/checkov/pull/6979)\n\n## [3.2.357](https://github.com/bridgecrewio/checkov/compare/3.2.355...3.2.357) - 2025-01-23\n\n### Feature\n\n- **general:** initial support for python 3.13 - [#6962](https://github.com/bridgecrewio/checkov/pull/6962)\n\n### Bug Fix\n\n- **terraform:** OIDC checks fixes - [#6964](https://github.com/bridgecrewio/checkov/pull/6964)\n\n## [3.2.355](https://github.com/bridgecrewio/checkov/compare/3.2.353...3.2.355) - 2025-01-22\n\n### Feature\n\n- **terraform:** Update CKV_AWS_358, add CKV_GCP_125 and CKV_AZURE_249 for OIDC claims analysis for GitHub - [#6960](https://github.com/bridgecrewio/checkov/pull/6960)\n\n### Bug Fix\n\n- **terraform:** Accept TLS 1.3 for Azure web apps and web app slots - [#6956](https://github.com/bridgecrewio/checkov/pull/6956)\n\n### Platform\n\n- **terraform:** Add eval keys - [#6929](https://github.com/bridgecrewio/checkov/pull/6929)\n\n## [3.2.353](https://github.com/bridgecrewio/checkov/compare/3.2.352...3.2.353) - 2025-01-15\n\n### Bug Fix\n\n- **general:** Support CVE suppressions with the root file in repo - [#6948](https://github.com/bridgecrewio/checkov/pull/6948)\n\n## [3.2.352](https://github.com/bridgecrewio/checkov/compare/3.2.351...3.2.352) - 2025-01-09\n\n### Feature\n\n- **terraform:** add option to add external_modules_content_cache to terraform build_graph - [#6942](https://github.com/bridgecrewio/checkov/pull/6942)\n\n## [3.2.351](https://github.com/bridgecrewio/checkov/compare/3.2.350...3.2.351) - 2025-01-08\n\n### Bug Fix\n\n- **terraform:** Skip tsconfig in terraform plan - [#6941](https://github.com/bridgecrewio/checkov/pull/6941)\n\n## [3.2.350](https://github.com/bridgecrewio/checkov/compare/3.2.347...3.2.350) - 2025-01-07\n\n### Feature\n\n- **terraform:** add CKV_AZURE_248 - Azure batch account network access restriction - [#6928](https://github.com/bridgecrewio/checkov/pull/6928)\n\n### Bug Fix\n\n- **terraform:** Revert feat(terraform): Add a terraform block check (#6904) - [#6937](https://github.com/bridgecrewio/checkov/pull/6937)\n\n## [3.2.347](https://github.com/bridgecrewio/checkov/compare/3.2.346...3.2.347) - 2025-01-06\n\n### Feature\n\n- **general:** Change behavior where if a config file is missing, run the scan as if there was no config file - [#6926](https://github.com/bridgecrewio/checkov/pull/6926)\n\n### Bug Fix\n\n- **terraform:** Fix for multiple checks - [#6933](https://github.com/bridgecrewio/checkov/pull/6933)\n\n## [3.2.346](https://github.com/bridgecrewio/checkov/compare/3.2.345...3.2.346) - 2025-01-01\n\n### Feature\n\n- **terraform:** add option to add proxy to request - [#6923](https://github.com/bridgecrewio/checkov/pull/6923)\n\n## [3.2.345](https://github.com/bridgecrewio/checkov/compare/3.2.344...3.2.345) - 2024-12-31\n\n### Feature\n\n- **cloudformation:** Add sensitive param check - [#6921](https://github.com/bridgecrewio/checkov/pull/6921)\n- **terraform:** add option to add proxy to request - [#6916](https://github.com/bridgecrewio/checkov/pull/6916)\n- **terraform:** check cognitive services restrict outbound network - [#6919](https://github.com/bridgecrewio/checkov/pull/6919)\n\n### Bug Fix\n\n- **terraform_json:** support CDKTF output in CKV_TF_3 - [#6918](https://github.com/bridgecrewio/checkov/pull/6918)\n\n## [3.2.344](https://github.com/bridgecrewio/checkov/compare/3.2.342...3.2.344) - 2024-12-21\n\n### Bug Fix\n\n- **kubernetes:** Add to nested resources on k8s graph inherit namespace - [#6912](https://github.com/bridgecrewio/checkov/pull/6912)\n\n## [3.2.342](https://github.com/bridgecrewio/checkov/compare/3.2.339...3.2.342) - 2024-12-18\n\n### Feature\n\n- **serverless:** serverless definitions context - [#6910](https://github.com/bridgecrewio/checkov/pull/6910)\n- **serverless:** Serverless graph integration - [#6911](https://github.com/bridgecrewio/checkov/pull/6911)\n- **terraform:** Add a terraform block check - [#6904](https://github.com/bridgecrewio/checkov/pull/6904)\n\n## [3.2.339](https://github.com/bridgecrewio/checkov/compare/3.2.336...3.2.339) - 2024-12-17\n\n### Bug Fix\n\n- **general:** Fix jsonpath-key handling for special characters like \"/\" and reduce log size - [#6907](https://github.com/bridgecrewio/checkov/pull/6907)\n- **serverless:** Fix serverless check crash - [#6909](https://github.com/bridgecrewio/checkov/pull/6909)\n\n## [3.2.336](https://github.com/bridgecrewio/checkov/compare/3.2.334...3.2.336) - 2024-12-16\n\n### Feature\n\n- **general:** add cortex:skip for suppressions - [#6908](https://github.com/bridgecrewio/checkov/pull/6908)\n\n### Bug Fix\n\n- **terraform:** fix CKV_AZURE_136 for replicas - [#6895](https://github.com/bridgecrewio/checkov/pull/6895)\n- **terraform:** Fix CKV_AZURE_227 for Azure V4 - [#6906](https://github.com/bridgecrewio/checkov/pull/6906)\n\n## [3.2.334](https://github.com/bridgecrewio/checkov/compare/3.2.332...3.2.334) - 2024-12-08\n\n### Feature\n\n- **serverless:** Serverless graph vertices - [#6894](https://github.com/bridgecrewio/checkov/pull/6894)\n\n### Bug Fix\n\n- **secrets:** fix indentation to remove duplications - [#6626](https://github.com/bridgecrewio/checkov/pull/6626)\n\n## [3.2.332](https://github.com/bridgecrewio/checkov/compare/3.2.328...3.2.332) - 2024-12-05\n\n### Feature\n\n- **terraform:** Add multi skip inline suppression - [#6860](https://github.com/bridgecrewio/checkov/pull/6860)\n- **terraform:** New bedrock check - [#6892](https://github.com/bridgecrewio/checkov/pull/6892)\n\n### Bug Fix\n\n- **kubernetes:** fix json file parsing - [#6891](https://github.com/bridgecrewio/checkov/pull/6891)\n- **terraform:** Fix CKV2_AZURE_31 - [#6893](https://github.com/bridgecrewio/checkov/pull/6893)\n\n## [3.2.328](https://github.com/bridgecrewio/checkov/compare/3.2.327...3.2.328) - 2024-12-04\n\n### Feature\n\n- **serverless:** Serverless refactor for graph implementation - [#6885](https://github.com/bridgecrewio/checkov/pull/6885)\n\n### Documentation\n\n- **general:** docs flags update - [#6888](https://github.com/bridgecrewio/checkov/pull/6888)\n\n## [3.2.327](https://github.com/bridgecrewio/checkov/compare/3.2.326...3.2.327) - 2024-12-03\n\n### Bug Fix\n\n- **terraform:** Convert to graph check - [#6875](https://github.com/bridgecrewio/checkov/pull/6875)\n\n## [3.2.326](https://github.com/bridgecrewio/checkov/compare/3.2.324...3.2.326) - 2024-12-02\n\n### Feature\n\n- **general:** add new CIDR operator - [#6877](https://github.com/bridgecrewio/checkov/pull/6877)\n\n### Bug Fix\n\n- **arm:** Fix resource ID generation to use variables - [#6884](https://github.com/bridgecrewio/checkov/pull/6884)\n\n## [3.2.324](https://github.com/bridgecrewio/checkov/compare/3.2.322...3.2.324) - 2024-12-01\n\n### Bug Fix\n\n- **terraform_plan:** run post_runner after get_enriched_resources for terraform_plan - [#6883](https://github.com/bridgecrewio/checkov/pull/6883)\n\n## [3.2.322](https://github.com/bridgecrewio/checkov/compare/3.2.320...3.2.322) - 2024-11-28\n\n### Feature\n\n- **general:** Update range includes to handle range values - [#6867](https://github.com/bridgecrewio/checkov/pull/6867)\n\n### Bug Fix\n\n- **general:** fix_memory error with adding new env - [#6879](https://github.com/bridgecrewio/checkov/pull/6879)\n- **general:** revert comment out ARM test - [#6882](https://github.com/bridgecrewio/checkov/pull/6882)\n\n## [3.2.320](https://github.com/bridgecrewio/checkov/compare/3.2.317...3.2.320) - 2024-11-27\n\n### Feature\n\n- **terraform:** Add new checks to match run checks - [#6868](https://github.com/bridgecrewio/checkov/pull/6868)\n\n### Bug Fix\n\n- **arm:** Fix arm root folder - [#6880](https://github.com/bridgecrewio/checkov/pull/6880)\n- **terraform:** Update CKV_AZURE_164 to correct check on trust policy - [#6757](https://github.com/bridgecrewio/checkov/pull/6757)\n\n## [3.2.317](https://github.com/bridgecrewio/checkov/compare/3.2.314...3.2.317) - 2024-11-26\n\n### Feature\n\n- **terraform:** support resource_type attribute - [#6872](https://github.com/bridgecrewio/checkov/pull/6872)\n\n### Bug Fix\n\n- **arm:** Fix arm report resource naming - [#6876](https://github.com/bridgecrewio/checkov/pull/6876)\n- **terraform:** Fix two checks and logs - [#6874](https://github.com/bridgecrewio/checkov/pull/6874)\n\n## [3.2.314](https://github.com/bridgecrewio/checkov/compare/3.2.312...3.2.314) - 2024-11-25\n\n### Feature\n\n- **general:** add logs for suppression - [#6873](https://github.com/bridgecrewio/checkov/pull/6873)\n\n### Bug Fix\n\n- **arm:** Fix arm resource naming on integration with Prisma - [#6870](https://github.com/bridgecrewio/checkov/pull/6870)\n\n## [3.2.312](https://github.com/bridgecrewio/checkov/compare/3.2.311...3.2.312) - 2024-11-24\n\n### Bug Fix\n\n- **arm:** Fix arm graph breadcrumbs - [#6869](https://github.com/bridgecrewio/checkov/pull/6869)\n\n## [3.2.311](https://github.com/bridgecrewio/checkov/compare/3.2.307...3.2.311) - 2024-11-21\n\n### Bug Fix\n\n- **cloudformation:** Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - [#6856](https://github.com/bridgecrewio/checkov/pull/6856)\n- **secrets:** fix find line - [#6864](https://github.com/bridgecrewio/checkov/pull/6864)\n- **secrets:** masking test format - [#6859](https://github.com/bridgecrewio/checkov/pull/6859)\n- **secrets:** multiline matches show the secret and not the first line - [#6854](https://github.com/bridgecrewio/checkov/pull/6854)\n\n## [3.2.307](https://github.com/bridgecrewio/checkov/compare/3.2.305...3.2.307) - 2024-11-20\n\n### Bug Fix\n\n- **arm:** Change ARM graph creation log lvl to debug - [#6857](https://github.com/bridgecrewio/checkov/pull/6857)\n\n## [3.2.305](https://github.com/bridgecrewio/checkov/compare/3.2.301...3.2.305) - 2024-11-19\n\n### Feature\n\n- **sca:** support java full dependency tree scan - [#6834](https://github.com/bridgecrewio/checkov/pull/6834)\n- **terraform:** Add check - ensure AWS CodeGuru resource contains CMK - [#6851](https://github.com/bridgecrewio/checkov/pull/6851)\n\n### Bug Fix\n\n- **general:** Used jsonpath to update vertex attributes - [#6852](https://github.com/bridgecrewio/checkov/pull/6852)\n- **terraform:** Update EKS supported versions - [#6826](https://github.com/bridgecrewio/checkov/pull/6826)\n- **terraform:** Update CKV_AZURE_171 to check automatic_upgrade_channel - [#6756](https://github.com/bridgecrewio/checkov/pull/6756)\n\n## [3.2.301](https://github.com/bridgecrewio/checkov/compare/3.2.300...3.2.301) - 2024-11-18\n\n### Bug Fix\n\n- **secrets:** skip empty match - [#6849](https://github.com/bridgecrewio/checkov/pull/6849)\n\n## [3.2.300](https://github.com/bridgecrewio/checkov/compare/3.2.296...3.2.300) - 2024-11-17\n\n### Feature\n\n- **azure:** add new policies for Azure Synapse arm - [#6553](https://github.com/bridgecrewio/checkov/pull/6553)\n- **helm:** Made helm + kustomize use the Kubernetes graph registry - [#6847](https://github.com/bridgecrewio/checkov/pull/6847)\n- **secrets:** Adding check_id to EnrichedSecret class - [#6842](https://github.com/bridgecrewio/checkov/pull/6842)\n- **secrets:** Masking secrets files - [#6848](https://github.com/bridgecrewio/checkov/pull/6848)\n\n### Bug Fix\n\n- **secrets:** add prerun support for singleline - [#6846](https://github.com/bridgecrewio/checkov/pull/6846)\n- **terraform:** Update CKV_AZURE_167 to correct check on retention policy - [#6758](https://github.com/bridgecrewio/checkov/pull/6758)\n\n## [3.2.296](https://github.com/bridgecrewio/checkov/compare/3.2.293...3.2.296) - 2024-11-14\n\n### Feature\n\n- **cloudformation:** Support Fn::Sub in cases of using a pseudo parameter - [#6835](https://github.com/bridgecrewio/checkov/pull/6835)\n- **terraform:** support resource_type attribute - revert - [#6843](https://github.com/bridgecrewio/checkov/pull/6843)\n\n### Bug Fix\n\n- **terraform:** CKV_GCP_32 (GoogleComputeBlockProjectSSH) Add other common enabling values - [#6663](https://github.com/bridgecrewio/checkov/pull/6663)\n\n## [3.2.293](https://github.com/bridgecrewio/checkov/compare/3.2.291...3.2.293) - 2024-11-13\n\n### Feature\n\n- **terraform:** support resource_type attribute - [#6830](https://github.com/bridgecrewio/checkov/pull/6830)\n\n### Bug Fix\n\n- **general:** fixed mypy issue - [#6838](https://github.com/bridgecrewio/checkov/pull/6838)\n\n## [3.2.291](https://github.com/bridgecrewio/checkov/compare/3.2.287...3.2.291) - 2024-11-12\n\n### Feature\n\n- **general:** remove specific botocore version - [#6796](https://github.com/bridgecrewio/checkov/pull/6796)\n\n### Bug Fix\n\n- **arm:** fix ARM graph block types - [#6824](https://github.com/bridgecrewio/checkov/pull/6824)\n- **dockerfile:** Handle heredoc - [#6828](https://github.com/bridgecrewio/checkov/pull/6828)\n- **sast:** filter unsupported policies - [#6833](https://github.com/bridgecrewio/checkov/pull/6833)\n\n## [3.2.287](https://github.com/bridgecrewio/checkov/compare/3.2.286...3.2.287) - 2024-11-11\n\n### Bug Fix\n\n- **graph:** fix internal checks loading when adding custom policies in cli - [#6819](https://github.com/bridgecrewio/checkov/pull/6819)\n\n## [3.2.286](https://github.com/bridgecrewio/checkov/compare/3.2.282...3.2.286) - 2024-11-10\n\n### Feature\n\n- **secrets:** Add npm detector - [#6821](https://github.com/bridgecrewio/checkov/pull/6821)\n\n### Bug Fix\n\n- **secrets:** fix empty diff scan - [#6822](https://github.com/bridgecrewio/checkov/pull/6822)\n\n## [3.2.282](https://github.com/bridgecrewio/checkov/compare/3.2.281...3.2.282) - 2024-11-07\n\n### Bug Fix\n\n- **arm:** finish variable rendering and use definitions context - [#6814](https://github.com/bridgecrewio/checkov/pull/6814)\n\n## [3.2.281](https://github.com/bridgecrewio/checkov/compare/3.2.280...3.2.281) - 2024-11-06\n\n### Documentation\n\n- **general:** Update Python versions and add env vars to the docs - [#6812](https://github.com/bridgecrewio/checkov/pull/6812)\n\n## [3.2.280](https://github.com/bridgecrewio/checkov/compare/3.2.278...3.2.280) - 2024-11-05\n\n### Bug Fix\n\n- **arm:** add middleware function for platform integration for Arm definitions - [#6811](https://github.com/bridgecrewio/checkov/pull/6811)\n- **secrets:** Update CKV_SECRET_4 to duplication list GENERIC_PRIVATE_KEY - [#6810](https://github.com/bridgecrewio/checkov/pull/6810)\n- **terraform:** Add opensearch to CKV2_AWS_5 - [#6807](https://github.com/bridgecrewio/checkov/pull/6807)\n\n## [3.2.278](https://github.com/bridgecrewio/checkov/compare/3.2.277...3.2.278) - 2024-11-04\n\n### Bug Fix\n\n- **arm:** Align arm definitions function arguments - [#6808](https://github.com/bridgecrewio/checkov/pull/6808)\n\n## [3.2.277](https://github.com/bridgecrewio/checkov/compare/3.2.276...3.2.277) - 2024-11-03\n\n### Bug Fix\n\n- **secrets:** add detector for IbmCosHmac - [#6790](https://github.com/bridgecrewio/checkov/pull/6790)\n\n## [3.2.276](https://github.com/bridgecrewio/checkov/compare/3.2.275...3.2.276) - 2024-10-31\n\n### Bug Fix\n\n- **terraform:** Fix possible exception when for_each data has boolean values - [#6733](https://github.com/bridgecrewio/checkov/pull/6733)\n\n## [3.2.275](https://github.com/bridgecrewio/checkov/compare/3.2.271...3.2.275) - 2024-10-30\n\n### Feature\n\n- **arm:** Add arm definition context - [#6801](https://github.com/bridgecrewio/checkov/pull/6801)\n\n### Bug Fix\n\n- **cloudformation:** change parse log level - [#6794](https://github.com/bridgecrewio/checkov/pull/6794)\n- **general:** pipenv==2024.0.3 - [#6803](https://github.com/bridgecrewio/checkov/pull/6803)\n- **secrets:** omit all secrets value in line - [#6802](https://github.com/bridgecrewio/checkov/pull/6802)\n- **terraform:** Security group attached to aws_mskconnect_connector is not recognized - [#6780](https://github.com/bridgecrewio/checkov/pull/6780)\n\n## [3.2.271](https://github.com/bridgecrewio/checkov/compare/3.2.270...3.2.271) - 2024-10-29\n\n### Feature\n\n- **sca:** add enableDotnetCpm env var to sca scan request - [#6786](https://github.com/bridgecrewio/checkov/pull/6786)\n\n## [3.2.270](https://github.com/bridgecrewio/checkov/compare/3.2.269...3.2.270) - 2024-10-28\n\n### Feature\n\n- **arm:** add variable and parameters edges and rendering - [#6787](https://github.com/bridgecrewio/checkov/pull/6787)\n- **arm:** arm custom policy support - [#6769](https://github.com/bridgecrewio/checkov/pull/6769)\n\n## [3.2.269](https://github.com/bridgecrewio/checkov/compare/3.2.268...3.2.269) - 2024-10-23\n\n### Bug Fix\n\n- **terraform:** Fix crash when version isn't a float - [#6783](https://github.com/bridgecrewio/checkov/pull/6783)\n\n## [3.2.268](https://github.com/bridgecrewio/checkov/compare/3.2.267...3.2.268) - 2024-10-20\n\n### Feature\n\n- **terraform_plan:** Support after_unknown evaluation of complex attributes - [#6784](https://github.com/bridgecrewio/checkov/pull/6784)\n\n## [3.2.267](https://github.com/bridgecrewio/checkov/compare/3.2.266...3.2.267) - 2024-10-16\n\n- no noteworthy changes\n\n## [3.2.266](https://github.com/bridgecrewio/checkov/compare/3.2.262...3.2.266) - 2024-10-15\n\n### Feature\n\n- **arm:** unsupported module soft fail - [#6775](https://github.com/bridgecrewio/checkov/pull/6775)\n\n## [3.2.262](https://github.com/bridgecrewio/checkov/compare/3.2.258...3.2.262) - 2024-10-14\n\n### Feature\n\n- **terraform:** 2 new checks - [#6764](https://github.com/bridgecrewio/checkov/pull/6764)\n- **terraform:** Add s3 data transport check - [#6763](https://github.com/bridgecrewio/checkov/pull/6763)\n\n### Bug Fix\n\n- **helm:** Remove helm target dir after scanning - [#6767](https://github.com/bridgecrewio/checkov/pull/6767)\n- **kubernetes:** Handle non-sting params in command - [#6768](https://github.com/bridgecrewio/checkov/pull/6768)\n\n## [3.2.258](https://github.com/bridgecrewio/checkov/compare/3.2.257...3.2.258) - 2024-10-13\n\n### Bug Fix\n\n- **terraform:** Set timeout for parsing Terraform files with hcl2. - [#6759](https://github.com/bridgecrewio/checkov/pull/6759)\n\n## [3.2.257](https://github.com/bridgecrewio/checkov/compare/3.2.256...3.2.257) - 2024-10-06\n\n### Bug Fix\n\n- **ansible:** handle empty tasks - [#6751](https://github.com/bridgecrewio/checkov/pull/6751)\n\n## [3.2.256](https://github.com/bridgecrewio/checkov/compare/3.2.254...3.2.256) - 2024-10-01\n\n### Feature\n\n- **terraform:** New checks - [#6720](https://github.com/bridgecrewio/checkov/pull/6720)\n\n### Bug Fix\n\n- **general:** Fix operator docs - [#6735](https://github.com/bridgecrewio/checkov/pull/6735)\n- **sca:** add Pipfile and Pipfile.lock to supported package files list - [#6746](https://github.com/bridgecrewio/checkov/pull/6746)\n- **terraform:** extend CKV2_AWS_5 to include DMS Serverless (#6628) - [#6630](https://github.com/bridgecrewio/checkov/pull/6630)\n- **terraform:** Remove dataproc.admin from multiple checks - [#6725](https://github.com/bridgecrewio/checkov/pull/6725)\n- **terraform:** Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 - [#6687](https://github.com/bridgecrewio/checkov/pull/6687)\n\n### Documentation\n\n- **general:** update README.md - [#6719](https://github.com/bridgecrewio/checkov/pull/6719)\n\n## [3.2.254](https://github.com/bridgecrewio/checkov/compare/3.2.253...3.2.254) - 2024-09-15\n\n### Bug Fix\n\n- **terraform:** Added ssl_mode attribute support to CKV_GCP_6 - [#6703](https://github.com/bridgecrewio/checkov/pull/6703)\n\n## [3.2.253](https://github.com/bridgecrewio/checkov/compare/3.2.251...3.2.253) - 2024-09-12\n\n### Feature\n\n- **general:** allow tool name field to be customised using cli arguments - [#6692](https://github.com/bridgecrewio/checkov/pull/6692)\n- **secrets:** Change log level - [#6716](https://github.com/bridgecrewio/checkov/pull/6716)\n- **terraform:** Add check for local user in storage - [#6715](https://github.com/bridgecrewio/checkov/pull/6715)\n\n### Bug Fix\n\n- **terraform:** Update CKV_AZURE_228 for automatic calculation - [#6714](https://github.com/bridgecrewio/checkov/pull/6714)\n\n## [3.2.251](https://github.com/bridgecrewio/checkov/compare/3.2.250...3.2.251) - 2024-09-11\n\n### Feature\n\n- **general:** add severity metadata to custom policy - [#6579](https://github.com/bridgecrewio/checkov/pull/6579)\n\n## [3.2.250](https://github.com/bridgecrewio/checkov/compare/3.2.249...3.2.250) - 2024-09-10\n\n### Bug Fix\n\n- **secrets:** fix suppressions and duplications - [#6710](https://github.com/bridgecrewio/checkov/pull/6710)\n\n## [3.2.249](https://github.com/bridgecrewio/checkov/compare/3.2.246...3.2.249) - 2024-09-08\n\n### Feature\n\n- **general:** revert packages read permissions - [#6706](https://github.com/bridgecrewio/checkov/pull/6706)\n- **terraform_plan:** remove secret - [#6705](https://github.com/bridgecrewio/checkov/pull/6705)\n\n### Bug Fix\n\n- **secrets:** fix suppression and duplication - [#6701](https://github.com/bridgecrewio/checkov/pull/6701)\n- **secrets:** Revert suppression and duplication - [#6708](https://github.com/bridgecrewio/checkov/pull/6708)\n- **terraform:** Fix foreach multi attributes in field - [#6707](https://github.com/bridgecrewio/checkov/pull/6707)\n\n## [3.2.246](https://github.com/bridgecrewio/checkov/compare/3.2.245...3.2.246) - 2024-09-05\n\n### Feature\n\n- **sast:** add log level when running sast in windows - [#6704](https://github.com/bridgecrewio/checkov/pull/6704)\n\n## [3.2.245](https://github.com/bridgecrewio/checkov/compare/3.2.242...3.2.245) - 2024-09-04\n\n### Feature\n\n- **kubernetes:** Add policy for git-sync code injection - [#6694](https://github.com/bridgecrewio/checkov/pull/6694)\n- **terraform_plan:** add support for provider in tf_plan framework - [#6690](https://github.com/bridgecrewio/checkov/pull/6690)\n\n## [3.2.242](https://github.com/bridgecrewio/checkov/compare/3.2.241...3.2.242) - 2024-09-02\n\n### Feature\n\n- **general:** add support for windows 10 for aiohttp - [#6696](https://github.com/bridgecrewio/checkov/pull/6696)\n\n## [3.2.241](https://github.com/bridgecrewio/checkov/compare/3.2.239...3.2.241) - 2024-09-01\n\n### Feature\n\n- **sast:** remove the env var for Go - [#6697](https://github.com/bridgecrewio/checkov/pull/6697)\n\n### Bug Fix\n\n- **secrets:** add edge case for policy that looks like uuid - [#6698](https://github.com/bridgecrewio/checkov/pull/6698)\n\n## [3.2.239](https://github.com/bridgecrewio/checkov/compare/3.2.238...3.2.239) - 2024-08-29\n\n### Feature\n\n- **general:** Add multiple checks to match runtime checks - [#6680](https://github.com/bridgecrewio/checkov/pull/6680)\n\n## [3.2.238](https://github.com/bridgecrewio/checkov/compare/3.2.236...3.2.238) - 2024-08-27\n\n### Feature\n\n- **terraform:** add support for TF cloudsplaining evaluated_keys - [#6677](https://github.com/bridgecrewio/checkov/pull/6677)\n\n### Bug Fix\n\n- **secrets:** change logs form info to debug - [#6685](https://github.com/bridgecrewio/checkov/pull/6685)\n\n## [3.2.236](https://github.com/bridgecrewio/checkov/compare/3.2.235...3.2.236) - 2024-08-26\n\n- no noteworthy changes\n\n## [3.2.235](https://github.com/bridgecrewio/checkov/compare/3.2.234...3.2.235) - 2024-08-21\n\n### Feature\n\n- **cloudformation:** SAM Globals support with CloudFormation - [#6657](https://github.com/bridgecrewio/checkov/pull/6657)\n\n## [3.2.234](https://github.com/bridgecrewio/checkov/compare/3.2.232...3.2.234) - 2024-08-20\n\n### Feature\n\n- **sast:** Adding support for sast in windows - [#6638](https://github.com/bridgecrewio/checkov/pull/6638)\n\n### Bug Fix\n\n- **secrets:** revert duplications suppressions for secrets - [#6674](https://github.com/bridgecrewio/checkov/pull/6674)\n\n## [3.2.232](https://github.com/bridgecrewio/checkov/compare/3.2.230...3.2.232) - 2024-08-19\n\n### Bug Fix\n\n- **general:** add try except to loads file - [#6668](https://github.com/bridgecrewio/checkov/pull/6668)\n- **secrets:** duplications suppressions for secrets - [#6665](https://github.com/bridgecrewio/checkov/pull/6665)\n\n## [3.2.230](https://github.com/bridgecrewio/checkov/compare/3.2.228...3.2.230) - 2024-08-18\n\n### Feature\n\n- **general:** Support multiple frameworks in custom policy - [#6666](https://github.com/bridgecrewio/checkov/pull/6666)\n\n### Bug Fix\n\n- **general:** revert support multiple frameworks in one custom policy - [#6664](https://github.com/bridgecrewio/checkov/pull/6664)\n\n## [3.2.228](https://github.com/bridgecrewio/checkov/compare/3.2.223...3.2.228) - 2024-08-15\n\n### Feature\n\n- **terraform:** Add build policy to match run policy for API Method without Auth or API - [#6637](https://github.com/bridgecrewio/checkov/pull/6637)\n\n### Bug Fix\n\n- **secrets:** remove dups logic - [#6655](https://github.com/bridgecrewio/checkov/pull/6655)\n- **secrets:** Revert remove dups - [#6656](https://github.com/bridgecrewio/checkov/pull/6656)\n- **terraform:** Don't pass existed resources in non_exists resource checks - [#6653](https://github.com/bridgecrewio/checkov/pull/6653)\n\n## [3.2.223](https://github.com/bridgecrewio/checkov/compare/3.2.221...3.2.223) - 2024-08-13\n\n### Bug Fix\n\n- **secrets:** remove duplications in secrets - [#6648](https://github.com/bridgecrewio/checkov/pull/6648)\n- **secrets:** revert fixing duplications - [#6652](https://github.com/bridgecrewio/checkov/pull/6652)\n\n## [3.2.221](https://github.com/bridgecrewio/checkov/compare/3.2.219...3.2.221) - 2024-08-12\n\n### Bug Fix\n\n- **terraform:** evaluate resource with double underscore - [#6642](https://github.com/bridgecrewio/checkov/pull/6642)\n\n## [3.2.219](https://github.com/bridgecrewio/checkov/compare/3.2.217...3.2.219) - 2024-08-05\n\n### Feature\n\n- **general:** support multiple frameworks in one custom policy - [#6587](https://github.com/bridgecrewio/checkov/pull/6587)\n- **terraform:** Add run policy for RDS encryption in transit - [#6631](https://github.com/bridgecrewio/checkov/pull/6631)\n\n### Documentation\n\n- **general:** Add OpenTofu - [#6627](https://github.com/bridgecrewio/checkov/pull/6627)\n\n## [3.2.217](https://github.com/bridgecrewio/checkov/compare/3.2.216...3.2.217) - 2024-07-31\n\n- no noteworthy changes\n\n## [3.2.216](https://github.com/bridgecrewio/checkov/compare/3.2.213...3.2.216) - 2024-07-30\n\n### Feature\n\n- **sast:** Verify that all sast policies are parsed correctly - [#6621](https://github.com/bridgecrewio/checkov/pull/6621)\n\n### Bug Fix\n\n- **secrets:** fix secrets duplication - [#6619](https://github.com/bridgecrewio/checkov/pull/6619)\n- **secrets:** fix secrets duplication - Revert - [#6623](https://github.com/bridgecrewio/checkov/pull/6623)\n\n## [3.2.213](https://github.com/bridgecrewio/checkov/compare/3.2.209...3.2.213) - 2024-07-29\n\n### Feature\n\n- **arm:** ARM AppServiceInstanceMinimum - CKV_AZURE_212 - [#6502](https://github.com/bridgecrewio/checkov/pull/6502)\n- **terraform:** - TF and CFN - Add a policy for ensuring AWS Bedrock Agent is encrypted with a CMK - [#6603](https://github.com/bridgecrewio/checkov/pull/6603)\n\n### Bug Fix\n\n- **ansible:** Fix CKV2_ANSIBLE_2 - [#6610](https://github.com/bridgecrewio/checkov/pull/6610)\n- **arm:** Support upper and lower disabled for CKV_AZURE_189 - [#6609](https://github.com/bridgecrewio/checkov/pull/6609)\n- **dockerfile:** Fix edge case with apt in domain - [#6611](https://github.com/bridgecrewio/checkov/pull/6611)\n- **terraform_plan:** Fix parsing other types of provisioners - [#6606](https://github.com/bridgecrewio/checkov/pull/6606)\n- **terraform:** add condition for CKV_AWS_353 - [#6607](https://github.com/bridgecrewio/checkov/pull/6607)\n- **terraform:** catch unknowns with WAF configs - [#6612](https://github.com/bridgecrewio/checkov/pull/6612)\n- **terraform:** Handle default for CKV_GCP_76 - [#6608](https://github.com/bridgecrewio/checkov/pull/6608)\n\n## [3.2.209](https://github.com/bridgecrewio/checkov/compare/3.2.208...3.2.209) - 2024-07-28\n\n### Feature\n\n- **cloudformation:** Enrich cloudsplaining eval keys - [#6602](https://github.com/bridgecrewio/checkov/pull/6602)\n\n### Documentation\n\n- **general:** add --repo-id to relevant examples with API key - [#6605](https://github.com/bridgecrewio/checkov/pull/6605)\n\n## [3.2.208](https://github.com/bridgecrewio/checkov/compare/3.2.204...3.2.208) - 2024-07-25\n\n### Feature\n\n- **general:** filter resource by provider for all resources types - [#6598](https://github.com/bridgecrewio/checkov/pull/6598)\n- **secrets:** add CKV_SECRET_192 to GENERIC_PRIVATE_KEY_CHECK_IDS - [#6600](https://github.com/bridgecrewio/checkov/pull/6600)\n- **terraform:** Update ckv-aws-8 policy - support unknown statement - [#6596](https://github.com/bridgecrewio/checkov/pull/6596)\n\n### Bug Fix\n\n- **terraform:** Fix resource type for CKV_AZURE_242 - [#6599](https://github.com/bridgecrewio/checkov/pull/6599)\n\n### Platform\n\n- **general:** handle multiple values for the same metadata filter - [#6604](https://github.com/bridgecrewio/checkov/pull/6604)\n\n## [3.2.204](https://github.com/bridgecrewio/checkov/compare/3.2.201...3.2.204) - 2024-07-24\n\n### Feature\n\n- **arm:** add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - [#6496](https://github.com/bridgecrewio/checkov/pull/6496)\n\n### Bug Fix\n\n- **sast:** BCE-36172 fix cdk policies - [#6588](https://github.com/bridgecrewio/checkov/pull/6588)\n\n## [3.2.201](https://github.com/bridgecrewio/checkov/compare/3.2.199...3.2.201) - 2024-07-23\n\n### Feature\n\n- **terraform:** add 14 rules for tencentcloud provider - [#6448](https://github.com/bridgecrewio/checkov/pull/6448)\n\n### Bug Fix\n\n- **secrets:** fix secrets prerun bug - [#6594](https://github.com/bridgecrewio/checkov/pull/6594)\n- **terraform:** Exclude String in CKV_AWS_337 - [#6592](https://github.com/bridgecrewio/checkov/pull/6592)\n\n## [3.2.199](https://github.com/bridgecrewio/checkov/compare/3.2.196...3.2.199) - 2024-07-22\n\n### Feature\n\n- **arm:** add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - [#6418](https://github.com/bridgecrewio/checkov/pull/6418)\n- **arm:** ARM VnetSingleDNSServer - [#6379](https://github.com/bridgecrewio/checkov/pull/6379)\n- **secrets:** Adding the option to prerun before multiline pattern executing - [#6586](https://github.com/bridgecrewio/checkov/pull/6586)\n- **secrets:** If the prrun regex found but we already scanned file we already scann… - [#6591](https://github.com/bridgecrewio/checkov/pull/6591)\n\n## [3.2.196](https://github.com/bridgecrewio/checkov/compare/3.2.194...3.2.196) - 2024-07-21\n\n### Feature\n\n- **general:** Add metadata exception filter to GHA - [#6583](https://github.com/bridgecrewio/checkov/pull/6583)\n- **general:** Refactor all resource type handling in Checkov - [#6572](https://github.com/bridgecrewio/checkov/pull/6572)\n\n## [3.2.194](https://github.com/bridgecrewio/checkov/compare/3.2.193...3.2.194) - 2024-07-18\n\n### Feature\n\n- **arm:** AKSEncryptionAtHostEnable - [#6575](https://github.com/bridgecrewio/checkov/pull/6575)\n- **arm:** AKSEphemeralOSDisks - [#6578](https://github.com/bridgecrewio/checkov/pull/6578)\n- **arm:** CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - [#6455](https://github.com/bridgecrewio/checkov/pull/6455)\n- **arm:** FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - [#6419](https://github.com/bridgecrewio/checkov/pull/6419)\n\n### Bug Fix\n\n- **general:** fix the right numbers in TestSkipJsonRegexPattern - [#6580](https://github.com/bridgecrewio/checkov/pull/6580)\n- **terraform:** Fix title of CKV_AZURE_238 - [#6570](https://github.com/bridgecrewio/checkov/pull/6570)\n\n## [3.2.193](https://github.com/bridgecrewio/checkov/compare/3.2.191...3.2.193) - 2024-07-17\n\n### Bug Fix\n\n- **terraform:** fix failures of no caller on definition context - [#6573](https://github.com/bridgecrewio/checkov/pull/6573)\n- **terraform:** TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - [#6577](https://github.com/bridgecrewio/checkov/pull/6577)\n\n## [3.2.191](https://github.com/bridgecrewio/checkov/compare/3.2.190...3.2.191) - 2024-07-16\n\n### Bug Fix\n\n- **general:** fix sca unit tests for python 3.12 - [#6574](https://github.com/bridgecrewio/checkov/pull/6574)\n\n## [3.2.190](https://github.com/bridgecrewio/checkov/compare/3.2.189...3.2.190) - 2024-07-15\n\n- no noteworthy changes\n\n## [3.2.189](https://github.com/bridgecrewio/checkov/compare/3.2.186...3.2.189) - 2024-07-14\n\n### Feature\n\n- **arm:** add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - [#6545](https://github.com/bridgecrewio/checkov/pull/6545)\n- **arm:** add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - [#6484](https://github.com/bridgecrewio/checkov/pull/6484)\n- **cloudformation:** Update audit_logs valid values - [#6566](https://github.com/bridgecrewio/checkov/pull/6566)\n\n## [3.2.186](https://github.com/bridgecrewio/checkov/compare/3.2.183...3.2.186) - 2024-07-11\n\n### Feature\n\n- **azure:** add new policies for Azure Synapse (tf and arm) - [#6554](https://github.com/bridgecrewio/checkov/pull/6554)\n- **bicep:** support bicep custom policy - [#6561](https://github.com/bridgecrewio/checkov/pull/6561)\n\n### Bug Fix\n\n- **arm:** CKV_AZURE_56 just for authsettingsV2 name - [#6557](https://github.com/bridgecrewio/checkov/pull/6557)\n- **secrets:** filter secrets that have vault: in them - [#6565](https://github.com/bridgecrewio/checkov/pull/6565)\n\n## [3.2.183](https://github.com/bridgecrewio/checkov/compare/3.2.179...3.2.183) - 2024-07-10\n\n### Feature\n\n- **terraform_plan:** support tf_plan after_unknown enrichment - [#6517](https://github.com/bridgecrewio/checkov/pull/6517)\n\n### Bug Fix\n\n- **secrets:** small fix for filtering - [#6562](https://github.com/bridgecrewio/checkov/pull/6562)\n\n### Platform\n\n- **general:** pass repo ID to runconfig - [#6560](https://github.com/bridgecrewio/checkov/pull/6560)\n\n## [3.2.179](https://github.com/bridgecrewio/checkov/compare/3.2.177...3.2.179) - 2024-07-09\n\n### Feature\n\n- **arm:** add CKV_AZURE_206 to ensure that Storage Accounts use replication - [#6524](https://github.com/bridgecrewio/checkov/pull/6524)\n- **arm:** BCE-33785 Support Azure Synapse Analytics policies - [#6513](https://github.com/bridgecrewio/checkov/pull/6513)\n\n## [3.2.177](https://github.com/bridgecrewio/checkov/compare/3.2.175...3.2.177) - 2024-07-08\n\n### Bug Fix\n\n- **sast:** fix cdk policies - [#6552](https://github.com/bridgecrewio/checkov/pull/6552)\n\n## [3.2.175](https://github.com/bridgecrewio/checkov/compare/3.2.174...3.2.175) - 2024-07-07\n\n### Feature\n\n- **arm:** AzureSearchSQLQueryUpdates - [#6543](https://github.com/bridgecrewio/checkov/pull/6543)\n\n## [3.2.174](https://github.com/bridgecrewio/checkov/compare/3.2.171...3.2.174) - 2024-07-04\n\n### Feature\n\n- **arm:** add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - [#6533](https://github.com/bridgecrewio/checkov/pull/6533)\n- **arm:** add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - [#6478](https://github.com/bridgecrewio/checkov/pull/6478)\n- **arm:** AppServicePlanZoneRedundant - [#6472](https://github.com/bridgecrewio/checkov/pull/6472)\n- **arm:** AzureSearchSLAIndex - [#6530](https://github.com/bridgecrewio/checkov/pull/6530)\n- **arm:** SQLDatabaseZoneRedundant - [#6515](https://github.com/bridgecrewio/checkov/pull/6515)\n- **azure:** add new policies for Azure Synapse - [#6520](https://github.com/bridgecrewio/checkov/pull/6520)\n- **general:** update detect secrets package - [#6535](https://github.com/bridgecrewio/checkov/pull/6535)\n\n## [3.2.171](https://github.com/bridgecrewio/checkov/compare/3.2.164...3.2.171) - 2024-07-03\n\n### Feature\n\n- **arm:** add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - [#6532](https://github.com/bridgecrewio/checkov/pull/6532)\n- **arm:** add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - [#6523](https://github.com/bridgecrewio/checkov/pull/6523)\n- **arm:** add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - [#6486](https://github.com/bridgecrewio/checkov/pull/6486)\n- **arm:** add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - [#6279](https://github.com/bridgecrewio/checkov/pull/6279)\n- **arm:** CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - [#6498](https://github.com/bridgecrewio/checkov/pull/6498)\n- **arm:** DataFactoryNoPublicNetworkAccess - [#6479](https://github.com/bridgecrewio/checkov/pull/6479)\n- **arm:** DataLakeStoreEncryption - [#6516](https://github.com/bridgecrewio/checkov/pull/6516)\n- **arm:** EventHubNamespaceMinTLS12 - [#6485](https://github.com/bridgecrewio/checkov/pull/6485)\n\n### Bug Fix\n\n- **openapi:** [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - [#6406](https://github.com/bridgecrewio/checkov/pull/6406)\n- **terraform_json:** support locals block in CDKTF output - [#6452](https://github.com/bridgecrewio/checkov/pull/6452)\n- **terraform:** Deprecate CKV2_AWS_67 - [#6529](https://github.com/bridgecrewio/checkov/pull/6529)\n\n## [3.2.164](https://github.com/bridgecrewio/checkov/compare/3.2.163...3.2.164) - 2024-07-02\n\n### Documentation\n\n- **general:** Add Python note - [#6521](https://github.com/bridgecrewio/checkov/pull/6521)\n\n## [3.2.163](https://github.com/bridgecrewio/checkov/compare/3.2.159...3.2.163) - 2024-07-01\n\n### Feature\n\n- **arm:** add CKV_AZURE_174 to ensure that API management public access is disabled - [#6480](https://github.com/bridgecrewio/checkov/pull/6480)\n- **arm:** AppServicePHPVersion - [#6436](https://github.com/bridgecrewio/checkov/pull/6436)\n- **arm:** AppServicePublicAccessDisabled - [#6467](https://github.com/bridgecrewio/checkov/pull/6467)\n- **arm:** KeyVaultEnablesPurgeProtection - [#6465](https://github.com/bridgecrewio/checkov/pull/6465)\n- **arm:** PubsubSpecifyIdentity - [#6483](https://github.com/bridgecrewio/checkov/pull/6483)\n\n## [3.2.159](https://github.com/bridgecrewio/checkov/compare/3.2.156...3.2.159) - 2024-06-30\n\n### Bug Fix\n\n- **arm:** fix CKV_AZURE_78: `siteConfig` object should be under `properties` - [#6477](https://github.com/bridgecrewio/checkov/pull/6477)\n- **general:** Mypy issues - [#6510](https://github.com/bridgecrewio/checkov/pull/6510)\n- **terraform:** ignore comment out modules - [#6507](https://github.com/bridgecrewio/checkov/pull/6507)\n\n## [3.2.156](https://github.com/bridgecrewio/checkov/compare/3.2.145...3.2.156) - 2024-06-27\n\n### Feature\n\n- **arm:** add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - [#6427](https://github.com/bridgecrewio/checkov/pull/6427)\n- **arm:** add CKV_AZURE_137 Ensure ACR admin account is disabled - [#6430](https://github.com/bridgecrewio/checkov/pull/6430)\n- **arm:** add CKV_AZURE_139 Ensure ACR set to disable public networking - [#6428](https://github.com/bridgecrewio/checkov/pull/6428)\n- **arm:** add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - [#6431](https://github.com/bridgecrewio/checkov/pull/6431)\n- **arm:** add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - [#6385](https://github.com/bridgecrewio/checkov/pull/6385)\n- **arm:** add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - [#6422](https://github.com/bridgecrewio/checkov/pull/6422)\n- **arm:** add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - [#6457](https://github.com/bridgecrewio/checkov/pull/6457)\n- **arm:** ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - [#6453](https://github.com/bridgecrewio/checkov/pull/6453)\n- **arm:** ARM AppServiceSlotHTTPSOnly - [#6454](https://github.com/bridgecrewio/checkov/pull/6454)\n- **arm:** ARM VnetLocalDNS - [#6424](https://github.com/bridgecrewio/checkov/pull/6424)\n- **arm:** PostgressSQLGeoBackupEnabled - [#6456](https://github.com/bridgecrewio/checkov/pull/6456)\n- **arm:** StorageAccountName - [#6426](https://github.com/bridgecrewio/checkov/pull/6426)\n- **secrets:** dont filter secrets - [#6508](https://github.com/bridgecrewio/checkov/pull/6508)\n\n### Bug Fix\n\n- **azure:** fix description of CKV_AZURE_236 - [#6503](https://github.com/bridgecrewio/checkov/pull/6503)\n- **kubernetes:** Fix CKV_K8S_31 for CronJobs - [#6506](https://github.com/bridgecrewio/checkov/pull/6506)\n- **sca:** fix parsing json with comments - [#6509](https://github.com/bridgecrewio/checkov/pull/6509)\n- **terraform:** CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - [#6353](https://github.com/bridgecrewio/checkov/pull/6353)\n- **terraform:** remove print from CKV_AWS_364 - [#6504](https://github.com/bridgecrewio/checkov/pull/6504)\n\n## [3.2.145](https://github.com/bridgecrewio/checkov/compare/3.2.144...3.2.145) - 2024-06-25\n\n### Documentation\n\n- **general:** Note for feature requests - [#6497](https://github.com/bridgecrewio/checkov/pull/6497)\n\n## [3.2.144](https://github.com/bridgecrewio/checkov/compare/3.2.141...3.2.144) - 2024-06-23\n\n### Bug Fix\n\n- **kubernetes:** ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - [#6459](https://github.com/bridgecrewio/checkov/pull/6459)\n- **terraform:** Add more conditions for CKV_AWS_70 - [#6464](https://github.com/bridgecrewio/checkov/pull/6464)\n\n## [3.2.141](https://github.com/bridgecrewio/checkov/compare/3.2.140...3.2.141) - 2024-06-19\n\n### Bug Fix\n\n- **secrets:** dedup secrets history values - [#6462](https://github.com/bridgecrewio/checkov/pull/6462)\n\n## [3.2.140](https://github.com/bridgecrewio/checkov/compare/3.2.138...3.2.140) - 2024-06-18\n\n### Feature\n\n- **azure:** fix ckv_azure_189 according to docs - [#6413](https://github.com/bridgecrewio/checkov/pull/6413)\n\n### Bug Fix\n\n- **sca:** Support parsing json with comments - [#6466](https://github.com/bridgecrewio/checkov/pull/6466)\n\n### Documentation\n\n- **general:** fix pre-commit link - [#6433](https://github.com/bridgecrewio/checkov/pull/6433)\n\n## [3.2.138](https://github.com/bridgecrewio/checkov/compare/3.2.136...3.2.138) - 2024-06-17\n\n### Feature\n\n- **graph:** support creation of resource type allow/deny lists - [#6451](https://github.com/bridgecrewio/checkov/pull/6451)\n\n### Bug Fix\n\n- **terraform:** Fix name of CKV2_AWS_67 to be more clear - [#6434](https://github.com/bridgecrewio/checkov/pull/6434)\n- **terraform:** Fix when apt is in rm statement - [#6437](https://github.com/bridgecrewio/checkov/pull/6437)\n- **terraform:** Update CKV_AWS_224 title - [#6435](https://github.com/bridgecrewio/checkov/pull/6435)\n\n## [3.2.136](https://github.com/bridgecrewio/checkov/compare/3.2.133...3.2.136) - 2024-06-13\n\n### Bug Fix\n\n- **arm:** Correct AzureMLWorkspacePrivateEndpoint rule check logic - [#6432](https://github.com/bridgecrewio/checkov/pull/6432)\n- **general:** removed references Putin references - [#6445](https://github.com/bridgecrewio/checkov/pull/6445)\n\n## [3.2.133](https://github.com/bridgecrewio/checkov/compare/3.2.130...3.2.133) - 2024-06-10\n\n### Feature\n\n- **general:** add AI_AND_ML to CheckCategories - [#6423](https://github.com/bridgecrewio/checkov/pull/6423)\n\n### Bug Fix\n\n- **sast:** Update CKV IDs for CDK policies - [#6415](https://github.com/bridgecrewio/checkov/pull/6415)\n\n## [3.2.130](https://github.com/bridgecrewio/checkov/compare/3.2.128...3.2.130) - 2024-06-09\n\n### Feature\n\n- **arm:** add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - [#6364](https://github.com/bridgecrewio/checkov/pull/6364)\n- **arm:** add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - [#6329](https://github.com/bridgecrewio/checkov/pull/6329)\n- **arm:** add CKV_AZURE_163 Enable vulnerability scanning for container images - [#6339](https://github.com/bridgecrewio/checkov/pull/6339)\n- **arm:** add MariaDbPublicAccessDisabled convert policy to arm - [#6246](https://github.com/bridgecrewio/checkov/pull/6246)\n- **arm:** AKSLocalAdminDisabled - [#6334](https://github.com/bridgecrewio/checkov/pull/6334)\n- **arm:** AppServiceFTPSState - [#6363](https://github.com/bridgecrewio/checkov/pull/6363)\n- **arm:** AzureServiceFabricClusterProtectionLevel - [#6366](https://github.com/bridgecrewio/checkov/pull/6366)\n- **arm:** ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - [#6373](https://github.com/bridgecrewio/checkov/pull/6373)\n- **arm:** KeyVaultDisablesPublicNetworkAccess - [#6342](https://github.com/bridgecrewio/checkov/pull/6342)\n- **arm:** PostgreSQLServerPublicAccessDisabled - [#6330](https://github.com/bridgecrewio/checkov/pull/6330)\n- **terraform:** extract image referencers for AWS SageMaker - [#6408](https://github.com/bridgecrewio/checkov/pull/6408)\n\n### Bug Fix\n\n- **ansible:** add dict check in create_tasks_vertices - [#6417](https://github.com/bridgecrewio/checkov/pull/6417)\n\n## [3.2.128](https://github.com/bridgecrewio/checkov/compare/3.2.125...3.2.128) - 2024-06-06\n\n### Feature\n\n- **azure:** drop support for dotnet v7.0 - [#6383](https://github.com/bridgecrewio/checkov/pull/6383)\n- **general:** Image Referencer should not run for CI workflow files - [#6386](https://github.com/bridgecrewio/checkov/pull/6386)\n- **secrets:** Add _prioritise_secrets by 3 levels of severity - [#6390](https://github.com/bridgecrewio/checkov/pull/6390)\n- **terraform:** add 5 policies - [#6401](https://github.com/bridgecrewio/checkov/pull/6401)\n- **terraform:** add 6 policies - [#6396](https://github.com/bridgecrewio/checkov/pull/6396)\n- **terraform:** add fix for ckv_aws_300 - [#6404](https://github.com/bridgecrewio/checkov/pull/6404)\n- **terraform:** add fix for not contains solver - [#6389](https://github.com/bridgecrewio/checkov/pull/6389)\n\n### Bug Fix\n\n- **ansible:** filter conf if its int or float - [#6409](https://github.com/bridgecrewio/checkov/pull/6409)\n- **general:** add try except gihub_action read file - [#6411](https://github.com/bridgecrewio/checkov/pull/6411)\n- **general:** bitbucket integration test failure - [#6407](https://github.com/bridgecrewio/checkov/pull/6407)\n- **general:** CKV2_AZURE_50 generates false positive azurerm_storage_account violations - [#6391](https://github.com/bridgecrewio/checkov/pull/6391)\n- **sast:** add log for sast on windows - [#6397](https://github.com/bridgecrewio/checkov/pull/6397)\n\n## [3.2.125](https://github.com/bridgecrewio/checkov/compare/3.2.124...3.2.125) - 2024-06-03\n\n### Feature\n\n- **arm:** Add check for AzureML workspace not configured with private endpoint - [#6387](https://github.com/bridgecrewio/checkov/pull/6387)\n\n## [3.2.124](https://github.com/bridgecrewio/checkov/compare/3.2.122...3.2.124) - 2024-06-02\n\n### Feature\n\n- **azure:** Add policy to ensure proper AzureML Workspace network access - [#6362](https://github.com/bridgecrewio/checkov/pull/6362)\n- **azure:** Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - [#6368](https://github.com/bridgecrewio/checkov/pull/6368)\n\n## [3.2.122](https://github.com/bridgecrewio/checkov/compare/3.2.121...3.2.122) - 2024-06-01\n\n### Feature\n\n- **arm:** AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - [#6282](https://github.com/bridgecrewio/checkov/pull/6282)\n\n## [3.2.121](https://github.com/bridgecrewio/checkov/compare/3.2.119...3.2.121) - 2024-05-31\n\n### Feature\n\n- **terraform:** AWS SageMaker notebook instance KMS Key - [#6374](https://github.com/bridgecrewio/checkov/pull/6374)\n- **terraform:** CognitiveServicesConfigureIdentity - new check - [#6378](https://github.com/bridgecrewio/checkov/pull/6378)\n- **terraform:** Ensure that Cognitive Services accounts enable local authentication - new check - [#6377](https://github.com/bridgecrewio/checkov/pull/6377)\n\n## [3.2.119](https://github.com/bridgecrewio/checkov/compare/3.2.112...3.2.119) - 2024-05-30\n\n### Feature\n\n- **arm:** add FunctionAppsEnableAuthentication - Checking if a certain field exists - [#6250](https://github.com/bridgecrewio/checkov/pull/6250)\n- **terraform:** Add more conditions to CKV_AWS_70 - [#6371](https://github.com/bridgecrewio/checkov/pull/6371)\n- **terraform:** Added the CKV2_AWS_68 Check for TF and CFN - [#6369](https://github.com/bridgecrewio/checkov/pull/6369)\n\n### Bug Fix\n\n- **ansible:** set task as ansible vertices config - [#6376](https://github.com/bridgecrewio/checkov/pull/6376)\n- **terraform:** for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - [#6372](https://github.com/bridgecrewio/checkov/pull/6372)\n\n## [3.2.112](https://github.com/bridgecrewio/checkov/compare/3.2.108...3.2.112) - 2024-05-29\n\n### Feature\n\n- **terraform:** Add provider address to resources - [#6266](https://github.com/bridgecrewio/checkov/pull/6266)\n- **terraform:** Support for count & for_each in data blocks - [#6359](https://github.com/bridgecrewio/checkov/pull/6359)\n\n### Bug Fix\n\n- **terraform:** Fix an issue for loading tfvars + issue in the dynamic rendering - [#6360](https://github.com/bridgecrewio/checkov/pull/6360)\n\n## [3.2.108](https://github.com/bridgecrewio/checkov/compare/3.2.107...3.2.108) - 2024-05-26\n\n### Bug Fix\n\n- **sast:** don't scan hidden files - [#6349](https://github.com/bridgecrewio/checkov/pull/6349)\n\n## [3.2.107](https://github.com/bridgecrewio/checkov/compare/3.2.106...3.2.107) - 2024-05-24\n\n### Bug Fix\n\n- **terraform:** Handle registry modules with a version in CKF_TF_2 - [#6354](https://github.com/bridgecrewio/checkov/pull/6354)\n\n## [3.2.106](https://github.com/bridgecrewio/checkov/compare/3.2.105...3.2.106) - 2024-05-23\n\n### Feature\n\n- **arm:** Ensure Databricks Workspace data plane to control plane co… - [#6319](https://github.com/bridgecrewio/checkov/pull/6319)\n- **general:** TF and ARM - Ensure that Databricks Workspaces enable… - [#6313](https://github.com/bridgecrewio/checkov/pull/6313)\n- **secrets:** Bump detect-secrets - [#6346](https://github.com/bridgecrewio/checkov/pull/6346)\n\n## [3.2.105](https://github.com/bridgecrewio/checkov/compare/3.2.100...3.2.105) - 2024-05-22\n\n### Feature\n\n- **arm:** add AppServiceJavaVersion - [#6258](https://github.com/bridgecrewio/checkov/pull/6258)\n- **arm:** add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - [#6323](https://github.com/bridgecrewio/checkov/pull/6323)\n- **arm:** add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - [#6320](https://github.com/bridgecrewio/checkov/pull/6320)\n- **arm:** add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - [#6270](https://github.com/bridgecrewio/checkov/pull/6270)\n- **arm:** add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - [#6272](https://github.com/bridgecrewio/checkov/pull/6272)\n- **arm:** add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - [#6281](https://github.com/bridgecrewio/checkov/pull/6281)\n- **arm:** AzureDefenderOStorage - [#6269](https://github.com/bridgecrewio/checkov/pull/6269)\n- **arm:** MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - [#6263](https://github.com/bridgecrewio/checkov/pull/6263)\n- **arm:** StorageSyncPublicAccessDisabled - [#6331](https://github.com/bridgecrewio/checkov/pull/6331)\n- **secrets:** eliminate false positives in entropy keyword combinator detector - [#6327](https://github.com/bridgecrewio/checkov/pull/6327)\n\n### Bug Fix\n\n- **ansible:** fix ansible resource id in local graph - [#6344](https://github.com/bridgecrewio/checkov/pull/6344)\n- **secrets:** fix entropy type - [#6347](https://github.com/bridgecrewio/checkov/pull/6347)\n\n## [3.2.100](https://github.com/bridgecrewio/checkov/compare/3.2.98...3.2.100) - 2024-05-21\n\n### Feature\n\n- **sast:** TS-legacy-checks - [#6311](https://github.com/bridgecrewio/checkov/pull/6311)\n- **secrets:** entropy limit as env variable - [#6332](https://github.com/bridgecrewio/checkov/pull/6332)\n\n## [3.2.98](https://github.com/bridgecrewio/checkov/compare/3.2.97...3.2.98) - 2024-05-20\n\n### Bug Fix\n\n- **terraform:** Remove invalid CIDRs in CKV2_AWS_44 - [#6301](https://github.com/bridgecrewio/checkov/pull/6301)\n\n## [3.2.97](https://github.com/bridgecrewio/checkov/compare/3.2.95...3.2.97) - 2024-05-19\n\n### Feature\n\n- **arm:** add CKV_AZURE_73 to ensure that Automation account variables are encrypted - [#6271](https://github.com/bridgecrewio/checkov/pull/6271)\n- **arm:** add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - [#6280](https://github.com/bridgecrewio/checkov/pull/6280)\n- **arm:** add FunctionAppDisallowCORS - password correctness check - [#6248](https://github.com/bridgecrewio/checkov/pull/6248)\n- **arm:** ARM FunctionAppHttpVersionLatest policy - [#6244](https://github.com/bridgecrewio/checkov/pull/6244)\n- **arm:** CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - [#6273](https://github.com/bridgecrewio/checkov/pull/6273)\n- **arm:** MSSQLServerMinTLSVersion - [#6245](https://github.com/bridgecrewio/checkov/pull/6245)\n\n## [3.2.95](https://github.com/bridgecrewio/checkov/compare/3.2.94...3.2.95) - 2024-05-17\n\n### Bug Fix\n\n- **terraform:** handle module source tag ref when it is not the first parameter - [#6314](https://github.com/bridgecrewio/checkov/pull/6314)\n\n## [3.2.94](https://github.com/bridgecrewio/checkov/compare/3.2.92...3.2.94) - 2024-05-16\n\n### Bug Fix\n\n- **sast:** fix random test sast js - [#6315](https://github.com/bridgecrewio/checkov/pull/6315)\n\n### Platform\n\n- **general:** Double-Encode URI for RelayState Parameter - [#6302](https://github.com/bridgecrewio/checkov/pull/6302)\n\n## [3.2.92](https://github.com/bridgecrewio/checkov/compare/3.2.91...3.2.92) - 2024-05-15\n\n### Feature\n\n- **sast:** CDK TypeScript policies - [#6161](https://github.com/bridgecrewio/checkov/pull/6161)\n- **terraform:** add check for tf module versioned tag - [#6213](https://github.com/bridgecrewio/checkov/pull/6213)\n\n### Bug Fix\n\n- **secrets:** secret_filter_block_list filter by file name and suffixes - [#6285](https://github.com/bridgecrewio/checkov/pull/6285)\n- **secrets:** secret_filter_block_list filter by file name and suffixes 2 - [#6306](https://github.com/bridgecrewio/checkov/pull/6306)\n\n### Platform\n\n- **general:** Fix policy.name to use the spaces as specified on CLI. - [#6296](https://github.com/bridgecrewio/checkov/pull/6296)\n\n## [3.2.91](https://github.com/bridgecrewio/checkov/compare/3.2.90...3.2.91) - 2024-05-12\n\n### Feature\n\n- **secrets:** bump bc-detect-secrets to 1.5.10 - [#6297](https://github.com/bridgecrewio/checkov/pull/6297)\n\n## [3.2.90](https://github.com/bridgecrewio/checkov/compare/3.2.85...3.2.90) - 2024-05-09\n\n### Feature\n\n- **general:** Add deep-analysis to GHA - [#6288](https://github.com/bridgecrewio/checkov/pull/6288)\n- **terraform:** Add more hype policies - [#6239](https://github.com/bridgecrewio/checkov/pull/6239)\n\n### Bug Fix\n\n- **ansible:** fix ansible definitions raw type - [#6292](https://github.com/bridgecrewio/checkov/pull/6292)\n\n### Platform\n\n- **ansible:** add set definitions raw to ansible runner - [#6286](https://github.com/bridgecrewio/checkov/pull/6286)\n- **general:** Handle SAST suppressions (suppressions V2) - [#6109](https://github.com/bridgecrewio/checkov/pull/6109)\n\n### Documentation\n\n- **general:** add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - [#6291](https://github.com/bridgecrewio/checkov/pull/6291)\n- **general:** Update README links for PyPi - [#6231](https://github.com/bridgecrewio/checkov/pull/6231)\n\n## [3.2.85](https://github.com/bridgecrewio/checkov/compare/3.2.84...3.2.85) - 2024-05-08\n\n### Platform\n\n- **ansible:** add missing arg to ansible runner - [#6276](https://github.com/bridgecrewio/checkov/pull/6276)\n\n## [3.2.84](https://github.com/bridgecrewio/checkov/compare/3.2.82...3.2.84) - 2024-05-07\n\n### Feature\n\n- **sast:** Enable cdk ts integraion test - [#6158](https://github.com/bridgecrewio/checkov/pull/6158)\n\n### Bug Fix\n\n- **secrets:** add files for secret to skip - [#6275](https://github.com/bridgecrewio/checkov/pull/6275)\n- **terraform:** Update CKV_AWS_31 for RBAC - [#6224](https://github.com/bridgecrewio/checkov/pull/6224)\n\n## [3.2.82](https://github.com/bridgecrewio/checkov/compare/3.2.79...3.2.82) - 2024-05-06\n\n### Feature\n\n- **github:** add summary message in github_failed_only output - [#6131](https://github.com/bridgecrewio/checkov/pull/6131)\n- **sast:** add ts checks to python pack - [#6261](https://github.com/bridgecrewio/checkov/pull/6261)\n- **sast:** run all cdk integration test - [#6256](https://github.com/bridgecrewio/checkov/pull/6256)\n\n### Bug Fix\n\n- **general:** fix changed serif path - [#6251](https://github.com/bridgecrewio/checkov/pull/6251)\n\n## [3.2.79](https://github.com/bridgecrewio/checkov/compare/3.2.74...3.2.79) - 2024-05-02\n\n### Feature\n\n- **sast:** Add 10 TS CDK - [#6194](https://github.com/bridgecrewio/checkov/pull/6194)\n- **sast:** add typescript - DONT MERGE - [#6193](https://github.com/bridgecrewio/checkov/pull/6193)\n- **sast:** Filter js files generate by ts - [#6220](https://github.com/bridgecrewio/checkov/pull/6220)\n- **secrets:** bump bc-detect-secrets 1.5.9 - [#6205](https://github.com/bridgecrewio/checkov/pull/6205)\n- **terraform:** Add GCP policy - [#6177](https://github.com/bridgecrewio/checkov/pull/6177)\n- **terraform:** Add resource attributes to jsonify - [#6203](https://github.com/bridgecrewio/checkov/pull/6203)\n- **terraform:** Ensure dedicated data endpoints are enabled - [#6188](https://github.com/bridgecrewio/checkov/pull/6188)\n- **terraform:** support provider in tf_plan graph - [#6195](https://github.com/bridgecrewio/checkov/pull/6195)\n- **terraform:** Update CloudArmorWAFACLCVE202144228.py - [#6217](https://github.com/bridgecrewio/checkov/pull/6217)\n\n### Bug Fix\n\n- **general:** add print to random test - [#6229](https://github.com/bridgecrewio/checkov/pull/6229)\n- **general:** fix integration test in build - [#6227](https://github.com/bridgecrewio/checkov/pull/6227)\n- **general:** fix integration tests - [#6207](https://github.com/bridgecrewio/checkov/pull/6207)\n- **kubernetes:** Update checkov-job.yaml - [#5985](https://github.com/bridgecrewio/checkov/pull/5985)\n- **sca:** remove old test for the depracated workflow github-action - [#6232](https://github.com/bridgecrewio/checkov/pull/6232)\n- **terraform_plan:** Edges not created because of indexing in resource[\"address\"] when resources in modules use count - [#6145](https://github.com/bridgecrewio/checkov/pull/6145)\n- **terraform:** CKV_AWS_23 rule description fixed for clarity - [#5993](https://github.com/bridgecrewio/checkov/pull/5993)\n- **terraform:** Fix CKV_AWS_358 to handle plan files - [#6202](https://github.com/bridgecrewio/checkov/pull/6202)\n\n### Platform\n\n- **ansible:** add create_definitions function for ansible framework - [#6225](https://github.com/bridgecrewio/checkov/pull/6225)\n\n### Documentation\n\n- **general:** Fix docs html brackets - [#6051](https://github.com/bridgecrewio/checkov/pull/6051)\n- **general:** Remove Python 3.7 - [#6200](https://github.com/bridgecrewio/checkov/pull/6200)\n\n## [3.2.74](https://github.com/bridgecrewio/checkov/compare/3.2.73...3.2.74) - 2024-04-22\n\n### Feature\n\n- **general:** Update range includes to handle lists of ranges and lists of values - [#6192](https://github.com/bridgecrewio/checkov/pull/6192)\n\n## [3.2.73](https://github.com/bridgecrewio/checkov/compare/3.2.72...3.2.73) - 2024-04-21\n\n### Feature\n\n- **sast:** TypeScript cdk policies p7 - [#6186](https://github.com/bridgecrewio/checkov/pull/6186)\n\n## [3.2.72](https://github.com/bridgecrewio/checkov/compare/3.2.71...3.2.72) - 2024-04-19\n\n### Feature\n\n- **bicep:** Add bicep version of policy - [#6191](https://github.com/bridgecrewio/checkov/pull/6191)\n\n## [3.2.71](https://github.com/bridgecrewio/checkov/compare/3.2.70...3.2.71) - 2024-04-18\n\n### Feature\n\n- **sca:** support licenses custom policies enforcement rules - [#6173](https://github.com/bridgecrewio/checkov/pull/6173)\n\n## [3.2.70](https://github.com/bridgecrewio/checkov/compare/3.2.68...3.2.70) - 2024-04-17\n\n### Feature\n\n- **sast:** Add 5 cdk for TS - [#6179](https://github.com/bridgecrewio/checkov/pull/6179)\n\n### Bug Fix\n\n- **sast:** fix skipped_checks paths before upload to the platform - [#6183](https://github.com/bridgecrewio/checkov/pull/6183)\n\n## [3.2.68](https://github.com/bridgecrewio/checkov/compare/3.2.65...3.2.68) - 2024-04-16\n\n### Feature\n\n- **sast:** adding extended code block - [#6178](https://github.com/bridgecrewio/checkov/pull/6178)\n- **sca:** using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - [#6174](https://github.com/bridgecrewio/checkov/pull/6174)\n\n### Bug Fix\n\n- **sca:** Revert \"feat(sca): using the new api license/get-licenses-violations … - [#6176](https://github.com/bridgecrewio/checkov/pull/6176)\n\n## [3.2.65](https://github.com/bridgecrewio/checkov/compare/3.2.63...3.2.65) - 2024-04-15\n\n### Bug Fix\n\n- **sast:** save suppress_comment for sast inline suppressions - [#6171](https://github.com/bridgecrewio/checkov/pull/6171)\n- **secrets:** Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - [#6168](https://github.com/bridgecrewio/checkov/pull/6168)\n\n## [3.2.63](https://github.com/bridgecrewio/checkov/compare/3.2.60...3.2.63) - 2024-04-14\n\n### Feature\n\n- **sast:** CDK TS policies p2 - [#6165](https://github.com/bridgecrewio/checkov/pull/6165)\n\n## [3.2.60](https://github.com/bridgecrewio/checkov/compare/3.2.55...3.2.60) - 2024-04-10\n\n### Feature\n\n- **sast:** Add TS CDK policies 1 - [#6151](https://github.com/bridgecrewio/checkov/pull/6151)\n- **sast:** CDK TS policies p3 - [#6157](https://github.com/bridgecrewio/checkov/pull/6157)\n\n### Bug Fix\n\n- **terraform:** Fix conditional expression evaluation logic with compare - [#6160](https://github.com/bridgecrewio/checkov/pull/6160)\n- **terraform:** Fixed flaky test for CKV_AWS_356 - [#6162](https://github.com/bridgecrewio/checkov/pull/6162)\n\n## [3.2.55](https://github.com/bridgecrewio/checkov/compare/3.2.53...3.2.55) - 2024-04-08\n\n### Feature\n\n- **sast:** Adding typescript cdk part 6 paz - [#6149](https://github.com/bridgecrewio/checkov/pull/6149)\n\n### Bug Fix\n\n- **sca:** enabling suppression in the cli-output for IR-files and dockerfiles - [#6148](https://github.com/bridgecrewio/checkov/pull/6148)\n\n## [3.2.53](https://github.com/bridgecrewio/checkov/compare/3.2.52...3.2.53) - 2024-04-03\n\n### Feature\n\n- **terraform:** support s3 bucket name for references in graph - [#6134](https://github.com/bridgecrewio/checkov/pull/6134)\n\n## [3.2.52](https://github.com/bridgecrewio/checkov/compare/3.2.51...3.2.52) - 2024-04-03\n\n### Feature\n\n- **general:** Update the releases' zip file names to be generic - [#6141](https://github.com/bridgecrewio/checkov/pull/6141)\n\n## [3.2.51](https://github.com/bridgecrewio/checkov/compare/3.2.50...3.2.51) - 2024-04-02\n\n### Feature\n\n- **general:** add policy metadata filter exception flag - [#6132](https://github.com/bridgecrewio/checkov/pull/6132)\n\n## [3.2.50](https://github.com/bridgecrewio/checkov/compare/3.2.49...3.2.50) - 2024-03-31\n\n### Bug Fix\n\n- **general:** remove limitation of resource and provider in tf.json file - [#6133](https://github.com/bridgecrewio/checkov/pull/6133)\n\n## [3.2.49](https://github.com/bridgecrewio/checkov/compare/3.2.47...3.2.49) - 2024-03-28\n\n### Bug Fix\n\n- **general:** pin the version of schema to <=0.7.5 - [#6125](https://github.com/bridgecrewio/checkov/pull/6125)\n\n## [3.2.47](https://github.com/bridgecrewio/checkov/compare/3.2.45...3.2.47) - 2024-03-26\n\n### Feature\n\n- **secrets:** bump manually bc-detect-secrets - [#6120](https://github.com/bridgecrewio/checkov/pull/6120)\n- **terraform:** add fix for when tf_def is a string - [#6121](https://github.com/bridgecrewio/checkov/pull/6121)\n\n## [3.2.45](https://github.com/bridgecrewio/checkov/compare/3.2.44...3.2.45) - 2024-03-25\n\n### Feature\n\n- **terraform:** fix for_each resource handling - [#6119](https://github.com/bridgecrewio/checkov/pull/6119)\n\n## [3.2.44](https://github.com/bridgecrewio/checkov/compare/3.2.43...3.2.44) - 2024-03-24\n\n### Bug Fix\n\n- **sca:** Fix suppression integration crashing if licenseTypes is missing - [#6117](https://github.com/bridgecrewio/checkov/pull/6117)\n\n## [3.2.43](https://github.com/bridgecrewio/checkov/compare/3.2.42...3.2.43) - 2024-03-21\n\n### Bug Fix\n\n- **terraform:** Fixed bug in evaluate_conditional_expression and added zipmap support - [#6106](https://github.com/bridgecrewio/checkov/pull/6106)\n\n## [3.2.42](https://github.com/bridgecrewio/checkov/compare/3.2.39...3.2.42) - 2024-03-20\n\n### Feature\n\n- **sast:** support sast skipped checks - [#6095](https://github.com/bridgecrewio/checkov/pull/6095)\n\n### Bug Fix\n\n- **secrets:** ignore secret check in test file - [#6105](https://github.com/bridgecrewio/checkov/pull/6105)\n\n### Platform\n\n- **general:** handle API errors with more detail - [#6107](https://github.com/bridgecrewio/checkov/pull/6107)\n\n## [3.2.39](https://github.com/bridgecrewio/checkov/compare/3.2.38...3.2.39) - 2024-03-17\n\n### Feature\n\n- **secrets:** fix entropy detector FP - [#6090](https://github.com/bridgecrewio/checkov/pull/6090)\n\n## [3.2.38](https://github.com/bridgecrewio/checkov/compare/3.2.37...3.2.38) - 2024-03-14\n\n### Bug Fix\n\n- **terraform:** prevent side effects when updating variable rendering - [#6087](https://github.com/bridgecrewio/checkov/pull/6087)\n\n## [3.2.37](https://github.com/bridgecrewio/checkov/compare/3.2.36...3.2.37) - 2024-03-13\n\n### Feature\n\n- **terraform:** connect module resource to provider - [#6083](https://github.com/bridgecrewio/checkov/pull/6083)\n\n## [3.2.36](https://github.com/bridgecrewio/checkov/compare/3.2.35...3.2.36) - 2024-03-12\n\n### Bug Fix\n\n- **gha:** make sure to have prisma url - [#6084](https://github.com/bridgecrewio/checkov/pull/6084)\n\n## [3.2.35](https://github.com/bridgecrewio/checkov/compare/3.2.34...3.2.35) - 2024-03-11\n\n### Feature\n\n- **general:** add policy name and guidelines to CSV output - [#6082](https://github.com/bridgecrewio/checkov/pull/6082)\n\n### Bug Fix\n\n- **sast:** add attribute verification - [#6078](https://github.com/bridgecrewio/checkov/pull/6078)\n\n## [3.2.34](https://github.com/bridgecrewio/checkov/compare/3.2.33...3.2.34) - 2024-03-10\n\n### Bug Fix\n\n- **terraform:** Dont duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - [#6072](https://github.com/bridgecrewio/checkov/pull/6072)\n\n## [3.2.33](https://github.com/bridgecrewio/checkov/compare/3.2.32...3.2.33) - 2024-03-08\n\n### Platform\n\n- **general:** improve upload failure logging and log size of failed files - [#6076](https://github.com/bridgecrewio/checkov/pull/6076)\n\n## [3.2.32](https://github.com/bridgecrewio/checkov/compare/3.2.31...3.2.32) - 2024-03-06\n\n### Bug Fix\n\n- **sast:** do not log warning when using skip framework - [#6066](https://github.com/bridgecrewio/checkov/pull/6066)\n\n## [3.2.31](https://github.com/bridgecrewio/checkov/compare/3.2.28...3.2.31) - 2024-03-04\n\n### Bug Fix\n\n- **terraform:** better handling of interpolation rendering in conditional expressions - [#6062](https://github.com/bridgecrewio/checkov/pull/6062)\n- **terraform:** Changed a couple of checks from negative to positive check, behavior is the same - [#6063](https://github.com/bridgecrewio/checkov/pull/6063)\n\n## [3.2.28](https://github.com/bridgecrewio/checkov/compare/3.2.26...3.2.28) - 2024-02-28\n\n### Bug Fix\n\n- **sca:** handling unknown severity - [#6055](https://github.com/bridgecrewio/checkov/pull/6055)\n- **terraform:** Add Condition exceptions CKV_AWS_70 - [#6044](https://github.com/bridgecrewio/checkov/pull/6044)\n- **terraform:** Add k8s 1.29 to CKV_AWS_339 - [#6056](https://github.com/bridgecrewio/checkov/pull/6056)\n\n## [3.2.26](https://github.com/bridgecrewio/checkov/compare/3.2.25...3.2.26) - 2024-02-26\n\n### Bug Fix\n\n- **sast:** fetch sast custom policieis - [#6040](https://github.com/bridgecrewio/checkov/pull/6040)\n\n## [3.2.25](https://github.com/bridgecrewio/checkov/compare/3.2.24...3.2.25) - 2024-02-25\n\n### Feature\n\n- **terraform:** Added support for `try` function in evaluate_terraform - [#6043](https://github.com/bridgecrewio/checkov/pull/6043)\n\n## [3.2.24](https://github.com/bridgecrewio/checkov/compare/3.2.23...3.2.24) - 2024-02-22\n\n### Feature\n\n- **cloudformation:** add CFN policies for MSK - [#6021](https://github.com/bridgecrewio/checkov/pull/6021)\n\n## [3.2.23](https://github.com/bridgecrewio/checkov/compare/3.2.22...3.2.23) - 2024-02-21\n\n### Bug Fix\n\n- **terraform:** support vertex reference based on foreach key - [#6039](https://github.com/bridgecrewio/checkov/pull/6039)\n\n## [3.2.22](https://github.com/bridgecrewio/checkov/compare/3.2.21...3.2.22) - 2024-02-18\n\n### Bug Fix\n\n- **terraform:** CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - [#6034](https://github.com/bridgecrewio/checkov/pull/6034)\n\n## [3.2.21](https://github.com/bridgecrewio/checkov/compare/3.2.20...3.2.21) - 2024-02-14\n\n### Bug Fix\n\n- **sast:** fix cdk checks path - [#6029](https://github.com/bridgecrewio/checkov/pull/6029)\n\n## [3.2.20](https://github.com/bridgecrewio/checkov/compare/3.2.19...3.2.20) - 2024-02-11\n\n### Bug Fix\n\n- **graph:** remove SCA runner v1 - re-enable - [#6024](https://github.com/bridgecrewio/checkov/pull/6024)\n\n## [3.2.19](https://github.com/bridgecrewio/checkov/compare/3.2.17...3.2.19) - 2024-02-08\n\n### Feature\n\n- **general:** Implement authentication retry mechanism - [#6022](https://github.com/bridgecrewio/checkov/pull/6022)\n- **sast:** add danger rule - [#6012](https://github.com/bridgecrewio/checkov/pull/6012)\n\n## [3.2.17](https://github.com/bridgecrewio/checkov/compare/3.2.12...3.2.17) - 2024-02-07\n\n### Bug Fix\n\n- **general:** downgrade botocore dependency - [#6016](https://github.com/bridgecrewio/checkov/pull/6016)\n- **graph:** remove SCA runner v1 - [#6005](https://github.com/bridgecrewio/checkov/pull/6005)\n- **terraform:** Deleted deprecated check CKV_GCP_19 - [#6010](https://github.com/bridgecrewio/checkov/pull/6010)\n\n## [3.2.12](https://github.com/bridgecrewio/checkov/compare/3.2.8...3.2.12) - 2024-02-06\n\n### Bug Fix\n\n- **general:** downgrade boto3 - [#6011](https://github.com/bridgecrewio/checkov/pull/6011)\n- **terraform:** fix check CKV2_AZURE_10 - [#6009](https://github.com/bridgecrewio/checkov/pull/6009)\n\n## [3.2.8](https://github.com/bridgecrewio/checkov/compare/3.2.7...3.2.8) - 2024-02-05\n\n### Feature\n\n- **secrets:** bump bc-detect-secrets to version 1.5.4 - [#5998](https://github.com/bridgecrewio/checkov/pull/5998)\n\n## [3.2.7](https://github.com/bridgecrewio/checkov/compare/3.2.3...3.2.7) - 2024-02-04\n\n### Feature\n\n- **azure:** create arm check StorageAccountMinimumTlsVersion CKV_AZURE_236 - [#5986](https://github.com/bridgecrewio/checkov/pull/5986)\n- **sast:** add dataflow to output - [#5987](https://github.com/bridgecrewio/checkov/pull/5987)\n\n### Bug Fix\n\n- **terraform:** Correctly relace foreach_value inside _update_attributes for complex cases - [#5994](https://github.com/bridgecrewio/checkov/pull/5994)\n\n## [3.2.3](https://github.com/bridgecrewio/checkov/compare/3.2.2...3.2.3) - 2024-01-31\n\n### Bug Fix\n\n- **terraform:** find explicit lockout fail actions for s3 - [#5943](https://github.com/bridgecrewio/checkov/pull/5943)\n\n## [3.2.2](https://github.com/bridgecrewio/checkov/compare/3.2.1...3.2.2) - 2024-01-30\n\n### Feature\n\n- **sca:** persist support logs for sub processes - [#5988](https://github.com/bridgecrewio/checkov/pull/5988)\n\n## [3.2.1](https://github.com/bridgecrewio/checkov/compare/3.2.0...3.2.1) - 2024-01-29\n\n### Bug Fix\n\n- **sast:** summarize errors - [#5977](https://github.com/bridgecrewio/checkov/pull/5977)\n\n## [3.2.0](https://github.com/bridgecrewio/checkov/compare/3.1.70...3.2.0) - 2024-01-28\n\n### Bug Fix\n\n- **terraform:** and cdk/cloudformation: inconsistent naming of AWS resources in checks - [#5966](https://github.com/bridgecrewio/checkov/pull/5966)\n\n### Platform\n\n- **general:** remove igraph - [#5781](https://github.com/bridgecrewio/checkov/pull/5781)\n\n## [3.1.70](https://github.com/bridgecrewio/checkov/compare/3.1.69...3.1.70) - 2024-01-24\n\n### Bug Fix\n\n- **terraform:** Manually fixed test for loading terraform registry to be with commit hash instead of version tag - [#5971](https://github.com/bridgecrewio/checkov/pull/5971)\n\n## [3.1.69](https://github.com/bridgecrewio/checkov/compare/3.1.67...3.1.69) - 2024-01-22\n\n### Bug Fix\n\n- **sast:** replaced TBD with owasp and removed \"sast engine\" - [#5959](https://github.com/bridgecrewio/checkov/pull/5959)\n- **terraform:** External module test - [#5963](https://github.com/bridgecrewio/checkov/pull/5963)\n\n## [3.1.67](https://github.com/bridgecrewio/checkov/compare/3.1.66...3.1.67) - 2024-01-18\n\n### Feature\n\n- **sast:** Add policies to executable - [#5955](https://github.com/bridgecrewio/checkov/pull/5955)\n\n## [3.1.66](https://github.com/bridgecrewio/checkov/compare/3.1.63...3.1.66) - 2024-01-17\n\n### Bug Fix\n\n- **sast:** change the path for taint mode match - [#5953](https://github.com/bridgecrewio/checkov/pull/5953)\n- **sast:** fix report with only reachability - [#5951](https://github.com/bridgecrewio/checkov/pull/5951)\n\n### Platform\n\n- **general:** Change SAST enforcement rule to weaknesses - [#5950](https://github.com/bridgecrewio/checkov/pull/5950)\n- **general:** handle weaknesses rename - [#5954](https://github.com/bridgecrewio/checkov/pull/5954)\n\n## [3.1.63](https://github.com/bridgecrewio/checkov/compare/3.1.61...3.1.63) - 2024-01-16\n\n### Bug Fix\n\n- **sast:** Fix serialize for sast report with taint mode - [#5949](https://github.com/bridgecrewio/checkov/pull/5949)\n\n## [3.1.61](https://github.com/bridgecrewio/checkov/compare/3.1.60...3.1.61) - 2024-01-15\n\n### Bug Fix\n\n- **general:** allow colorama version >=0.4.3,<0.5.0 in setup - [#5944](https://github.com/bridgecrewio/checkov/pull/5944)\n\n## [3.1.60](https://github.com/bridgecrewio/checkov/compare/3.1.57...3.1.60) - 2024-01-14\n\n### Bug Fix\n\n- **sast:** fix relative paths in sast cdk reports - [#5932](https://github.com/bridgecrewio/checkov/pull/5932)\n- **sast:** fix sast cdk code location paths - [#5938](https://github.com/bridgecrewio/checkov/pull/5938)\n- **terraform:** CKV_GCP_79 Upgrade CloudSQL SQLSERVER major version to 2022 - [#5936](https://github.com/bridgecrewio/checkov/pull/5936)\n- **terraform:** Improved bad performance pathlib check - [#5939](https://github.com/bridgecrewio/checkov/pull/5939)\n\n## [3.1.57](https://github.com/bridgecrewio/checkov/compare/3.1.55...3.1.57) - 2024-01-10\n\n### Bug Fix\n\n- **general:** fix multiprocess abilities - [#5887](https://github.com/bridgecrewio/checkov/pull/5887)\n- **general:** fixing hidden dependencies & state breaking tests - [#5911](https://github.com/bridgecrewio/checkov/pull/5911)\n- **general:** Reenabling cdk-integration-tests - [#5922](https://github.com/bridgecrewio/checkov/pull/5922)\n\n## [3.1.55](https://github.com/bridgecrewio/checkov/compare/3.1.54...3.1.55) - 2024-01-08\n\n### Bug Fix\n\n- **terraform:** Support \"pass_prefix_list\" for SG ingress rules correctly - [#5918](https://github.com/bridgecrewio/checkov/pull/5918)\n\n## [3.1.54](https://github.com/bridgecrewio/checkov/compare/3.1.53...3.1.54) - 2024-01-05\n\n### Bug Fix\n\n- **general:** temporary disable runtime config - [#5921](https://github.com/bridgecrewio/checkov/pull/5921)\n\n## [3.1.53](https://github.com/bridgecrewio/checkov/compare/3.1.51...3.1.53) - 2024-01-04\n\n### Feature\n\n- **terraform:** node pools should be configured separately from a cl… - [#5916](https://github.com/bridgecrewio/checkov/pull/5916)\n\n### Bug Fix\n\n- **terraform:** handle no action in aws_dlm_lifecycle_policy - [#5905](https://github.com/bridgecrewio/checkov/pull/5905)\n\n## [3.1.51](https://github.com/bridgecrewio/checkov/compare/3.1.50...3.1.51) - 2024-01-03\n\n- no noteworthy changes\n\n## [3.1.50](https://github.com/bridgecrewio/checkov/compare/3.1.46...3.1.50) - 2023-12-31\n\n### Feature\n\n- **sast:** Add sast metadata to sast report - [#5910](https://github.com/bridgecrewio/checkov/pull/5910)\n- **terraform:** Add various vertex related policies - [#5898](https://github.com/bridgecrewio/checkov/pull/5898)\n\n### Bug Fix\n\n- **sast:** persist empty sast report for cdk - [#5909](https://github.com/bridgecrewio/checkov/pull/5909)\n- **terraform:** Fix typo Customer Managed Key - [#5900](https://github.com/bridgecrewio/checkov/pull/5900)\n\n## [3.1.46](https://github.com/bridgecrewio/checkov/compare/3.1.44...3.1.46) - 2023-12-28\n\n### Feature\n\n- **terraform:** CLI output - add indication if repository was discovered In a running environment - [#5908](https://github.com/bridgecrewio/checkov/pull/5908)\n\n### Bug Fix\n\n- **sast:** add missing field in MatchMetadata - [#5907](https://github.com/bridgecrewio/checkov/pull/5907)\n\n## [3.1.44](https://github.com/bridgecrewio/checkov/compare/3.1.43...3.1.44) - 2023-12-26\n\n### Feature\n\n- **sast:** add dataflow to checkov report from sast - [#5892](https://github.com/bridgecrewio/checkov/pull/5892)\n\n## [3.1.43](https://github.com/bridgecrewio/checkov/compare/3.1.42...3.1.43) - 2023-12-24\n\n### Feature\n\n- **terraform:** add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access - [#5888](https://github.com/bridgecrewio/checkov/pull/5888)\n- **terraform:** Ensure SES Configuration Set enforces TLS usage - [#5891](https://github.com/bridgecrewio/checkov/pull/5891)\n\n### Bug Fix\n\n- **terraform:** pod security policy removed in GKE 1.25 - [#5675](https://github.com/bridgecrewio/checkov/pull/5675)\n\n## [3.1.42](https://github.com/bridgecrewio/checkov/compare/3.1.40...3.1.42) - 2023-12-22\n\n### Feature\n\n- **sast:** Split sast and cdk reports - [#5889](https://github.com/bridgecrewio/checkov/pull/5889)\n\n### Bug Fix\n\n- **terraform:** Fix CKV_Azure_234 - [#5886](https://github.com/bridgecrewio/checkov/pull/5886)\n\n## [3.1.40](https://github.com/bridgecrewio/checkov/compare/3.1.38...3.1.40) - 2023-12-19\n\n### Feature\n\n- **terraform_plan:** Add PY graph checks for tf plan - [#5875](https://github.com/bridgecrewio/checkov/pull/5875)\n\n### Bug Fix\n\n- **terraform:** Remove CKV_AWS_188 as dupe - [#5884](https://github.com/bridgecrewio/checkov/pull/5884)\n\n## [3.1.38](https://github.com/bridgecrewio/checkov/compare/3.1.34...3.1.38) - 2023-12-13\n\n### Feature\n\n- **sast:** add integration test platform report - [#5856](https://github.com/bridgecrewio/checkov/pull/5856)\n- **sast:** python Cdk policies batch 3 - [#5820](https://github.com/bridgecrewio/checkov/pull/5820)\n- **sast:** python Cdk policies batch 4 - [#5857](https://github.com/bridgecrewio/checkov/pull/5857)\n\n### Bug Fix\n\n- **sast:** add save local sast report to run integration script - [#5863](https://github.com/bridgecrewio/checkov/pull/5863)\n\n## [3.1.34](https://github.com/bridgecrewio/checkov/compare/3.1.33...3.1.34) - 2023-12-12\n\n### Feature\n\n- **terraform:** Used parallel run to run all split_graph iterations - [#5840](https://github.com/bridgecrewio/checkov/pull/5840)\n\n## [3.1.33](https://github.com/bridgecrewio/checkov/compare/3.1.29...3.1.33) - 2023-12-11\n\n### Feature\n\n- **general:** anchor cyclonedx to last non breaking version - [#5846](https://github.com/bridgecrewio/checkov/pull/5846)\n- **general:** Revert pipfile lock changes - [#5848](https://github.com/bridgecrewio/checkov/pull/5848)\n- **sast:** add back commented checks - [#5851](https://github.com/bridgecrewio/checkov/pull/5851)\n\n### Bug Fix\n\n- **sast:** fix reachability with no regular matches - [#5847](https://github.com/bridgecrewio/checkov/pull/5847)\n- **sca:** not printing reachability data for lines without cves - [#5849](https://github.com/bridgecrewio/checkov/pull/5849)\n\n## [3.1.29](https://github.com/bridgecrewio/checkov/compare/3.1.27...3.1.29) - 2023-12-10\n\n### Feature\n\n- **terraform:** fix for check VPCPeeringRouteTableOverlyPermissive and add tests - [#5837](https://github.com/bridgecrewio/checkov/pull/5837)\n\n### Bug Fix\n\n- **sast:** fix sast report format - [#5811](https://github.com/bridgecrewio/checkov/pull/5811)\n\n## [3.1.27](https://github.com/bridgecrewio/checkov/compare/3.1.26...3.1.27) - 2023-12-07\n\n### Feature\n\n- **secrets:** used 10 characters in secret violation - [#5835](https://github.com/bridgecrewio/checkov/pull/5835)\n\n## [3.1.26](https://github.com/bridgecrewio/checkov/compare/3.1.24...3.1.26) - 2023-12-06\n\n### Bug Fix\n\n- **general:** check both path types for suppression - [#5834](https://github.com/bridgecrewio/checkov/pull/5834)\n- **terraform:** Fix range issue in OCI RDP check - [#5832](https://github.com/bridgecrewio/checkov/pull/5832)\n\n## [3.1.24](https://github.com/bridgecrewio/checkov/compare/3.1.21...3.1.24) - 2023-12-05\n\n### Bug Fix\n\n- **sca:** Update the log level of specific logs - [#5828](https://github.com/bridgecrewio/checkov/pull/5828)\n- **terraform:** CKV_GCP_26 Added additional google_compute_subnetwork purposes that do not support flow logs - [#5812](https://github.com/bridgecrewio/checkov/pull/5812)\n- **terraform:** Fix CKV_GCP_30 for unknown service account - [#5818](https://github.com/bridgecrewio/checkov/pull/5818)\n- **terraform:** Fixed to_dict of terraform block regarding source_module_object - [#5822](https://github.com/bridgecrewio/checkov/pull/5822)\n\n## [3.1.21](https://github.com/bridgecrewio/checkov/compare/3.1.20...3.1.21) - 2023-12-04\n\n### Feature\n\n- **ansible:** add CKV_PAN_17 - Check for src and dst zone any - [#5803](https://github.com/bridgecrewio/checkov/pull/5803)\n- **sast:** sast enabled from integration - [#5780](https://github.com/bridgecrewio/checkov/pull/5780)\n- **terraform:** Adding Python based build time policies for corresponding PC runtime policies - [#5762](https://github.com/bridgecrewio/checkov/pull/5762)\n- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5810](https://github.com/bridgecrewio/checkov/pull/5810)\n\n## [3.1.20](https://github.com/bridgecrewio/checkov/compare/3.1.19...3.1.20) - 2023-11-30\n\n### Platform\n\n- **general:** handle the updated on prem response from the platform - [#5809](https://github.com/bridgecrewio/checkov/pull/5809)\n\n## [3.1.19](https://github.com/bridgecrewio/checkov/compare/3.1.18...3.1.19) - 2023-11-29\n\n### Feature\n\n- **sca:** Using alias data from assets.json for giving Package Used indication for aliased packages - [#5808](https://github.com/bridgecrewio/checkov/pull/5808)\n\n## [3.1.18](https://github.com/bridgecrewio/checkov/compare/3.1.17...3.1.18) - 2023-11-28\n\n### Bug Fix\n\n- **terraform:** Add source_module_object to blocks from_dict func - [#5806](https://github.com/bridgecrewio/checkov/pull/5806)\n\n## [3.1.17](https://github.com/bridgecrewio/checkov/compare/3.1.15...3.1.17) - 2023-11-27\n\n### Feature\n\n- **ansible:** PAN-OS IPsec checks - [#5802](https://github.com/bridgecrewio/checkov/pull/5802)\n\n## [3.1.15](https://github.com/bridgecrewio/checkov/compare/3.1.11...3.1.15) - 2023-11-26\n\n### Feature\n\n- **ansible:** add CKV_PAN_16 PAN-OS BPA Check for session log at start - [#5794](https://github.com/bridgecrewio/checkov/pull/5794)\n- **sast:** Add alias data to imports assets - [#5788](https://github.com/bridgecrewio/checkov/pull/5788)\n\n### Bug Fix\n\n- **bicep:** Update AppServiceHttps20Enabled to consider newer ApiVersion - [#5795](https://github.com/bridgecrewio/checkov/pull/5795)\n\n## [3.1.11](https://github.com/bridgecrewio/checkov/compare/3.1.9...3.1.11) - 2023-11-23\n\n### Bug Fix\n\n- **general:** Policy metadata API fixes - [#5761](https://github.com/bridgecrewio/checkov/pull/5761)\n\n## [3.1.9](https://github.com/bridgecrewio/checkov/compare/3.1.4...3.1.9) - 2023-11-21\n\n### Bug Fix\n\n- **gha:** Update GitHub Actions Workflow Schema #5742 - [#5759](https://github.com/bridgecrewio/checkov/pull/5759)\n- **terraform_plan:** load terraform registry checks when using terraform plan - [#5778](https://github.com/bridgecrewio/checkov/pull/5778)\n- **terraform:** Ensure HTTPS in Azure Function App and App Slots - [#5766](https://github.com/bridgecrewio/checkov/pull/5766)\n\n### Platform\n\n- **general:** do not display an auth error when the runconfig endpoint returns a 500 - [#5779](https://github.com/bridgecrewio/checkov/pull/5779)\n\n## [3.1.4](https://github.com/bridgecrewio/checkov/compare/3.0.40...3.1.4) - 2023-11-20\n\n### Breaking Change\n\n- **general:** set default parallelization type to spawn and leverage Terraform downloaded module by default - [#5760](https://github.com/bridgecrewio/checkov/pull/5760)\n\n### Feature\n\n- **terraform:** Ensure ACR is zone-redundant - [#5748](https://github.com/bridgecrewio/checkov/pull/5748)\n\n### Bug Fix\n\n- **general:** Revert parallelization commit - [#5777](https://github.com/bridgecrewio/checkov/pull/5777)\n- **sast:** remove SAST frameworks for OSS users - [#5773](https://github.com/bridgecrewio/checkov/pull/5773)\n- **secrets:** don't reinitialize the upload client without API key usage - [#5771](https://github.com/bridgecrewio/checkov/pull/5771)\n\n### Documentation\n\n- **general:** properly escape CLI flags in the CLI command docs - [#5768](https://github.com/bridgecrewio/checkov/pull/5768)\n\n## [3.0.40](https://github.com/bridgecrewio/checkov/compare/3.0.38...3.0.40) - 2023-11-19\n\n### Bug Fix\n\n- **terraform_plan:** TF plan resources connection fix - [#5767](https://github.com/bridgecrewio/checkov/pull/5767)\n\n## [3.0.38](https://github.com/bridgecrewio/checkov/compare/3.0.37...3.0.38) - 2023-11-16\n\n### Feature\n\n- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5714](https://github.com/bridgecrewio/checkov/pull/5714)\n\n## [3.0.37](https://github.com/bridgecrewio/checkov/compare/3.0.36...3.0.37) - 2023-11-15\n\n### Bug Fix\n\n- **terraform:** fix valid value for aws keyspaces_table encryption_specification type - [#5756](https://github.com/bridgecrewio/checkov/pull/5756)\n\n## [3.0.36](https://github.com/bridgecrewio/checkov/compare/3.0.34...3.0.36) - 2023-11-14\n\n### Bug Fix\n\n- **terraform:** check min TLS version also on azure app slots - [#5753](https://github.com/bridgecrewio/checkov/pull/5753)\n\n## [3.0.34](https://github.com/bridgecrewio/checkov/compare/3.0.32...3.0.34) - 2023-11-12\n\n### Feature\n\n- **general:** add possibility to change parallelization type - [#5737](https://github.com/bridgecrewio/checkov/pull/5737)\n\n### Bug Fix\n\n- **cloudformation:** ignore unresolved references in CKV_AWS_45 - [#5747](https://github.com/bridgecrewio/checkov/pull/5747)\n\n## [3.0.32](https://github.com/bridgecrewio/checkov/compare/3.0.28...3.0.32) - 2023-11-09\n\n### Feature\n\n- **sast:** Python cdk policies batch 2 - [#5725](https://github.com/bridgecrewio/checkov/pull/5725)\n\n### Bug Fix\n\n- **general:** add option to pass `--skip-download` with github-action - [#5734](https://github.com/bridgecrewio/checkov/pull/5734)\n\n### Platform\n\n- **general:** print the log upload location if the --support flag is used - [#5738](https://github.com/bridgecrewio/checkov/pull/5738)\n\n## [3.0.28](https://github.com/bridgecrewio/checkov/compare/3.0.25...3.0.28) - 2023-11-08\n\n### Bug Fix\n\n- **terraform:** Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - [#5687](https://github.com/bridgecrewio/checkov/pull/5687)\n\n### Documentation\n\n- **general:** Switch references to Bridgecrew with Prisma Cloud - [#5704](https://github.com/bridgecrewio/checkov/pull/5704)\n\n## [3.0.25](https://github.com/bridgecrewio/checkov/compare/3.0.24...3.0.25) - 2023-11-07\n\n### Bug Fix\n\n- **general:** do not require a repo ID when using an API key and --list - [#5726](https://github.com/bridgecrewio/checkov/pull/5726)\n\n## [3.0.24](https://github.com/bridgecrewio/checkov/compare/3.0.21...3.0.24) - 2023-11-06\n\n### Feature\n\n- **sast:** add new python CDK policies - [#5706](https://github.com/bridgecrewio/checkov/pull/5706)\n- **terraform:** Ensure that only critical system pods run on system nodes - [#5665](https://github.com/bridgecrewio/checkov/pull/5665)\n\n## [3.0.21](https://github.com/bridgecrewio/checkov/compare/3.0.19...3.0.21) - 2023-11-05\n\n### Feature\n\n- **terraform:** Ensure App Service Environment is zone redundant - [#5662](https://github.com/bridgecrewio/checkov/pull/5662)\n- **terraform:** Ensure that Standard Replication is enabled - [#5649](https://github.com/bridgecrewio/checkov/pull/5649)\n\n### Bug Fix\n\n- **sca:** Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - [#5715](https://github.com/bridgecrewio/checkov/pull/5715)\n- **terraform:** CKV_AWS_208 valid Amazon MQ versions - [#5653](https://github.com/bridgecrewio/checkov/pull/5653)\n\n## [3.0.19](https://github.com/bridgecrewio/checkov/compare/3.0.16...3.0.19) - 2023-11-02\n\n### Feature\n\n- **sca:** adjusting the cli-output to support indicating of reachable functions - [#5713](https://github.com/bridgecrewio/checkov/pull/5713)\n- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5637](https://github.com/bridgecrewio/checkov/pull/5637)\n- **terraform:** bigtable deletion protection [depends on #5625] - [#5626](https://github.com/bridgecrewio/checkov/pull/5626)\n- **terraform:** drop and deletion checks for spanner - [#5625](https://github.com/bridgecrewio/checkov/pull/5625)\n\n### Bug Fix\n\n- **sast:** add cveid to reachability report - [#5708](https://github.com/bridgecrewio/checkov/pull/5708)\n\n## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01\n\n### Feature\n\n- **sca:** Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - [#5707](https://github.com/bridgecrewio/checkov/pull/5707)\n\n## [3.0.15](https://github.com/bridgecrewio/checkov/compare/3.0.14...3.0.15) - 2023-10-31\n\n### Bug Fix\n\n- **general:** fix duplicate components in CycloneDX report - [#5705](https://github.com/bridgecrewio/checkov/pull/5705)\n\n## [3.0.14](https://github.com/bridgecrewio/checkov/compare/3.0.13...3.0.14) - 2023-10-30\n\n### Bug Fix\n\n- **general:** address python 3.12 SyntaxWarning - [#5699](https://github.com/bridgecrewio/checkov/pull/5699)\n- **terraform:** fix variable rendering for foreach resources with dot included names - [#5701](https://github.com/bridgecrewio/checkov/pull/5701)\n\n## [3.0.13](https://github.com/bridgecrewio/checkov/compare/3.0.12...3.0.13) - 2023-10-29\n\n### Bug Fix\n\n- **sast:** comment out SAST JS integration test - [#5697](https://github.com/bridgecrewio/checkov/pull/5697)\n\n## [3.0.12](https://github.com/bridgecrewio/checkov/compare/3.0.7...3.0.12) - 2023-10-26\n\n### Bug Fix\n\n- **general:** Fix sast & cdk integration tests - [#5688](https://github.com/bridgecrewio/checkov/pull/5688)\n- **sast:** Adding exit code in sast integration test - [#5690](https://github.com/bridgecrewio/checkov/pull/5690)\n- **sast:** adjust SAST file pattern search - [#5694](https://github.com/bridgecrewio/checkov/pull/5694)\n- **sast:** fix sast reachability report format - [#5686](https://github.com/bridgecrewio/checkov/pull/5686)\n- **terraform:** Fixing the typo within the name of the Terraform check CKV_AZURE_158 - [#5696](https://github.com/bridgecrewio/checkov/pull/5696)\n\n### Platform\n\n- **general:** Do not crash the run if S3 integration fails during setup, upload, or finalize - [#5691](https://github.com/bridgecrewio/checkov/pull/5691)\n\n## [3.0.7](https://github.com/bridgecrewio/checkov/compare/3.0.4...3.0.7) - 2023-10-25\n\n### Bug Fix\n\n- **secrets:** fix secret FP of client_secret_setting_name - [#5679](https://github.com/bridgecrewio/checkov/pull/5679)\n\n### Platform\n\n- **general:** Add SAST enforcement rules and check severity thresholds - [#5684](https://github.com/bridgecrewio/checkov/pull/5684)\n- **general:** do not get fixes for on prem integrations - [#5668](https://github.com/bridgecrewio/checkov/pull/5668)\n\n## [3.0.4](https://github.com/bridgecrewio/checkov/compare/2.5.18...3.0.4) - 2023-10-24\n\n### Breaking Change\n\n- **general:** remove level up flow - [#5677](https://github.com/bridgecrewio/checkov/pull/5677)\n- **general:** remove multi_signature and adjust base check classes - [#5645](https://github.com/bridgecrewio/checkov/pull/5645)\n- **general:** v3 release - [#5681](https://github.com/bridgecrewio/checkov/pull/5681)\n\n### Bug Fix\n\n- **sast:** fix error logs coming from SAST - [#5685](https://github.com/bridgecrewio/checkov/pull/5685)\n\n### Documentation\n\n- **general:** add BC token deprecation notice and v3 migration guide - [#5644](https://github.com/bridgecrewio/checkov/pull/5644)\n\n## [2.5.18](https://github.com/bridgecrewio/checkov/compare/2.5.15...2.5.18) - 2023-10-22\n\n### Feature\n\n- **general:** Adds GHA support for skip-frameworks, skip-cve-package & output-bc-ids flags - [#5619](https://github.com/bridgecrewio/checkov/pull/5619)\n- **terraform:** Ensure that the SQL database is zone-redundant - [#5540](https://github.com/bridgecrewio/checkov/pull/5540)\n- **terraform:** Ensure the Azure Event Hub Namespace is zone redundant - [#5538](https://github.com/bridgecrewio/checkov/pull/5538)\n\n### Bug Fix\n\n- **bicep:** enforce encryption flag to be string for CKV_AZURE_97 - [#5669](https://github.com/bridgecrewio/checkov/pull/5669)\n- **terraform_plan:** Add provisioners to TF Plan parser - [#5622](https://github.com/bridgecrewio/checkov/pull/5622)\n\n## [2.5.15](https://github.com/bridgecrewio/checkov/compare/2.5.13...2.5.15) - 2023-10-19\n\n### Feature\n\n- **terraform:** Support for merge func inside jsondecode - [#5656](https://github.com/bridgecrewio/checkov/pull/5656)\n\n### Bug Fix\n\n- **sca:** make the abs path to be correcnt - [#5660](https://github.com/bridgecrewio/checkov/pull/5660)\n\n## [2.5.13](https://github.com/bridgecrewio/checkov/compare/2.5.11...2.5.13) - 2023-10-18\n\n### Feature\n\n- **arm:** implement CKV_AZURE_103 for ARM - [#5527](https://github.com/bridgecrewio/checkov/pull/5527)\n- **arm:** implement CKV_AZURE_96 for ARM - [#5506](https://github.com/bridgecrewio/checkov/pull/5506)\n- **arm:** implement CKV_AZURE_97 for ARM - [#5515](https://github.com/bridgecrewio/checkov/pull/5515)\n\n### Bug Fix\n\n- **terraform:** Added a check to make sure dynamic \"blocks\" are of the expected type - [#5642](https://github.com/bridgecrewio/checkov/pull/5642)\n- **terraform:** update CKV_AWS_339 valid EKS versions - [#5652](https://github.com/bridgecrewio/checkov/pull/5652)\n\n## [2.5.11](https://github.com/bridgecrewio/checkov/compare/2.5.10...2.5.11) - 2023-10-17\n\n### Feature\n\n- **sca:** giving file path on relative the the current dir for cases there is no either specified root_folder and the is no repo scan dir - [#5654](https://github.com/bridgecrewio/checkov/pull/5654)\n\n## [2.5.10](https://github.com/bridgecrewio/checkov/compare/2.5.9...2.5.10) - 2023-10-16\n\n### Feature\n\n- **terraform:** support scanning of Terraform managed modules instead of downloading them - [#5635](https://github.com/bridgecrewio/checkov/pull/5635)\n\n### Bug Fix\n\n- **terraform:** Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - [#5638](https://github.com/bridgecrewio/checkov/pull/5638)\n\n## [2.5.9](https://github.com/bridgecrewio/checkov/compare/2.5.8...2.5.9) - 2023-10-15\n\n### Feature\n\n- **sca:** support case where there are no cves suppressions - [#5636](https://github.com/bridgecrewio/checkov/pull/5636)\n\n## [2.5.8](https://github.com/bridgecrewio/checkov/compare/2.5.6...2.5.8) - 2023-10-12\n\n### Feature\n\n- **general:** Remove code upload for on-prem integrations - [#5624](https://github.com/bridgecrewio/checkov/pull/5624)\n\n## [2.5.6](https://github.com/bridgecrewio/checkov/compare/2.5.3...2.5.6) - 2023-10-05\n\n### Feature\n\n- **arm:** implement CKV_AZURE_95 for ARM - [#5500](https://github.com/bridgecrewio/checkov/pull/5500)\n- **general:** Added source and target to edge data - [#5621](https://github.com/bridgecrewio/checkov/pull/5621)\n\n### Bug Fix\n\n- **terraform_plan:** add azurerm_portal_dashboard to jsonify list - [#5618](https://github.com/bridgecrewio/checkov/pull/5618)\n- **terraform:** check if the dynamic name is one of the resources block - [#5607](https://github.com/bridgecrewio/checkov/pull/5607)\n\n## [2.5.3](https://github.com/bridgecrewio/checkov/compare/2.4.61...2.5.3) - 2023-10-04\n\n### Breaking Change\n\n- **general:** remove Python 3.7 - [#5605](https://github.com/bridgecrewio/checkov/pull/5605)\n- **graph:** remove CHECKOV_CREATE_GRAPH env var to control graph creation - [#5606](https://github.com/bridgecrewio/checkov/pull/5606)\n\n### Bug Fix\n\n- **dockerfile:** fix Docker image scan - [#5617](https://github.com/bridgecrewio/checkov/pull/5617)\n- **openapi:** Take into account that security is at the root level of your OpenAPI specification. - [#5603](https://github.com/bridgecrewio/checkov/pull/5603)\n- **terraform:** stop CKV_GCP_43 crashing when not a string - [#5561](https://github.com/bridgecrewio/checkov/pull/5561)\n\n## [2.4.61](https://github.com/bridgecrewio/checkov/compare/2.4.59...2.4.61) - 2023-10-03\n\n### Bug Fix\n\n- **terraform:** fix upload resource_subgraph_maps - [#5615](https://github.com/bridgecrewio/checkov/pull/5615)\n\n### Platform\n\n- **terraform:** Upload resource subgraph map - [#5612](https://github.com/bridgecrewio/checkov/pull/5612)\n\n## [2.4.59](https://github.com/bridgecrewio/checkov/compare/2.4.58...2.4.59) - 2023-10-02\n\n### Platform\n\n- **terraform:** fix in subgraphs uploads - [#5610](https://github.com/bridgecrewio/checkov/pull/5610)\n\n## [2.4.58](https://github.com/bridgecrewio/checkov/compare/2.4.57...2.4.58) - 2023-10-01\n\n### Platform\n\n- **terraform:** upload tf sub graphs - [#5596](https://github.com/bridgecrewio/checkov/pull/5596)\n\n## [2.4.57](https://github.com/bridgecrewio/checkov/compare/2.4.55...2.4.57) - 2023-09-29\n\n### Feature\n\n- **terraform:** Ensure ephemeral disks are used for OS disks - [#5584](https://github.com/bridgecrewio/checkov/pull/5584)\n- **terraform:** Ensure that App Service plan is zone redundant - [#5577](https://github.com/bridgecrewio/checkov/pull/5577)\n- **terraform:** Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources - [#5588](https://github.com/bridgecrewio/checkov/pull/5588)\n\n## [2.4.55](https://github.com/bridgecrewio/checkov/compare/2.4.51...2.4.55) - 2023-09-28\n\n### Feature\n\n- **general:** Add image referencer rustworkx support - [#5564](https://github.com/bridgecrewio/checkov/pull/5564)\n- **general:** Add rustworkx support - [#5595](https://github.com/bridgecrewio/checkov/pull/5595)\n- **terraform:** Adding 2 new AWS policies - [#5599](https://github.com/bridgecrewio/checkov/pull/5599)\n- **terraform:** simply IMDSv2 checks - [#5601](https://github.com/bridgecrewio/checkov/pull/5601)\n\n## [2.4.51](https://github.com/bridgecrewio/checkov/compare/2.4.50...2.4.51) - 2023-09-27\n\n### Feature\n\n- **arm:** CKV_AZURE_88 convert to arm check - [#5465](https://github.com/bridgecrewio/checkov/pull/5465)\n- **arm:** implement CKV_AZURE_149 for ARM - [#5496](https://github.com/bridgecrewio/checkov/pull/5496)\n\n### Bug Fix\n\n- **terraform:** Adding missing null checks - [#5589](https://github.com/bridgecrewio/checkov/pull/5589)\n\n## [2.4.50](https://github.com/bridgecrewio/checkov/compare/2.4.48...2.4.50) - 2023-09-26\n\n### Feature\n\n- **general:** add rustworkx (#5511) - [#5565](https://github.com/bridgecrewio/checkov/pull/5565)\n- **general:** Revert add rustworkx (#5565)\" - [#5594](https://github.com/bridgecrewio/checkov/pull/5594)\n\n## [2.4.48](https://github.com/bridgecrewio/checkov/compare/2.4.47...2.4.48) - 2023-09-21\n\n### Platform\n\n- **general:** expose retry and timeout configuration for interaction with the platform - [#5585](https://github.com/bridgecrewio/checkov/pull/5585)\n\n## [2.4.47](https://github.com/bridgecrewio/checkov/compare/2.4.39...2.4.47) - 2023-09-20\n\n### Feature\n\n- **sca:** creating alias mapping for javascript - [#5567](https://github.com/bridgecrewio/checkov/pull/5567)\n- **sca:** creating alias mapping for javascript - [#5582](https://github.com/bridgecrewio/checkov/pull/5582)\n- **sca:** revert creating alias mapping for javascript - [#5581](https://github.com/bridgecrewio/checkov/pull/5581)\n\n### Bug Fix\n\n- **general:** fix print to encode in windows - [#5572](https://github.com/bridgecrewio/checkov/pull/5572)\n- **terraform:** Nested source_module_objects with missing foreach key - [#5580](https://github.com/bridgecrewio/checkov/pull/5580)\n\n## [2.4.39](https://github.com/bridgecrewio/checkov/compare/2.4.36...2.4.39) - 2023-09-14\n\n### Feature\n\n- **arm:** implement CKV2_AZURE_27 for arm - [#5534](https://github.com/bridgecrewio/checkov/pull/5534)\n- **terraform:** Add new policy for deprecated runtimes - [#5555](https://github.com/bridgecrewio/checkov/pull/5555)\n- **terraform:** Ensure Event Hub Namespace uses at least TLS 1.2 - [#5535](https://github.com/bridgecrewio/checkov/pull/5535)\n- **terraform:** Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - [#5541](https://github.com/bridgecrewio/checkov/pull/5541)\n\n## [2.4.36](https://github.com/bridgecrewio/checkov/compare/2.4.33...2.4.36) - 2023-09-13\n\n### Feature\n\n- **general:** add rustworkx - [#5511](https://github.com/bridgecrewio/checkov/pull/5511)\n\n### Bug Fix\n\n- **terraform:** Module from_dict func to static func - [#5562](https://github.com/bridgecrewio/checkov/pull/5562)\n\n## [2.4.33](https://github.com/bridgecrewio/checkov/compare/2.4.32...2.4.33) - 2023-09-12\n\n### Feature\n\n- **general:** attempt to fix overload in loaders and add tests - [#5549](https://github.com/bridgecrewio/checkov/pull/5549)\n- **general:** remove 3.7 integ. test - [#5556](https://github.com/bridgecrewio/checkov/pull/5556)\n- **general:** remove line to force code change - [#5558](https://github.com/bridgecrewio/checkov/pull/5558)\n- **terraform:** add check Neptune DB clusters should be configured to copy tags to snapshots - [#5552](https://github.com/bridgecrewio/checkov/pull/5552)\n- **terraform:** add CKV_AWS_361 to ensure Neptune DB cluster has adequate backup retention - [#5548](https://github.com/bridgecrewio/checkov/pull/5548)\n\n### Bug Fix\n\n- **terraform:** Fix external_modules_source_map serialization - [#5546](https://github.com/bridgecrewio/checkov/pull/5546)\n\n## [2.4.32](https://github.com/bridgecrewio/checkov/compare/2.4.30...2.4.32) - 2023-09-10\n\n### Feature\n\n- **terraform:** add check for Neptune DB clusters IAM database auth enabled - [#5545](https://github.com/bridgecrewio/checkov/pull/5545)\n- **terraform:** add CKV_AWS_360 to ensure backup retention period on AWS Document DB - [#5547](https://github.com/bridgecrewio/checkov/pull/5547)\n\n## [2.4.30](https://github.com/bridgecrewio/checkov/compare/2.4.29...2.4.30) - 2023-09-07\n\n### Feature\n\n- **terraform:** add public network checks for Azure Function and Web Apps - [#5533](https://github.com/bridgecrewio/checkov/pull/5533)\n\n## [2.4.29](https://github.com/bridgecrewio/checkov/compare/2.4.27...2.4.29) - 2023-09-06\n\n### Feature\n\n- **arm:** Implement CKV_AZURE_111 in ARM - [#5528](https://github.com/bridgecrewio/checkov/pull/5528)\n- **arm:** implement CKV_AZURE_134 for ARM - [#5518](https://github.com/bridgecrewio/checkov/pull/5518)\n- **arm:** implement CKV_AZURE_160 for arm - [#5526](https://github.com/bridgecrewio/checkov/pull/5526)\n- **arm:** implement CKV_AZURE_89 for ARM - [#5529](https://github.com/bridgecrewio/checkov/pull/5529)\n\n### Bug Fix\n\n- **terraform:** CKV_AWS_208 bug fix - [#5512](https://github.com/bridgecrewio/checkov/pull/5512)\n\n## [2.4.27](https://github.com/bridgecrewio/checkov/compare/2.4.25...2.4.27) - 2023-09-05\n\n### Feature\n\n- **general:** Check module download - [#5525](https://github.com/bridgecrewio/checkov/pull/5525)\n- **general:** Check module download and quit on failure - [#5523](https://github.com/bridgecrewio/checkov/pull/5523)\n\n## [2.4.25](https://github.com/bridgecrewio/checkov/compare/2.4.22...2.4.25) - 2023-09-03\n\n### Feature\n\n- **arm:** Implement CKV_AZURE_101 for ARM - [#5516](https://github.com/bridgecrewio/checkov/pull/5516)\n- **arm:** implement CKV_AZURE_107 for arm - [#5514](https://github.com/bridgecrewio/checkov/pull/5514)\n- **arm:** implement CKV_AZURE_113 for ARM - [#5510](https://github.com/bridgecrewio/checkov/pull/5510)\n\n## [2.4.22](https://github.com/bridgecrewio/checkov/compare/2.4.18...2.4.22) - 2023-08-31\n\n### Feature\n\n- **arm:** implement CKV_AZURE_112 for arm - [#5507](https://github.com/bridgecrewio/checkov/pull/5507)\n- **arm:** implement CKV_AZURE_40 for ARM - [#5499](https://github.com/bridgecrewio/checkov/pull/5499)\n- **arm:** implement CKV_AZURE_58 for ARM - [#5497](https://github.com/bridgecrewio/checkov/pull/5497)\n- **arm:** implement CKV_AZURE_94 for arm - [#5508](https://github.com/bridgecrewio/checkov/pull/5508)\n\n### Bug Fix\n\n- **helm:** Changed error message to failure to better differentiate problems - [#5517](https://github.com/bridgecrewio/checkov/pull/5517)\n- **terraform_json:** correctly parse data blocks in Terraform JSON - [#5509](https://github.com/bridgecrewio/checkov/pull/5509)\n- **terraform:** continue processing of TF modules in the same file - [#5503](https://github.com/bridgecrewio/checkov/pull/5503)\n- **terraform:** fix error type - [#5513](https://github.com/bridgecrewio/checkov/pull/5513)\n\n## [2.4.18](https://github.com/bridgecrewio/checkov/compare/2.4.14...2.4.18) - 2023-08-30\n\n### Feature\n\n- **arm:** implement CKV_AZURE_100 for arm - [#5490](https://github.com/bridgecrewio/checkov/pull/5490)\n- **arm:** implement CKV_AZURE_114 for arm - [#5489](https://github.com/bridgecrewio/checkov/pull/5489)\n- **arm:** implement CKV_AZURE_130 for arm - [#5485](https://github.com/bridgecrewio/checkov/pull/5485)\n- **arm:** implement CKV_AZURE_151 for arm - [#5484](https://github.com/bridgecrewio/checkov/pull/5484)\n\n### Bug Fix\n\n- **arm:** correctly handle json files with comments and output parsing errors - [#5495](https://github.com/bridgecrewio/checkov/pull/5495)\n\n## [2.4.14](https://github.com/bridgecrewio/checkov/compare/2.4.10...2.4.14) - 2023-08-27\n\n### Feature\n\n- **arm:** CKV_AZURE_66 implement config logging check for arm - [#5464](https://github.com/bridgecrewio/checkov/pull/5464)\n- **arm:** convert CKV_AZURE_65 to arm - [#5467](https://github.com/bridgecrewio/checkov/pull/5467)\n- **arm:** Implement CKV_AZURE_109 in arm - [#5483](https://github.com/bridgecrewio/checkov/pull/5483)\n- **arm:** implement CKV_AZURE_63 for arm - [#5475](https://github.com/bridgecrewio/checkov/pull/5475)\n- **arm:** implement CKV_AZURE_80 in arm - [#5476](https://github.com/bridgecrewio/checkov/pull/5476)\n- **secrets:** fix resource in git history scan - [#5482](https://github.com/bridgecrewio/checkov/pull/5482)\n\n### Bug Fix\n\n- **terraform:** extend CKV2_AWS_5 to include aws_appstream_fleet (#5487) - [#5491](https://github.com/bridgecrewio/checkov/pull/5491)\n\n## [2.4.10](https://github.com/bridgecrewio/checkov/compare/2.4.7...2.4.10) - 2023-08-24\n\n### Feature\n\n- **arm:** migrate check CKV_AZURE_50 to arm - [#5453](https://github.com/bridgecrewio/checkov/pull/5453)\n- **arm:** translate tf CKV_AZURE_93 check to arm - [#5450](https://github.com/bridgecrewio/checkov/pull/5450)\n- **kubernetes:** Added new endpoint for both helm and kustomize - [#5481](https://github.com/bridgecrewio/checkov/pull/5481)\n\n### Bug Fix\n\n- **dockerfile:** consider platform flag in CKV_DOCKER_7 - [#5468](https://github.com/bridgecrewio/checkov/pull/5468)\n- **kustomize:** support kubectl 1.28+ - [#5480](https://github.com/bridgecrewio/checkov/pull/5480)\n\n## [2.4.7](https://github.com/bridgecrewio/checkov/compare/2.4.6...2.4.7) - 2023-08-23\n\n### Feature\n\n- **secrets:** handle non iac secrets FP - [#5478](https://github.com/bridgecrewio/checkov/pull/5478)\n\n## [2.4.6](https://github.com/bridgecrewio/checkov/compare/2.4.5...2.4.6) - 2023-08-22\n\n### Bug Fix\n\n- **terraform:** Replaced / with os.pathsep to support windows better in terraform runner - [#5473](https://github.com/bridgecrewio/checkov/pull/5473)\n\n### Documentation\n\n- **terraform:** make jq default - [#5462](https://github.com/bridgecrewio/checkov/pull/5462)\n\n## [2.4.5](https://github.com/bridgecrewio/checkov/compare/2.4.4...2.4.5) - 2023-08-21\n\n### Bug Fix\n\n- **terraform:** Fix for-each/count updating inner for each index for every child resource - [#5463](https://github.com/bridgecrewio/checkov/pull/5463)\n\n## [2.4.4](https://github.com/bridgecrewio/checkov/compare/2.4.2...2.4.4) - 2023-08-20\n\n### Platform\n\n- **sca:** Filter IR FW upload results by supportedIrFw list - [#5448](https://github.com/bridgecrewio/checkov/pull/5448)\n\n## [2.4.2](https://github.com/bridgecrewio/checkov/compare/2.4.1...2.4.2) - 2023-08-17\n\n### Feature\n\n- **dockerfile:** Add CKV2_DOCKER_17 for chpasswd - [#5441](https://github.com/bridgecrewio/checkov/pull/5441)\n\n### Bug Fix\n\n- **kustomize:** Fix kustomize ignoring external policy dir command line options - [#5436](https://github.com/bridgecrewio/checkov/pull/5436)\n\n## [2.4.1](https://github.com/bridgecrewio/checkov/compare/2.3.365...2.4.1) - 2023-08-16\n\n### Feature\n\n- **terraform:** Remove old tf parser - [#5420](https://github.com/bridgecrewio/checkov/pull/5420)\n\n### Bug Fix\n\n- **terraform:** ensure TFModule is created properly in definition context - [#5446](https://github.com/bridgecrewio/checkov/pull/5446)\n\n## [2.3.365](https://github.com/bridgecrewio/checkov/compare/2.3.364...2.3.365) - 2023-08-14\n\n### Feature\n\n- **terraform:** Removed most usages of enable_nested_modules - [#5415](https://github.com/bridgecrewio/checkov/pull/5415)\n\n## [2.3.364](https://github.com/bridgecrewio/checkov/compare/2.3.361...2.3.364) - 2023-08-13\n\n### Feature\n\n- **sca:** update spdx-tools dep to version 0.8.0 and lower bound it - [#5431](https://github.com/bridgecrewio/checkov/pull/5431)\n- **terraform:** Add **address** field on vertices even if render_variables is set to False - [#5434](https://github.com/bridgecrewio/checkov/pull/5434)\n\n### Bug Fix\n\n- **terraform:** add new attached resource possibility to CKV2_AWS_23 #5424 - [#5429](https://github.com/bridgecrewio/checkov/pull/5429)\n- **terraform:** fix ordering issue in CKV_AWS_358 - [#5425](https://github.com/bridgecrewio/checkov/pull/5425)\n\n## [2.3.361](https://github.com/bridgecrewio/checkov/compare/2.3.360...2.3.361) - 2023-08-10\n\n### Bug Fix\n\n- **arm:** improve CKV_AZURE_24 check - [#5427](https://github.com/bridgecrewio/checkov/pull/5427)\n\n## [2.3.360](https://github.com/bridgecrewio/checkov/compare/2.3.358...2.3.360) - 2023-08-08\n\n### Bug Fix\n\n- **general:** Fix empty credentials file issue - [#5421](https://github.com/bridgecrewio/checkov/pull/5421)\n\n## [2.3.358](https://github.com/bridgecrewio/checkov/compare/2.3.356...2.3.358) - 2023-08-06\n\n### Feature\n\n- **secrets:** Make non-entropy signatures take precedence over entropy signatures - [#5412](https://github.com/bridgecrewio/checkov/pull/5412)\n\n### Bug Fix\n\n- **terraform:** Remove DMS S3 check CKV_AWS_299 - [#5413](https://github.com/bridgecrewio/checkov/pull/5413)\n\n## [2.3.356](https://github.com/bridgecrewio/checkov/compare/2.3.354...2.3.356) - 2023-08-03\n\n### Feature\n\n- **terraform:** Github Actions OIDC trust policy check - [#5402](https://github.com/bridgecrewio/checkov/pull/5402)\n\n## [2.3.354](https://github.com/bridgecrewio/checkov/compare/2.3.351...2.3.354) - 2023-08-02\n\n### Feature\n\n- **general:** allow `--var-file` to be passed as environment variable - [#5406](https://github.com/bridgecrewio/checkov/pull/5406)\n- **terraform:** Add new policy to ensure AWS Transfer server only allows secure protocols - [#5409](https://github.com/bridgecrewio/checkov/pull/5409)\n\n### Platform\n\n- **general:** remove obsolete run config fallback API call - [#5404](https://github.com/bridgecrewio/checkov/pull/5404)\n\n### Documentation\n\n- **gha:** Update setup-python version in GitHub Actions.md - [#5393](https://github.com/bridgecrewio/checkov/pull/5393)\n\n## [2.3.351](https://github.com/bridgecrewio/checkov/compare/2.3.349...2.3.351) - 2023-08-01\n\n### Feature\n\n- **terraform:** new serialization methods for module and block - [#5391](https://github.com/bridgecrewio/checkov/pull/5391)\n\n### Bug Fix\n\n- **terraform:** pr for upgrade-checkov - [#5400](https://github.com/bridgecrewio/checkov/pull/5400)\n\n## [2.3.349](https://github.com/bridgecrewio/checkov/compare/2.3.347...2.3.349) - 2023-07-31\n\n### Bug Fix\n\n- **terraform:** add TFDefinitionKey to get_entity_context_and_evaluations - [#5392](https://github.com/bridgecrewio/checkov/pull/5392)\n- **terraform:** consider new domain attribute in CKV2_AWS_19 - [#5383](https://github.com/bridgecrewio/checkov/pull/5383)\n\n## [2.3.347](https://github.com/bridgecrewio/checkov/compare/2.3.343...2.3.347) - 2023-07-27\n\n### Feature\n\n- **sca:** support composer.json - [#5382](https://github.com/bridgecrewio/checkov/pull/5382)\n- **terraform:** Use new function to create multi graph instead of single graph - [#5375](https://github.com/bridgecrewio/checkov/pull/5375)\n\n### Platform\n\n- **general:** Implement SSO Relay State Parameter in Checkov Output Links - [#5217](https://github.com/bridgecrewio/checkov/pull/5217)\n\n## [2.3.343](https://github.com/bridgecrewio/checkov/compare/2.3.338...2.3.343) - 2023-07-26\n\n### Feature\n\n- **sca:** fix package line numbers - [#5376](https://github.com/bridgecrewio/checkov/pull/5376)\n\n### Bug Fix\n\n- **terraform:** Fix CKV_AWS_104 to support new values - [#5377](https://github.com/bridgecrewio/checkov/pull/5377)\n\n## [2.3.338](https://github.com/bridgecrewio/checkov/compare/2.3.335...2.3.338) - 2023-07-23\n\n### Feature\n\n- **terraform:** add new function to create module and definitions with tests - [#5362](https://github.com/bridgecrewio/checkov/pull/5362)\n- **terraform:** GCP Ensure IAM Workload identity is restricted - [#5369](https://github.com/bridgecrewio/checkov/pull/5369)\n\n### Bug Fix\n\n- **general:** fix inline suppression collection inside lists - [#5370](https://github.com/bridgecrewio/checkov/pull/5370)\n\n## [2.3.335](https://github.com/bridgecrewio/checkov/compare/2.3.334...2.3.335) - 2023-07-20\n\n### Bug Fix\n\n- **terraform:** leverage read_file_with_any_encoding to safely look for modules - [#5360](https://github.com/bridgecrewio/checkov/pull/5360)\n\n## [2.3.334](https://github.com/bridgecrewio/checkov/compare/2.3.331...2.3.334) - 2023-07-19\n\n### Feature\n\n- **general:** Add resource code filter to all checkov loggers - [#5356](https://github.com/bridgecrewio/checkov/pull/5356)\n- **general:** Infrastructure for custom code logger filter - [#5346](https://github.com/bridgecrewio/checkov/pull/5346)\n\n### Bug Fix\n\n- **kustomize:** Avoid index error when calculating file path - [#5357](https://github.com/bridgecrewio/checkov/pull/5357)\n\n## [2.3.331](https://github.com/bridgecrewio/checkov/compare/2.3.329...2.3.331) - 2023-07-18\n\n### Feature\n\n- **openapi:** Add CKV_OPENAPI_21 - [#5268](https://github.com/bridgecrewio/checkov/pull/5268)\n\n### Bug Fix\n\n- **secrets:** handle regex error in custom secrets gracefully - [#5355](https://github.com/bridgecrewio/checkov/pull/5355)\n\n### Documentation\n\n- **general:** update docs about installation guidelines - [#5352](https://github.com/bridgecrewio/checkov/pull/5352)\n\n## [2.3.329](https://github.com/bridgecrewio/checkov/compare/2.3.326...2.3.329) - 2023-07-17\n\n### Feature\n\n- **github:** Add ability for External checks with git branch - [#5337](https://github.com/bridgecrewio/checkov/pull/5337)\n- **sca:** add fix command and code for indirect deps - [#5347](https://github.com/bridgecrewio/checkov/pull/5347)\n\n### Bug Fix\n\n- **kubernetes:** No dups when extracting images - [#5339](https://github.com/bridgecrewio/checkov/pull/5339)\n\n## [2.3.326](https://github.com/bridgecrewio/checkov/compare/2.3.324...2.3.326) - 2023-07-16\n\n### Feature\n\n- **sca:** add fix code and command to cve report - [#5333](https://github.com/bridgecrewio/checkov/pull/5333)\n- **sca:** fix code block array structure - [#5338](https://github.com/bridgecrewio/checkov/pull/5338)\n\n### Bug Fix\n\n- **general:** properly encode non supported chars in SARIF uri field - [#5336](https://github.com/bridgecrewio/checkov/pull/5336)\n\n### Documentation\n\n- **sca:** Add SCA skip comments to docs - [#5330](https://github.com/bridgecrewio/checkov/pull/5330)\n\n## [2.3.324](https://github.com/bridgecrewio/checkov/compare/2.3.321...2.3.324) - 2023-07-13\n\n### Bug Fix\n\n- **kustomize:** Added support for case where no parents are found for the relative fie path - [#5332](https://github.com/bridgecrewio/checkov/pull/5332)\n- **terraform:** Update CKV2_AWS_12 for the new defaults - [#5203](https://github.com/bridgecrewio/checkov/pull/5203)\n\n## [2.3.321](https://github.com/bridgecrewio/checkov/compare/2.3.320...2.3.321) - 2023-07-13\n\n### Feature\n\n- **kustomize:** Support child k8s resources inside kustomize origin annotations - [#5328](https://github.com/bridgecrewio/checkov/pull/5328)\n\n## [2.3.320](https://github.com/bridgecrewio/checkov/compare/2.3.318...2.3.320) - 2023-07-12\n\n### Bug Fix\n\n- **kustomize:** Checked for existence of caller_file_path in definitions_raw - [#5324](https://github.com/bridgecrewio/checkov/pull/5324)\n- **openapi:** Fix ws for CKV_OPENAPI_20 - [#5317](https://github.com/bridgecrewio/checkov/pull/5317)\n- **terraform:** CKV_AWS_342 - managed rules have predefined actions - [#5322](https://github.com/bridgecrewio/checkov/pull/5322)\n\n## [2.3.318](https://github.com/bridgecrewio/checkov/compare/2.3.316...2.3.318) - 2023-07-10\n\n### Feature\n\n- **general:** support UTF-16 and other encodings in multiple frameworks - [#5308](https://github.com/bridgecrewio/checkov/pull/5308)\n- **kustomize:** add back reverted kustomize annotations and update build github action to use github runners - [#5316](https://github.com/bridgecrewio/checkov/pull/5316)\n- **kustomize:** Add origin annotations to calculate bases of kustomize checks - [#5298](https://github.com/bridgecrewio/checkov/pull/5298)\n\n## [2.3.316](https://github.com/bridgecrewio/checkov/compare/2.3.314...2.3.316) - 2023-07-09\n\n### Feature\n\n- **secrets:** Improve the entropy keyword combinator secret scanner - [#5307](https://github.com/bridgecrewio/checkov/pull/5307)\n\n### Bug Fix\n\n- **openapi:** Fix CKV_OpenAPI_20 - [#5302](https://github.com/bridgecrewio/checkov/pull/5302)\n- **terraform:** fix invalid value in CKV_AWS_304 - [#5301](https://github.com/bridgecrewio/checkov/pull/5301)\n- **terraform:** support new field in CKV2_AWS_3 - [#5304](https://github.com/bridgecrewio/checkov/pull/5304)\n\n## [2.3.314](https://github.com/bridgecrewio/checkov/compare/2.3.312...2.3.314) - 2023-07-06\n\n### Feature\n\n- **dockerfile:** add ARM build for K8s container image - [#5293](https://github.com/bridgecrewio/checkov/pull/5293)\n- **general:** Add checkov.spec to enable PyInstaller - [#5281](https://github.com/bridgecrewio/checkov/pull/5281)\n\n### Bug Fix\n\n- **terraform:** remove CKV2_AZURE_18 check and improve CKV2_AZURE_1 - [#5294](https://github.com/bridgecrewio/checkov/pull/5294)\n\n## [2.3.312](https://github.com/bridgecrewio/checkov/compare/2.3.311...2.3.312) - 2023-07-05\n\n### Platform\n\n- **general:** use sca inline suppressions - [#5285](https://github.com/bridgecrewio/checkov/pull/5285)\n\n## [2.3.311](https://github.com/bridgecrewio/checkov/compare/2.3.310...2.3.311) - 2023-07-04\n\n### Feature\n\n- **openapi:** New OpenAPI check CKV_OPENAPI_20 - [#5253](https://github.com/bridgecrewio/checkov/pull/5253)\n\n## [2.3.310](https://github.com/bridgecrewio/checkov/compare/2.3.309...2.3.310) - 2023-07-02\n\n### Bug Fix\n\n- **terraform:** remove deprecated check CKV_GCP_67 - [#5275](https://github.com/bridgecrewio/checkov/pull/5275)\n\n### Documentation\n\n- **general:** Add csv to output - [#5273](https://github.com/bridgecrewio/checkov/pull/5273)\n\n## [2.3.309](https://github.com/bridgecrewio/checkov/compare/2.3.306...2.3.309) - 2023-06-29\n\n### Feature\n\n- **graph:** add experimental debug output for graph check evaluation - [#5257](https://github.com/bridgecrewio/checkov/pull/5257)\n\n### Bug Fix\n\n- **general:** revert add composer files to supported package files - [#5269](https://github.com/bridgecrewio/checkov/pull/5269)\n\n### Platform\n\n- **general:** add composer files to supported package files - [#5263](https://github.com/bridgecrewio/checkov/pull/5263)\n\n## [2.3.306](https://github.com/bridgecrewio/checkov/compare/2.3.303...2.3.306) - 2023-06-27\n\n### Feature\n\n- **terraform:** add module check for commit hash revision usage - [#5261](https://github.com/bridgecrewio/checkov/pull/5261)\n\n### Bug Fix\n\n- **openapi:** add security definition type validation into CKV_OPENAPI_9 - [#5262](https://github.com/bridgecrewio/checkov/pull/5262)\n- **secrets:** fix secrets omit crash when value is not string - [#5260](https://github.com/bridgecrewio/checkov/pull/5260)\n- **terraform:** ignore local modules in CKV_TF_1 - [#5264](https://github.com/bridgecrewio/checkov/pull/5264)\n\n## [2.3.303](https://github.com/bridgecrewio/checkov/compare/2.3.302...2.3.303) - 2023-06-26\n\n### Bug Fix\n\n- **arm:** consider encryption property in CKV_AZURE_2 - [#5254](https://github.com/bridgecrewio/checkov/pull/5254)\n\n## [2.3.302](https://github.com/bridgecrewio/checkov/compare/2.3.301...2.3.302) - 2023-06-25\n\n### Bug Fix\n\n- **terraform:** add missing AWS RDS CA certificate identifiers for aws_db_instance resource - [#5247](https://github.com/bridgecrewio/checkov/pull/5247)\n\n## [2.3.301](https://github.com/bridgecrewio/checkov/compare/2.3.299...2.3.301) - 2023-06-22\n\n### Feature\n\n- **general:** remove log from parallel common - [#5244](https://github.com/bridgecrewio/checkov/pull/5244)\n\n### Platform\n\n- **general:** Fix local repo generated name if ends with / - [#5243](https://github.com/bridgecrewio/checkov/pull/5243)\n\n## [2.3.299](https://github.com/bridgecrewio/checkov/compare/2.3.296...2.3.299) - 2023-06-21\n\n### Feature\n\n- **terraform:** ensure kms key policy is defined - [#5235](https://github.com/bridgecrewio/checkov/pull/5235)\n\n### Bug Fix\n\n- **sca:** fix wrongly invoked Image Referencer scanning when scanning a single file - [#5237](https://github.com/bridgecrewio/checkov/pull/5237)\n- **terraform_plan:** add terraform plan vertices to terraform graph if not exist - [#5230](https://github.com/bridgecrewio/checkov/pull/5230)\n\n## [2.3.296](https://github.com/bridgecrewio/checkov/compare/2.3.294...2.3.296) - 2023-06-19\n\n### Bug Fix\n\n- **dockerfile:** negative `is_dockerfile()` lookup on `.dockerignore` suffix - [#5219](https://github.com/bridgecrewio/checkov/pull/5219)\n- **terraform:** fix empty value issue for CKV_GIT_4 - [#5222](https://github.com/bridgecrewio/checkov/pull/5222)\n\n### Documentation\n\n- **graph:** add jsonpath custom policy example - [#5221](https://github.com/bridgecrewio/checkov/pull/5221)\n\n## [2.3.294](https://github.com/bridgecrewio/checkov/compare/2.3.292...2.3.294) - 2023-06-15\n\n### Feature\n\n- **gha:** add skip_path flag to GHA and allow multiple values in var_file - [#5213](https://github.com/bridgecrewio/checkov/pull/5213)\n- **sca:** add root package name and version to csv sbom - [#5211](https://github.com/bridgecrewio/checkov/pull/5211)\n\n## [2.3.292](https://github.com/bridgecrewio/checkov/compare/2.3.289...2.3.292) - 2023-06-14\n\n### Feature\n\n- **arm:** Handle another structure for SQL retention policy - [#5210](https://github.com/bridgecrewio/checkov/pull/5210)\n\n### Bug Fix\n\n- **secrets:** limit line length for custom secrets - [#5208](https://github.com/bridgecrewio/checkov/pull/5208)\n- **terraform:** Update GCP checks for plan files - [#5197](https://github.com/bridgecrewio/checkov/pull/5197)\n\n## [2.3.289](https://github.com/bridgecrewio/checkov/compare/2.3.287...2.3.289) - 2023-06-13\n\n### Feature\n\n- **sca:** removing the using of the constant CHECKOV_DISPLAY_REGISTRY_URL - [#5204](https://github.com/bridgecrewio/checkov/pull/5204)\n\n## [2.3.287](https://github.com/bridgecrewio/checkov/compare/2.3.285...2.3.287) - 2023-06-11\n\n### Feature\n\n- **general:** add checkov_diff pre-commit hook for scanning all changed files - [#5192](https://github.com/bridgecrewio/checkov/pull/5192)\n\n### Bug Fix\n\n- **cloudformation:** fix CKV_AWS_33 to consider deny statements - [#5193](https://github.com/bridgecrewio/checkov/pull/5193)\n\n### Documentation\n\n- **general:** Update pre-commit.md - [#5190](https://github.com/bridgecrewio/checkov/pull/5190)\n\n## [2.3.285](https://github.com/bridgecrewio/checkov/compare/2.3.283...2.3.285) - 2023-06-08\n\n### Feature\n\n- **arm:** and bicep: Ensure that Azure Front Door uses WAF in \"Detection\" or \"Prevention\" modes CKV_AZURE_123 - [#5049](https://github.com/bridgecrewio/checkov/pull/5049)\n\n### Bug Fix\n\n- **general:** handle cloned checks filtered via labels - [#5188](https://github.com/bridgecrewio/checkov/pull/5188)\n- **terraform:** adjust CKV_AZURE_6 to comply with new provider version - [#5189](https://github.com/bridgecrewio/checkov/pull/5189)\n\n## [2.3.283](https://github.com/bridgecrewio/checkov/compare/2.3.281...2.3.283) - 2023-06-07\n\n### Feature\n\n- **arm:** Handle arm db servers 2021 05 01 - [#5187](https://github.com/bridgecrewio/checkov/pull/5187)\n- **terraform:** Mark unresolved tf function calls as unresolved - [#5186](https://github.com/bridgecrewio/checkov/pull/5186)\n\n### Documentation\n\n- **general:** Add Enforcement CLI Command - [#5185](https://github.com/bridgecrewio/checkov/pull/5185)\n\n## [2.3.281](https://github.com/bridgecrewio/checkov/compare/2.3.278...2.3.281) - 2023-06-06\n\n### Feature\n\n- **terraform_plan:** Expose field changes to python checks - [#5112](https://github.com/bridgecrewio/checkov/pull/5112)\n\n### Bug Fix\n\n- **general:** Check that the result is not None before extracting vars in cli multiprocess runs - [#5183](https://github.com/bridgecrewio/checkov/pull/5183)\n- **general:** Correctly handle cli graphs in case we run with multiprocessing - [#5177](https://github.com/bridgecrewio/checkov/pull/5177)\n\n## [2.3.278](https://github.com/bridgecrewio/checkov/compare/2.3.276...2.3.278) - 2023-06-05\n\n### Bug Fix\n\n- **kubernetes:** dont' fail if spec is missing and default value is set to the fix value. - [#5167](https://github.com/bridgecrewio/checkov/pull/5167)\n\n## [2.3.276](https://github.com/bridgecrewio/checkov/compare/2.3.273...2.3.276) - 2023-06-04\n\n### Feature\n\n- **arm:** ARM and bicep checks for CKV_AZURE_121 - [#5029](https://github.com/bridgecrewio/checkov/pull/5029)\n- **terraform:** Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 - [#5027](https://github.com/bridgecrewio/checkov/pull/5027)\n- **terraform:** Ensure Azure firewall sets threatintelMode to Deny - [#5013](https://github.com/bridgecrewio/checkov/pull/5013)\n- **terraform:** Ensure firewall defines a policy - [#5038](https://github.com/bridgecrewio/checkov/pull/5038)\n- **terraform:** Ensure Firewall policy has IDPS mode as deny - [#5039](https://github.com/bridgecrewio/checkov/pull/5039)\n\n### Bug Fix\n\n- **dockerfile:** support platform flag in CKV_DOCKER_11 - [#5170](https://github.com/bridgecrewio/checkov/pull/5170)\n- **terraform:** support condition in IAM policy data blocks - [#5171](https://github.com/bridgecrewio/checkov/pull/5171)\n- **terraform:** Unable to download Terraform modules from JFrog Artifactory - [#5155](https://github.com/bridgecrewio/checkov/pull/5155)\n\n## [2.3.273](https://github.com/bridgecrewio/checkov/compare/2.3.267...2.3.273) - 2023-06-01\n\n### Feature\n\n- **ansible:** add support of inline suppression for Ansible graph checks - [#5143](https://github.com/bridgecrewio/checkov/pull/5143)\n- **terraform:** Use just AWS regex to check EC2Credentials - [#5159](https://github.com/bridgecrewio/checkov/pull/5159)\n\n### Bug Fix\n\n- **cloudformation:** fix evaluate_default_refs func in cfn - [#5164](https://github.com/bridgecrewio/checkov/pull/5164)\n- **general:** fix SARIF output related to security-severity field - [#5160](https://github.com/bridgecrewio/checkov/pull/5160)\n- **terraform:** adjust CKV_AWS_85 to only look for one log type to pass - [#5162](https://github.com/bridgecrewio/checkov/pull/5162)\n- **terraform:** update latest major version of Postgres to v15 - [#5163](https://github.com/bridgecrewio/checkov/pull/5163)\n\n### Platform\n\n- **general:** Add no upload flag and report contributors for all API key runs - [#5052](https://github.com/bridgecrewio/checkov/pull/5052)\n\n## [2.3.267](https://github.com/bridgecrewio/checkov/compare/2.3.264...2.3.267) - 2023-05-31\n\n### Bug Fix\n\n- **kubernetes:** fix extracting k8s nested resources - [#5146](https://github.com/bridgecrewio/checkov/pull/5146)\n- **sca:** suppression - fix unit testing - [#5158](https://github.com/bridgecrewio/checkov/pull/5158)\n- **sca:** suppression is not working on SCA packages - [#5156](https://github.com/bridgecrewio/checkov/pull/5156)\n\n## [2.3.264](https://github.com/bridgecrewio/checkov/compare/2.3.261...2.3.264) - 2023-05-30\n\n### Feature\n\n- **terraform:** don't fail CKV_AWS_2 on un-rendered value - [#5147](https://github.com/bridgecrewio/checkov/pull/5147)\n- **terraform:** Foreach support resources edges - [#5145](https://github.com/bridgecrewio/checkov/pull/5145)\n\n### Bug Fix\n\n- **terraform:** exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 - [#5135](https://github.com/bridgecrewio/checkov/pull/5135)\n\n### Documentation\n\n- **general:** Update operators with examples - [#5137](https://github.com/bridgecrewio/checkov/pull/5137)\n\n## [2.3.261](https://github.com/bridgecrewio/checkov/compare/2.3.259...2.3.261) - 2023-05-28\n\n### Feature\n\n- **general:** Added computation of git_root_path to igraph serialization - [#5107](https://github.com/bridgecrewio/checkov/pull/5107)\n- **sca:** adding validation for the file_line_number - [#5132](https://github.com/bridgecrewio/checkov/pull/5132)\n- **terraform:** foreach remove error from info log. - [#5139](https://github.com/bridgecrewio/checkov/pull/5139)\n\n### Bug Fix\n\n- **terraform:** Should use UNKNOWN rather than skipped - [#5136](https://github.com/bridgecrewio/checkov/pull/5136)\n\n## [2.3.259](https://github.com/bridgecrewio/checkov/compare/2.3.257...2.3.259) - 2023-05-24\n\n### Feature\n\n- **terraform:** extend CKV2_AWS_5 with new resources - [#5129](https://github.com/bridgecrewio/checkov/pull/5129)\n- **terraform:** IAM limit resource access - [#5015](https://github.com/bridgecrewio/checkov/pull/5015)\n\n### Bug Fix\n\n- **kustomize:** fix empty kustomize file crash - [#5131](https://github.com/bridgecrewio/checkov/pull/5131)\n\n### Platform\n\n- **general:** SBOM lines numbers adjusting - [#5127](https://github.com/bridgecrewio/checkov/pull/5127)\n\n## [2.3.257](https://github.com/bridgecrewio/checkov/compare/2.3.251...2.3.257) - 2023-05-23\n\n### Feature\n\n- **sca:** adding the risk factor v2 to the vulnerability details - [#5108](https://github.com/bridgecrewio/checkov/pull/5108)\n- **sca:** dockerfile image-referencer fixes - [#5120](https://github.com/bridgecrewio/checkov/pull/5120)\n- **secrets:** Add new pre-commit hook for secrets - [#5103](https://github.com/bridgecrewio/checkov/pull/5103)\n- **terraform:** add check to look at star resources - [#4996](https://github.com/bridgecrewio/checkov/pull/4996)\n\n### Bug Fix\n\n- **gitlab:** Skipping image blocks without name attribute - [#5126](https://github.com/bridgecrewio/checkov/pull/5126)\n- **terraform:** fix terraform variable rendering for provider alias - [#5124](https://github.com/bridgecrewio/checkov/pull/5124)\n\n### Platform\n\n- **general:** Enhancing Sarif output with Security Severity Level - [#5074](https://github.com/bridgecrewio/checkov/pull/5074)\n\n## [2.3.251](https://github.com/bridgecrewio/checkov/compare/2.3.247...2.3.251) - 2023-05-21\n\n### Feature\n\n- **secrets:** add jwt detector to the secret runner - [#5116](https://github.com/bridgecrewio/checkov/pull/5116)\n- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#5089](https://github.com/bridgecrewio/checkov/pull/5089)\n- **terraform:** AWS Ensure RDS performance insights uses a CMK - [#4985](https://github.com/bridgecrewio/checkov/pull/4985)\n- **terraform:** NACL should restrict port ingress - [#4976](https://github.com/bridgecrewio/checkov/pull/4976)\n- **terraform:** RDS Enable Performance insights - [#4983](https://github.com/bridgecrewio/checkov/pull/4983)\n\n### Bug Fix\n\n- **dockerfile:** improve update searching in CKV_DOCKER_5 - [#5115](https://github.com/bridgecrewio/checkov/pull/5115)\n\n### Documentation\n\n- **general:** Update CLI Command Reference.md - [#5114](https://github.com/bridgecrewio/checkov/pull/5114)\n\n## [2.3.247](https://github.com/bridgecrewio/checkov/compare/2.3.245...2.3.247) - 2023-05-18\n\n### Feature\n\n- **general:** add SPDX output - [#5104](https://github.com/bridgecrewio/checkov/pull/5104)\n- **kubernetes:** seperate service acoount builder to improve performance - [#5093](https://github.com/bridgecrewio/checkov/pull/5093)\n- **sca:** showing line numbers in the cli output for csv - [#5096](https://github.com/bridgecrewio/checkov/pull/5096)\n- **sca:** showing line numbers in the cli output for licenses - [#5098](https://github.com/bridgecrewio/checkov/pull/5098)\n\n## [2.3.245](https://github.com/bridgecrewio/checkov/compare/2.3.243...2.3.245) - 2023-05-16\n\n### Feature\n\n- **dockerfile:** Support docker graph check skips - [#5085](https://github.com/bridgecrewio/checkov/pull/5085)\n- **sca:** using the lines in the directly in the record, rather than in the \"vulnerability_details\" + having it in ExtraResources - [#5092](https://github.com/bridgecrewio/checkov/pull/5092)\n\n## [2.3.243](https://github.com/bridgecrewio/checkov/compare/2.3.240...2.3.243) - 2023-05-15\n\n### Feature\n\n- **kubernetes:** Improve k8s perf - [#5083](https://github.com/bridgecrewio/checkov/pull/5083)\n- **terraform:** EMR - At rest local disk, EBS and in transit encryption checks - [#4968](https://github.com/bridgecrewio/checkov/pull/4968)\n\n### Bug Fix\n\n- **kubernetes:** add mini k8s parser for invalid templates - [#5088](https://github.com/bridgecrewio/checkov/pull/5088)\n- **terraform:** handle false-positives for Route53ZoneEnableDNSSECSigning - [#5084](https://github.com/bridgecrewio/checkov/pull/5084)\n\n### Platform\n\n- **general:** Add lines to SBOM - [#5078](https://github.com/bridgecrewio/checkov/pull/5078)\n- **graph:** upload graphs to the platform - [#5073](https://github.com/bridgecrewio/checkov/pull/5073)\n\n## [2.3.240](https://github.com/bridgecrewio/checkov/compare/2.3.239...2.3.240) - 2023-05-14\n\n### Bug Fix\n\n- **terraform:** skip invalid multiple modules names - [#5079](https://github.com/bridgecrewio/checkov/pull/5079)\n\n## [2.3.239](https://github.com/bridgecrewio/checkov/compare/2.3.238...2.3.239) - 2023-05-12\n\n### Bug Fix\n\n- **sca:** only run image referencer with sca_image framework - [#5081](https://github.com/bridgecrewio/checkov/pull/5081)\n\n## [2.3.238](https://github.com/bridgecrewio/checkov/compare/2.3.237...2.3.238) - 2023-05-11\n\n### Feature\n\n- **kustomize:** Support inline skips for Kubernetes graph checks - [#5070](https://github.com/bridgecrewio/checkov/pull/5070)\n\n## [2.3.237](https://github.com/bridgecrewio/checkov/compare/2.3.234...2.3.237) - 2023-05-10\n\n### Bug Fix\n\n- **secrets:** add filter for suppressed custom secret checks - [#5068](https://github.com/bridgecrewio/checkov/pull/5068)\n- **secrets:** exclude Kubernetes secretName from secret scanning - [#5071](https://github.com/bridgecrewio/checkov/pull/5071)\n- **secrets:** omit the code line - [#5075](https://github.com/bridgecrewio/checkov/pull/5075)\n\n## [2.3.234](https://github.com/bridgecrewio/checkov/compare/2.3.231...2.3.234) - 2023-05-09\n\n### Feature\n\n- **terraform:** Added caller_file_path and caller_file_line_range to reduced report - [#5062](https://github.com/bridgecrewio/checkov/pull/5062)\n- **terraform:** AWS IAM don't generate root credentials 348 - [#4966](https://github.com/bridgecrewio/checkov/pull/4966)\n- **terraform:** Ensure Neptune cluster is encrypted with a CMK CKV_AWS_347 - [#4965](https://github.com/bridgecrewio/checkov/pull/4965)\n\n### Bug Fix\n\n- **terraform:** fix SQS encryption check CKV_AWS_27 - [#5065](https://github.com/bridgecrewio/checkov/pull/5065)\n\n### Documentation\n\n- **general:** Fix some links - [#5064](https://github.com/bridgecrewio/checkov/pull/5064)\n- **general:** update Python custom checks docs - [#5054](https://github.com/bridgecrewio/checkov/pull/5054)\n\n## [2.3.231](https://github.com/bridgecrewio/checkov/compare/2.3.227...2.3.231) - 2023-05-08\n\n### Feature\n\n- **terraform:** aws ensure delete protection for firewalls 344 - [#4870](https://github.com/bridgecrewio/checkov/pull/4870)\n- **terraform:** check that WAF rules have an action 342 - [#4806](https://github.com/bridgecrewio/checkov/pull/4806)\n- **terraform:** Ensure encryption for firewall uses a CMK CKV_AWS_345 - [#4871](https://github.com/bridgecrewio/checkov/pull/4871)\n- **terraform:** Ensure Network firewall policy defines a encryption configuration that uses a CMK - CKV_AWS_346 - [#4877](https://github.com/bridgecrewio/checkov/pull/4877)\n\n### Bug Fix\n\n- **kubernetes:** Update ckv_k8s_31 - [#4991](https://github.com/bridgecrewio/checkov/pull/4991)\n\n## [2.3.227](https://github.com/bridgecrewio/checkov/compare/2.3.224...2.3.227) - 2023-05-07\n\n### Feature\n\n- **general:** include missing files in save repository - [#5056](https://github.com/bridgecrewio/checkov/pull/5056)\n- **terraform:** launch config/template Ensure metadata hop =1 341 - [#4817](https://github.com/bridgecrewio/checkov/pull/4817)\n- **terraform:** Update CKV_AZURE_43 StorageAccountName.py VARIABLE_REFS - [#5045](https://github.com/bridgecrewio/checkov/pull/5045)\n\n### Bug Fix\n\n- **arm:** enabled is not true - [#5051](https://github.com/bridgecrewio/checkov/pull/5051)\n- **cloudformation:** Enable ALB to support tls1.3 policies #4962 - [#5035](https://github.com/bridgecrewio/checkov/pull/5035)\n- **secrets:** add handling of unicode error - [#5055](https://github.com/bridgecrewio/checkov/pull/5055)\n\n## [2.3.224](https://github.com/bridgecrewio/checkov/compare/2.3.223...2.3.224) - 2023-05-05\n\n### Platform\n\n- **general:** Catch None responses from BE - [#5033](https://github.com/bridgecrewio/checkov/pull/5033)\n\n## [2.3.223](https://github.com/bridgecrewio/checkov/compare/2.3.220...2.3.223) - 2023-05-04\n\n### Feature\n\n- **terraform:** Elastic beanstalk uses managed updates and fixes the EB check while i… 340 - [#4816](https://github.com/bridgecrewio/checkov/pull/4816)\n\n### Bug Fix\n\n- **secrets:** don't scan images in git history - [#5040](https://github.com/bridgecrewio/checkov/pull/5040)\n- **terraform:** fix foreach render value for lookup - [#5037](https://github.com/bridgecrewio/checkov/pull/5037)\n- **terraform:** Handle entity context for for_each resources - [#5036](https://github.com/bridgecrewio/checkov/pull/5036)\n\n## [2.3.220](https://github.com/bridgecrewio/checkov/compare/2.3.214...2.3.220) - 2023-05-03\n\n### Feature\n\n- **secrets:** open the feature - scan git history - [#5022](https://github.com/bridgecrewio/checkov/pull/5022)\n- **terraform:** Set TF Modules for_each env var to true - [#5021](https://github.com/bridgecrewio/checkov/pull/5021)\n- **terraform:** Set TF modules for_each env vars as True - [#4794](https://github.com/bridgecrewio/checkov/pull/4794)\n\n### Bug Fix\n\n- **secrets:** add filter for suppressed custom secret checks - [#5016](https://github.com/bridgecrewio/checkov/pull/5016)\n- **terraform:** improve attribute performance - [#5014](https://github.com/bridgecrewio/checkov/pull/5014)\n- **terraform:** Update CKV_AWS_338 message and retention check for 0 - [#5018](https://github.com/bridgecrewio/checkov/pull/5018)\n- **terraform:** Update CKV2_AZURE_33 to remove checks on unrelated conditions - [#5020](https://github.com/bridgecrewio/checkov/pull/5020)\n\n## [2.3.214](https://github.com/bridgecrewio/checkov/compare/2.3.212...2.3.214) - 2023-05-02\n\n### Bug Fix\n\n- **secrets:** Adding quote to required secret in case needed - [#5008](https://github.com/bridgecrewio/checkov/pull/5008)\n- **secrets:** change color of invalid secret message - [#5007](https://github.com/bridgecrewio/checkov/pull/5007)\n\n### Platform\n\n- **general:** upload checks code_block to report - [#5001](https://github.com/bridgecrewio/checkov/pull/5001)\n\n## [2.3.212](https://github.com/bridgecrewio/checkov/compare/2.3.205...2.3.212) - 2023-04-30\n\n### Feature\n\n- **kubernetes:** support suppressing custom K8s policies - [#4990](https://github.com/bridgecrewio/checkov/pull/4990)\n- **terraform:** AWS EKS Use only platform supported versions 339 - [#4810](https://github.com/bridgecrewio/checkov/pull/4810)\n- **terraform:** Azure APIm backend uses only HTTPS - [#4811](https://github.com/bridgecrewio/checkov/pull/4811)\n- **terraform:** Ensure Cloudwatch retention is a year or more 338 - [#4799](https://github.com/bridgecrewio/checkov/pull/4799)\n- **terraform:** remove redundant foreach deepcopy - [#4982](https://github.com/bridgecrewio/checkov/pull/4982)\n\n### Bug Fix\n\n- **secrets:** fix missing history results when history store is used - [#4992](https://github.com/bridgecrewio/checkov/pull/4992)\n- **terraform:** secret- also check user data in launch config and template - [#4969](https://github.com/bridgecrewio/checkov/pull/4969)\n\n## [2.3.205](https://github.com/bridgecrewio/checkov/compare/2.3.204...2.3.205) - 2023-04-28\n\n### Bug Fix\n\n- **gitlab:** fix resource id parsing recursive - [#4987](https://github.com/bridgecrewio/checkov/pull/4987)\n\n### Documentation\n\n- **terraform:** fix docs formatting - [#4988](https://github.com/bridgecrewio/checkov/pull/4988)\n\n## [2.3.204](https://github.com/bridgecrewio/checkov/compare/2.3.199...2.3.204) - 2023-04-27\n\n### Feature\n\n- **terraform:** add support for private terraform registries - [#4964](https://github.com/bridgecrewio/checkov/pull/4964)\n- **terraform:** remove cross varaibles bad list comprehension - [#4948](https://github.com/bridgecrewio/checkov/pull/4948)\n\n### Bug Fix\n\n- **general:** log all returned enforcement rules for debugging - [#4989](https://github.com/bridgecrewio/checkov/pull/4989)\n- **general:** remove invalid URLs in GitLab SAST output - [#4960](https://github.com/bridgecrewio/checkov/pull/4960)\n- **secrets:** change default value of secret values to empty strings - [#4973](https://github.com/bridgecrewio/checkov/pull/4973)\n- **terraform:** Added a condition to not override source module object for old parser - [#4975](https://github.com/bridgecrewio/checkov/pull/4975)\n\n## [2.3.199](https://github.com/bridgecrewio/checkov/compare/2.3.194...2.3.199) - 2023-04-24\n\n### Feature\n\n- **terraform:** Ensure container defines a readonly root drive 336 - [#4788](https://github.com/bridgecrewio/checkov/pull/4788)\n- **terraform:** ensure pidmode is not set to host 335 - [#4786](https://github.com/bridgecrewio/checkov/pull/4786)\n- **terraform:** Ensure SSM params are encrypted using a CMK 337 - [#4789](https://github.com/bridgecrewio/checkov/pull/4789)\n- **terraform:** Network firewall must define a logging configuration CKV2_AWS_63 - [#4872](https://github.com/bridgecrewio/checkov/pull/4872)\n- **terraform:** Reduce module loading in TF Parser - [#4959](https://github.com/bridgecrewio/checkov/pull/4959)\n\n### Bug Fix\n\n- **kustomize:** fix image_referencer paths - [#4898](https://github.com/bridgecrewio/checkov/pull/4898)\n- **terraform:** support TF provider v3 for lifecycle existence check - [#4952](https://github.com/bridgecrewio/checkov/pull/4952)\n\n### Documentation\n\n- **terraform_plan:** Add Deep Analysis to docs - [#4950](https://github.com/bridgecrewio/checkov/pull/4950)\n\n## [2.3.194](https://github.com/bridgecrewio/checkov/compare/2.3.192...2.3.194) - 2023-04-23\n\n### Feature\n\n- **general:** deserialize report & record from json - [#4947](https://github.com/bridgecrewio/checkov/pull/4947)\n- **sca:** fix extract fix version in sbom report - [#4936](https://github.com/bridgecrewio/checkov/pull/4936)\n- **terraform:** cross variable performance improvement - [#4946](https://github.com/bridgecrewio/checkov/pull/4946)\n\n### Bug Fix\n\n- **github:** make GH Actions delimiter unique in multiline env vars - [#4938](https://github.com/bridgecrewio/checkov/pull/4938)\n\n## [2.3.192](https://github.com/bridgecrewio/checkov/compare/2.3.187...2.3.192) - 2023-04-20\n\n### Feature\n\n- **general:** add policy-metadata-filter to gh action - [#4941](https://github.com/bridgecrewio/checkov/pull/4941)\n- **secrets:** support first commit results - [#4927](https://github.com/bridgecrewio/checkov/pull/4927)\n- **terraform:** Used generator instead of list comprehension to improve performance for large graphs - [#4939](https://github.com/bridgecrewio/checkov/pull/4939)\n\n### Bug Fix\n\n- **terraform:** make the ECS cluster logging check more resilient - [#4942](https://github.com/bridgecrewio/checkov/pull/4942)\n- **terraform:** remove invalid Terraform module reference support - [#4931](https://github.com/bridgecrewio/checkov/pull/4931)\n- **terraform:** support null values in list of dicts - [#4937](https://github.com/bridgecrewio/checkov/pull/4937)\n\n### Documentation\n\n- **bitbucket:** Update Bitbucket documentation to match the code. - [#4934](https://github.com/bridgecrewio/checkov/pull/4934)\n- **sca:** Add more ways to skip CVEs - [#4928](https://github.com/bridgecrewio/checkov/pull/4928)\n\n## [2.3.187](https://github.com/bridgecrewio/checkov/compare/2.3.183...2.3.187) - 2023-04-19\n\n### Feature\n\n- **general:** 3D policies syntax refactor - [#4865](https://github.com/bridgecrewio/checkov/pull/4865)\n- **secrets:** support scanning of secrets in hidden paths - [#4925](https://github.com/bridgecrewio/checkov/pull/4925)\n\n### Bug Fix\n\n- **secrets:** Revert timeout in unix to work with signals - [#4932](https://github.com/bridgecrewio/checkov/pull/4932)\n- **secrets:** timeout in unix to work with signals - [#4933](https://github.com/bridgecrewio/checkov/pull/4933)\n\n### Documentation\n\n- **secrets:** Add readme file for Git History - [#4913](https://github.com/bridgecrewio/checkov/pull/4913)\n\n## [2.3.183](https://github.com/bridgecrewio/checkov/compare/2.3.176...2.3.183) - 2023-04-18\n\n### Feature\n\n- **sca:** add is public fix version to sbom report - [#4915](https://github.com/bridgecrewio/checkov/pull/4915)\n- **secrets:** add more files to ignore list in git history - [#4912](https://github.com/bridgecrewio/checkov/pull/4912)\n- **terraform:** Ensure that container definition is not privileged 334 - [#4779](https://github.com/bridgecrewio/checkov/pull/4779)\n- **terraform:** TF provider check support - [#4911](https://github.com/bridgecrewio/checkov/pull/4911)\n\n### Bug Fix\n\n- **general:** Dedup results contain multiple identical images if using template syntax - [#4924](https://github.com/bridgecrewio/checkov/pull/4924)\n- **general:** fix wrong abs path in IR record - [#4919](https://github.com/bridgecrewio/checkov/pull/4919)\n- **secrets:** Save fetched policy destination from current work dir to temp - [#4914](https://github.com/bridgecrewio/checkov/pull/4914)\n- **secrets:** timeout in unix to work with signals - [#4920](https://github.com/bridgecrewio/checkov/pull/4920)\n- **terraform:** Fix for_each flow conditions - [#4918](https://github.com/bridgecrewio/checkov/pull/4918)\n- **terraform:** make sure K8s volume is a dict - [#4917](https://github.com/bridgecrewio/checkov/pull/4917)\n\n## [2.3.176](https://github.com/bridgecrewio/checkov/compare/2.3.171...2.3.176) - 2023-04-17\n\n### Feature\n\n- **arm:** add Storage accounts disallow public access check for ARM - [#4906](https://github.com/bridgecrewio/checkov/pull/4906)\n- **dockerfile:** Add CKV2_DOCKER_16 for PIP_TRUSTED_HOST - [#4893](https://github.com/bridgecrewio/checkov/pull/4893)\n- **sca:** add is private fix version to sca output - [#4891](https://github.com/bridgecrewio/checkov/pull/4891)\n\n### Bug Fix\n\n- **secrets:** fix absolute file path cases - [#4901](https://github.com/bridgecrewio/checkov/pull/4901)\n- **terraform:** fix foreach count is none bug - [#4907](https://github.com/bridgecrewio/checkov/pull/4907)\n- **terraform:** limit RDS cluster audit logging to MySQL engine - [#4897](https://github.com/bridgecrewio/checkov/pull/4897)\n- **terraform:** remove duplicate call to convert graph vertices - [#4909](https://github.com/bridgecrewio/checkov/pull/4909)\n- **terraform:** remove local blocks with just line number - [#4902](https://github.com/bridgecrewio/checkov/pull/4902)\n\n## [2.3.171](https://github.com/bridgecrewio/checkov/compare/2.3.165...2.3.171) - 2023-04-16\n\n### Feature\n\n- **secrets:** improve timing git history - [#4890](https://github.com/bridgecrewio/checkov/pull/4890)\n- **terraform:** add support for list of dicts in for loop - [#4895](https://github.com/bridgecrewio/checkov/pull/4895)\n\n### Bug Fix\n\n- **cloudformation:** fix invalid fn sub param in cfn - [#4900](https://github.com/bridgecrewio/checkov/pull/4900)\n- **secrets:** fix error if writing to file when don't have access - [#4896](https://github.com/bridgecrewio/checkov/pull/4896)\n- **secrets:** fix None in file name - [#4899](https://github.com/bridgecrewio/checkov/pull/4899)\n- **secrets:** reduce false positives in yaml files - case of serverless and secretmanager - [#4892](https://github.com/bridgecrewio/checkov/pull/4892)\n\n## [2.3.165](https://github.com/bridgecrewio/checkov/compare/2.3.160...2.3.165) - 2023-04-13\n\n### Feature\n\n- **terraform:** ECS Service should not auto assign public IPs 333 - [#4777](https://github.com/bridgecrewio/checkov/pull/4777)\n- **terraform:** EFS access points should define a user and a path 329-330 - [#4768](https://github.com/bridgecrewio/checkov/pull/4768)\n- **terraform:** Ensure ECS Fargate uses latest version 332 - [#4775](https://github.com/bridgecrewio/checkov/pull/4775)\n- **terraform:** Transit gateway should not be set up to autoaccept any VPC 331 - [#4770](https://github.com/bridgecrewio/checkov/pull/4770)\n\n### Bug Fix\n\n- **general:** fix duplicate sarif output - [#4886](https://github.com/bridgecrewio/checkov/pull/4886)\n- **secrets:** fix slicing in githistory - [#4889](https://github.com/bridgecrewio/checkov/pull/4889)\n- **terraform:** exclude GCP asymmetric keys from key rotation - [#4879](https://github.com/bridgecrewio/checkov/pull/4879)\n- **terraform:** Paid is now standard - [#4880](https://github.com/bridgecrewio/checkov/pull/4880)\n- **terraform:** support empty filter in S3 lifecycle config - [#4875](https://github.com/bridgecrewio/checkov/pull/4875)\n\n## [2.3.160](https://github.com/bridgecrewio/checkov/compare/2.3.158...2.3.160) - 2023-04-11\n\n### Bug Fix\n\n- **general:** catch unexpected errors when querying OpenAI - [#4883](https://github.com/bridgecrewio/checkov/pull/4883)\n\n## [2.3.158](https://github.com/bridgecrewio/checkov/compare/2.3.155...2.3.158) - 2023-04-10\n\n### Feature\n\n- **secrets:** Add fields to record of secrets in git history - [#4838](https://github.com/bridgecrewio/checkov/pull/4838)\n\n### Bug Fix\n\n- **terraform_plan:** Handled TFDefinitionKey in plan runner as well - [#4864](https://github.com/bridgecrewio/checkov/pull/4864)\n\n## [2.3.155](https://github.com/bridgecrewio/checkov/compare/2.3.152...2.3.155) - 2023-04-09\n\n### Feature\n\n- **cloudformation:** support inline suppression of CFN graph checks - [#4843](https://github.com/bridgecrewio/checkov/pull/4843)\n- **terraform:** Aurora DB should enable backtrack - [#4739](https://github.com/bridgecrewio/checkov/pull/4739)\n- **terraform:** Desync must be set to defensive or strictest - [#4766](https://github.com/bridgecrewio/checkov/pull/4766)\n- **terraform:** Ensure that RDS clusters are encrypted using a CMK - [#4742](https://github.com/bridgecrewio/checkov/pull/4742)\n- **terraform:** RDS Cluster - make sure rds cluster defined defaults for logging and audit logging - [#4736](https://github.com/bridgecrewio/checkov/pull/4736)\n\n### Bug Fix\n\n- **general:** be more forgiving of skipped checks without comment - [#4844](https://github.com/bridgecrewio/checkov/pull/4844)\n- **terraform:** default case should pass for auto updates - [#4847](https://github.com/bridgecrewio/checkov/pull/4847)\n- **terraform:** False negative for CKV_AZURE_179 - [#4846](https://github.com/bridgecrewio/checkov/pull/4846)\n- **terraform:** Only update config if len is bigger than 0 - [#4855](https://github.com/bridgecrewio/checkov/pull/4855)\n\n## [2.3.152](https://github.com/bridgecrewio/checkov/compare/2.3.150...2.3.152) - 2023-04-04\n\n### Feature\n\n- **dockerfile:** Add CKV2_DOCKER_15 for yum-config-manager sslverify - [#4622](https://github.com/bridgecrewio/checkov/pull/4622)\n\n### Bug Fix\n\n- **cloudformation:** Security Group check now work for ranges and strings - [#4797](https://github.com/bridgecrewio/checkov/pull/4797)\n- **terraform:** Ensure APPService default action is to ignore not fail - [#4790](https://github.com/bridgecrewio/checkov/pull/4790)\n- **terraform:** Subnetworks with internal purpose can have private_ipv6_google_access… - [#4804](https://github.com/bridgecrewio/checkov/pull/4804)\n\n## [2.3.150](https://github.com/bridgecrewio/checkov/compare/2.3.148...2.3.150) - 2023-04-03\n\n### Feature\n\n- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4800](https://github.com/bridgecrewio/checkov/pull/4800)\n\n### Bug Fix\n\n- **terraform:** Fix for edge cases in for_each modules - [#4831](https://github.com/bridgecrewio/checkov/pull/4831)\n\n## [2.3.148](https://github.com/bridgecrewio/checkov/compare/2.3.140...2.3.148) - 2023-04-02\n\n### Feature\n\n- **kubernetes:** support non-utf-8 encoded Kubernetes manifest files - [#4820](https://github.com/bridgecrewio/checkov/pull/4820)\n- **terraform:** ElasticCache for Redis cluster should automatically take minor updates - [#4726](https://github.com/bridgecrewio/checkov/pull/4726)\n- **terraform:** Ensure opensearch is configured for HA - [#4717](https://github.com/bridgecrewio/checkov/pull/4717)\n- **terraform:** Ensure Redshift specifies a DB name - [#4723](https://github.com/bridgecrewio/checkov/pull/4723)\n- **terraform:** Ensure Redshift uses enhanced vpc routing - [#4724](https://github.com/bridgecrewio/checkov/pull/4724)\n- **terraform:** Fix up ES logging check - [#4720](https://github.com/bridgecrewio/checkov/pull/4720)\n\n### Bug Fix\n\n- **general:** don't add an invalid URL to helpUri field in SARIF output - [#4814](https://github.com/bridgecrewio/checkov/pull/4814)\n- **graph:** support string values for resource_types in graph checks properly - [#4819](https://github.com/bridgecrewio/checkov/pull/4819)\n- **kubernetes:** Don't require ImagePullPolicy when digest (#4776) - [#4781](https://github.com/bridgecrewio/checkov/pull/4781)\n- **secrets:** catch errors in middle of process of getting commit diffs - [#4823](https://github.com/bridgecrewio/checkov/pull/4823)\n- **terraform:** Fix add_to_block condition to support more edge cases - [#4822](https://github.com/bridgecrewio/checkov/pull/4822)\n- **terraform:** fix false positive CKV2_GCP_20 (fails for any non-MySQL instance) - [#4813](https://github.com/bridgecrewio/checkov/pull/4813)\n- **terraform:** Length resolvers evaluate length of `dict` as 1. - [#4808](https://github.com/bridgecrewio/checkov/pull/4808)\n\n### Platform\n\n- **general:** Save error lines in IR records - [#4821](https://github.com/bridgecrewio/checkov/pull/4821)\n\n## [2.3.140](https://github.com/bridgecrewio/checkov/compare/2.3.134...2.3.140) - 2023-03-30\n\n### Feature\n\n- **general:** add OpenAI integration - [#4782](https://github.com/bridgecrewio/checkov/pull/4782)\n- **terraform:** Ensure that cloudwatch alarms are set on - [#4805](https://github.com/bridgecrewio/checkov/pull/4805)\n\n### Bug Fix\n\n- **general:** fix scan all files entrypoint - [#4801](https://github.com/bridgecrewio/checkov/pull/4801)\n- **terraform:** Set back CHECKOV_ENABLE_FOREACH_HANDLING to False to check perfomence - [#4798](https://github.com/bridgecrewio/checkov/pull/4798)\n- **terraform:** TF new parser - Check for tfvars block - [#4796](https://github.com/bridgecrewio/checkov/pull/4796)\n\n## [2.3.134](https://github.com/bridgecrewio/checkov/compare/2.3.128...2.3.134) - 2023-03-29\n\n### Feature\n\n- **ansible:** PAN-OS policy and zone checks - [#4737](https://github.com/bridgecrewio/checkov/pull/4737)\n- **terraform_plan:** support data blocks in Terraform plan files - [#4758](https://github.com/bridgecrewio/checkov/pull/4758)\n- **terraform:** Set CHECKOV_ENABLE_FOREACH_HANDLING as True - [#4774](https://github.com/bridgecrewio/checkov/pull/4774)\n\n### Bug Fix\n\n- **terraform:** Correctly serialize/deserialize TFModule object - [#4780](https://github.com/bridgecrewio/checkov/pull/4780)\n- **terraform:** Fix nested `each.value` replacement in for_each handler - [#4787](https://github.com/bridgecrewio/checkov/pull/4787)\n\n## [2.3.128](https://github.com/bridgecrewio/checkov/compare/2.3.124...2.3.128) - 2023-03-28\n\n### Feature\n\n- **secrets:** make git history scan run in parallel - [#4769](https://github.com/bridgecrewio/checkov/pull/4769)\n- **terraform:** Add source_module_object_ to block attributes - [#4773](https://github.com/bridgecrewio/checkov/pull/4773)\n- **terraform:** codebuild dont enable privilege mode - [#4714](https://github.com/bridgecrewio/checkov/pull/4714)\n\n### Bug Fix\n\n- **terraform:** Fix nested statements in _is_static_foreach_statement - [#4772](https://github.com/bridgecrewio/checkov/pull/4772)\n\n## [2.3.124](https://github.com/bridgecrewio/checkov/compare/2.3.121...2.3.124) - 2023-03-27\n\n### Feature\n\n- **terraform:** AWS Use Launch templates in ASG - [#4698](https://github.com/bridgecrewio/checkov/pull/4698)\n- **terraform:** Codebuild defines and uses logs - [#4696](https://github.com/bridgecrewio/checkov/pull/4696)\n\n### Bug Fix\n\n- **terraform:** Foreach - Fix regex on an empty list - [#4765](https://github.com/bridgecrewio/checkov/pull/4765)\n\n## [2.3.121](https://github.com/bridgecrewio/checkov/compare/2.3.115...2.3.121) - 2023-03-26\n\n### Feature\n\n- **general:** Add scan all files to entrypoint - [#4746](https://github.com/bridgecrewio/checkov/pull/4746)\n- **terraform:** check routes are authorised - [#4682](https://github.com/bridgecrewio/checkov/pull/4682)\n- **terraform:** CloudDistribution set Failover origin - [#4686](https://github.com/bridgecrewio/checkov/pull/4686)\n- **terraform:** code build s3 logs are encrypted - [#4687](https://github.com/bridgecrewio/checkov/pull/4687)\n- **terraform:** Elasticbeanstalk should use enhanced health reporting - [#4692](https://github.com/bridgecrewio/checkov/pull/4692)\n- **terraform:** RDS cluster copy tags to snapshot - [#4693](https://github.com/bridgecrewio/checkov/pull/4693)\n- **terraform:** Support for_each/count statements in TF Modules - [#4708](https://github.com/bridgecrewio/checkov/pull/4708)\n\n### Bug Fix\n\n- **secrets:** Don't show stack trace in failures when uploading secrets to verify - [#4734](https://github.com/bridgecrewio/checkov/pull/4734)\n- **secrets:** Compare abs paths in SecretsOmitter - [#4756](https://github.com/bridgecrewio/checkov/pull/4756)\n- **terraform:** refine IAM assume role check CKV_AWS_61 - [#4749](https://github.com/bridgecrewio/checkov/pull/4749)\n- **terraform:** refine S3 lifecycle check CKV_AWS_300 - [#4750](https://github.com/bridgecrewio/checkov/pull/4750)\n\n### Platform\n\n- **terraform:** external module from git fail - log warning - [#4755](https://github.com/bridgecrewio/checkov/pull/4755)\n\n### Documentation\n\n- **terraform:** Document no private registry - [#4745](https://github.com/bridgecrewio/checkov/pull/4745)\n\n## [2.3.115](https://github.com/bridgecrewio/checkov/compare/2.3.114...2.3.115) - 2023-03-24\n\n### Bug Fix\n\n- **general:** fix default log levels for support stream - [#4741](https://github.com/bridgecrewio/checkov/pull/4741)\n\n## [2.3.114](https://github.com/bridgecrewio/checkov/compare/2.3.110...2.3.114) - 2023-03-23\n\n### Feature\n\n- **ansible:** Ansible panos int mgmt checks - [#4683](https://github.com/bridgecrewio/checkov/pull/4683)\n- **terraform:** api gateway ensure api cache is encrypted - [#4681](https://github.com/bridgecrewio/checkov/pull/4681)\n- **terraform:** AWS ensure Sagemaker Notebook users are not Root - [#4676](https://github.com/bridgecrewio/checkov/pull/4676)\n- **terraform:** Sagemaker Notebook In Custom VPC - [#4675](https://github.com/bridgecrewio/checkov/pull/4675)\n- **terraform:** Terraform runner with the new TF parser - [#4728](https://github.com/bridgecrewio/checkov/pull/4728)\n\n### Bug Fix\n\n- **gitlab:** fixing include scope that predominant all others - [#4735](https://github.com/bridgecrewio/checkov/pull/4735)\n\n### Documentation\n\n- **general:** fix small typo - [#4725](https://github.com/bridgecrewio/checkov/pull/4725)\n\n## [2.3.110](https://github.com/bridgecrewio/checkov/compare/2.3.108...2.3.110) - 2023-03-22\n\n### Bug Fix\n\n- **graph:** Fix an issue in and connection solver - [#4719](https://github.com/bridgecrewio/checkov/pull/4719)\n\n## [2.3.108](https://github.com/bridgecrewio/checkov/compare/2.3.105...2.3.108) - 2023-03-21\n\n### Feature\n\n- **secrets:** add option to get and set the secret store - [#4707](https://github.com/bridgecrewio/checkov/pull/4707)\n\n### Platform\n\n- **graph:** Ignore SyntaxWarning in variable rendering - [#4718](https://github.com/bridgecrewio/checkov/pull/4718)\n\n## [2.3.105](https://github.com/bridgecrewio/checkov/compare/2.3.102...2.3.105) - 2023-03-20\n\n### Feature\n\n- **general:** add flag to skip cert verification - [#4641](https://github.com/bridgecrewio/checkov/pull/4641)\n- **secrets:** Override secrets validation flag with tenant config - [#4701](https://github.com/bridgecrewio/checkov/pull/4701)\n\n## [2.3.102](https://github.com/bridgecrewio/checkov/compare/2.3.96...2.3.102) - 2023-03-19\n\n### Feature\n\n- **terraform:** AWS Ensure cloudfront has a default root - [#4673](https://github.com/bridgecrewio/checkov/pull/4673)\n- **terraform:** AWS ensure secret rotation is less than 90 days - [#4672](https://github.com/bridgecrewio/checkov/pull/4672)\n- **terraform:** AWS Secrets are rotated - [#4671](https://github.com/bridgecrewio/checkov/pull/4671)\n- **terraform:** ensure DB snapshots arent public - [#4667](https://github.com/bridgecrewio/checkov/pull/4667)\n- **terraform:** ensure SSM docs are private - [#4668](https://github.com/bridgecrewio/checkov/pull/4668)\n- **terraform:** lambda permission is not public - [#4666](https://github.com/bridgecrewio/checkov/pull/4666)\n\n### Bug Fix\n\n- **general:** Custom policies integration correct check IDs filtering - [#4700](https://github.com/bridgecrewio/checkov/pull/4700)\n- **sca:** return empty result when using BC API key in IDE - [#4694](https://github.com/bridgecrewio/checkov/pull/4694)\n- **terraform:** add extra handling around private GitHub Terraform modules - [#4699](https://github.com/bridgecrewio/checkov/pull/4699)\n\n## [2.3.96](https://github.com/bridgecrewio/checkov/compare/2.3.95...2.3.96) - 2023-03-16\n\n### Feature\n\n- **ansible:** Ansible panos security policy checks - [#4639](https://github.com/bridgecrewio/checkov/pull/4639)\n- **terraform:** s3 bucket has event notifications - [#4660](https://github.com/bridgecrewio/checkov/pull/4660)\n- **terraform:** s3 ensure failed uploads are deleted id=300!!!! - [#4662](https://github.com/bridgecrewio/checkov/pull/4662)\n\n### Bug Fix\n\n- **gitlab:** index_out_of_range - [#4677](https://github.com/bridgecrewio/checkov/pull/4677)\n- **terraform:** Revert \"feat(terraform): support provider blocks yaml policy checks (… - [#4680](https://github.com/bridgecrewio/checkov/pull/4680)\n\n## [2.3.95](https://github.com/bridgecrewio/checkov/compare/2.3.92...2.3.95) - 2023-03-15\n\n### Feature\n\n- **sca:** filter twistcli results with empty package name and version - [#4670](https://github.com/bridgecrewio/checkov/pull/4670)\n- **terraform:** Support new TFParser in the local graph (under env var) - [#4664](https://github.com/bridgecrewio/checkov/pull/4664)\n- **terraform:** support provider blocks yaml policy checks - [#4656](https://github.com/bridgecrewio/checkov/pull/4656)\n\n## [2.3.92](https://github.com/bridgecrewio/checkov/compare/2.3.85...2.3.92) - 2023-03-14\n\n### Feature\n\n- **sca:** fix unexpected maven packageName - cycloneDX - [#4663](https://github.com/bridgecrewio/checkov/pull/4663)\n- **sca:** skipping finding IsPrivateFixVersion by default - [#4648](https://github.com/bridgecrewio/checkov/pull/4648)\n- **sca:** support inline CVE suppression in requirements.txt - [#4630](https://github.com/bridgecrewio/checkov/pull/4630)\n- **secrets:** allow scanning just partial history of commits - [#4659](https://github.com/bridgecrewio/checkov/pull/4659)\n- **terraform:** Refactor Module mapping objects - [#4661](https://github.com/bridgecrewio/checkov/pull/4661)\n- **terraform:** s3 to have lifecycle policy - [#4658](https://github.com/bridgecrewio/checkov/pull/4658)\n\n### Bug Fix\n\n- **secrets:** fix git history partial scan - [#4665](https://github.com/bridgecrewio/checkov/pull/4665)\n\n## [2.3.85](https://github.com/bridgecrewio/checkov/compare/2.3.79...2.3.85) - 2023-03-13\n\n### Feature\n\n- **secrets:** support git history scan in multiline parsers - [#4637](https://github.com/bridgecrewio/checkov/pull/4637)\n- **terraform:** Definitions serialization with new definitions key/module objects - [#4655](https://github.com/bridgecrewio/checkov/pull/4655)\n- **terraform:** support variable rendering for default objects in vars - [#4650](https://github.com/bridgecrewio/checkov/pull/4650)\n\n### Bug Fix\n\n- **arm:** Fix resource type check in SQLServerAuditingRetention90Days - [#4657](https://github.com/bridgecrewio/checkov/pull/4657)\n- **general:** check suppression id instead of policy id - [#4646](https://github.com/bridgecrewio/checkov/pull/4646)\n- **gitlab:** Modify GitLab CI resource ids - [#4647](https://github.com/bridgecrewio/checkov/pull/4647)\n\n## [2.3.79](https://github.com/bridgecrewio/checkov/compare/2.3.75...2.3.79) - 2023-03-12\n\n### Feature\n\n- **terraform:** Fix for foreach subgraph rendering - [#4649](https://github.com/bridgecrewio/checkov/pull/4649)\n- **terraform:** new checks on new resources - [#4491](https://github.com/bridgecrewio/checkov/pull/4491)\n\n### Platform\n\n- **general:** skip uploading repo for VSCode source - [#4643](https://github.com/bridgecrewio/checkov/pull/4643)\n\n## [2.3.75](https://github.com/bridgecrewio/checkov/compare/2.3.71...2.3.75) - 2023-03-09\n\n### Feature\n\n- **general:** add Terraform JSON support - [#4626](https://github.com/bridgecrewio/checkov/pull/4626)\n- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4605](https://github.com/bridgecrewio/checkov/pull/4605)\n\n### Bug Fix\n\n- **arm:** ignore incomplete resource in ARM templates - [#4636](https://github.com/bridgecrewio/checkov/pull/4636)\n- **terraform:** stop handle resource `for_each` as dynamic attribute - [#4632](https://github.com/bridgecrewio/checkov/pull/4632)\n\n## [2.3.71](https://github.com/bridgecrewio/checkov/compare/2.3.70...2.3.71) - 2023-03-08\n\n### Bug Fix\n\n- **terraform:** v2 settings valid for windows and linux web apps - [#4628](https://github.com/bridgecrewio/checkov/pull/4628)\n\n## [2.3.70](https://github.com/bridgecrewio/checkov/compare/2.3.66...2.3.70) - 2023-03-07\n\n### Feature\n\n- **ansible:** add Ansible check for CKV_PAN_4 for PAN-OS DSRI - [#4608](https://github.com/bridgecrewio/checkov/pull/4608)\n- **dockerfile:** Add tdnf support for CKV2_DOCKER_9 - [#4620](https://github.com/bridgecrewio/checkov/pull/4620)\n- **terraform:** Check added for AWS Database instance deletion protection - [#4616](https://github.com/bridgecrewio/checkov/pull/4616)\n- **terraform:** CloudtrailEventDataStoreUsesCMK - [#4621](https://github.com/bridgecrewio/checkov/pull/4621)\n\n### Bug Fix\n\n- **bicep:** handle malformed files in bicep parser - [#4629](https://github.com/bridgecrewio/checkov/pull/4629)\n- **cloudformation:** KMSKeyWildCardPrincipal modification - Check for wildcards inside of lists - [#4590](https://github.com/bridgecrewio/checkov/pull/4590)\n- **terraform:** in sg rules ignore self referencing - [#4603](https://github.com/bridgecrewio/checkov/pull/4603)\n\n## [2.3.66](https://github.com/bridgecrewio/checkov/compare/2.3.59...2.3.66) - 2023-03-06\n\n### Feature\n\n- **gitlab:** fix wrong resource in gitlab-ci - [#4610](https://github.com/bridgecrewio/checkov/pull/4610)\n- **terraform:** Support the -1 protocol on SG checks - [#4611](https://github.com/bridgecrewio/checkov/pull/4611)\n- **terraform:** TF Parser support of new modules keys - [#4601](https://github.com/bridgecrewio/checkov/pull/4601)\n\n### Bug Fix\n\n- **bicep:** extend CKV_AZURE_4 to consider omsAgent to be written in camelCase - [#4614](https://github.com/bridgecrewio/checkov/pull/4614)\n- **general:** refactor SARIF output - [#4606](https://github.com/bridgecrewio/checkov/pull/4606)\n- **general:** skip scanning invalid resources - [#4617](https://github.com/bridgecrewio/checkov/pull/4617)\n- **sca:** Added an error log for Twistcli failures - [#4613](https://github.com/bridgecrewio/checkov/pull/4613)\n- **terraform:** stop evaluating a string ... to the Ellipsis object - [#4623](https://github.com/bridgecrewio/checkov/pull/4623)\n\n## [2.3.59](https://github.com/bridgecrewio/checkov/compare/2.3.57...2.3.59) - 2023-03-05\n\n### Bug Fix\n\n- **general:** do not stop getting fixes if one attempt results in a 403 - [#4607](https://github.com/bridgecrewio/checkov/pull/4607)\n- **gha:** skip schema validity check if parsing returned None - [#4609](https://github.com/bridgecrewio/checkov/pull/4609)\n- **secrets:** Adjust output to include the additional Git History info - [#4566](https://github.com/bridgecrewio/checkov/pull/4566)\n\n## [2.3.57](https://github.com/bridgecrewio/checkov/compare/2.3.53...2.3.57) - 2023-03-02\n\n### Feature\n\n- **ansible:** Add checks for the ansible builtin dnf module - [#4570](https://github.com/bridgecrewio/checkov/pull/4570)\n- **dockerfile:** Add new dockerfile checks - [#4569](https://github.com/bridgecrewio/checkov/pull/4569)\n- **terraform:** Create a new TF parser - [#4584](https://github.com/bridgecrewio/checkov/pull/4584)\n\n### Bug Fix\n\n- **secrets:** only check secrets framework when scanning history - [#4592](https://github.com/bridgecrewio/checkov/pull/4592)\n- **terraform:** AWS - there's a new sg vpc ingress rule - [#4575](https://github.com/bridgecrewio/checkov/pull/4575)\n- **terraform:** Azurerm NSG UDP check should work for old style but still valid tf - [#4454](https://github.com/bridgecrewio/checkov/pull/4454)\n\n## [2.3.53](https://github.com/bridgecrewio/checkov/compare/2.3.50...2.3.53) - 2023-03-01\n\n### Feature\n\n- **terraform:** Add foreach_attrs in saved graph - [#4587](https://github.com/bridgecrewio/checkov/pull/4587)\n- **terraform:** Set foreach_attrs directly under the block - [#4586](https://github.com/bridgecrewio/checkov/pull/4586)\n- **terraform:** TF foreach - Support updating each.value in nested dict - [#4588](https://github.com/bridgecrewio/checkov/pull/4588)\n\n### Bug Fix\n\n- **sca:** Set prisma token and scan packages by v2 for IDE scans - [#4580](https://github.com/bridgecrewio/checkov/pull/4580)\n- **terraform:** fix CKV_AWS_70 test and add graph for coverage of data source - [#4542](https://github.com/bridgecrewio/checkov/pull/4542)\n- **terraform:** TF foreach - Avoid rendering in static statements - [#4583](https://github.com/bridgecrewio/checkov/pull/4583)\n\n### Documentation\n\n- **ansible:** add Ansible policy docs generation - [#4582](https://github.com/bridgecrewio/checkov/pull/4582)\n\n## [2.3.50](https://github.com/bridgecrewio/checkov/compare/2.3.48...2.3.50) - 2023-02-28\n\n### Bug Fix\n\n- **terraform:** add not exists conditional to CKV2_AWS_16 to account for defaults - [#4578](https://github.com/bridgecrewio/checkov/pull/4578)\n\n## [2.3.48](https://github.com/bridgecrewio/checkov/compare/2.3.44...2.3.48) - 2023-02-27\n\n### Feature\n\n- **secrets:** track complete file deletion and renaming - [#4551](https://github.com/bridgecrewio/checkov/pull/4551)\n- **terraform:** Adding yaml based build time policies for corresponding PC runtime policies - [#4529](https://github.com/bridgecrewio/checkov/pull/4529)\n\n### Bug Fix\n\n- **ansible:** support skip check for Ansible Python-based checks - [#4556](https://github.com/bridgecrewio/checkov/pull/4556)\n- **terraform:** Handle unescaped lookup values - [#4565](https://github.com/bridgecrewio/checkov/pull/4565)\n\n## [2.3.44](https://github.com/bridgecrewio/checkov/compare/2.3.39...2.3.44) - 2023-02-26\n\n### Feature\n\n- **dockerfile:** Add check for the environment variable NPM_CONFIG_STRICT_SSL - [#4553](https://github.com/bridgecrewio/checkov/pull/4553)\n- **terraform:** TF Parser - Move funcs and consts to utils file - [#4550](https://github.com/bridgecrewio/checkov/pull/4550)\n\n### Bug Fix\n\n- **terraform_plan:** Fix tf plan nested modules - [#4562](https://github.com/bridgecrewio/checkov/pull/4562)\n- **terraform:** fix for #4518 - [#4528](https://github.com/bridgecrewio/checkov/pull/4528)\n- **terraform:** Move get_module back to parser - [#4560](https://github.com/bridgecrewio/checkov/pull/4560)\n- **terraform:** remove dynamic warning exc_info - [#4563](https://github.com/bridgecrewio/checkov/pull/4563)\n\n## [2.3.39](https://github.com/bridgecrewio/checkov/compare/2.3.36...2.3.39) - 2023-02-23\n\n### Feature\n\n- **dockerfile:** Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf - [#4404](https://github.com/bridgecrewio/checkov/pull/4404)\n- **terraform:** New classes for the TF module model - [#4546](https://github.com/bridgecrewio/checkov/pull/4546)\n\n### Bug Fix\n\n- **gha:** Align GHA resource ids (Graph vs Python checks) - [#4549](https://github.com/bridgecrewio/checkov/pull/4549)\n\n## [2.3.36](https://github.com/bridgecrewio/checkov/compare/2.3.33...2.3.36) - 2023-02-22\n\n### Feature\n\n- **arm:** add graph capabilities to ARM framework - [#4526](https://github.com/bridgecrewio/checkov/pull/4526)\n- **secrets:** add timeout for scan history checks - [#4523](https://github.com/bridgecrewio/checkov/pull/4523)\n- **secrets:** Support secret findings in git history - [#4525](https://github.com/bridgecrewio/checkov/pull/4525)\n\n## [2.3.33](https://github.com/bridgecrewio/checkov/compare/2.3.29...2.3.33) - 2023-02-21\n\n### Feature\n\n- **gitlab:** fix gitlab ci yaml file processing - [#4536](https://github.com/bridgecrewio/checkov/pull/4536)\n- **sca:** adding is_registry_url and printing in the cyclonedx only private registries urls - [#4533](https://github.com/bridgecrewio/checkov/pull/4533)\n- **sca:** support also the key \"registryUrl\" when extracting registry_url for the report - [#4535](https://github.com/bridgecrewio/checkov/pull/4535)\n\n### Bug Fix\n\n- **terraform:** Optional module content path - [#4537](https://github.com/bridgecrewio/checkov/pull/4537)\n\n## [2.3.29](https://github.com/bridgecrewio/checkov/compare/2.3.28...2.3.29) - 2023-02-20\n\n### Bug Fix\n\n- **cloudformation:** Update CKV_AWS_46 to handle base64 encoded userdata - [#4530](https://github.com/bridgecrewio/checkov/pull/4530)\n\n## [2.3.28](https://github.com/bridgecrewio/checkov/compare/2.3.23...2.3.28) - 2023-02-19\n\n### Feature\n\n- **secrets:** add flag for scan secrets history - [#4513](https://github.com/bridgecrewio/checkov/pull/4513)\n- **terraform:** Used parentheses in key for foreach attributes but not count - [#4520](https://github.com/bridgecrewio/checkov/pull/4520)\n\n### Bug Fix\n\n- **gha:** fix output flag for usage in checkov-action - [#4517](https://github.com/bridgecrewio/checkov/pull/4517)\n- **terraform:** add datasource option for headers check - [#4496](https://github.com/bridgecrewio/checkov/pull/4496)\n- **terraform:** optimize check CKV2_AWS_60 - [#4512](https://github.com/bridgecrewio/checkov/pull/4512)\n\n### Platform\n\n- **general:** Use new enforcement categories (#4456) - [#4519](https://github.com/bridgecrewio/checkov/pull/4519)\n\n## [2.3.23](https://github.com/bridgecrewio/checkov/compare/2.3.22...2.3.23) - 2023-02-18\n\n### Feature\n\n- **ansible:** Add checks for the ansible builtin apt module - [#4500](https://github.com/bridgecrewio/checkov/pull/4500)\n\n### Bug Fix\n\n- **gha:** now looks for GHA on windows - [#4515](https://github.com/bridgecrewio/checkov/pull/4515)\n\n## [2.3.22](https://github.com/bridgecrewio/checkov/compare/2.3.18...2.3.22) - 2023-02-16\n\n### Feature\n\n- **sca:** adding registry-url to the cyclonedx output report - [#4511](https://github.com/bridgecrewio/checkov/pull/4511)\n- **secrets:** Add capability to iterate over git history - [#4469](https://github.com/bridgecrewio/checkov/pull/4469)\n- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4425](https://github.com/bridgecrewio/checkov/pull/4425)\n\n### Bug Fix\n\n- **secrets:** import git - [#4514](https://github.com/bridgecrewio/checkov/pull/4514)\n\n## [2.3.18](https://github.com/bridgecrewio/checkov/compare/2.3.14...2.3.18) - 2023-02-15\n\n### Feature\n\n- **sca:** add registry urls and description to the output report and to the csv report - [#4485](https://github.com/bridgecrewio/checkov/pull/4485)\n\n### Bug Fix\n\n- **ansible:** skip unsupported Ansible resources - [#4504](https://github.com/bridgecrewio/checkov/pull/4504)\n- **terraform:** Fix an str split edge case in function - [#4507](https://github.com/bridgecrewio/checkov/pull/4507)\n- **terraform:** fix enforcement rules mapping - [#4509](https://github.com/bridgecrewio/checkov/pull/4509)\n\n## [2.3.14](https://github.com/bridgecrewio/checkov/compare/2.3.7...2.3.14) - 2023-02-14\n\n### Feature\n\n- **secrets:** log and filter potential uuid case - [#4486](https://github.com/bridgecrewio/checkov/pull/4486)\n- **terraform:** Assign/override main vertices by the first new vertice. - [#4493](https://github.com/bridgecrewio/checkov/pull/4493)\n- **terraform:** Support for loops in foreach statements - [#4483](https://github.com/bridgecrewio/checkov/pull/4483)\n\n### Bug Fix\n\n- **terraform:** Handle KeyError in hadle_for_loop func - [#4501](https://github.com/bridgecrewio/checkov/pull/4501)\n- **terraform:** Handle type error in `_handle_for_loop_in_dict` - [#4495](https://github.com/bridgecrewio/checkov/pull/4495)\n- **terraform:** skip loading module that calls to the same dir - [#4499](https://github.com/bridgecrewio/checkov/pull/4499)\n\n### Platform\n\n- **general:** Use new enforcement categories - [#4456](https://github.com/bridgecrewio/checkov/pull/4456)\n\n### Documentation\n\n- **general:** update installation on Alpine docs - [#4474](https://github.com/bridgecrewio/checkov/pull/4474)\n\n## [2.3.7](https://github.com/bridgecrewio/checkov/compare/2.3.3...2.3.7) - 2023-02-13\n\n### Feature\n\n- **graph:** Add UT as an example of not-exists for the nested list. - [#4484](https://github.com/bridgecrewio/checkov/pull/4484)\n- **secrets:** Save secrets line number - [#4488](https://github.com/bridgecrewio/checkov/pull/4488)\n- **terraform:** AWS:check global DocDB cluster is encrypted - [#4405](https://github.com/bridgecrewio/checkov/pull/4405)\n- **terraform:** check msk nodes are private - [#4392](https://github.com/bridgecrewio/checkov/pull/4392)\n- **terraform:** support more json encoded objects as part of terraform resource and fix evaluation of true/false in json - [#4487](https://github.com/bridgecrewio/checkov/pull/4487)\n\n### Bug Fix\n\n- **ansible:** support nested blocks and empty module values - [#4479](https://github.com/bridgecrewio/checkov/pull/4479)\n- **cloudformation:** Updated AWS_CKV_7 to not require rotation on asymmetric keys - [#4476](https://github.com/bridgecrewio/checkov/pull/4476)\n\n## [2.3.3](https://github.com/bridgecrewio/checkov/compare/2.3.0...2.3.3) - 2023-02-09\n\n### Feature\n\n- **secrets:** limit multiline regex detector run - [#4453](https://github.com/bridgecrewio/checkov/pull/4453)\n- **terraform:** Add foreach_attrs to config objects + UTs - [#4463](https://github.com/bridgecrewio/checkov/pull/4463)\n- **terraform:** GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) - [#4390](https://github.com/bridgecrewio/checkov/pull/4390)\n\n### Bug Fix\n\n- **kustomize:** fix kustomize file path cli - [#4466](https://github.com/bridgecrewio/checkov/pull/4466)\n- **terraform:** Allow different type of value in BaseResourceValueCheck - [#4470](https://github.com/bridgecrewio/checkov/pull/4470)\n- **terraform:** deny statements with wildcards are valid - [#4440](https://github.com/bridgecrewio/checkov/pull/4440)\n\n## [2.3.0](https://github.com/bridgecrewio/checkov/compare/2.2.356...2.3.0) - 2023-02-09\n\n### Breaking Change\n\n- **gha:** adjust the attribute reference for GitHub Actions graph checks - [#4445](https://github.com/bridgecrewio/checkov/pull/4445)\n- **terraform:** enable nested modules by default - [#4448](https://github.com/bridgecrewio/checkov/pull/4448)\n\n### Feature\n\n- **general:** Create 3d combinations post runner - [#4353](https://github.com/bridgecrewio/checkov/pull/4353)\n\n### Bug Fix\n\n- **gha:** fix GHA _get_jobs edge case (string step) - [#4444](https://github.com/bridgecrewio/checkov/pull/4444)\n- **graph:** added graph init to igraph db connector - [#4455](https://github.com/bridgecrewio/checkov/pull/4455)\n\n## [2.2.356](https://github.com/bridgecrewio/checkov/compare/2.2.348...2.2.356) - 2023-02-08\n\n### Feature\n\n- **sca:** Add support for Dotnet files - [#4189](https://github.com/bridgecrewio/checkov/pull/4189)\n- **terraform:** Create new resources for count/foreach resources - [#4427](https://github.com/bridgecrewio/checkov/pull/4427)\n- **terraform:** extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request - [#4438](https://github.com/bridgecrewio/checkov/pull/4438)\n\n### Bug Fix\n\n- **general:** Correct BigQueryDatasetEncryptedWithCMK name field - [#4443](https://github.com/bridgecrewio/checkov/pull/4443)\n- **kubernetes:** Fix empty spec in k8s file - [#4452](https://github.com/bridgecrewio/checkov/pull/4452)\n- **kustomize:** Fix kustomize cli file path - [#4447](https://github.com/bridgecrewio/checkov/pull/4447)\n- **secrets:** remove CKV_SECRET_78 from SECRET_TYPE_TO_ID - [#4446](https://github.com/bridgecrewio/checkov/pull/4446)\n- **terraform:** change module index separator in full path - [#4437](https://github.com/bridgecrewio/checkov/pull/4437)\n\n## [2.2.348](https://github.com/bridgecrewio/checkov/compare/2.2.341...2.2.348) - 2023-02-07\n\n### Feature\n\n- **cloudformation:** support new default s3 encryption - [#4429](https://github.com/bridgecrewio/checkov/pull/4429)\n- **graph:** added indices to igraph nodes - [#4433](https://github.com/bridgecrewio/checkov/pull/4433)\n- **secrets:** Add args to analyze line is added and is removed for git history scan - [#4426](https://github.com/bridgecrewio/checkov/pull/4426)\n\n### Bug Fix\n\n- **secrets:** Comment out checkob multiline regex detectors - [#4441](https://github.com/bridgecrewio/checkov/pull/4441)\n- **terraform:** Fix updating resource config - [#4432](https://github.com/bridgecrewio/checkov/pull/4432)\n\n### Platform\n\n- **secrets:** Add secrets custom regex on file - [#4430](https://github.com/bridgecrewio/checkov/pull/4430)\n\n## [2.2.341](https://github.com/bridgecrewio/checkov/compare/2.2.335...2.2.341) - 2023-02-06\n\n### Feature\n\n- **ansible:** add support for Ansible blocks - [#4419](https://github.com/bridgecrewio/checkov/pull/4419)\n- **general:** Control check failure logging level - [#4431](https://github.com/bridgecrewio/checkov/pull/4431)\n- **graph:** add validation for graph checks - [#4352](https://github.com/bridgecrewio/checkov/pull/4352)\n- **kubernetes:** support inline skips for Kubernetes graph checks - [#4412](https://github.com/bridgecrewio/checkov/pull/4412)\n- **secrets:** remove secrets dependency in generic record - [#4424](https://github.com/bridgecrewio/checkov/pull/4424)\n\n### Bug Fix\n\n- **kustomize:** remove redundant error in kustomize runner - [#4428](https://github.com/bridgecrewio/checkov/pull/4428)\n\n### Documentation\n\n- **general:** fix graph check link in docs - [#4420](https://github.com/bridgecrewio/checkov/pull/4420)\n\n## [2.2.335](https://github.com/bridgecrewio/checkov/compare/2.2.332...2.2.335) - 2023-02-05\n\n### Feature\n\n- **kustomize:** support kustomize v5 - [#4411](https://github.com/bridgecrewio/checkov/pull/4411)\n- **terraform:** [Foreach/Count Handling] Render dynamic foreach/count statement - [#4398](https://github.com/bridgecrewio/checkov/pull/4398)\n\n### Bug Fix\n\n- **general:** Checks edge-cases fixes in terraform and openapi - [#4414](https://github.com/bridgecrewio/checkov/pull/4414)\n- **general:** Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash - [#4408](https://github.com/bridgecrewio/checkov/pull/4408)\n- **terraform:** fix getting the module for resource named 'module' - [#4418](https://github.com/bridgecrewio/checkov/pull/4418)\n- **terraform:** retire CKV_AWS_128 in favour of CKV_AWS_162 - [#4350](https://github.com/bridgecrewio/checkov/pull/4350)\n- **terraform:** SQS check was all types of wrong - [#4382](https://github.com/bridgecrewio/checkov/pull/4382)\n\n## [2.2.332](https://github.com/bridgecrewio/checkov/compare/2.2.331...2.2.332) - 2023-02-04\n\n### Bug Fix\n\n- **cloudformation:** Don't fail Aurora instances for MultiAZ not being set - [#4316](https://github.com/bridgecrewio/checkov/pull/4316)\n\n## [2.2.331](https://github.com/bridgecrewio/checkov/compare/2.2.330...2.2.331) - 2023-02-03\n\n### Bug Fix\n\n- **general:** fix compact json output - [#4406](https://github.com/bridgecrewio/checkov/pull/4406)\n\n## [2.2.330](https://github.com/bridgecrewio/checkov/compare/2.2.327...2.2.330) - 2023-02-02\n\n### Feature\n\n- **sca:** Add a --support flag - [#4397](https://github.com/bridgecrewio/checkov/pull/4397)\n- **sca:** Add a --support flag --revert - [#4396](https://github.com/bridgecrewio/checkov/pull/4396)\n- **secrets:** add workdir info to secrets scanner - [#4400](https://github.com/bridgecrewio/checkov/pull/4400)\n- **secrets:** extract new detector_utils file from entropy keyword combinator - [#4385](https://github.com/bridgecrewio/checkov/pull/4385)\n\n### Bug Fix\n\n- **general:** Remove empty links from GitLab SAST output - [#4393](https://github.com/bridgecrewio/checkov/pull/4393)\n\n## [2.2.327](https://github.com/bridgecrewio/checkov/compare/2.2.320...2.2.327) - 2023-02-01\n\n### Feature\n\n- **gha:** add gha permissions lines - [#4372](https://github.com/bridgecrewio/checkov/pull/4372)\n- **sca:** add extract nodes igraph - [#4359](https://github.com/bridgecrewio/checkov/pull/4359)\n- **sca:** create bom report when extra_resources is not empty - [#4388](https://github.com/bridgecrewio/checkov/pull/4388)\n- **secrets:** add support for runnable secrets plugins - [#4368](https://github.com/bridgecrewio/checkov/pull/4368)\n- **terraform:** add CKV_GCP_114 to ensure that Public Access Prevention is enforced on GoogleCloudStorage bucket. - [#4347](https://github.com/bridgecrewio/checkov/pull/4347)\n- **terraform:** Add cloudsplaining checks to tf aws_iam_policy CKV_AWS_287-290 - [#4386](https://github.com/bridgecrewio/checkov/pull/4386)\n- **terraform:** get static foreach/count values of resources - [#4374](https://github.com/bridgecrewio/checkov/pull/4374)\n\n## [2.2.320](https://github.com/bridgecrewio/checkov/compare/2.2.316...2.2.320) - 2023-01-31\n\n### Feature\n\n- **sca:** Add a --support flag - [#4323](https://github.com/bridgecrewio/checkov/pull/4323)\n- **sca:** added extra supported package files to find_scannable_files - [#4378](https://github.com/bridgecrewio/checkov/pull/4378)\n- **terraform:** add reset edges function to terraform local graph - [#4373](https://github.com/bridgecrewio/checkov/pull/4373)\n- **terraform:** Added base class for cloudsplaining iam checks to be integrated between data and resource objects - [#4338](https://github.com/bridgecrewio/checkov/pull/4338)\n- **terraform:** Added basic check with test for tf resource with IAM privilege escalation - [#4376](https://github.com/bridgecrewio/checkov/pull/4376)\n\n### Bug Fix\n\n- **cloudformation:** Skip SAM Global Tags propagation - [#4383](https://github.com/bridgecrewio/checkov/pull/4383)\n- **sca:** extend image name validation - [#4377](https://github.com/bridgecrewio/checkov/pull/4377)\n- **terraform:** simple check naming fix - [#4371](https://github.com/bridgecrewio/checkov/pull/4371)\n\n## [2.2.316](https://github.com/bridgecrewio/checkov/compare/2.2.312...2.2.316) - 2023-01-30\n\n### Feature\n\n- **sca:** ignore package.json file when yarn.lock exists - [#4370](https://github.com/bridgecrewio/checkov/pull/4370)\n- **terraform:** GCP check kms policy does not define public access - [#4190](https://github.com/bridgecrewio/checkov/pull/4190)\n- **terraform:** GCP check policy isn't public - [#4194](https://github.com/bridgecrewio/checkov/pull/4194)\n\n### Bug Fix\n\n- **sca:** support BC_VUL_X IDs in GitLab SAST output - [#4360](https://github.com/bridgecrewio/checkov/pull/4360)\n\n## [2.2.312](https://github.com/bridgecrewio/checkov/compare/2.2.305...2.2.312) - 2023-01-29\n\n### Feature\n\n- **azure:** fix container latest tag missing results - [#4337](https://github.com/bridgecrewio/checkov/pull/4337)\n\n### Bug Fix\n\n- **azure:** Add `.*.` in azure checks to check in lists as well - [#4355](https://github.com/bridgecrewio/checkov/pull/4355)\n- **azure:** Azure checks fixes - [#4342](https://github.com/bridgecrewio/checkov/pull/4342)\n- **azure:** Azure checks fixes - [#4354](https://github.com/bridgecrewio/checkov/pull/4354)\n- **azure:** Support string function_app min_tls_version as well - [#4357](https://github.com/bridgecrewio/checkov/pull/4357)\n- **kubernetes:** k8s checks fixes - [#4343](https://github.com/bridgecrewio/checkov/pull/4343)\n- **sca:** Fix multiple issues related to IR - [#4358](https://github.com/bridgecrewio/checkov/pull/4358)\n- **terraform:** Terraform checks fixes - [#4344](https://github.com/bridgecrewio/checkov/pull/4344)\n\n## [2.2.305](https://github.com/bridgecrewio/checkov/compare/2.2.304...2.2.305) - 2023-01-28\n\n### Feature\n\n- **general:** Add GitLab SAST output - [#4315](https://github.com/bridgecrewio/checkov/pull/4315)\n\n## [2.2.304](https://github.com/bridgecrewio/checkov/compare/2.2.302...2.2.304) - 2023-01-26\n\n### Bug Fix\n\n- **kubernetes:** skip extracting pods for custom resources - [#4334](https://github.com/bridgecrewio/checkov/pull/4334)\n- **sca:** require requests 2.27.0 - [#4339](https://github.com/bridgecrewio/checkov/pull/4339)\n\n### Documentation\n\n- **general:** fix env var name to `CKV_IGNORE_HIDDEN_DIRECTORIES` - [#4335](https://github.com/bridgecrewio/checkov/pull/4335)\n\n## [2.2.302](https://github.com/bridgecrewio/checkov/compare/2.2.299...2.2.302) - 2023-01-25\n\n### Feature\n\n- **general:** igraph library support - [#4327](https://github.com/bridgecrewio/checkov/pull/4327)\n\n### Bug Fix\n\n- **general:** add missing header in --list output - [#4329](https://github.com/bridgecrewio/checkov/pull/4329)\n- **kubernetes:** extract pods only for supported resources - [#4330](https://github.com/bridgecrewio/checkov/pull/4330)\n- **sca:** catch exceptional error during SCA results polling - [#4331](https://github.com/bridgecrewio/checkov/pull/4331)\n- **terraform:** change terraform nested modules path separators - [#4319](https://github.com/bridgecrewio/checkov/pull/4319)\n- **terraform:** handle unexpected container definition type - [#4328](https://github.com/bridgecrewio/checkov/pull/4328)\n\n## [2.2.299](https://github.com/bridgecrewio/checkov/compare/2.2.292...2.2.299) - 2023-01-24\n\n### Feature\n\n- **azure:** change detect image source - [#4320](https://github.com/bridgecrewio/checkov/pull/4320)\n- **general:** add empty azure image check - [#4308](https://github.com/bridgecrewio/checkov/pull/4308)\n- **general:** add logs for async license and image retrieval - [#4317](https://github.com/bridgecrewio/checkov/pull/4317)\n- **sca:** Support the new --image flag along the --docker-image flag - [#4314](https://github.com/bridgecrewio/checkov/pull/4314)\n\n### Bug Fix\n\n- **general:** ignore repo_id setting when list flag is set - [#4313](https://github.com/bridgecrewio/checkov/pull/4313)\n- **kubernetes:** handle k8s resource with missing required data - [#4318](https://github.com/bridgecrewio/checkov/pull/4318)\n- **secrets:** Change s3 path for enriched secrets upload - [#4275](https://github.com/bridgecrewio/checkov/pull/4275)\n- **terraform:** handle unexpected container type - [#4311](https://github.com/bridgecrewio/checkov/pull/4311)\n\n### Documentation\n\n- **general:** Update README for supported Python versions - [#4305](https://github.com/bridgecrewio/checkov/pull/4305)\n\n## [2.2.292](https://github.com/bridgecrewio/checkov/compare/2.2.289...2.2.292) - 2023-01-23\n\n### Feature\n\n- **terraform:** new app service checks for azurerm - [#4072](https://github.com/bridgecrewio/checkov/pull/4072)\n\n### Bug Fix\n\n- **general:** In case of a non-JSON response, log the response - [#4304](https://github.com/bridgecrewio/checkov/pull/4304)\n- **terraform_plan:** fix in deep analysis - [#4306](https://github.com/bridgecrewio/checkov/pull/4306)\n- **terraform:** fix default behaviour of CKV_GCP_19 - [#4289](https://github.com/bridgecrewio/checkov/pull/4289)\n\n## [2.2.289](https://github.com/bridgecrewio/checkov/compare/2.2.281...2.2.289) - 2023-01-22\n\n### Feature\n\n- **general:** add Ansible framework - [#4244](https://github.com/bridgecrewio/checkov/pull/4244)\n- **general:** Allow using `--repo-root-for-plan-enrichment` flag in GitHub Actions - [#4292](https://github.com/bridgecrewio/checkov/pull/4292)\n- **secrets:** add new sanity test files for base64 entropy detector - [#4298](https://github.com/bridgecrewio/checkov/pull/4298)\n- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4265](https://github.com/bridgecrewio/checkov/pull/4265)\n\n### Bug Fix\n\n- **sca:** fix dependency tree cli print - [#4282](https://github.com/bridgecrewio/checkov/pull/4282)\n- **terraform:** fix Exception in image ref - [#4297](https://github.com/bridgecrewio/checkov/pull/4297)\n- **terraform:** fix in variable rendering - [#4296](https://github.com/bridgecrewio/checkov/pull/4296)\n- **terraform:** Fix policy str in graph checks - [#4286](https://github.com/bridgecrewio/checkov/pull/4286)\n\n## [2.2.281](https://github.com/bridgecrewio/checkov/compare/2.2.278...2.2.281) - 2023-01-19\n\n### Feature\n\n- **general:** add Image referencer igraph support - [#4277](https://github.com/bridgecrewio/checkov/pull/4277)\n- **general:** Support aiohttp for IR API calls - [#4274](https://github.com/bridgecrewio/checkov/pull/4274)\n\n### Bug Fix\n\n- **general:** Enable running cloned policies in case the OOTB policy is suppressed - [#4281](https://github.com/bridgecrewio/checkov/pull/4281)\n- **secrets:** change default secret validation status to unavailable - [#4284](https://github.com/bridgecrewio/checkov/pull/4284)\n- **terraform:** fix error for push_skipped_checks_down with definition that not in the definition context - [#4272](https://github.com/bridgecrewio/checkov/pull/4272)\n\n## [2.2.278](https://github.com/bridgecrewio/checkov/compare/2.2.274...2.2.278) - 2023-01-18\n\n### Feature\n\n- **azure:** Add image referencer in azure pipelines - [#4234](https://github.com/bridgecrewio/checkov/pull/4234)\n- **gha:** fix yaml parsing of multi files - [#4270](https://github.com/bridgecrewio/checkov/pull/4270)\n- **secrets:** fix to keyword combinator to reduce FPs - [#4260](https://github.com/bridgecrewio/checkov/pull/4260)\n\n### Bug Fix\n\n- **secrets:** add guideline and severity to custom secret check metadata - [#4276](https://github.com/bridgecrewio/checkov/pull/4276)\n\n## [2.2.274](https://github.com/bridgecrewio/checkov/compare/2.2.271...2.2.274) - 2023-01-17\n\n### Feature\n\n- **gha:** fix failing image retrieval in GHA IR - [#4268](https://github.com/bridgecrewio/checkov/pull/4268)\n\n### Bug Fix\n\n- **cloudformation:** fix CloudFormation checks related to number values - [#4243](https://github.com/bridgecrewio/checkov/pull/4243)\n- **general:** Add normalization to change the name of nuget to dotNet lang - [#4271](https://github.com/bridgecrewio/checkov/pull/4271)\n\n## [2.2.271](https://github.com/bridgecrewio/checkov/compare/2.2.264...2.2.271) - 2023-01-16\n\n### Feature\n\n- **dockerfile:** Add checks for PYTHONHTTPSVERIFY and NODE_TLS_REJECT_UNAUTHORIZED - [#4223](https://github.com/bridgecrewio/checkov/pull/4223)\n- **secrets:** Skip invalid secrets checks + soft/hard fails - [#4247](https://github.com/bridgecrewio/checkov/pull/4247)\n- **terraform:** Azure search service checks - [#4064](https://github.com/bridgecrewio/checkov/pull/4064)\n- **terraform:** GCP checks for definition of a firewall resource for a network - [#4188](https://github.com/bridgecrewio/checkov/pull/4188)\n\n### Bug Fix\n\n- **general:** Support encoding of function object - [#4259](https://github.com/bridgecrewio/checkov/pull/4259)\n- **kubernetes:** handle missing subjects in k8s cluster role binding - [#4262](https://github.com/bridgecrewio/checkov/pull/4262)\n- **kubernetes:** handle resources with incompatible selector - [#4257](https://github.com/bridgecrewio/checkov/pull/4257)\n- **secrets:** Change secret validation status message - [#4250](https://github.com/bridgecrewio/checkov/pull/4250)\n- **terraform:** default value for CKV_AZURE_5 - [#4237](https://github.com/bridgecrewio/checkov/pull/4237)\n- **terraform:** fix get_current_module_index for path that contain .tf in them - [#4261](https://github.com/bridgecrewio/checkov/pull/4261)\n\n## [2.2.264](https://github.com/bridgecrewio/checkov/compare/2.2.258...2.2.264) - 2023-01-15\n\n### Feature\n\n- **general:** fix circleci crash when cannot find image - [#4249](https://github.com/bridgecrewio/checkov/pull/4249)\n- **general:** fix circleci yaml-doc - [#4246](https://github.com/bridgecrewio/checkov/pull/4246)\n- **kubernetes:** set default k8s graph env vars to true - [#4225](https://github.com/bridgecrewio/checkov/pull/4225)\n- **terraform:** Add new checks for ensuring execution history logging and Xray for State Machine is enabled - [#4240](https://github.com/bridgecrewio/checkov/pull/4240)\n\n### Bug Fix\n\n- **cloudformation:** Fix edge-cases in checks - [#4251](https://github.com/bridgecrewio/checkov/pull/4251)\n- **kubernetes:** removed env vars from tests - [#4252](https://github.com/bridgecrewio/checkov/pull/4252)\n- **secrets:** Change secret validation status message - [#4238](https://github.com/bridgecrewio/checkov/pull/4238)\n- **secrets:** Revert \"fix(secrets): Change secret validation status message\" - [#4248](https://github.com/bridgecrewio/checkov/pull/4248)\n\n## [2.2.258](https://github.com/bridgecrewio/checkov/compare/2.2.257...2.2.258) - 2023-01-12\n\n### Feature\n\n- **terraform:** PC-Policy-Team - GCP PostgreSQL Instance Database Policies - [#4090](https://github.com/bridgecrewio/checkov/pull/4090)\n\n## [2.2.257](https://github.com/bridgecrewio/checkov/compare/2.2.254...2.2.257) - 2023-01-11\n\n### Bug Fix\n\n- **secrets:** Change verify secrets key to include relative path - [#4232](https://github.com/bridgecrewio/checkov/pull/4232)\n- **terraform:** improve cross-variable edges performance - [#4231](https://github.com/bridgecrewio/checkov/pull/4231)\n\n## [2.2.254](https://github.com/bridgecrewio/checkov/compare/2.2.252...2.2.254) - 2023-01-10\n\n### Feature\n\n- **general:** Add resource attributes to omit arg - [#4193](https://github.com/bridgecrewio/checkov/pull/4193)\n- **terraform:** enable cross variable edges - [#4224](https://github.com/bridgecrewio/checkov/pull/4224)\n\n### Bug Fix\n\n- **secrets:** add function to add the custom policies to the metadata integration not in the multiprocess - [#4221](https://github.com/bridgecrewio/checkov/pull/4221)\n\n## [2.2.252](https://github.com/bridgecrewio/checkov/compare/2.2.246...2.2.252) - 2023-01-09\n\n### Feature\n\n- **kubernetes:** support more types of k8s pod template containers - [#4208](https://github.com/bridgecrewio/checkov/pull/4208)\n- **secrets:** Add secret validation status to reduced report - [#4219](https://github.com/bridgecrewio/checkov/pull/4219)\n- **secrets:** fix unquoted secret value - [#4214](https://github.com/bridgecrewio/checkov/pull/4214)\n- **terraform_plan:** support multiple references in one resource - [#4206](https://github.com/bridgecrewio/checkov/pull/4206)\n\n### Bug Fix\n\n- **kubernetes:** allow filtering of custom with built-in Kubernetes check IDs - [#4204](https://github.com/bridgecrewio/checkov/pull/4204)\n- **secrets:** add long to see metadata_integration - [#4220](https://github.com/bridgecrewio/checkov/pull/4220)\n- **terraform_plan:** fix module resources ids - [#4211](https://github.com/bridgecrewio/checkov/pull/4211)\n\n## [2.2.246](https://github.com/bridgecrewio/checkov/compare/2.2.239...2.2.246) - 2023-01-08\n\n### Feature\n\n- **dockerfile:** Add checks for unsafe wget and pip usages - [#4202](https://github.com/bridgecrewio/checkov/pull/4202)\n- **secrets:** Implement lower entropy threshold on a line with keyword - [#4210](https://github.com/bridgecrewio/checkov/pull/4210)\n- **terraform:** add CKV2_AWS_51 to Ensure AWS Managed IAMFullAccess IAM policy is not used. - [#4174](https://github.com/bridgecrewio/checkov/pull/4174)\n- **terraform:** CDN and service bus checks for azure - [#4059](https://github.com/bridgecrewio/checkov/pull/4059)\n\n### Bug Fix\n\n- **secrets:** add logs - [#4215](https://github.com/bridgecrewio/checkov/pull/4215)\n- **secrets:** add logs to secrets - [#4213](https://github.com/bridgecrewio/checkov/pull/4213)\n- **secrets:** Disable verify secrets if skip_download is specified - [#4209](https://github.com/bridgecrewio/checkov/pull/4209)\n- **secrets:** fix relative file path in secrets saved to coordinator - [#4212](https://github.com/bridgecrewio/checkov/pull/4212)\n\n## [2.2.239](https://github.com/bridgecrewio/checkov/compare/2.2.238...2.2.239) - 2023-01-06\n\n### Bug Fix\n\n- **general:** fix incorrect billing message when frameworks are removed from --framework list - [#4201](https://github.com/bridgecrewio/checkov/pull/4201)\n\n## [2.2.238](https://github.com/bridgecrewio/checkov/compare/2.2.234...2.2.238) - 2023-01-05\n\n### Feature\n\n- **dockerfile:** Add check for unsafe curl usages - [#4186](https://github.com/bridgecrewio/checkov/pull/4186)\n- **general:** add logic to vcs scanning to prevent empty repo collabs failing check - [#4199](https://github.com/bridgecrewio/checkov/pull/4199)\n- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#4113](https://github.com/bridgecrewio/checkov/pull/4113)\n\n### Bug Fix\n\n- **general:** handle variable dependent values in policy - [#4200](https://github.com/bridgecrewio/checkov/pull/4200)\n- **secrets:** Fix api key condition in verify_secrets - [#4195](https://github.com/bridgecrewio/checkov/pull/4195)\n- **secrets:** Remove raw string modifier from re.compile - [#4197](https://github.com/bridgecrewio/checkov/pull/4197)\n\n## [2.2.234](https://github.com/bridgecrewio/checkov/compare/2.2.230...2.2.234) - 2023-01-04\n\n### Feature\n\n- **sca:** enable CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 env var - [#4192](https://github.com/bridgecrewio/checkov/pull/4192)\n- **secrets:** Call secrets verify API - [#4181](https://github.com/bridgecrewio/checkov/pull/4181)\n\n### Bug Fix\n\n- **general:** set newer jsonschema dependency bound- solves #2227 - [#4183](https://github.com/bridgecrewio/checkov/pull/4183)\n- **general:** Update exclude-patterns.txt - [#4187](https://github.com/bridgecrewio/checkov/pull/4187)\n\n### Documentation\n\n- **general:** fix links in contributing docs - [#4184](https://github.com/bridgecrewio/checkov/pull/4184)\n\n## [2.2.230](https://github.com/bridgecrewio/checkov/compare/2.2.229...2.2.230) - 2023-01-03\n\n### Feature\n\n- **general:** Skip check in json file - [#4172](https://github.com/bridgecrewio/checkov/pull/4172)\n\n## [2.2.229](https://github.com/bridgecrewio/checkov/compare/2.2.220...2.2.229) - 2023-01-01\n\n### Feature\n\n- **gha:** add support for gha existing graph - [#4175](https://github.com/bridgecrewio/checkov/pull/4175)\n- **secrets:** change secretsCoordinator to dict format - [#4169](https://github.com/bridgecrewio/checkov/pull/4169)\n- **terraform:** added aws_ssoadmin_managed_policy_attachment resource to CKV_AWS_274 - [#4173](https://github.com/bridgecrewio/checkov/pull/4173)\n\n### Bug Fix\n\n- **general:** add link to BaseGraphRegistry checks - [#4177](https://github.com/bridgecrewio/checkov/pull/4177)\n- **general:** change CODE_LINK_BASE from master to main - [#4178](https://github.com/bridgecrewio/checkov/pull/4178)\n- **kubernetes:** remove unneeded context check - [#4171](https://github.com/bridgecrewio/checkov/pull/4171)\n- **kustomize:** fixed kustomize abs_file_path - [#4159](https://github.com/bridgecrewio/checkov/pull/4159)\n- **terraform:** out of range error by checking if list is empty - [#4176](https://github.com/bridgecrewio/checkov/pull/4176)\n\n## [2.2.220](https://github.com/bridgecrewio/checkov/compare/2.2.217...2.2.220) - 2022-12-29\n\n### Feature\n\n- **sca:** remove report_results from checkov, as it is not used at all - [#4161](https://github.com/bridgecrewio/checkov/pull/4161)\n\n### Bug Fix\n\n- **general:** fix f-string log message - [#4170](https://github.com/bridgecrewio/checkov/pull/4170)\n\n### Documentation\n\n- **general:** fix reference link in Contributing docs page - [#4164](https://github.com/bridgecrewio/checkov/pull/4164)\n\n## [2.2.217](https://github.com/bridgecrewio/checkov/compare/2.2.212...2.2.217) - 2022-12-28\n\n### Feature\n\n- **general:** Make code blocks for json check results focused on the relevant part - [#4130](https://github.com/bridgecrewio/checkov/pull/4130)\n- **openapi:** Add v2 openAPI new checks - [#4112](https://github.com/bridgecrewio/checkov/pull/4112)\n- **terraform:** new azure storage checks - [#4021](https://github.com/bridgecrewio/checkov/pull/4021)\n\n### Bug Fix\n\n- **github:** Handle entity configurations of type list - [#4160](https://github.com/bridgecrewio/checkov/pull/4160)\n- **sca:** Fix extra space in output of dependencies - [#4162](https://github.com/bridgecrewio/checkov/pull/4162)\n\n## [2.2.212](https://github.com/bridgecrewio/checkov/compare/2.2.207...2.2.212) - 2022-12-27\n\n### Feature\n\n- **azure:** Add check - azure keyvalut public network access - [#4155](https://github.com/bridgecrewio/checkov/pull/4155)\n\n### Bug Fix\n\n- **terraform:** fix edge-case in CKV_AZURE_183 check - [#4154](https://github.com/bridgecrewio/checkov/pull/4154)\n- **terraform:** fix graph checks nested modules - [#4157](https://github.com/bridgecrewio/checkov/pull/4157)\n- **terraform:** fix or connection graph checks nested modules - [#4158](https://github.com/bridgecrewio/checkov/pull/4158)\n\n## [2.2.207](https://github.com/bridgecrewio/checkov/compare/2.2.201...2.2.207) - 2022-12-26\n\n### Feature\n\n- **kubernetes:** Support graph edges for nested (related) Pod resources. - [#4100](https://github.com/bridgecrewio/checkov/pull/4100)\n- **secrets:** Keep original secrets data in runtime for further validation - [#4144](https://github.com/bridgecrewio/checkov/pull/4144)\n- **secrets:** Keep original secrets data in runtime for further validation - [#4149](https://github.com/bridgecrewio/checkov/pull/4149)\n\n### Bug Fix\n\n- **general:** fix excluded paths for path with special characters - [#4152](https://github.com/bridgecrewio/checkov/pull/4152)\n- **terraform:** add test path to exclude-patterns - [#4150](https://github.com/bridgecrewio/checkov/pull/4150)\n- **terraform:** fix edge-case in CKV_AZURE_37 check - [#4153](https://github.com/bridgecrewio/checkov/pull/4153)\n- **terraform:** fix getting graph entity config in terraform runner - [#4146](https://github.com/bridgecrewio/checkov/pull/4146)\n- **terraform:** remove redundant nested definitions - [#4147](https://github.com/bridgecrewio/checkov/pull/4147)\n\n## [2.2.201](https://github.com/bridgecrewio/checkov/compare/2.2.199...2.2.201) - 2022-12-25\n\n### Bug Fix\n\n- **secrets:** add support to conditionQuery - [#4086](https://github.com/bridgecrewio/checkov/pull/4086)\n- **terraform:** fix edge-case in CKV_AZURE_183 check - [#4145](https://github.com/bridgecrewio/checkov/pull/4145)\n\n## [2.2.199](https://github.com/bridgecrewio/checkov/compare/2.2.191...2.2.199) - 2022-12-22\n\n### Feature\n\n- **gha:** support on directive in workflow files - [#4125](https://github.com/bridgecrewio/checkov/pull/4125)\n- **sca:** run old package scanning for IDE scan - [#4133](https://github.com/bridgecrewio/checkov/pull/4133)\n- **secrets:** expose maximum 6 characters of secret values - [#4140](https://github.com/bridgecrewio/checkov/pull/4140)\n\n### Bug Fix\n\n- **circleci:** add resource to ir - [#4135](https://github.com/bridgecrewio/checkov/pull/4135)\n- **general:** Reformat PR template - [#4139](https://github.com/bridgecrewio/checkov/pull/4139)\n- **kubernetes:** move Kubernetes context error message - [#4132](https://github.com/bridgecrewio/checkov/pull/4132)\n- **terraform:** add aws_transfer_server to CKV2_AWS_5 check - [#4137](https://github.com/bridgecrewio/checkov/pull/4137)\n- **terraform:** Add some more supported keys to bigquery public acl check ignore list to avoid false positive - [#3969](https://github.com/bridgecrewio/checkov/pull/3969)\n- **terraform:** fix azure network address invalid value - [#4131](https://github.com/bridgecrewio/checkov/pull/4131)\n\n## [2.2.191](https://github.com/bridgecrewio/checkov/compare/2.2.186...2.2.191) - 2022-12-21\n\n### Feature\n\n- **general:** add the stack trace to the error message when caught by main.py - [#4121](https://github.com/bridgecrewio/checkov/pull/4121)\n- **sca:** add GCP Terraform resources for Image Referencer - [#4094](https://github.com/bridgecrewio/checkov/pull/4094)\n- **sca:** protecting checkov with try/catch wrapping - [#4104](https://github.com/bridgecrewio/checkov/pull/4104)\n\n### Bug Fix\n\n- **kubernetes:** removed obsolete error logging - [#4126](https://github.com/bridgecrewio/checkov/pull/4126)\n- **terraform:** fix azure dns invalid ip - [#4128](https://github.com/bridgecrewio/checkov/pull/4128)\n\n## [2.2.186](https://github.com/bridgecrewio/checkov/compare/2.2.180...2.2.186) - 2022-12-20\n\n### Feature\n\n- **general:** move the jsonpath try/catch up a level to catch more errors - [#3911](https://github.com/bridgecrewio/checkov/pull/3911)\n- **sca:** returning exit code 2 in case of error for downloading twistcli - [#4105](https://github.com/bridgecrewio/checkov/pull/4105)\n\n### Bug Fix\n\n- **dockerfile:** adjust the file abs path for Dockerfile graph results - [#4118](https://github.com/bridgecrewio/checkov/pull/4118)\n- **openapi:** fix an open API CKV_OPENAPI_6 check - [#4109](https://github.com/bridgecrewio/checkov/pull/4109)\n- **sca:** fixing integration tests - [#4117](https://github.com/bridgecrewio/checkov/pull/4117)\n- **terraform_plan:** use abs path for repo_root_for_plan_enrichment - [#4115](https://github.com/bridgecrewio/checkov/pull/4115)\n- **terraform:** CKV2_AZURE_21 changed blob access type to private - [#3898](https://github.com/bridgecrewio/checkov/pull/3898)\n- **terraform:** fix support for getting module-referenced resources context - [#4110](https://github.com/bridgecrewio/checkov/pull/4110)\n\n### Platform\n\n- **terraform:** add previous get_tf_definition_key function - [#4114](https://github.com/bridgecrewio/checkov/pull/4114)\n\n## [2.2.180](https://github.com/bridgecrewio/checkov/compare/2.2.172...2.2.180) - 2022-12-19\n\n### Feature\n\n- **general:** Use --no-fail-on-crash to gracefully exit commit_repository and setup_bridgecrew_credentials - [#4099](https://github.com/bridgecrewio/checkov/pull/4099)\n- **terraform_plan:** add check details to TF plan scan results - [#4091](https://github.com/bridgecrewio/checkov/pull/4091)\n- **terraform:** new azurerm checks - App config - [#3988](https://github.com/bridgecrewio/checkov/pull/3988)\n- **terraform:** Omit values from graph checks - [#4076](https://github.com/bridgecrewio/checkov/pull/4076)\n\n### Bug Fix\n\n- **general:** change env var name for no-fail-on-crash flag - [#4107](https://github.com/bridgecrewio/checkov/pull/4107)\n- **github:** Fix GHA IR resource names in case of 2 identical images - [#4108](https://github.com/bridgecrewio/checkov/pull/4108)\n- **terraform:** azurerm storage defaults - fix for storage case #3516 - [#4083](https://github.com/bridgecrewio/checkov/pull/4083)\n- **terraform:** fix nested module resources ids in the report - [#4098](https://github.com/bridgecrewio/checkov/pull/4098)\n\n## [2.2.172](https://github.com/bridgecrewio/checkov/compare/2.2.168...2.2.172) - 2022-12-18\n\n### Feature\n\n- **general:** Add no-fail-on-crash flag - [#4097](https://github.com/bridgecrewio/checkov/pull/4097)\n- **gha:** add fix for gha graphs and UT - [#4084](https://github.com/bridgecrewio/checkov/pull/4084)\n- **kubernetes:** inject k8s FF flags to instance instead of constructor - [#4096](https://github.com/bridgecrewio/checkov/pull/4096)\n\n### Bug Fix\n\n- **terraform:** add a method for get the entity definition path from the entity itself - [#4095](https://github.com/bridgecrewio/checkov/pull/4095)\n- **terraform:** add address attribute to all scanned terraform blocks - [#4074](https://github.com/bridgecrewio/checkov/pull/4074)\n\n## [2.2.168](https://github.com/bridgecrewio/checkov/compare/2.2.158...2.2.168) - 2022-12-15\n\n### Feature\n\n- **kubernetes:** Add kubernetes YAML checks to checkov packaging - [#4073](https://github.com/bridgecrewio/checkov/pull/4073)\n- **kubernetes:** move whorf to dedicated repo - [#4062](https://github.com/bridgecrewio/checkov/pull/4062)\n- **terraform_plan:** add Image Referencer for Terraform plan files - [#4063](https://github.com/bridgecrewio/checkov/pull/4063)\n- **terraform:** add CKV NCP rules about AutoScalingGroup, Load Balancer - [#3821](https://github.com/bridgecrewio/checkov/pull/3821)\n- **terraform:** add CKV NCP rules about Nat Gateways and Route - [#3854](https://github.com/bridgecrewio/checkov/pull/3854)\n- **terraform:** combine tf plan and tf graphs for nested modules - [#4066](https://github.com/bridgecrewio/checkov/pull/4066)\n- **terraform:** More azurerm checks for terraform - [#3970](https://github.com/bridgecrewio/checkov/pull/3970)\n\n### Bug Fix\n\n- **openapi:** Fix in PathSchemeDefineHTTP opeAPI check - [#4079](https://github.com/bridgecrewio/checkov/pull/4079)\n- **terraform:** CKV_AZURE_43 add new test case - [#4082](https://github.com/bridgecrewio/checkov/pull/4082)\n\n## [2.2.158](https://github.com/bridgecrewio/checkov/compare/2.2.155...2.2.158) - 2022-12-14\n\n### Feature\n\n- **github:** more CIS checks- part3 - [#4057](https://github.com/bridgecrewio/checkov/pull/4057)\n- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#3962](https://github.com/bridgecrewio/checkov/pull/3962)\n\n### Bug Fix\n\n- **secrets:** fix secrets crash when secret is non string - [#4077](https://github.com/bridgecrewio/checkov/pull/4077)\n\n## [2.2.155](https://github.com/bridgecrewio/checkov/compare/2.2.148...2.2.155) - 2022-12-13\n\n### Feature\n\n- **github:** more CIS checks- part2 - [#4017](https://github.com/bridgecrewio/checkov/pull/4017)\n- **kubernetes:** added CKV2_K8S_EXAMPLE_1 only in tests as an example for k8s graph check for pod which is publicly accessible - [#4060](https://github.com/bridgecrewio/checkov/pull/4060)\n- **kubernetes:** added deployment name to pod resource id - [#4040](https://github.com/bridgecrewio/checkov/pull/4040)\n- **sca:** fix root packages fixed version - [#4070](https://github.com/bridgecrewio/checkov/pull/4070)\n\n### Bug Fix\n\n- **sca:** invoke packaging.Version instead of parse - [#4065](https://github.com/bridgecrewio/checkov/pull/4065)\n- **secrets:** fix error when secret is None - [#4071](https://github.com/bridgecrewio/checkov/pull/4071)\n- **terraform:** checkov fix as resource container_group modified - [#4061](https://github.com/bridgecrewio/checkov/pull/4061)\n- **terraform:** fixed unexpected data for IAMPublicActionsPolicy - [#4067](https://github.com/bridgecrewio/checkov/pull/4067)\n- **terraform:** fixed unexpected data for MonitorLogProfileRetentionDays - [#4068](https://github.com/bridgecrewio/checkov/pull/4068)\n\n### Platform\n\n- **general:** Apply licensing from platform - [#3961](https://github.com/bridgecrewio/checkov/pull/3961)\n\n## [2.2.148](https://github.com/bridgecrewio/checkov/compare/2.2.139...2.2.148) - 2022-12-12\n\n### Feature\n\n- **gha:** Add gha graph infra - [#4058](https://github.com/bridgecrewio/checkov/pull/4058)\n- **gha:** add infra for gha graphs - [#4052](https://github.com/bridgecrewio/checkov/pull/4052)\n- **sca:** fixed dependencies default value - [#4056](https://github.com/bridgecrewio/checkov/pull/4056)\n- **sca:** added indirect cves fix versions - [#4023](https://github.com/bridgecrewio/checkov/pull/4023)\n- **secrets:** Inject secrets omitter to runner registry - [#4054](https://github.com/bridgecrewio/checkov/pull/4054)\n- **terraform_plan:** support jsonpath queries in AWS IAM policy strings for Terraform plan - [#4033](https://github.com/bridgecrewio/checkov/pull/4033)\n- **terraform:** Extend secret attributes to omit mapping - [#4028](https://github.com/bridgecrewio/checkov/pull/4028)\n- **terraform:** tf plan combine graphs pass params - [#4051](https://github.com/bridgecrewio/checkov/pull/4051)\n\n### Bug Fix\n\n- **terraform:** add missing resource aws_route53_resolver_endpoint #3968 - [#3995](https://github.com/bridgecrewio/checkov/pull/3995)\n- **terraform:** fix getting local dest module path - [#4055](https://github.com/bridgecrewio/checkov/pull/4055)\n- **terraform:** Fix some errors in Dynamic Blocks rendering - [#4050](https://github.com/bridgecrewio/checkov/pull/4050)\n\n## [2.2.139](https://github.com/bridgecrewio/checkov/compare/2.2.130...2.2.139) - 2022-12-11\n\n### Feature\n\n- **graph:** Added `not_within` attribute solver for graph checks - [#4041](https://github.com/bridgecrewio/checkov/pull/4041)\n- **kubernetes:** Add CKV2_K8S_2 graph check for potential privilege escalation in `nodes/proxy` or `pods/exec` with `create` permissions - [#4034](https://github.com/bridgecrewio/checkov/pull/4034)\n- **kubernetes:** Add CKV2_K8S_3 no `impersonate` permissions for `ServiceAccount/Node` - [#4037](https://github.com/bridgecrewio/checkov/pull/4037)\n- **kubernetes:** Added CKV2_K8S_4 check to not allow modifying of services/status - [#4038](https://github.com/bridgecrewio/checkov/pull/4038)\n- **kubernetes:** Added CKV2_K8S_5 check that no service account or node can read all secrets - [#4042](https://github.com/bridgecrewio/checkov/pull/4042)\n- **secrets:** Accepting json reports from bucket in secrets_omitter - [#4039](https://github.com/bridgecrewio/checkov/pull/4039)\n- **terraform:** add CKV NCP rules about Route Table Association - [#3856](https://github.com/bridgecrewio/checkov/pull/3856)\n\n### Bug Fix\n\n- **kubernetes:** Corrected list format for yaml files in new k8s graph check tests - [#4035](https://github.com/bridgecrewio/checkov/pull/4035)\n- **secrets:** custom secret add support for value str and not only list - [#4024](https://github.com/bridgecrewio/checkov/pull/4024)\n- **terraform:** Fix in dot separator in the dynamic argument - [#4036](https://github.com/bridgecrewio/checkov/pull/4036)\n\n## [2.2.130](https://github.com/bridgecrewio/checkov/compare/2.2.124...2.2.130) - 2022-12-08\n\n### Feature\n\n- **general:** Apply policy-level suppressions as skipped checks - [#4020](https://github.com/bridgecrewio/checkov/pull/4020)\n- **github:** Add 3 CIS checks: 1.1.3, 1.1.8, 1.1.10 - [#4003](https://github.com/bridgecrewio/checkov/pull/4003)\n- **kubernetes:** Added CKV2_K8S_1 to ensure RoleBinding do not allow privilege escalation to a ServiceAccount/Node - [#4004](https://github.com/bridgecrewio/checkov/pull/4004)\n- **secrets:** Omit secrets from reports based on secrets reports - [#3991](https://github.com/bridgecrewio/checkov/pull/3991)\n- **secrets:** Omit secrets from reports based on secrets reports - [#4015](https://github.com/bridgecrewio/checkov/pull/4015)\n\n### Bug Fix\n\n- **github:** remove secrets from schema example - [#4019](https://github.com/bridgecrewio/checkov/pull/4019)\n- **terraform:** fix resource block address - [#4018](https://github.com/bridgecrewio/checkov/pull/4018)\n\n## [2.2.124](https://github.com/bridgecrewio/checkov/compare/2.2.116...2.2.124) - 2022-12-07\n\n### Feature\n\n- **sca:** change sca packages output to include dependencies structure - [#3957](https://github.com/bridgecrewio/checkov/pull/3957)\n- **secrets:** Adding check length for secret - [#3985](https://github.com/bridgecrewio/checkov/pull/3985)\n- **terraform:** nested modules support in graph - [#3935](https://github.com/bridgecrewio/checkov/pull/3935)\n\n### Bug Fix\n\n- **circleci:** fix executors in resource_id - [#4008](https://github.com/bridgecrewio/checkov/pull/4008)\n- **secrets:** Bump detect secrets version - [#3997](https://github.com/bridgecrewio/checkov/pull/3997)\n- **terraform:** Fix an issue in dynamic blocks - [#4006](https://github.com/bridgecrewio/checkov/pull/4006)\n- **terraform:** fix CKV_AWS_283 check - [#4005](https://github.com/bridgecrewio/checkov/pull/4005)\n- **terraform:** Fix CKV_AZURE_168 check - [#4000](https://github.com/bridgecrewio/checkov/pull/4000)\n- **terraform:** Fix some issues in dynamic blocks flow - [#4002](https://github.com/bridgecrewio/checkov/pull/4002)\n- **terraform:** Fix TF checks crashes - [#3992](https://github.com/bridgecrewio/checkov/pull/3992)\n\n## [2.2.116](https://github.com/bridgecrewio/checkov/compare/2.2.114...2.2.116) - 2022-12-06\n\n### Feature\n\n- **general:** Report failed attempts at reporting contributor metrics - [#3984](https://github.com/bridgecrewio/checkov/pull/3984)\n- **kubernetes:** create simple resources id for pods; allow enabling k8s graph features using env vars - [#3975](https://github.com/bridgecrewio/checkov/pull/3975)\n- **terraform:** check for insecure protocols - [#3958](https://github.com/bridgecrewio/checkov/pull/3958)\n- **terraform:** Check resource-based policies for public access - [#3989](https://github.com/bridgecrewio/checkov/pull/3989)\n- **terraform:** Dynamic Blocks support for loop in for_each attribute - [#3982](https://github.com/bridgecrewio/checkov/pull/3982)\n- **terraform:** new aks checks for Azure - [#3951](https://github.com/bridgecrewio/checkov/pull/3951)\n\n### Bug Fix\n\n- **dockerfile:** fix Dockerfile inline skip handling - [#3976](https://github.com/bridgecrewio/checkov/pull/3976)\n- **secrets:** fix_Record_code_block_secrets - [#3987](https://github.com/bridgecrewio/checkov/pull/3987)\n- **terraform:** azurerm kusto cluster encryption - wrong attribute tested for - [#3972](https://github.com/bridgecrewio/checkov/pull/3972)\n\n## [2.2.114](https://github.com/bridgecrewio/checkov/compare/2.2.112...2.2.114) - 2022-12-04\n\n### Feature\n\n- **terraform:** add CKV NCP rules about ncloud access control group rule - [#3860](https://github.com/bridgecrewio/checkov/pull/3860)\n\n### Bug Fix\n\n- **secrets:** fix Issue with 'NoneType' error in the custom detectors load_detectors - [#3973](https://github.com/bridgecrewio/checkov/pull/3973)\n\n### Platform\n\n- **terraform:** remove redundant exc_info for module without source - [#3974](https://github.com/bridgecrewio/checkov/pull/3974)\n\n## [2.2.112](https://github.com/bridgecrewio/checkov/compare/2.2.106...2.2.112) - 2022-12-01\n\n### Feature\n\n- **dockerfile:** add graph to Dockerfile - [#3948](https://github.com/bridgecrewio/checkov/pull/3948)\n- **terraform:** add CKV NCP rules about access control group Inbound rule. - [#3859](https://github.com/bridgecrewio/checkov/pull/3859)\n- **terraform:** Implement relative file path standard for tf plan file runs - [#3918](https://github.com/bridgecrewio/checkov/pull/3918)\n\n### Bug Fix\n\n- **general:** fix doc links on windows - [#3959](https://github.com/bridgecrewio/checkov/pull/3959)\n- **secrets:** Fix omitting of secrets that are json encoded - [#3964](https://github.com/bridgecrewio/checkov/pull/3964)\n- **terraform_plan:** Fix k8s checks edgecases for terraform plan - [#3966](https://github.com/bridgecrewio/checkov/pull/3966)\n- **terraform:** OCI Security Group Control Problem - [#3933](https://github.com/bridgecrewio/checkov/pull/3933)\n\n### Platform\n\n- **secrets:** remove the use of enable_secret_scan_all_files for custom secrets - [#3954](https://github.com/bridgecrewio/checkov/pull/3954)\n\n### Documentation\n\n- **terraform:** update Terraform modules docs - [#3965](https://github.com/bridgecrewio/checkov/pull/3965)\n\n## [2.2.106](https://github.com/bridgecrewio/checkov/compare/2.2.105...2.2.106) - 2022-11-30\n\n- no noteworthy changes\n\n## [2.2.105](https://github.com/bridgecrewio/checkov/compare/2.2.99...2.2.105) - 2022-11-29\n\n### Feature\n\n- **terraform:** add CKV NCP rules about Load Balancer Listener Using HTTPS - [#3858](https://github.com/bridgecrewio/checkov/pull/3858)\n- **terraform:** add CKV NCP rules about server instance and public IP - [#3857](https://github.com/bridgecrewio/checkov/pull/3857)\n- **terraform:** azurerm ACR check for retention policy - [#3927](https://github.com/bridgecrewio/checkov/pull/3927)\n\n## [2.2.99](https://github.com/bridgecrewio/checkov/compare/2.2.96...2.2.99) - 2022-11-27\n\n### Feature\n\n- **github:** add CIS checks part 1. Most of the 1.1.x - [#3937](https://github.com/bridgecrewio/checkov/pull/3937)\n- **terraform:** Azure ACR Enable Image Quarantine - [#3925](https://github.com/bridgecrewio/checkov/pull/3925)\n- **terraform:** Azure use signed image in ACR - [#3923](https://github.com/bridgecrewio/checkov/pull/3923)\n\n### Bug Fix\n\n- **bicep:** ignore unresolvable properties for Bicep storage account checks - [#3946](https://github.com/bridgecrewio/checkov/pull/3946)\n- **gha:** added test for step with no step name - [#3945](https://github.com/bridgecrewio/checkov/pull/3945)\n\n## [2.2.96](https://github.com/bridgecrewio/checkov/compare/2.2.95...2.2.96) - 2022-11-26\n\n- no noteworthy changes\n\n## [2.2.95](https://github.com/bridgecrewio/checkov/compare/2.2.86...2.2.95) - 2022-11-24\n\n### Feature\n\n- **circleci:** add check for detecting images without check resource - [#3930](https://github.com/bridgecrewio/checkov/pull/3930)\n- **terraform:** ACR container scanning - [#3922](https://github.com/bridgecrewio/checkov/pull/3922)\n- **terraform:** add CKV NCP check about NKS(kubernetes) logging - [#3855](https://github.com/bridgecrewio/checkov/pull/3855)\n- **terraform:** Adding yaml based build time policies for corresponding PC run time policies - [#3900](https://github.com/bridgecrewio/checkov/pull/3900)\n\n### Bug Fix\n\n- **general:** update checks_metadata structure - [#3929](https://github.com/bridgecrewio/checkov/pull/3929)\n- **gha:** and circleci resource names - [#3914](https://github.com/bridgecrewio/checkov/pull/3914)\n- **kubernetes:** Handle invalid helm chart meta - [#3939](https://github.com/bridgecrewio/checkov/pull/3939)\n- **sca:** fix related resource id for helm and kustomize - [#3931](https://github.com/bridgecrewio/checkov/pull/3931)\n- **terraform:** better check names to avoid confusion - addresses #3912 - [#3921](https://github.com/bridgecrewio/checkov/pull/3921)\n- **terraform:** CKV_AZURE_144 passes on defaults - [#3938](https://github.com/bridgecrewio/checkov/pull/3938)\n- **terraform:** Removed duplicate check CKV_AZURE_60 - [#3928](https://github.com/bridgecrewio/checkov/pull/3928)\n\n### Platform\n\n- **secrets:** Support custom detectors from the platform - [#3926](https://github.com/bridgecrewio/checkov/pull/3926)\n\n## [2.2.86](https://github.com/bridgecrewio/checkov/compare/2.2.84...2.2.86) - 2022-11-23\n\n### Feature\n\n- **terraform:** add CKV_AWS_282 to ensure that Redshift Serverless namespace is encrypted by KMS - [#3915](https://github.com/bridgecrewio/checkov/pull/3915)\n\n### Bug Fix\n\n- **terraform:** Remove cross variables edges duplications - [#3920](https://github.com/bridgecrewio/checkov/pull/3920)\n\n## [2.2.84](https://github.com/bridgecrewio/checkov/compare/2.2.80...2.2.84) - 2022-11-22\n\n### Feature\n\n- **general:** sign and push checkov image to GitHub registry - [#3906](https://github.com/bridgecrewio/checkov/pull/3906)\n- **secrets:** Add Terraform multiline secrets handling - [#3907](https://github.com/bridgecrewio/checkov/pull/3907)\n- **terraform:** ensure snapshots use encryption - [#3899](https://github.com/bridgecrewio/checkov/pull/3899)\n- **terraform:** support cross-modules edges - [#3909](https://github.com/bridgecrewio/checkov/pull/3909)\n\n## [2.2.80](https://github.com/bridgecrewio/checkov/compare/2.2.78...2.2.80) - 2022-11-21\n\n### Feature\n\n- **terraform:** add nested module address attribute - [#3904](https://github.com/bridgecrewio/checkov/pull/3904)\n\n## [2.2.78](https://github.com/bridgecrewio/checkov/compare/2.2.75...2.2.78) - 2022-11-20\n\n### Feature\n\n- **general:** add output format cyclonedx_json - [#3902](https://github.com/bridgecrewio/checkov/pull/3902)\n- **general:** add source to contributor metrics report - [#3905](https://github.com/bridgecrewio/checkov/pull/3905)\n\n### Bug Fix\n\n- **terraform:** Fix an edge case in AbsRDSParameter check - [#3903](https://github.com/bridgecrewio/checkov/pull/3903)\n\n## [2.2.75](https://github.com/bridgecrewio/checkov/compare/2.2.72...2.2.75) - 2022-11-17\n\n### Feature\n\n- **github:** add output-file-path flag to checkov-action - [#3897](https://github.com/bridgecrewio/checkov/pull/3897)\n\n### Bug Fix\n\n- **terraform:** Dynamic blocks - added support for lookup null/true/false values - [#3893](https://github.com/bridgecrewio/checkov/pull/3893)\n\n### Platform\n\n- **sca:** added dependency tree format - [#3892](https://github.com/bridgecrewio/checkov/pull/3892)\n\n## [2.2.72](https://github.com/bridgecrewio/checkov/compare/2.2.65...2.2.72) - 2022-11-16\n\n### Feature\n\n- **terraform:** add CKV NCP rules about NKSPublicAccess - [#3822](https://github.com/bridgecrewio/checkov/pull/3822)\n- **terraform:** Censor secrets from tfplan graph - [#3894](https://github.com/bridgecrewio/checkov/pull/3894)\n- **terraform:** create cross-variable edges between resources from the same module - [#3881](https://github.com/bridgecrewio/checkov/pull/3881)\n\n### Bug Fix\n\n- **general:** remove filter value validation - [#3896](https://github.com/bridgecrewio/checkov/pull/3896)\n- **terraform:** Fix dynamic blocks nested module - [#3890](https://github.com/bridgecrewio/checkov/pull/3890)\n- **terraform:** handle empty enabled_cluster_log_types list - [#3891](https://github.com/bridgecrewio/checkov/pull/3891)\n\n### Platform\n\n- **sca:** add scaCliScanId parameter - [#3789](https://github.com/bridgecrewio/checkov/pull/3789)\n\n## [2.2.65](https://github.com/bridgecrewio/checkov/compare/2.2.58...2.2.65) - 2022-11-15\n\n### Feature\n\n- **terraform:** test checks for any port access - [#3882](https://github.com/bridgecrewio/checkov/pull/3882)\n\n### Bug Fix\n\n- **terraform:** Fixing some broke flow in dynamic blocks rendering - [#3879](https://github.com/bridgecrewio/checkov/pull/3879)\n- **terraform:** Not adding dynamic blocks attributes to attributes - [#3872](https://github.com/bridgecrewio/checkov/pull/3872)\n\n### Platform\n\n- **general:** Support s3 client config for govcloud - [#3880](https://github.com/bridgecrewio/checkov/pull/3880)\n- **sca:** Add repoId to GET request - [#3876](https://github.com/bridgecrewio/checkov/pull/3876)\n- **sca:** Fix bom report - [#3867](https://github.com/bridgecrewio/checkov/pull/3867)\n- **sca:** Poll sca scan results using Polling API - [#3841](https://github.com/bridgecrewio/checkov/pull/3841)\n- **sca:** remove src from repo path - [#3884](https://github.com/bridgecrewio/checkov/pull/3884)\n\n## [2.2.58](https://github.com/bridgecrewio/checkov/compare/2.2.50...2.2.58) - 2022-11-14\n\n### Feature\n\n- **general:** number of words larger/less than or equal operators - [#3827](https://github.com/bridgecrewio/checkov/pull/3827)\n- **general:** remove env var for running contributor metrics report and add logs - [#3873](https://github.com/bridgecrewio/checkov/pull/3873)\n- **terraform:** add CKV NCP rules about Load Balancer Exposed to Internet - [#3819](https://github.com/bridgecrewio/checkov/pull/3819)\n- **terraform:** Mask secret values in Terraform plan file reports by resource - [#3868](https://github.com/bridgecrewio/checkov/pull/3868)\n- **terraform:** Support dynamic blocks with nested attributes - [#3869](https://github.com/bridgecrewio/checkov/pull/3869)\n\n### Bug Fix\n\n- **general:** Fixed operator name for number_of_words_derivaties - [#3875](https://github.com/bridgecrewio/checkov/pull/3875)\n- **terraform:** Fix dynamic attributes override each other - [#3866](https://github.com/bridgecrewio/checkov/pull/3866)\n\n## [2.2.50](https://github.com/bridgecrewio/checkov/compare/2.2.44...2.2.50) - 2022-11-13\n\n### Feature\n\n- **general:** add reporting contributor metrics - [#3823](https://github.com/bridgecrewio/checkov/pull/3823)\n- **terraform:** add CKV NCP rules about access key hard coding - [#3820](https://github.com/bridgecrewio/checkov/pull/3820)\n- **terraform:** NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - [#3862](https://github.com/bridgecrewio/checkov/pull/3862)\n\n### Bug Fix\n\n- **kubernetes:** handle empty spec object in k8s templates - [#3865](https://github.com/bridgecrewio/checkov/pull/3865)\n- **openapi:** fixed error in invalid openapi template - [#3863](https://github.com/bridgecrewio/checkov/pull/3863)\n- **terraform:** app_service Upgrade tests and add web app resources - [#3838](https://github.com/bridgecrewio/checkov/pull/3838)\n- **terraform:** Handled nested unrendered vars - [#3853](https://github.com/bridgecrewio/checkov/pull/3853)\n\n## [2.2.44](https://github.com/bridgecrewio/checkov/compare/2.2.43...2.2.44) - 2022-11-11\n\n### Bug Fix\n\n- **terraform:** fix an issue with dynamics replacing a whole block - [#3846](https://github.com/bridgecrewio/checkov/pull/3846)\n\n## [2.2.43](https://github.com/bridgecrewio/checkov/compare/2.2.38...2.2.43) - 2022-11-10\n\n### Feature\n\n- **terraform:** Wrap render dynamic blocks flow with try except - [#3837](https://github.com/bridgecrewio/checkov/pull/3837)\n\n### Bug Fix\n\n- **bicep:** make ARM AKS checks compatible with Bicep - [#3836](https://github.com/bridgecrewio/checkov/pull/3836)\n- **cloudformation:** only parse valid tag key-pairs in CloudFormation - [#3835](https://github.com/bridgecrewio/checkov/pull/3835)\n- **general:** Clear details before next check run to avoid duplications in output - [#3711](https://github.com/bridgecrewio/checkov/pull/3711)\n\n## [2.2.38](https://github.com/bridgecrewio/checkov/compare/2.2.35...2.2.38) - 2022-11-09\n\n### Feature\n\n- **secrets:** add abstract multiline parser + implement multiline json parser - [#3799](https://github.com/bridgecrewio/checkov/pull/3799)\n- **terraform:** Support for nested dynamic modules - [#3813](https://github.com/bridgecrewio/checkov/pull/3813)\n\n### Bug Fix\n\n- **kubernetes:** fixed unexpected list object - [#3833](https://github.com/bridgecrewio/checkov/pull/3833)\n\n## [2.2.35](https://github.com/bridgecrewio/checkov/compare/2.2.31...2.2.35) - 2022-11-08\n\n### Feature\n\n- **general:** Added Number of Words operator - [#3801](https://github.com/bridgecrewio/checkov/pull/3801)\n- **terraform:** add CKV NCP rules about LBTargetGroupUsingHTTPS - [#3797](https://github.com/bridgecrewio/checkov/pull/3797)\n- **terraform:** add CKV NCP rules about NASEncrytionEnabled - [#3796](https://github.com/bridgecrewio/checkov/pull/3796)\n- **terraform:** Add Env Var for rendering Dynamic Blocks - [#3816](https://github.com/bridgecrewio/checkov/pull/3816)\n- **terraform:** Dynamic blocks breadcrumbs support - [#3814](https://github.com/bridgecrewio/checkov/pull/3814)\n- **terraform:** PC Policy Team Yaml Policies Check-in - [#3785](https://github.com/bridgecrewio/checkov/pull/3785)\n- **terraform:** PC-Policy-Team: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports - [#3786](https://github.com/bridgecrewio/checkov/pull/3786)\n\n### Platform\n\n- **sca:** Run package scan using API - [#3812](https://github.com/bridgecrewio/checkov/pull/3812)\n\n## [2.2.31](https://github.com/bridgecrewio/checkov/compare/2.2.22...2.2.31) - 2022-11-07\n\n### Feature\n\n- **azure:** Add get resource names for azure_pipelines - [#3798](https://github.com/bridgecrewio/checkov/pull/3798)\n- **github:** add graph to GitHub Actions - [#3672](https://github.com/bridgecrewio/checkov/pull/3672)\n- **terraform:** add CKV NCP rules about LBListenerUsesSecureProtocols - [#3782](https://github.com/bridgecrewio/checkov/pull/3782)\n- **terraform:** Dynamic Modules Support map type - [#3800](https://github.com/bridgecrewio/checkov/pull/3800)\n- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (1/4) - [#3691](https://github.com/bridgecrewio/checkov/pull/3691)\n- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (2/4) - [#3702](https://github.com/bridgecrewio/checkov/pull/3702)\n- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (3/4) - [#3703](https://github.com/bridgecrewio/checkov/pull/3703)\n- **terraform:** include pods of kubernetes_deployment in kubernetes_pod checks (4/4) - [#3738](https://github.com/bridgecrewio/checkov/pull/3738)\n\n### Bug Fix\n\n- **arm:** CKV_AZURE_9 & CKV_AZURE_10 - Scan fails if protocol value is a wildcard - [#3750](https://github.com/bridgecrewio/checkov/pull/3750)\n- **azure:** Remove redundant file path from resource name in azure pipelines - [#3818](https://github.com/bridgecrewio/checkov/pull/3818)\n- **secrets:** fix slow secrets scan in yaml files - [#3803](https://github.com/bridgecrewio/checkov/pull/3803)\n- **secrets:** fixed path of secrets tests to exclude - [#3817](https://github.com/bridgecrewio/checkov/pull/3817)\n- **terraform:** fix gke resource name not string - [#3811](https://github.com/bridgecrewio/checkov/pull/3811)\n\n### Platform\n\n- **general:** rationalize policy metadata error handling behavior - [#3795](https://github.com/bridgecrewio/checkov/pull/3795)\n- **sca:** add new sca package scan - [#3802](https://github.com/bridgecrewio/checkov/pull/3802)\n- **sca:** Extract checkov check links - [#3790](https://github.com/bridgecrewio/checkov/pull/3790)\n\n## [2.2.22](https://github.com/bridgecrewio/checkov/compare/2.2.21...2.2.22) - 2022-11-06\n\n### Feature\n\n- **kubernetes:** Create keyword and network policy edge builders - [#3763](https://github.com/bridgecrewio/checkov/pull/3763)\n\n## [2.2.21](https://github.com/bridgecrewio/checkov/compare/2.2.17...2.2.21) - 2022-11-03\n\n### Feature\n\n- **general:** add range_includes and inverted operator - [#3752](https://github.com/bridgecrewio/checkov/pull/3752)\n- **secrets:** Add multiline detection to entropy keyword combinator - [#3788](https://github.com/bridgecrewio/checkov/pull/3788)\n\n### Bug Fix\n\n- **terraform:** render list entries via modules correctly - [#3781](https://github.com/bridgecrewio/checkov/pull/3781)\n\n## [2.2.17](https://github.com/bridgecrewio/checkov/compare/2.2.15...2.2.17) - 2022-11-02\n\n### Feature\n\n- **terraform:** Add CKV_AWS_276 to ensure that API Gateway Method Settings data_trace_enabled is not set to True - [#3761](https://github.com/bridgecrewio/checkov/pull/3761)\n\n### Bug Fix\n\n- **terraform:** Fix `related_resource_id` for ImageReferencer in `external_module` - [#3780](https://github.com/bridgecrewio/checkov/pull/3780)\n\n### Documentation\n\n- **general:** Fix typo in docs - [#3694](https://github.com/bridgecrewio/checkov/pull/3694)\n\n## [2.2.15](https://github.com/bridgecrewio/checkov/compare/2.2.8...2.2.15) - 2022-10-31\n\n### Feature\n\n- **github:** split repo and org webhooks to separate files - [#3764](https://github.com/bridgecrewio/checkov/pull/3764)\n- **gitlab:** Adding image detection check to gitlab ci - [#3774](https://github.com/bridgecrewio/checkov/pull/3774)\n- **openapi:** pre-validate OpenAPI JSON files - [#3760](https://github.com/bridgecrewio/checkov/pull/3760)\n\n### Bug Fix\n\n- **azure:** Support .yaml extension - [#3767](https://github.com/bridgecrewio/checkov/pull/3767)\n- **github:** print the result again in GHA - [#3751](https://github.com/bridgecrewio/checkov/pull/3751)\n- **terraform:** reduce parsing time for large TF plan files - [#3757](https://github.com/bridgecrewio/checkov/pull/3757)\n\n## [2.2.8](https://github.com/bridgecrewio/checkov/compare/2.2.5...2.2.8) - 2022-10-30\n\n### Feature\n\n- **terraform:** add CKV2_AWS_40 to Ensure AWS IAM policy does not allow full IAM privileges - [#3712](https://github.com/bridgecrewio/checkov/pull/3712)\n\n### Platform\n\n- **general:** Get resources from platform and filter taggable resources for policies - [#3621](https://github.com/bridgecrewio/checkov/pull/3621)\n\n## [2.2.5](https://github.com/bridgecrewio/checkov/compare/2.2.0...2.2.5) - 2022-10-27\n\n### Feature\n\n- **graph:** add support for modules in graph checks - [#3635](https://github.com/bridgecrewio/checkov/pull/3635)\n- **terraform:** add CKV NCP rules about Network ACL. - [#3668](https://github.com/bridgecrewio/checkov/pull/3668)\n- **terraform:** TF Dynamic Blocks support - `for_each` lists type - [#3737](https://github.com/bridgecrewio/checkov/pull/3737)\n\n### Bug Fix\n\n- **terraform:** fix a TF plan issue with CKV_AWS_274 - [#3747](https://github.com/bridgecrewio/checkov/pull/3747)\n- **terraform:** fix false positive for write ACL yaml check - [#3745](https://github.com/bridgecrewio/checkov/pull/3745)\n\n### Documentation\n\n- **general:** Update Jenkins page to use Checkov image - [#3725](https://github.com/bridgecrewio/checkov/pull/3725)\n\n## [2.2.0](https://github.com/bridgecrewio/checkov/compare/2.1.294...2.2.0) - 2022-10-26\n\n### Breaking Change\n\n- **github:** Change github_failed_only output suffix to .md - [#3595](https://github.com/bridgecrewio/checkov/pull/3595)\n- **terraform:** adjust the check result return for dependant variables to unknown in Python based checks - [#3743](https://github.com/bridgecrewio/checkov/pull/3743)\n- **terraform:** return UNKNOWN for unrendered values in graph checks - [#3689](https://github.com/bridgecrewio/checkov/pull/3689)\n\n### Feature\n\n- **terraform:** add CKV NCP rule about block storage encryption. - [#3628](https://github.com/bridgecrewio/checkov/pull/3628)\n- **terraform:** add CKV NCP rule about vpc volume encryption. - [#3629](https://github.com/bridgecrewio/checkov/pull/3629)\n- **terraform:** add CKV NCP rules about Network ACL. - [#3630](https://github.com/bridgecrewio/checkov/pull/3630)\n- **terraform:** Create checks for aws managed admin policy - [#3741](https://github.com/bridgecrewio/checkov/pull/3741)\n\n### Bug Fix\n\n- **terraform:** local_authentication_disabled - cosmodb check to look at SQL Api only CKV_AZURE_140 - [#3648](https://github.com/bridgecrewio/checkov/pull/3648)\n\n## [2.1.294](https://github.com/bridgecrewio/checkov/compare/2.1.290...2.1.294) - 2022-10-25\n\n### Feature\n\n- **kubernetes:** Create label selector edge builder - [#3715](https://github.com/bridgecrewio/checkov/pull/3715)\n- **terraform:** add CKV NCP rules about access control group Inbound rule. - [#3627](https://github.com/bridgecrewio/checkov/pull/3627)\n- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (5/5) - [#3657](https://github.com/bridgecrewio/checkov/pull/3657)\n\n### Bug Fix\n\n- **general:** skip scanning VCS configuration if only files are passed in - [#3729](https://github.com/bridgecrewio/checkov/pull/3729)\n\n## [2.1.290](https://github.com/bridgecrewio/checkov/compare/2.1.288...2.1.290) - 2022-10-24\n\n### Feature\n\n- **circleci:** CircleCI Image Reference using Mixin class - [#3707](https://github.com/bridgecrewio/checkov/pull/3707)\n\n### Bug Fix\n\n- **kubernetes:** fix in CPURequests check - [#3727](https://github.com/bridgecrewio/checkov/pull/3727)\n\n## [2.1.288](https://github.com/bridgecrewio/checkov/compare/2.1.286...2.1.288) - 2022-10-24\n\n### Bug Fix\n\n- **github:** fix GITHUB_OUTPUT and GITHUB_ENV issues of checkov-action - [#3726](https://github.com/bridgecrewio/checkov/pull/3726)\n- **gitlab:** Modify gitlab ci resource id - [#3706](https://github.com/bridgecrewio/checkov/pull/3706)\n\n## [2.1.286](https://github.com/bridgecrewio/checkov/compare/2.1.282...2.1.286) - 2022-10-23\n\n### Feature\n\n- **graph:** equals/not_equals_ignore_case operators (solvers) - [#3698](https://github.com/bridgecrewio/checkov/pull/3698)\n\n### Bug Fix\n\n- **github:** Fix GHA off value error resulting in checkov hanging - [#3713](https://github.com/bridgecrewio/checkov/pull/3713)\n- **gitlab:** vcs gitlab groups retrieval - [#3716](https://github.com/bridgecrewio/checkov/pull/3716)\n- **kubernetes:** fix in ServiceAccountTokens check - [#3717](https://github.com/bridgecrewio/checkov/pull/3717)\n- **terraform:** Add debug logs to yaml parsing logic - [#3718](https://github.com/bridgecrewio/checkov/pull/3718)\n\n## [2.1.282](https://github.com/bridgecrewio/checkov/compare/2.1.277...2.1.282) - 2022-10-20\n\n### Bug Fix\n\n- **general:** Custom Policies integration must run before Suppresion integration - [#3701](https://github.com/bridgecrewio/checkov/pull/3701)\n- **terraform:** Add or condition for TLS 1.3 policy, supporting CKV_AWS_103 - [#3700](https://github.com/bridgecrewio/checkov/pull/3700)\n- **terraform:** Fix TF AbsGoogleComputeFirewallUnrestrictedIngress check - [#3704](https://github.com/bridgecrewio/checkov/pull/3704)\n\n## [2.1.277](https://github.com/bridgecrewio/checkov/compare/2.1.273...2.1.277) - 2022-10-19\n\n### Feature\n\n- **terraform:** add CKV NCP rules about access control group outbound rule. - [#3624](https://github.com/bridgecrewio/checkov/pull/3624)\n- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (2/5) - [#3654](https://github.com/bridgecrewio/checkov/pull/3654)\n- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (3/5) - [#3655](https://github.com/bridgecrewio/checkov/pull/3655)\n- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (4/5) - [#3656](https://github.com/bridgecrewio/checkov/pull/3656)\n\n### Bug Fix\n\n- **cloudformation:** Fix ALBListenerTLS12 check - [#3697](https://github.com/bridgecrewio/checkov/pull/3697)\n- **helm:** undo file_abs_path manipulation for helm files - [#3692](https://github.com/bridgecrewio/checkov/pull/3692)\n- **kubernetes:** Couple of fixes in Checks - [#3686](https://github.com/bridgecrewio/checkov/pull/3686)\n- **terraform:** Fix CloudArmorWAFACLCVE202144228 check - [#3696](https://github.com/bridgecrewio/checkov/pull/3696)\n\n## [2.1.273](https://github.com/bridgecrewio/checkov/compare/2.1.270...2.1.273) - 2022-10-18\n\n### Feature\n\n- **kustomize:** stop kustomize run, if there is nothing to process - [#3681](https://github.com/bridgecrewio/checkov/pull/3681)\n- **sca:** Enable multiple image referencer framework results in the same scan - [#3652](https://github.com/bridgecrewio/checkov/pull/3652)\n- **terraform:** add versioned kubernetes resources to terraform kubernetes checks (1/5) - [#3653](https://github.com/bridgecrewio/checkov/pull/3653)\n\n### Documentation\n\n- **general:** Fix broken links - [#3685](https://github.com/bridgecrewio/checkov/pull/3685)\n\n## [2.1.270](https://github.com/bridgecrewio/checkov/compare/2.1.269...2.1.270) - 2022-10-13\n\n### Bug Fix\n\n- **terraform:** Outdated check for google_container_cluster binary authorization - [#3612](https://github.com/bridgecrewio/checkov/pull/3612)\n\n## [2.1.269](https://github.com/bridgecrewio/checkov/compare/2.1.266...2.1.269) - 2022-10-12\n\n### Feature\n\n- **terraform:** Added new Terraform-AWS python IAMUserNotUsedForAccess(CKV_AWS_273) policy - [#3574](https://github.com/bridgecrewio/checkov/pull/3574)\n\n### Bug Fix\n\n- **argo:** only scan Argo Workflows files - [#3644](https://github.com/bridgecrewio/checkov/pull/3644)\n- **kubernetes:** minor fix for getting entity type from template - [#3645](https://github.com/bridgecrewio/checkov/pull/3645)\n- **kustomize:** add --client=true to kubectl version command, to prevent checkov waiting for timeout if cluster is unreachable - [#3641](https://github.com/bridgecrewio/checkov/pull/3641)\n- **terraform:** update CKV_AWS_213 to also cover AWS predefined security policies - [#3615](https://github.com/bridgecrewio/checkov/pull/3615)\n\n## [2.1.266](https://github.com/bridgecrewio/checkov/compare/2.1.258...2.1.266) - 2022-10-11\n\n### Feature\n\n- **general:** add Azure Pipelines framework - [#3579](https://github.com/bridgecrewio/checkov/pull/3579)\n\n### Bug Fix\n\n- **dockerfile:** handle quoted absolute path in CKV_DOCKER_10 - [#3626](https://github.com/bridgecrewio/checkov/pull/3626)\n- **kubernetes:** handled missing field secretKeyRef in template - [#3639](https://github.com/bridgecrewio/checkov/pull/3639)\n- **kubernetes:** handled missing key in k8s templates - [#3640](https://github.com/bridgecrewio/checkov/pull/3640)\n- **terraform:** extend CKV2_AWS_15 to support aws_lb_target_group - [#3617](https://github.com/bridgecrewio/checkov/pull/3617)\n- **terraform:** handle unexpected value for enabled_cloudwatch_logs_exports - [#3638](https://github.com/bridgecrewio/checkov/pull/3638)\n\n## [2.1.258](https://github.com/bridgecrewio/checkov/compare/2.1.255...2.1.258) - 2022-10-06\n\n### Feature\n\n- **dockerfile:** add Image Referencer for Dockerfile - [#3571](https://github.com/bridgecrewio/checkov/pull/3571)\n\n### Bug Fix\n\n- **cloudformation:** Fixed unexpected null properties for LaunchConfigurationEBSEncryption - [#3620](https://github.com/bridgecrewio/checkov/pull/3620)\n\n## [2.1.255](https://github.com/bridgecrewio/checkov/compare/2.1.254...2.1.255) - 2022-10-04\n\n### Feature\n\n- **general:** allow file destination mapping via output-file-path flag - [#3593](https://github.com/bridgecrewio/checkov/pull/3593)\n\n## [2.1.254](https://github.com/bridgecrewio/checkov/compare/2.1.247...2.1.254) - 2022-10-03\n\n### Feature\n\n- **github:** GHA Image Referencer using IR Mixin class - [#3583](https://github.com/bridgecrewio/checkov/pull/3583)\n- **graph:** add support for guideline field to custom graph checks - [#3600](https://github.com/bridgecrewio/checkov/pull/3600)\n- **sca:** Add root path references to shorten file paths in Image Referencer results - [#3609](https://github.com/bridgecrewio/checkov/pull/3609)\n- **sca:** support Image referencer in CLI - [#3601](https://github.com/bridgecrewio/checkov/pull/3601)\n\n### Bug Fix\n\n- **github:** bug fixes in CKV_GITHUB_6, CKV_GITHUB_7, CKV_GITHUB_9 - [#3605](https://github.com/bridgecrewio/checkov/pull/3605)\n- **github:** Fix resource id and file path for GHA IR - [#3610](https://github.com/bridgecrewio/checkov/pull/3610)\n- **terraform:** extend check for google cloud functions 2nd generation - [#3607](https://github.com/bridgecrewio/checkov/pull/3607)\n- **terraform:** fix port is bool ingress rule - [#3606](https://github.com/bridgecrewio/checkov/pull/3606)\n\n## [2.1.247](https://github.com/bridgecrewio/checkov/compare/2.1.242...2.1.247) - 2022-10-02\n\n### Feature\n\n- **general:** added cli argument for extra resources in report - [#3588](https://github.com/bridgecrewio/checkov/pull/3588)\n- **serverless:** added extra resources for serverless and dockerfile - [#3576](https://github.com/bridgecrewio/checkov/pull/3576)\n- **terraform:** add CKV_NCP_1 about lb target group health check, CKV_NCP_2 about access control group description - [#3569](https://github.com/bridgecrewio/checkov/pull/3569)\n\n### Bug Fix\n\n- **cloudformation:** fix lc ebs encryption - [#3598](https://github.com/bridgecrewio/checkov/pull/3598)\n- **github:** changed the schema to accept no description for org - [#3589](https://github.com/bridgecrewio/checkov/pull/3589)\n- **secrets:** Skip secrets from files encoded with special codecs - [#3597](https://github.com/bridgecrewio/checkov/pull/3597)\n\n## [2.1.242](https://github.com/bridgecrewio/checkov/compare/2.1.236...2.1.242) - 2022-09-29\n\n### Breaking Change\n\n- **general:** switch from black-list to block-list - [#3581](https://github.com/bridgecrewio/checkov/pull/3581)\n\n### Feature\n\n- **kubernetes:** added resources mappings for roles objects - [#3582](https://github.com/bridgecrewio/checkov/pull/3582)\n\n### Bug Fix\n\n- **github:** fix variables initialization - [#3585](https://github.com/bridgecrewio/checkov/pull/3585)\n- **kubernetes:** Handle templates without name for PeerClientCertAuthTrue check - [#3577](https://github.com/bridgecrewio/checkov/pull/3577)\n- **openapi:** fix openapi schema bug - [#3587](https://github.com/bridgecrewio/checkov/pull/3587)\n- **sca:** fix CycloneDX output for Docker images - [#3586](https://github.com/bridgecrewio/checkov/pull/3586)\n- **secrets:** change entropy limit in Combinator plugin - [#3575](https://github.com/bridgecrewio/checkov/pull/3575)\n- **terraform:** fix external modules ids in graph report - [#3584](https://github.com/bridgecrewio/checkov/pull/3584)\n- **terraform:** Handle malformed database_flags for GCP DB checks - [#3578](https://github.com/bridgecrewio/checkov/pull/3578)\n\n## [2.1.236](https://github.com/bridgecrewio/checkov/compare/2.1.229...2.1.236) - 2022-09-28\n\n### Feature\n\n- **general:** Add enforcement rules to entrypoint.sh - [#3573](https://github.com/bridgecrewio/checkov/pull/3573)\n- **openapi:** add CKV_OPENAPI_7 to ensure http is not used in path definition - [#3547](https://github.com/bridgecrewio/checkov/pull/3547)\n- **sca:** add Image Referencer for Kubernetes, Helm and Kustomize - [#3505](https://github.com/bridgecrewio/checkov/pull/3505)\n- **terraform:** add CKV_AWS_272 to validate Lambda function code-signing - [#3556](https://github.com/bridgecrewio/checkov/pull/3556)\n- **terraform:** add new gcp postgresql checks - [#3532](https://github.com/bridgecrewio/checkov/pull/3532)\n- **terraform:** allow resources without values in TF plan - [#3563](https://github.com/bridgecrewio/checkov/pull/3563)\n\n## [2.1.229](https://github.com/bridgecrewio/checkov/compare/2.1.228...2.1.229) - 2022-09-27\n\n### Bug Fix\n\n- **kubernetes:** [CKV_K8S_68] Remove unnecessary condition check from ApiServerAnonymousAuth.py - [#3543](https://github.com/bridgecrewio/checkov/pull/3543)\n\n## [2.1.228](https://github.com/bridgecrewio/checkov/compare/2.1.227...2.1.228) - 2022-09-26\n\n### Bug Fix\n\n- **general:** use current branch name instead of master for the checkov-action - [#3568](https://github.com/bridgecrewio/checkov/pull/3568)\n\n## [2.1.227](https://github.com/bridgecrewio/checkov/compare/2.1.226...2.1.227) - 2022-09-23\n\n### Documentation\n\n- **general:** Multi skip docs - [#3561](https://github.com/bridgecrewio/checkov/pull/3561)\n\n## [2.1.226](https://github.com/bridgecrewio/checkov/compare/2.1.223...2.1.226) - 2022-09-22\n\n### Feature\n\n- **gitlab:** GitlabCI ImageReferencer - [#3544](https://github.com/bridgecrewio/checkov/pull/3544)\n\n### Bug Fix\n\n- **secrets:** Bump bc-detect-secrets - [#3555](https://github.com/bridgecrewio/checkov/pull/3555)\n- **terraform:** fix check CKV2_AZURE_8 - [#3554](https://github.com/bridgecrewio/checkov/pull/3554)\n\n### Documentation\n\n- **general:** Fix TOC rendering issue on checkov.io - [#3551](https://github.com/bridgecrewio/checkov/pull/3551)\n\n## [2.1.223](https://github.com/bridgecrewio/checkov/compare/2.1.219...2.1.223) - 2022-09-21\n\n### Feature\n\n- **general:** Improve ComplexSolver run time - [#3548](https://github.com/bridgecrewio/checkov/pull/3548)\n- **kubernetes:** create complex k8s vertices - [#3549](https://github.com/bridgecrewio/checkov/pull/3549)\n\n### Bug Fix\n\n- **general:** only add `helpUri` to SARIF if it is non-empty - [#3542](https://github.com/bridgecrewio/checkov/pull/3542)\n- **kubernetes:** [CKV_K8S_140] Update ApiServerTlsCertAndKey.py to check RHS values - [#3506](https://github.com/bridgecrewio/checkov/pull/3506)\n- **kubernetes:** [CKV_K8S_90] Remove unnecessary condition check from ApiServerProfiling.py - [#3541](https://github.com/bridgecrewio/checkov/pull/3541)\n\n## [2.1.219](https://github.com/bridgecrewio/checkov/compare/2.1.214...2.1.219) - 2022-09-20\n\n### Feature\n\n- **cloudformation:** add CKV_AWS_197 for CFN - [#3536](https://github.com/bridgecrewio/checkov/pull/3536)\n- **sca:** Split `PRESENT_CACHED_RESULTS` env var to 2 feature flag like vars - [#3518](https://github.com/bridgecrewio/checkov/pull/3518)\n\n### Bug Fix\n\n- **general:** handle fixes for cloned OOTB policies - [#3535](https://github.com/bridgecrewio/checkov/pull/3535)\n- **helm:** fix helm signal abort handler - [#3539](https://github.com/bridgecrewio/checkov/pull/3539)\n- **terraform:** APIGatewayAuthorization check missing authorization - [#3545](https://github.com/bridgecrewio/checkov/pull/3545)\n- **terraform:** fix tfvars rendering - [#3533](https://github.com/bridgecrewio/checkov/pull/3533)\n\n## [2.1.214](https://github.com/bridgecrewio/checkov/compare/2.1.212...2.1.214) - 2022-09-19\n\n### Feature\n\n- **general:** leverage SARIF helpUri for guideline and SCA link - [#3492](https://github.com/bridgecrewio/checkov/pull/3492)\n- **github:** Improving GHA schema validation - [#3513](https://github.com/bridgecrewio/checkov/pull/3513)\n- **kubernetes:** added base class K8SEdgeBuilder - [#3530](https://github.com/bridgecrewio/checkov/pull/3530)\n- **terraform:** GCP Cloud functions should not be public - [#3477](https://github.com/bridgecrewio/checkov/pull/3477)\n\n### Bug Fix\n\n- **github:** add missing schema files to distribution package - [#3537](https://github.com/bridgecrewio/checkov/pull/3537)\n- **sca:** changes on cve suppressions to match package and image scan - [#3502](https://github.com/bridgecrewio/checkov/pull/3502)\n- **sca:** send exception log when exceeded retries - [#3534](https://github.com/bridgecrewio/checkov/pull/3534)\n- **terraform:** make test case insensitive for CKV_ALI_35,CKV_ALI_36,CKV_ALI_37 - [#3507](https://github.com/bridgecrewio/checkov/pull/3507)\n- **terraform:** do not evaluate OCI policy statements - [#3411](https://github.com/bridgecrewio/checkov/pull/3411)\n\n## [2.1.212](https://github.com/bridgecrewio/checkov/compare/2.1.210...2.1.212) - 2022-09-18\n\n### Bug Fix\n\n- **helm:** helm add timeout to dependencies command - [#3525](https://github.com/bridgecrewio/checkov/pull/3525)\n- **helm:** Helm fix logs - [#3524](https://github.com/bridgecrewio/checkov/pull/3524)\n\n## [2.1.210](https://github.com/bridgecrewio/checkov/compare/2.1.207...2.1.210) - 2022-09-15\n\n### Feature\n\n- **sca:** add Image Referencer for CloudFormation - [#3501](https://github.com/bridgecrewio/checkov/pull/3501)\n\n### Bug Fix\n\n- **helm:** add try catch to helm cmd run - [#3508](https://github.com/bridgecrewio/checkov/pull/3508)\n\n### Platform\n\n- **general:** upload run metadata to S3 - [#3461](https://github.com/bridgecrewio/checkov/pull/3461)\n\n## [2.1.207](https://github.com/bridgecrewio/checkov/compare/2.1.205...2.1.207) - 2022-09-14\n\n### Feature\n\n- **general:** fix format of cli command reference table - [#3504](https://github.com/bridgecrewio/checkov/pull/3504)\n\n### Bug Fix\n\n- **sca:** skip old CVE suppressions (without 'accountIds') - [#3503](https://github.com/bridgecrewio/checkov/pull/3503)\n\n## [2.1.205](https://github.com/bridgecrewio/checkov/compare/2.1.204...2.1.205) - 2022-09-13\n\n### Feature\n\n- **general:** add flag for summary position - [#3497](https://github.com/bridgecrewio/checkov/pull/3497)\n\n## [2.1.204](https://github.com/bridgecrewio/checkov/compare/2.1.201...2.1.204) - 2022-09-12\n\n### Feature\n\n- **sca:** licenses suppressions by type - [#3491](https://github.com/bridgecrewio/checkov/pull/3491)\n\n### Bug Fix\n\n- **arm:** unexpected data type in ACRAnonymousPullDisabled - [#3496](https://github.com/bridgecrewio/checkov/pull/3496)\n- **general:** remove duplicated reports - [#3495](https://github.com/bridgecrewio/checkov/pull/3495)\n\n## [2.1.201](https://github.com/bridgecrewio/checkov/compare/2.1.196...2.1.201) - 2022-09-08\n\n### Feature\n\n- **general:** `intersects/not_intersects` operators (solvers) - [#3482](https://github.com/bridgecrewio/checkov/pull/3482)\n\n### Bug Fix\n\n- **gha:** Gracefully handle bad GHA job definitions - [#3489](https://github.com/bridgecrewio/checkov/pull/3489)\n- **sca:** do not skip the scan if BC_LIC is used with --check - [#3488](https://github.com/bridgecrewio/checkov/pull/3488)\n\n## [2.1.196](https://github.com/bridgecrewio/checkov/compare/2.1.193...2.1.196) - 2022-09-07\n\n### Bug Fix\n\n- **kubernetes:** Validate k8s spec type - [#3483](https://github.com/bridgecrewio/checkov/pull/3483)\n- **terraform:** removed duplicate check CKV_ALI_34 - [#3467](https://github.com/bridgecrewio/checkov/pull/3467)\n\n## [2.1.193](https://github.com/bridgecrewio/checkov/compare/2.1.188...2.1.193) - 2022-09-06\n\n### Bug Fix\n\n- **cloudformation:** fix bug in cfn parser - [#3473](https://github.com/bridgecrewio/checkov/pull/3473)\n\n### Platform\n\n- **sca:** Add images data to image_cached_results for ImageReferencer scan - [#3468](https://github.com/bridgecrewio/checkov/pull/3468)\n- **secrets:** modify checkov secrets scanner to scan all files based on ff - [#3474](https://github.com/bridgecrewio/checkov/pull/3474)\n\n## [2.1.188](https://github.com/bridgecrewio/checkov/compare/2.1.184...2.1.188) - 2022-09-05\n\n## Feature\n\n- **cloudformation:** json parser support triple quote string - [#3463](https://github.com/bridgecrewio/checkov/pull/3463)\n\n## Bug Fix\n\n- **terraform:** gcp postgresql default values - [#3457](https://github.com/bridgecrewio/checkov/pull/3457)\n\n## [2.1.184](https://github.com/bridgecrewio/checkov/compare/2.1.182...2.1.184) - 2022-09-04\n\n## Platform\n\n- **general:** trim API urls - [#3460](https://github.com/bridgecrewio/checkov/pull/3460)\n\n## Documentation\n\n- **general:** adjust example for custom check with guideline - [#3459](https://github.com/bridgecrewio/checkov/pull/3459)\n\n## [2.1.182](https://github.com/bridgecrewio/checkov/compare/2.1.179...2.1.182) - 2022-09-02\n\n## Feature\n\n- **sca:** Added fix details to junitxml - [#3456](https://github.com/bridgecrewio/checkov/pull/3456)\n- **terraform:** Added 5 python (CKV_AWS_267-271) and 2 yaml (CKV2_AWS_38-39) policies. - [#3438](https://github.com/bridgecrewio/checkov/pull/3438)\n\n## [2.1.179](https://github.com/bridgecrewio/checkov/compare/2.1.176...2.1.179) - 2022-09-01\n\n## Bug Fix\n\n- **graph:** cache jsonpath attributes parser results - [#3451](https://github.com/bridgecrewio/checkov/pull/3451)\n\n## Platform\n\n- **general:** revert dropping checks metadata for empty reports - [#3453](https://github.com/bridgecrewio/checkov/pull/3453)\n"
},
{
"path": "CNAME",
"content": "checkov.io"
},
{
"path": "CODE_OF_CONDUCT.md",
"content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and maintainers pledge to making participation in our project and\nour community a harassment-free experience for everyone, regardless of age, body\nsize, disability, ethnicity, sex characteristics, gender identity and expression,\nlevel of experience, education, socio-economic status, nationality, personal\nappearance, race, religion, or sexual identity and orientation.\n\n## Our Standards\n\nExamples of behavior that contributes to creating a positive environment\ninclude:\n\n* Using welcoming and inclusive language\n* Being respectful of differing viewpoints and experiences\n* Gracefully accepting constructive criticism\n* Focusing on what is best for the community\n* Showing empathy towards other community members\n\nExamples of unacceptable behavior by participants include:\n\n* The use of sexualized language or imagery and unwelcome sexual attention or\n advances\n* Trolling, insulting/derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or electronic\n address, without explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n professional setting\n\n## Our Responsibilities\n\nProject maintainers are responsible for clarifying the standards of acceptable\nbehavior and are expected to take appropriate and fair corrective action in\nresponse to any instances of unacceptable behavior.\n\nProject maintainers have the right and responsibility to remove, edit, or\nreject comments, commits, code, wiki edits, issues, and other contributions\nthat are not aligned to this Code of Conduct, or to ban temporarily or\npermanently any contributor for other behaviors that they deem inappropriate,\nthreatening, offensive, or harmful.\n\n## Scope\n\nThis Code of Conduct applies both within project spaces and in public spaces\nwhen an individual is representing the project or its community. Examples of\nrepresenting a project or community include using an official project e-mail\naddress, posting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event. Representation of a project may be\nfurther defined and clarified by project maintainers.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported by contacting the project team on our community slack. All\ncomplaints will be reviewed and investigated and will result in a response that\nis deemed necessary and appropriate to the circumstances. The project team is\nobligated to maintain confidentiality with regard to the reporter of an incident.\nFurther details of specific enforcement policies may be posted separately.\n\nProject maintainers who do not follow or enforce the Code of Conduct in good\nfaith may face temporary or permanent repercussions as determined by other\nmembers of the project's leadership.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,\navailable at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html\n\n[homepage]: https://www.contributor-covenant.org\n\nFor answers to common questions about this code of conduct, see\nhttps://www.contributor-covenant.org/faq\n"
},
{
"path": "CONTRIBUTING.md",
"content": "# Contributing\n\nThe developer guide is for anyone wanting to contribute directly to the Checkov project. \n\nIf you've already developed new checks we'd be happy to take a look at them and merge them as part of the [fast-lane](https://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3Afast-lane). \n\n\n\n## Open an issue\n\nCheckov is an open source project maintained by \n[Prisma Cloud by Palo Alto Networks](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov). \nOur team of maintainers continuously works on developing new features and enhancing existing features. If you encounter \na bug or have a suggestion, please start by opening an Issue. When reporting, provide a detailed description with examples \nto help us understand the context and specifics. Please note that while we review every issue, non-critical or \nnon-blocking issues may be prioritized based on their popularity or frequency. We appreciate your contributions and \nengagement in helping us improve Checkov.\n\n## Developing and contributing code\n\nDedicated Prisma Cloud maintainers are actively developing new content and adding more features. We would be delighted to \nchat and look at your code. Here are a few guidelines we follow. Hopefully, these will ensure your contribution could \nquickly be added to the project. \n\n### Work locally\n\nMost Checkov users run their own local instances of Checkov and either run it manually or routinely using Jenkins or \nCircleCI. As Checkov is a non-intrusive library we recommend developing against a local repository and ensuring you are \nable to add your contributions successfully on your local fork/repo. \n\nIf you are developing against remote libraries or repositories - that's great! We'd love to hear how you're doing with it.\nIn the meantime, before you open a PR, deploy and test your contributions locally.\n\n### Keep your fork in sync\n\nCheckov is usually updated on a weekly basis. Syncing your fork weekly ensures you are working on an updated version that will not break your PR. \n\n### Rationalize your commits\n\nTry to work on structured and well-defined contributions. If you are building a new feature try to build a unified \nfeature block that can be easily reviewed and tested.\n\nIf you are fixing or patching changing existing code break changes into logical blocks which individually make sense \nand in aggregate solve a broader issue. \n\n### Test where it matters\n\n1. Unit: Unit tests, including check tests, are stored in checkov/tests/. \n2. E2E: End-to-end tests will help us establish if the feature is in high readiness. They are not required for simple \nor straight forward features but will help us in evaluating the PR.\n\n#### Tests for new checks\n\nWhen you add a new check, please write a test for it. While there are many different ways that tests have been written in the past, we have standardized on [this](https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/resource/aws/test_IAMAdminPolicyDocument.py) format. The key points are:\n\n* The test defines templates as strings (in this case, in separate files, but hardcoding a string is also acceptable) and parses them using the runner. The configuration should NOT be hard-coded as an object, as in [this](https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/resource/aws/test_ALBListenerHTTPS.py) example. The reason is that parsers sometimes produce unexpected object structures, so it is quite common that hardcoding the object allows the test to pass but causes the check to be incorrect in practice.\n* The test explicitly lists which resources should pass and which should fail. Merely checking the count of passes and failures is not enough. While rare, in the past this has resulted in tests that pass but checks that are incorrect in practice.\n\n#### Running tests\n\nContinuous integration will run these tests either as pre-submits on PRs and post-submits against master branch. \nResults will appear under [actions](https://github.com/bridgecrewio/checkov/actions).\n\nTo run tests locally use the following commands (install dev dependencies, run tests and compute tests coverage):\nIf you are using conda, create a new environment with Python 3.10.14 version:\n```sh\nconda create -n python310 python=3.10.17\nconda activate python310\n```\nThen, we need pipenv installation and run the tests and coverage modules \n```sh\npip install pipenv\npipenv install --dev\npipenv run python -m coverage run -m pytest tests\n```\n\n### Build package locally\nChange the version number on the file with your version : `/checkov/version.py`\nTo build package locally run the following on `` root folder:\n\n```sh\npipenv run python setup.py sdist bdist_wheel\n```\n- This will create a `*.whl` package under a new folder named `dist`\n\nTo install package from local directory, update the release version value and run the installation:\n```sh\nRELEASE_VERSION='xxx'\npip install dist/checkov-${RELEASE_VERSION}-py3-none-any.whl\n```\n\n### Test the package\nFirst verify you have the right version installed:\n```sh\ncheckov --version\n```\nThen, optionally, you can run on a terraform file/directory with your success and failure test scenarios.\n\n### Setting up the pre-commit hooks\n\nAfter setting up your Python environment simply run \n```shell\npre-commit install\n```\n\nTo check the code base against the pre-commit hooks just run\n```shell\npre-commit run -a\n```\n\n### Using regex\n\nUse re.compile for all regex in order to scan them in flake8.\n\n### Documentation is awesome\n\nContributing to the documentation is not mandatory but it will ensure people are aware of your important contribution. \nThe best way to add documentation is by including suggestions to the [docs](https://github.com/bridgecrewio/checkov/tree/main/docs) \nlibrary as part of your PR. If you'd rather send us a short blurb on slack that's also fine.\n\n## Creating a pull-request\n\nIf a trivial fix such as a broken link, typo or grammar mistake, review the entire document for other potential mistakes. \nTry not to open multiple PRs for small fixes in the same document.\nReference any issues related to your PR, or issues that PR may solve.\nComment on your own PR where you believe something may need further explanation.\nNo need to assign explicit reviewers. We have maintainers reviewing contributions on a daily basis\nIf your PR is considered a \"Work in progress\" prefix the name with [WIP] or use the /hold command. This will prevent \nthe PR from being merged till the [WIP] or hold is lifted.\nIf your PR isn't getting enough attention, don't hesitate to ping one of the maintainers on Slack to find additional reviewers.\n\n## Fast-lane for new checks\n\nIf you would like to contribute a new check, please label your issue or PR with a `fast-lane` label. This ensures your \ninputs are seen and reviewed quickly and get distributed back to the entire community.\n"
},
{
"path": "Dockerfile",
"content": "FROM python:3.11-slim\n\nENV RUN_IN_DOCKER=True\n\nRUN set -eux; \\\n apt-get update; \\\n apt-get -y upgrade; \\\n apt-get install -y --no-install-recommends \\\n ca-certificates \\\n git \\\n curl \\\n openssh-client \\\n ; \\\n \\\n pip install setuptools==78.1.1 urllib3==2.2.2; \\\n curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; \\\n chmod 700 get_helm.sh; \\\n VERIFY_CHECKSUM=true ./get_helm.sh; \\\n rm ./get_helm.sh; \\\n \\\n curl -sSLo get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \\\n chmod 700 get_kustomize.sh; \\\n ./get_kustomize.sh; mv /kustomize /usr/bin/kustomize; \\\n rm ./get_kustomize.sh; \\\n \\\n apt-get remove -y curl; \\\n apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \\\n rm -rf /var/lib/apt/lists/*\n\nRUN pip install --no-cache-dir -U checkov\n\nCOPY ./github_action_resources/entrypoint.sh /entrypoint.sh\nCOPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json\nCOPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json\n\n# Code file to execute when the docker container starts up (`entrypoint.sh`)\nENTRYPOINT [\"/entrypoint.sh\"]\n"
},
{
"path": "INTHEWILD.md",
"content": "# Who uses checkov?\n\nAs the checkov community grows, we'd like to keep track of who is using the OSS tool. \nPlease send a PR with your company name and @githubhandle.\n\n## Currently, officially using Checkov:\n\n1. [Nationwide Building Society](https://www.nationwide.co.uk/) [[@njgibbon](https://github.com/njgibbon)]\n1. [globaldatanet](https://globaldatanet.com/) [[@gruebel](https://github.com/gruebel)]\n1. [Steamhaus](https://www.steamhaus.co.uk/) [[@bilco105](https://github.com/bilco105)]\n1. [Jim Smith](https://www.linkedin.com/in/mr-j-smith/) [[@jimsmith](https://github.com/jimsmith)]\n1. [Chaser Systems](https://chasersystems.com/) [[@new23d](https://github.com/new23d)]\n1. [Palo Alto Networks](https://www.paloaltonetworks.com/) [[@jameswoolfenden](https://github.com/JamesWoolfenden)]\n1. [Appvia](https://www.appvia.io/) [[@abdelhegazi](https://github.com/abdelhegazi)]\n1. [Square](https://squareup.com/) [[@ac-square](https://github.com/ac-square), [@santoshankr](https://github.com/santoshankr)]\n1. [Madhu Akula](https://madhuakula.com/) [[@madhuakula](https://github.com/madhuakula)]\n1. [Royal Vopak N.V.](https://vopak.com/) [[@xmariopereira](https://github.com/xmariopereira)]\n1. [Punk Security (UK)](https://punksecurity.co.uk/) [[@punksecurity](https://github.com/punk-security)]\n"
},
{
"path": "LICENSE",
"content": " Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright 2019 Palo Alto Networks\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n"
},
{
"path": "Pipfile",
"content": "[[source]]\nname = \"pypi\"\nurl = \"https://pypi.org/simple\"\nverify_ssl = true\n\n[dev-packages]\npytest = \"<8.0.0\"\npytest-xdist = \"*\"\npytest-asyncio = \"*\"\npytest-cov = \"*\"\npytest-mock = \"*\"\npytest-benchmark = \"*\"\nexceptiongroup = {version = \"*\", markers=\"python_version < '3.11'\"}\ncoverage =\"==7.6.1\"\ncoverage-badge = \"*\"\nbandit = \"*\"\nurllib3-mock = \"*\"\njsonschema = \"*\"\nimportlib-resources = \">=1.3\"\nresponses = \"*\"\naioresponses = \"*\"\ntypes-cachetools = \">=5.2.0,<6.0.0\"\ntypes-jmespath = \">=1.0.0,<2.0.0\"\ntypes-jsonschema = \">=4.17.0,<5.0.0\"\ntypes-pyyaml = \">=6.0.0,<7.0.0\"\ntypes-requests = \">=2.28.0,<3.0.0\"\ntypes-tabulate = \">=0.9.0,<0.10.0\"\ntypes-tqdm = \">=4.65.0,<5.0.0\"\ntypes-urllib3 = \"*\"\npre-commit = \"*\"\nflake8 = \"*\"\ndlint = \"*\"\nmypy = \"*\"\nflake8-bugbear = \"*\"\nparameterized = \"*\"\ntime-machine = \"*\"\nboto3-stubs-lite = {extras = [\"s3\"], version = \"*\"}\ntypes-colorama = \"<0.5.0,>=0.4.3\"\ntomli = \"*\"\nsetuptools = \"==78.1.1\"\niniconfig = \"*\"\n\n[packages]\nbc-jsonpath-ng = \"==1.6.1\"\npycep-parser = \"==0.5.1\"\ntabulate = \">=0.9.0,<0.10.0\"\ncolorama = \">=0.4.3,<0.5.0\"\ntermcolor=\">=1.1.0,<2.4.0\"\njunit-xml = \">=1.9,<2.0\"\ndpath = \"==2.1.3\"\npyyaml = \">=6.0.0,<7.0.0\"\nboto3 = \"==1.35.49\"\ngitpython = \">=3.1.30,<4.0.0\"\njmespath = \">=1.0.0,<2.0.0\"\ntqdm = \">=4.65.0,<5.0.0\"\npackaging = \">=23.0,<24.0\"\ncloudsplaining = \">=0.7.0,<0.8.0\"\nnetworkx = \"<2.7\"\ndockerfile-parse =\">=2.0.0,<3.0.0\"\ndocker = \">=6.0.1,<8.0.0\"\nconfigargparse = \">=1.5.3,<2.0.0\"\nargcomplete = \">=3.0.0,<4.0.0\"\ntyping-extensions = \">=4.5.0,<5.0.0\"\nimportlib-metadata = \">=6.0.0,<8.0.0\"\ncachetools = \">=5.2.0,<6.0.0\"\ncyclonedx-python-lib = \">=6.0.0,<8.0.0\"\npackageurl-python = \">=0.11.1,<0.14.0\"\nclick = \">=8.1.0,<9.0.0\"\naiohttp = \">=3.8.0,<4.0.0\"\naiodns = \">=3.0.0,<4.0.0\"\naiomultiprocess = \">=0.9.0,<0.10.0\"\nschema = \"<=0.7.5\"\njsonschema = \">=4.17.0,<5.0.0\"\nprettytable = \">=3.6.0,<4.0.0\"\ncharset-normalizer = \">=3.1.0,<4.0.0\"\npyston-autoload = {version = \"==2.3.5\", markers=\"python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'\", index=\"pypi\"}\npyston = {version = \"==2.3.5\", markers=\"python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'\", index=\"pypi\"}\nrequests = \">=2.28.0,<3.0.0\"\nyarl = \">=1.9.1,<2.0.0\"\nspdx-tools = \">=0.8.0,<0.9.0\"\nlicense-expression = \">=30.1.0,<31.0.0\"\nrustworkx = \">=0.13.0,<1.0.0\"\npydantic = \">=2.0.0,<3.0.0\"\nasteval = \"==1.0.6\"\nbc-detect-secrets = \"==1.5.47\"\nurllib3 = \">=1.26.20\"\nbc-python-hcl2 = \"==0.4.3\"\n\n[requires]\npython_version = \"3.9\"\n"
},
{
"path": "README.md",
"content": "[](#)\n \n[](https://prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)\n[](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Abuild)\n[](https://github.com/bridgecrewio/checkov/actions?query=event%3Apush+branch%3Amaster+workflow%3Asecurity)\n[](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Acoverage)\n[](https://www.checkov.io/1.Welcome/What%20is%20Checkov.html?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)\n[](https://pypi.org/project/checkov/)\n[](#)\n[](#)\n[](https://pepy.tech/project/checkov)\n[](https://hub.docker.com/r/bridgecrew/checkov)\n[](https://codifiedsecurity.slack.com/)\n\n\n**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.\n\nIt scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.\n\nIt performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).\n \nCheckov also powers [**Prisma Cloud Application Security**](https://www.prismacloud.io/prisma/cloud/cloud-code-security/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov), the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Prisma Cloud identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files. \n\n\n ![](\"https://dabuttonfactory.com/button.png?t=Try+Prisma+Cloud&f=Open+Sans-Bold&ts=26&tc=fff&hp=45&vp=20&c=round&bgt=unicolored&bgc=00c0e8\")
\n\n\n\n\n ![](\"https://dabuttonfactory.com/button.png?t=Read+the+Docs&f=Open+Sans-Bold&ts=26&tc=fff&hp=45&vp=20&c=round&bgt=unicolored&bgc=00c0e8\")
\n\n\n## **Table of contents**\n\n- [Features](#features)\n- [Screenshots](#screenshots)\n- [Getting Started](#getting-started)\n- [Disclaimer](#disclaimer)\n- [Support](#support)\n- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)\n\n ## Features\n\n * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.\n * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep, ARM, and OpenTofu template files.\n * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files\n * Supports Context-awareness policies based on in-memory graph-based scanning.\n * Supports Python format for attribute policies and YAML format for both attribute and composite policies.\n * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.\n * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.\n * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.\n * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.\n * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.\n * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).\n \n## Screenshots\n\nScan results in CLI\n\n\n\nScheduled scan result in Jenkins\n\n\n\n## Getting started\n\n### Requirements\n * Python >= 3.9, <=3.12\n * Terraform >= 0.12\n\n### Installation\n\nTo install pip follow the official [docs](https://pip.pypa.io/en/stable/cli/pip_install/)\n\n```sh\npip3 install checkov\n```\n\nCertain environments (e.g., Debian 12) may require you to install Checkov in a virtual environment\n\n```sh\n# Create and activate a virtual environment\npython3 -m venv /path/to/venv/checkov\ncd /path/to/venv/checkov\nsource ./bin/activate\n\n# Install Checkov with pip\npip install checkov\n\n# Optional: Create a symlink for easy access\nsudo ln -s /path/to/venv/checkov/bin/checkov /usr/local/bin/checkov\n```\n\nor with [Homebrew](https://formulae.brew.sh/formula/checkov) (macOS or Linux)\n\n```sh\nbrew install checkov\n```\n\n### Enabling bash autocomplete\n```sh\nsource <(register-python-argcomplete checkov)\n```\n### Upgrade\n\nif you installed checkov with pip3\n```sh\npip3 install -U checkov\n```\n\nor with Homebrew\n\n```sh\nbrew upgrade checkov\n```\n\n### Configure an input folder or file\n\n```sh\ncheckov --directory /user/path/to/iac/code\n```\n\nOr a specific file or files\n\n```sh\ncheckov --file /user/tf/example.tf\n```\nOr\n```sh\ncheckov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml\n```\n\nOr a terraform plan file in json format\n```sh\nterraform init\nterraform plan -out tf.plan\nterraform show -json tf.plan > tf.json\ncheckov -f tf.json\n```\n\nNote: `terraform show` output file `tf.json` will be a single line. \nFor that reason all findings will be reported line number 0 by Checkov\n\n\n```sh\ncheck: CKV_AWS_21: \"Ensure all data stored in the S3 bucket have versioning enabled\"\n\tFAILED for resource: aws_s3_bucket.customer\n\tFile: /tf/tf.json:0-0\n\tGuide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning\n ```\n\nIf you have installed `jq` you can convert json file into multiple lines with the following command:\n```sh\nterraform show -json tf.plan | jq '.' > tf.json\n```\nScan result would be much user friendly.\n```sh\ncheckov -f tf.json\nCheck: CKV_AWS_21: \"Ensure all data stored in the S3 bucket have versioning enabled\"\n\tFAILED for resource: aws_s3_bucket.customer\n\tFile: /tf/tf1.json:224-268\n\tGuide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning\n\n\t\t225 | \"values\": {\n\t\t226 | \"acceleration_status\": \"\",\n\t\t227 | \"acl\": \"private\",\n\t\t228 | \"arn\": \"arn:aws:s3:::mybucket\",\n\n```\n\nAlternatively, specify the repo root of the hcl files used to generate the plan file, using the `--repo-root-for-plan-enrichment` flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.\n```sh\ncheckov -f tf.json --repo-root-for-plan-enrichment /user/path/to/iac/code\n```\n\n\n### Scan result sample (CLI)\n\n```sh\nPassed Checks: 1, Failed Checks: 1, Suppressed Checks: 0\nCheck: \"Ensure all data stored in the S3 bucket is securely encrypted at rest\"\n/main.tf:\n\t Passed for resource: aws_s3_bucket.template_bucket\nCheck: \"Ensure all data stored in the S3 bucket is securely encrypted at rest\"\n/../regionStack/main.tf:\n\t Failed for resource: aws_s3_bucket.sls_deployment_bucket_name\n```\n\nStart using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.\n\n### Using Docker\n\n\n```sh\ndocker pull bridgecrew/checkov\ndocker run --tty --rm --volume /user/tf:/tf --workdir /tf bridgecrew/checkov --directory /tf\n```\nNote: if you are using Python 3.6(Default version in Ubuntu 18.04) checkov will not work, and it will fail with `ModuleNotFoundError: No module named 'dataclasses'` error message. In this case, you can use the docker version instead.\n\nNote that there are certain cases where redirecting `docker run --tty` output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the `--tty` flag.\n\nThe `--workdir /tf` flag is optional to change the working directory to the mounted volume. If you are using the SARIF output `-o sarif` this will output the results.sarif file to the mounted volume (`/user/tf` in the example above). If you do not include that flag, the working directory will be \"/\".\n\n### Running or skipping checks\n\nBy using command line flags, you can specify to run only named checks (allow list) or run all checks except\nthose listed (deny list). If you are using the platform integration via API key, you can also specify a severity threshold to skip and / or include.\nMoreover, as json files can't contain comments, one can pass regex pattern to skip json file secret scan.\n\nSee the docs for more detailed information about how these flags work together.\n\n\n## Examples\n\nAllow only the two specified checks to run:\n```sh\ncheckov --directory . --check CKV_AWS_20,CKV_AWS_57\n```\n\nRun all checks except the one specified:\n```sh\ncheckov -d . --skip-check CKV_AWS_20\n```\n\nRun all checks except checks with specified patterns:\n```sh\ncheckov -d . --skip-check CKV_AWS*\n```\n\nRun all checks that are MEDIUM severity or higher (requires API key):\n```sh\ncheckov -d . --check MEDIUM --bc-api-key ...\n```\n\nRun all checks that are MEDIUM severity or higher, as well as check CKV_123 (assume this is a LOW severity check):\n```sh\ncheckov -d . --check MEDIUM,CKV_123 --bc-api-key ...\n```\n\nSkip all checks that are MEDIUM severity or lower:\n```sh\ncheckov -d . --skip-check MEDIUM --bc-api-key ...\n```\n\nSkip all checks that are MEDIUM severity or lower, as well as check CKV_789 (assume this is a high severity check):\n```sh\ncheckov -d . --skip-check MEDIUM,CKV_789 --bc-api-key ...\n```\n\nRun all checks that are MEDIUM severity or higher, but skip check CKV_123 (assume this is a medium or higher severity check):\n```sh\ncheckov -d . --check MEDIUM --skip-check CKV_123 --bc-api-key ...\n```\n\nRun check CKV_789, but skip it if it is a medium severity (the --check logic is always applied before --skip-check)\n```sh\ncheckov -d . --skip-check MEDIUM --check CKV_789 --bc-api-key ...\n```\n\nFor Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the\nkube-system namespace:\n```sh\ncheckov -d . --skip-check kube-system\n```\n\nRun a scan of a container image. First pull or build the image then refer to it by the hash, ID, or name:tag:\n```sh\ncheckov --framework sca_image --docker-image sha256:1234example --dockerfile-path /Users/path/to/Dockerfile --repo-id ... --bc-api-key ...\n\ncheckov --docker-image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...\n```\n\nYou can use --image flag also to scan container image instead of --docker-image for shortener:\n```sh\ncheckov --image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...\n```\n\nRun an SCA scan of packages in a repo:\n```sh\ncheckov -d . --framework sca_package --bc-api-key ... --repo-id \n```\n\nRun a scan of a directory with environment variables removing buffering, adding debug level logs:\n```sh\nPYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG checkov -d .\n```\nOR enable the environment variables for multiple runs\n```sh\nexport PYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG\ncheckov -d .\n```\n\nRun secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that their suffix is DontScan\n```sh\ncheckov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*DontScan.json$\n```\n\nRun secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that contains \"skip_test\" in path\n```sh\ncheckov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*skip_test.*json$\n```\n\nOne can mask values from scanning results by supplying a configuration file (using --config-file flag) with mask entry.\nThe masking can apply on resource & value (or multiple values, separated with a comma).\nExamples:\n```sh\nmask:\n- aws_instance:user_data\n- azurerm_key_vault_secret:admin_password,user_passwords\n```\nIn the example above, the following values will be masked:\n- user_data for aws_instance resource\n- both admin_password &user_passwords for azurerm_key_vault_secret\n\n\n### Suppressing/Ignoring a check\n\nLike any static-analysis tool it is limited by its analysis scope.\nFor example, if a resource is managed manually, or using subsequent configuration management tooling,\nsuppression can be inserted as a simple code annotation.\n\n#### Suppression comment format\n\nTo skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it's scope:\n\n`checkov:skip=:`\n\n* `` is one of the [available check scanners](docs/5.Policy Index/all.md)\n* `` is an optional suppression reason to be included in the output\n\n#### Example\n\nThe following comment skips the `CKV_AWS_20` check on the resource identified by `foo-bucket`, where the scan checks if an AWS S3 bucket is private.\nIn the example, the bucket is configured with public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.\n\n```hcl-terraform\nresource \"aws_s3_bucket\" \"foo-bucket\" {\n region = var.region\n #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n bucket = local.bucket_name\n force_destroy = true\n acl = \"public-read\"\n}\n```\n\nThe output would now contain a ``SKIPPED`` check result entry:\n\n```bash\n...\n...\nCheck: \"S3 Bucket has an ACL defined which allows public access.\"\n\tSKIPPED for resource: aws_s3_bucket.foo-bucket\n\tSuppress comment: The bucket is a public static content host\n\tFile: /example_skip_acl.tf:1-25\n\n...\n```\nTo skip multiple checks, add each as a new line.\n\n```\n #checkov:skip=CKV2_AWS_6\n #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n```\n\nTo suppress checks in Kubernetes manifests, annotations are used with the following format:\n`checkov.io/skip#: =`\n\nFor example:\n\n```bash\napiVersion: v1\nkind: Pod\nmetadata:\n name: mypod\n annotations:\n checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O\n checkov.io/skip2: CKV_K8S_14\n checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS\nspec:\n containers:\n...\n```\n\n#### Logging\n\nFor detailed logging to stdout set up the environment variable `LOG_LEVEL` to `DEBUG`.\n\nDefault is `LOG_LEVEL=WARNING`.\n\n#### Skipping directories\nTo skip files or directories, use the argument `--skip-path`, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.\n\nBy default, all directories named `node_modules`, `.terraform`, and `.serverless` will be skipped, in addition to any files or directories beginning with `.`.\nTo cancel skipping directories beginning with `.` override `CKV_IGNORE_HIDDEN_DIRECTORIES` environment variable `export CKV_IGNORE_HIDDEN_DIRECTORIES=false`\n\nYou can override the default set of directories to skip by setting the environment variable `CKV_IGNORED_DIRECTORIES`.\n Note that if you want to preserve this list and add to it, you must include these values. For example, `CKV_IGNORED_DIRECTORIES=mynewdir` will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the `--skip-file` flag.\n\n#### Console Output\n\nThe console output is in colour by default, to switch to a monochrome output, set the environment variable:\n`ANSI_COLORS_DISABLED`\n\n#### VS Code Extension\n\nIf you want to use Checkov within VS Code, give the [Prisma Cloud extension](https://marketplace.visualstudio.com/items?itemName=PrismaCloud.prisma-cloud) a try.\n\n### Configuration using a config file\n\nCheckov can be configured using a YAML configuration file. By default, checkov looks for a `.checkov.yaml` or `.checkov.yml` file in the following places in order of precedence:\n* Directory against which checkov is run. (`--directory`)\n* Current working directory where checkov is called.\n* User's home directory.\n\n**Attention**: it is a best practice for checkov configuration file to be loaded from a trusted source composed by a verified identity, so that scanned files, check ids and loaded custom checks are as desired.\n\nUsers can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:\n```sh\ncheckov --config-file path/to/config.yaml\n```\nUsers can also create a config file using the `--create-config` command, which takes the current command line args and writes them out to a given path. For example:\n```sh\ncheckov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --quiet --repo-id prisma-cloud/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-framework dockerfile secrets --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml\n```\nWill create a `config.yaml` file which looks like this:\n```yaml\nbranch: develop\ncheck:\n - CKV_DOCKER_1\ncompact: true\ndirectory:\n - test-dir\ndocker-image: sample-image\ndockerfile-path: Dockerfile\ndownload-external-modules: true\nevaluate-variables: true\nexternal-checks-dir:\n - sample-dir\nexternal-modules-download-path: .external_modules\nframework:\n - all \noutput: cli \nquiet: true \nrepo-id: prisma-cloud/sample-repo \nskip-check: \n - CKV_DOCKER_3 \n - CKV_DOCKER_2 \nskip-framework:\n - dockerfile\n - secrets\nsoft-fail: true\n```\n\nUsers can also use the `--show-config` flag to view all the args and settings and where they came from i.e. commandline, config file, environment variable or default. For example:\n```sh\ncheckov --show-config\n```\nWill display:\n```sh\nCommand Line Args: --show-config\nEnvironment Variables:\n BC_API_KEY: your-api-key\nConfig File (/Users/sample/.checkov.yml):\n soft-fail: False\n branch: master\n skip-check: ['CKV_DOCKER_3', 'CKV_DOCKER_2']\nDefaults:\n --output: cli\n --framework: ['all']\n --download-external-modules:False\n --external-modules-download-path:.external_modules\n --evaluate-variables:True\n```\n\n## Contributing\n\nContribution is welcomed!\n\nStart by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).\n\nYou can even start this with one-click dev in your browser through Gitpod at the following link:\n\n[](https://gitpod.io/#https://github.com/bridgecrewio/checkov)\n\nLooking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).\n\n## Disclaimer\n`checkov` does not save, publish or share with anyone any identifiable customer information. \nNo identifiable customer information is used to query Prisma Cloud's publicly accessible guides.\n`checkov` uses Prisma Cloud's API to enrich the results with links to remediation guides.\nTo skip this API call use the flag `--skip-download`.\n\n## Support\n\n[Prisma Cloud](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov) builds and maintains Checkov to make policy-as-code simple and accessible. \n\nStart with our [Documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) for quick tutorials and examples.\n\n## Python Version Support\nWe follow the official support cycle of Python, and we use automated tests for supported versions of Python.\nThis means we currently support Python 3.9 - 3.13, inclusive.\nNote that Python 3.8 reached EOL on October 2024 and Python 3.9 will reach EOL in October 2025.\nIf you run into any issues with any non-EOL Python version, please open an Issue.\n"
},
{
"path": "SECURITY.md",
"content": "# Security\n\n## Reporting a Vulnerability\n\nIf you think you have found a potential security vulnerability in `checkov`,\nplease email psirt@paloaltonetworks.com directly. Do not file a public issue. If\nEnglish is not your first language, please try to describe the problem\nand its impact to the best of your ability. For greater detail, please\nuse your native language and we will try our best to translate it using\nonline services.\n\nPlease also include the code you used to find the problem and the\nshortest amount of code necessary to reproduce it.\n\nPlease do not disclose this to anyone else. We will retrieve a CVE\nidentifier if necessary and give you full credit under whatever name or\nalias you provide. We will only request an identifier when we have a fix\nand can publish it in a release.\n\nWe will respect your privacy and will only publicize your involvement if\nyou grant us permission.\n\n## Process\n\nThis following information discusses the process the `checkov` project\nfollows in response to vulnerability disclosures. If you are disclosing\na vulnerability, this section of the documentation lets you know how we\nwill respond to your disclosure.\n\n### Timeline\n\nWhen you report an issue, one of the project members will respond to you\nwithin few days. This initial response will at the very least confirm\nreceipt of the report.\n\nIf we were able to rapidly reproduce the issue, the initial response\nwill also contain confirmation of the issue. If we are not, we will\noften ask for more information about the reproduction scenario.\n\nOur goal is to have a fix for any vulnerability released within two\nweeks of the initial disclosure. This may potentially involve shipping\nan interim release that simply disables function while a more mature fix\ncan be prepared, but will in the vast majority of cases mean shipping a\ncomplete release as soon as possible.\n\nThroughout the fix process we will keep you up to speed with how the fix\nis progressing. Once the fix is prepared, we will notify you that we\nbelieve we have a fix. Often we will ask you to confirm the fix resolves\nthe problem in your environment, especially if we are not confident of\nour reproduction scenario.\n\nAt this point, we will prepare for the release. We will obtain a CVE\nnumber if one is required, providing you with full credit for the\ndiscovery. We will also decide on a planned release date, and let you\nknow when it is.\n\nOn release day, we will push the patch to our public repository, along\nwith an updated changelog that describes the issue. The change log is\ngenerated automatically from commit messages. We will then issue a \nPyPI release containing the patch.\n\nAt this point, we will publicise the release. This will involve\nannouncement on our Slack channel (https://codifiedsecurity.slack.com)\nand all other communication mechanisms available to the core team.\n\nWe will also explicitly mention which commits contain the fix to make it\neasier for other distributors and users to easily patch their own\nversions of `checkov` if upgrading is not an option.\n"
},
{
"path": "bin/checkov",
"content": "#!/usr/bin/env python\nfrom checkov.main import Checkov\nimport warnings\nimport sys\n\nif __name__ == '__main__':\n with warnings.catch_warnings():\n warnings.simplefilter(\"ignore\", category=SyntaxWarning)\n sys.exit(Checkov().run())\n"
},
{
"path": "bin/checkov.cmd",
"content": "@echo OFF\nREM=\"\"\"\nsetlocal\nset PythonExe=\"\"\nset PythonExeFlags=\n\nfor %%i in (cmd bat exe) do (\n for %%j in (python.%%i) do (\n call :SetPythonExe \"%%~$PATH:j\"\n )\n)\nfor /f \"tokens=2 delims==\" %%i in ('assoc .py') do (\n for /f \"tokens=2 delims==\" %%j in ('ftype %%i') do (\n for /f \"tokens=1\" %%k in (\"%%j\") do (\n call :SetPythonExe %%k\n )\n )\n)\n%PythonExe% -x %PythonExeFlags% \"%~f0\" %*\nexit /B %ERRORLEVEL%\ngoto :EOF\n\n:SetPythonExe\nif not [\"%~1\"]==[\"\"] (\n if [%PythonExe%]==[\"\"] (\n set PythonExe=\"%~1\"\n )\n)\ngoto :EOF\n\"\"\"\n\n# ===================================================\n# Python script starts here\n# ===================================================\n\n#!/usr/bin/env python\nfrom checkov.main import Checkov\nimport warnings\nimport sys\n\nif __name__ == '__main__':\n with warnings.catch_warnings():\n warnings.simplefilter(\"ignore\", category=SyntaxWarning)\n sys.exit(Checkov().run())\n"
},
{
"path": "cdk_integration_tests/__init__.py",
"content": ""
},
{
"path": "cdk_integration_tests/prepare_data.sh",
"content": "#!/bin/bash\n\n# iterate over all the cdk python checks\n#for file in \"checkov/cdk/checks/python\"/*; do\n# # Ensure it's a yaml file\n# if [[ -f \"$file\" && \"$file\" == *.yaml ]]; then\n# basename=$(basename -- \"$file\")\n# filename=\"${basename%.*}\"\n# check_id=$(grep 'id:' $file | awk '{print $2}')\n# if [[ $check_id != CKV* ]]; then\n# #expects only CKV check ids\n# continue\n# fi\n# # create a report for this check\n# echo \"creating report for check: $filename, id: $check_id\"\n# pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json --check $check_id \\\n# -d \"cdk_integration_tests/src/python/$filename\" --external-checks-dir \"checkov/cdk/checks/python\" \\\n# > \"checkov_report_cdk_python_$filename.json\"\n# fi\n#done\n\necho \"creating report for CDK\"\npipenv run checkov -s --framework cdk --repo-id cli/cdk -o json \\\n -d \"cdk_integration_tests/src\" > \"checkov_report_cdk.json\"\n\n#todo: iterate over all the cdk typescript checks - when ts supported in sast\n"
},
{
"path": "cdk_integration_tests/run_integration_tests.sh",
"content": "#!/bin/bash\n\n# In order to run this script set the following environment variables:\n# BC_API_URL - your API url.\n# BC_KEY - generate API key via Platform.\n# You can also add the local SAST_ARTIFACT_PATH and LOG_LEVEL.\n\n# You can also set those vars in the set_env_vars() function, and uncomment the call to it.\n\n# The working dir should be the checkov project dir.\n# For example: on /Users/ajbara/dev2/checkov dir run BC_API_URL=https://ws342vj2ze.execute-api.us-west-2.amazonaws.com/v1 BC_KEY=xyz LOG_LEVEL=Info /Users/ajbara/dev2/checkov/sast_integration_tests/run_integration_tests.sh\n\nset_env_vars() {\n export SAST_ARTIFACT_PATH=\"\"\n export BC_API_KEY=\"\"\n export LOG_LEVEL=DEBUG\n export PRISMA_API_URL=\"https://api0.prismacloud.io\"\n}\n\nprepare_data () {\n echo \"creating report for CDK\"\n python checkov/main.py -s --framework cdk --repo-id prisma/cdk -o json \\\n -d \"cdk_integration_tests/src\" > \"checkov_report_cdk.json\"\n\n}\n\ndelete_reports () {\n rm -r checkov_report*\n rm results.sarif\n rm checkov_checks_list.txt\n}\n\n#echo \"calling set_env_vars\"\n#set_env_vars\n\nif [[ -z \"BC_API_KEY\" ]]; then\n echo \"BC_API_KEY is missing.\"\n exit 1\nfi\n\necho $PRISMA_API_URL\nif [[ -z \"PRISMA_API_URL\" ]]; then\n echo \"PRISMA_API_URL is missing.\"\n exit 1\nfi\n\ncd ..\n\necho $VIRTUAL_ENV\nif [ ! -z \"$VIRTUAL_ENV\" ]; then\n deactivate\nfi\n\n#activate virtual env\nENV_PATH=$(pipenv --venv)\necho $ENV_PATH\nsource $ENV_PATH/bin/activate\n\necho $(pwd)\nworking_dir=$(pwd) # should be the path of local checkov project\nexport PYTHONPATH=\"$working_dir/checkov:$PYTHONPATH\"\n\nprepare_data\n\n#Run integration tests.\necho \"running integration tests\"\npytest cdk_integration_tests\n\ndeactivate\n\necho \"Deleting reports\"\ndelete_reports\n\n"
},
{
"path": "cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ALB with Load Balancer Attributes\n alb = elbv2.CfnLoadBalancer(\n self, 'MyALB',\n name='my-alb',\n type='application',\n load_balancer_attributes=[\n {\n 'key': 'routing.http.drop_invalid_header_fields.enabled',\n 'value': 'false'\n }\n ]\n # Other properties for your ALB\n )\n\napp = core.App()\nMyALBStack(app, \"MyALBStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ALB with Load Balancer Attributes\n alb = elbv2.CfnLoadBalancer(\n self, 'MyALB',\n name='my-alb',\n type='application',\n load_balancer_attributes=[\n {\n 'key': 'routing.http.drop_invalid_header_fields.enabled',\n 'value': 'true'\n }\n ]\n # Other properties for your ALB\n )\n\napp = core.App()\nMyALBStack(app, \"MyALBStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyListenerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define HTTPS Redirect Listener\n listener = elbv2.CfnListener(\n self, 'MyHTTPSRedirectListener',\n load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN\n protocol='HTTP',\n port=80,\n default_actions=[{\n 'type': 'abc',\n 'redirectConfig': {\n 'protocol': 'HTTP',\n }\n }]\n # Other properties for your Redirect Listener\n )\n\napp = core.App()\nMyListenerStack(app, \"MyListenerStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyListenerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define HTTPS Listener\n listener = elbv2.CfnListener(\n self, 'MyHTTPSListener',\n load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN\n protocol='HTTPS',\n # Other properties for your Listener\n )\n\napp = core.App()\nMyListenerStack(app, \"MyListenerStack\")\napp.synth()\n\n\nclass MyListenerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define HTTPS Redirect Listener\n listener = elbv2.CfnListener(\n self, 'MyHTTPSRedirectListener',\n load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN\n protocol='HTTP',\n port=80,\n default_actions=[{\n 'type': 'redirect',\n 'redirectConfig': {\n 'protocol': 'HTTPS',\n }\n }]\n # Other properties for your Redirect Listener\n )\n\napp = core.App()\nMyListenerStack(app, \"MyListenerStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py",
"content": "from aws_cdk import aws_apigateway as apigateway\n\ncfn_stage = apigateway.CfnStage(self, \"MyCfnStage\",\n rest_api_id=\"restApiId\",\n\n # the properties below are optional\n\n cache_cluster_enabled=False,\n cache_cluster_size=\"cacheClusterSize\",\n canary_setting=apigateway.CfnStage.CanarySettingProperty(\n deployment_id=\"deploymentId\",\n percent_traffic=123,\n stage_variable_overrides={\n \"stage_variable_overrides_key\": \"stageVariableOverrides\"\n },\n use_stage_cache=False\n ),\n client_certificate_id=\"clientCertificateId\",\n deployment_id=\"deploymentId\",\n description=\"description\",\n documentation_version=\"documentationVersion\",\n method_settings=[apigateway.CfnStage.MethodSettingProperty(\n cache_data_encrypted=False,\n cache_ttl_in_seconds=123,\n caching_enabled=False,\n data_trace_enabled=False,\n http_method=\"httpMethod\",\n logging_level=\"loggingLevel\",\n metrics_enabled=False,\n resource_path=\"resourcePath\",\n throttling_burst_limit=123,\n throttling_rate_limit=123\n )],\n stage_name=\"stageName\",\n tags=[CfnTag(\n key=\"key\",\n value=\"value\"\n )],\n tracing_enabled=False,\n variables={\n \"variables_key\": \"variables\"\n }\n)\n\nfrom aws_cdk import core\nfrom aws_cdk import aws_serverless as serverless\n\nclass ServerlessApiWithAccessLogStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Serverless API\n serverless.Api(\n self, \"MyApi\",\n default_stage={\n \"stage_name\": \"prod\",\n \"access_log_setting\": serverless.AccessLogSetting(\n format=serverless.AccessLogFormat.json_with_standard_fields()\n )\n }\n )\n\napp = core.App()\nServerlessApiWithAccessLogStack(app, \"ServerlessApiWithAccessLogStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py",
"content": "from aws_cdk import aws_apigateway as apigateway\n\ncfn_stage = apigateway.CfnStage(self, \"MyCfnStage\",\n rest_api_id=\"restApiId\",\n\n # the properties below are optional\n access_log_setting=apigateway.CfnStage.AccessLogSettingProperty(\n destination_arn=\"destinationArn\",\n format=\"format\"\n ),\n cache_cluster_enabled=False,\n cache_cluster_size=\"cacheClusterSize\",\n canary_setting=apigateway.CfnStage.CanarySettingProperty(\n deployment_id=\"deploymentId\",\n percent_traffic=123,\n stage_variable_overrides={\n \"stage_variable_overrides_key\": \"stageVariableOverrides\"\n },\n use_stage_cache=False\n ),\n client_certificate_id=\"clientCertificateId\",\n deployment_id=\"deploymentId\",\n description=\"description\",\n documentation_version=\"documentationVersion\",\n method_settings=[apigateway.CfnStage.MethodSettingProperty(\n cache_data_encrypted=False,\n cache_ttl_in_seconds=123,\n caching_enabled=False,\n data_trace_enabled=False,\n http_method=\"httpMethod\",\n logging_level=\"loggingLevel\",\n metrics_enabled=False,\n resource_path=\"resourcePath\",\n throttling_burst_limit=123,\n throttling_rate_limit=123\n )],\n stage_name=\"stageName\",\n tags=[CfnTag(\n key=\"key\",\n value=\"value\"\n )],\n tracing_enabled=False,\n variables={\n \"variables_key\": \"variables\"\n }\n)\n\nfrom aws_cdk import core\nfrom aws_cdk import aws_serverless as serverless\n\nclass ServerlessApiWithAccessLogStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Serverless API\n serverless.Api(\n self, \"MyApi\",\n default_stage={\n \"stage_name\": \"prod\",\n \"access_log_setting\": serverless.AccessLogSetting(\n destination_arn=\"arn:aws:logs:us-east-1:123456789012:log-group/MyLogGroup\",\n format=serverless.AccessLogFormat.json_with_standard_fields()\n )\n }\n )\n\napp = core.App()\nServerlessApiWithAccessLogStack(app, \"ServerlessApiWithAccessLogStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayAuthorization/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigw\n\nclass MyApiGatewayMethodStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the API Gateway Method based on the conditions\n api_method = apigw.Method(\n self, 'MyApiGatewayMethod',\n http_method='GET', # Replace with your desired HTTP method\n resource=self.node.try_get_context('resource'), # Replace with your API resource\n rest_api=self.node.try_get_context('rest_api'), # Replace with your REST API\n authorization_type=apigw.AuthorizationType.NONE, # Set the AuthorizationType to NONE\n api_key_required=False # Set ApiKeyRequired to false\n # You can add other properties as needed for your method\n )\n\napp = core.App()\nMyApiGatewayMethodStack(app, \"MyApiGatewayMethodStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayAuthorization/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigw\n\nclass MyApiGatewayMethodStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the API Gateway Method based on the conditions\n api_method = apigw.Method(\n self, 'MyApiGatewayMethod',\n http_method='OPTIONS', # Replace with your desired HTTP method\n resource=self.node.try_get_context('resource'), # Replace with your API resource\n rest_api=self.node.try_get_context('rest_api'), # Replace with your REST API\n authorization_type=apigw.AuthorizationType.NONE, # Set the AuthorizationType to NONE\n api_key_required=True # Set ApiKeyRequired to false\n # You can add other properties as needed for your method\n )\n\napp = core.App()\nMyApiGatewayMethodStack(app, \"MyApiGatewayMethodStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_sam as sam\nclass MyApiGatewayStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an API Gateway stage with cache cluster enabled\n api = apigateway.RestApi(\n self,\n \"MyApi\",\n rest_api_name=\"MyApiName\",\n )\n\n stage = apigateway.Stage(\n self,\n \"MyApiStage\",\n stage_name=\"prod\", # Replace with your desired stage name\n deployment=api.latest_deployment,\n )\n\nclass MySAMApiStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Serverless API with cache cluster enabled\n sam_api = sam.CfnApi(\n self,\n \"MySAMApi\",\n stage_name=\"prod\", # Specify the stage name\n definition_body={\n \"openapi\": \"3.0.1\",\n \"info\": {\n \"title\": \"MyAPI\",\n },\n \"paths\": {\n \"/example\": {\n \"get\": {\n \"responses\": {\n \"200\": {\n \"description\": \"A sample response\",\n },\n },\n },\n },\n },\n },\n )\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_sam as sam\nclass MyApiGatewayStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an API Gateway stage with cache cluster enabled\n api = apigateway.RestApi(\n self,\n \"MyApi\",\n rest_api_name=\"MyApiName\",\n )\n\n stage = apigateway.Stage(\n self,\n \"MyApiStage\",\n stage_name=\"prod\", # Replace with your desired stage name\n deployment=api.latest_deployment,\n cache_cluster_enabled=True, # Enable cache cluster\n cache_cluster_size=\"0.5\", # Specify the cache cluster size\n )\n\nclass MySAMApiStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Serverless API with cache cluster enabled\n sam_api = sam.CfnApi(\n self,\n \"MySAMApi\",\n cacheClusterEnabled=True, # Enable cache cluster\n cacheClusterSize=\"0.5\", # Specify the cache cluster size\n stage_name=\"prod\", # Specify the stage name\n definition_body={\n \"openapi\": \"3.0.1\",\n \"info\": {\n \"title\": \"MyAPI\",\n },\n \"paths\": {\n \"/example\": {\n \"get\": {\n \"responses\": {\n \"200\": {\n \"description\": \"A sample response\",\n },\n },\n },\n },\n },\n },\n )\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayV2AccessLogging/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayV2StageStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define API Gateway V2 Stage with AccessLogSettings/DestinationArn set\n api_stage = apigatewayv2.CfnStage(\n self, 'MyApiGatewayV2Stage',\n api_id='api_id_here', # Replace with your API ID\n stage_name='myStage',\n # Add other properties as needed for your stage\n )\n\napp = core.App()\nMyApiGatewayV2StageStack(app, \"MyApiGatewayV2StageStack\")\napp.synth()\n\nfrom aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyServerlessHttpApiStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a Serverless HTTP API with access log settings\n serverless_api = apigatewayv2.CfnApi(\n self, 'MyServerlessHttpApi',\n name='MyHTTPAPI',\n protocol_type='HTTP',\n # Add other properties as needed for your HTTP API\n )\n\napp = core.App()\nMyServerlessHttpApiStack2(app, \"MyServerlessHttpApiStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayV2AccessLogging/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayV2StageStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define API Gateway V2 Stage with AccessLogSettings/DestinationArn set\n api_stage = apigatewayv2.CfnStage(\n self, 'MyApiGatewayV2Stage',\n api_id='api_id_here', # Replace with your API ID\n stage_name='myStage',\n access_log_settings=apigatewayv2.CfnStage.AccessLogSettingsProperty(\n destination_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME'\n # Replace with the actual DestinationArn value\n )\n # Add other properties as needed for your stage\n )\n\napp = core.App()\nMyApiGatewayV2StageStack(app, \"MyApiGatewayV2StageStack\")\napp.synth()\n\nfrom aws_cdk import core\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyServerlessHttpApiStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a Serverless HTTP API with access log settings\n serverless_api = apigatewayv2.CfnApi(\n self, 'MyServerlessHttpApi',\n name='MyHTTPAPI',\n protocol_type='HTTP',\n access_log_settings=apigatewayv2.CfnApi.AccessLogSettingsProperty(\n destination_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME'\n # Replace with the actual DestinationArn value\n )\n # Add other properties as needed for your HTTP API\n )\n\napp = core.App()\nMyServerlessHttpApiStack2(app, \"MyServerlessHttpApiStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayXray/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayStageStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define API Gateway Stage with Tracing Enabled\n apigateway.CfnStage(\n self, 'MyApiGatewayStage',\n stage_name='my-stage',\n rest_api_id='your-rest-api-id', # Replace with your RestApi Id\n tracing_enabled=False\n # Other properties for your API Gateway Stage\n )\n\napp = core.App()\nMyApiGatewayStageStack(app, \"MyApiGatewayStageStack\")\napp.synth()\n\nclass MyServerlessApiStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Serverless API with Tracing Enabled\n api = apigatewayv2.CfnApi(\n self, 'MyServerlessApi',\n name='my-serverless-api',\n protocol_type='HTTP'\n # Other properties for your Serverless API\n )\n\n stage = apigatewayv2.CfnStage(\n self, 'MyServerlessApiStage',\n api_id=api.ref,\n stage_name='my-stage',\n tracing_enabled=False\n # Other properties for your API Gatewayv2 Stage\n )\n\napp = core.App()\nMyServerlessApiStack(app, \"MyServerlessApiStack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/APIGatewayXray/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_apigateway as apigateway\nfrom aws_cdk import aws_apigatewayv2 as apigatewayv2\n\nclass MyApiGatewayStageStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define API Gateway Stage with Tracing Enabled\n apigateway.CfnStage(\n self, 'MyApiGatewayStage',\n stage_name='my-stage',\n rest_api_id='your-rest-api-id', # Replace with your RestApi Id\n tracing_enabled=True\n # Other properties for your API Gateway Stage\n )\n\napp = core.App()\nMyApiGatewayStageStack(app, \"MyApiGatewayStageStack\")\napp.synth()\n\nclass MyServerlessApiStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Serverless API with Tracing Enabled\n api = apigatewayv2.CfnApi(\n self, 'MyServerlessApi',\n name='my-serverless-api',\n protocol_type='HTTP'\n # Other properties for your Serverless API\n )\n\n stage = apigatewayv2.CfnStage(\n self, 'MyServerlessApiStage',\n api_id=api.ref,\n stage_name='my-stage',\n tracing_enabled=True\n # Other properties for your API Gatewayv2 Stage\n )\n\napp = core.App()\nMyServerlessApiStack(app, \"MyServerlessApiStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_amazonmq as amazonmq\n\nclass AmazonMQStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon MQ broker with PubliclyAccessible set to false\n amazonmq_broker = amazonmq.CfnBroker(\n self,\n \"MyAmazonMQBroker\",\n broker_name=\"my-amazon-mq-broker\",\n engine_type=\"ACTIVEMQ\",\n host_instance_type=\"mq.t2.micro\",\n publicly_accessible=True, # Set PubliclyAccessible to false\n )\n\napp = core.App()\nAmazonMQStack(app, \"AmazonMQStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_amazonmq as amazonmq\n\nclass AmazonMQStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon MQ broker with PubliclyAccessible set to false\n amazonmq_broker = amazonmq.CfnBroker(\n self,\n \"MyAmazonMQBroker\",\n broker_name=\"my-amazon-mq-broker\",\n engine_type=\"ACTIVEMQ\",\n host_instance_type=\"mq.t2.micro\",\n publicly_accessible=False, # Set PubliclyAccessible to false\n )\n\napp = core.App()\nAmazonMQStack(app, \"AmazonMQStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the GraphQL API using CfnGraphQLApi\n graphql_api = appsync.CfnGraphQLApi(\n self,\n \"AppSyncGraphQLApi\",\n name=\"MyAppSyncAPI\",\n authentication_type=\"API_KEY\", # You can change the authentication type\n log_config=appsync.CfnGraphQLApi.LogConfigProperty(\n cloud_watch_logs_role_arn=\"cloudWatchLogsRoleArn\",\n exclude_verbose_content=False,\n ),\n )\n\n\napp = core.App()\nAppSyncStack(app, \"AppSyncStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the GraphQL API using CfnGraphQLApi\n graphql_api = appsync.CfnGraphQLApi(\n self,\n \"AppSyncGraphQLApi\",\n name=\"MyAppSyncAPI\",\n authentication_type=\"API_KEY\", # You can change the authentication type\n log_config=appsync.CfnGraphQLApi.LogConfigProperty(\n cloud_watch_logs_role_arn=\"cloudWatchLogsRoleArn\",\n exclude_verbose_content=False,\n field_log_level=appsync.FieldLogLevel.ALL\n ),\n )\n\n\napp = core.App()\nAppSyncStack(app, \"AppSyncStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the GraphQL API using CfnGraphQLApi\n graphql_api = appsync.CfnGraphQLApi(\n self,\n \"AppSyncGraphQLApi\",\n name=\"MyAppSyncAPI\",\n authentication_type=\"API_KEY\", # You can change the authentication type\n log_config=appsync.CfnGraphQLApi.LogConfigProperty(\n exclude_verbose_content=False,\n field_log_level=\"fieldLogLevel\"\n ),\n )\n\n\napp = core.App()\nAppSyncStack(app, \"AppSyncStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AppSyncLogging/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_appsync as appsync\n\nclass AppSyncStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the GraphQL API using CfnGraphQLApi\n graphql_api = appsync.CfnGraphQLApi(\n self,\n \"AppSyncGraphQLApi\",\n name=\"MyAppSyncAPI\",\n authentication_type=\"API_KEY\", # You can change the authentication type\n log_config=appsync.CfnGraphQLApi.LogConfigProperty(\n cloud_watch_logs_role_arn=\"cloudWatchLogsRoleArn\",\n exclude_verbose_content=False,\n field_log_level=\"fieldLogLevel\"\n ),\n )\n\n\napp = core.App()\nAppSyncStack(app, \"AppSyncStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_athena as athena\n\nclass AthenaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Athena WorkGroup\n workgroup = athena.CfnWorkGroup(\n self,\n \"MyAthenaWorkGroup\",\n name=\"my-workgroup\",\n description=\"My Athena WorkGroup\",\n state=\"ENABLED\", # You can change the state\n work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(\n additional_configuration=\"additionalConfiguration\",\n bytes_scanned_cutoff_per_query=123,\n customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(\n kms_key=\"kmsKey\"\n ),\n enforce_work_group_configuration=False,\n )\n )\n\napp = core.App()\nAthenaStack(app, \"AthenaStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_athena as athena\n\nclass AthenaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Athena WorkGroup\n workgroup = athena.CfnWorkGroup(\n self,\n \"MyAthenaWorkGroup\",\n name=\"my-workgroup\",\n description=\"My Athena WorkGroup\",\n state=\"ENABLED\", # You can change the state\n work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(\n additional_configuration=\"additionalConfiguration\",\n bytes_scanned_cutoff_per_query=123,\n customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(\n kms_key=\"kmsKey\"\n ),\n enforce_work_group_configuration=True,\n )\n )\n\napp = core.App()\nAthenaStack(app, \"AthenaStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define RDS Aurora Serverless DB cluster\n my_db_cluster = rds.CfnDBCluster(\n self, 'MyDBCluster',\n engine='aurora', # Change this to your desired engine type\n engine_mode='serverless',\n storage_encrypted=False,\n # Other properties for your DB cluster\n )\n\napp = core.App()\nMyDBClusterStack(app, \"MyDBClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/AuroraEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define RDS Aurora Serverless DB cluster\n my_db_cluster = rds.CfnDBCluster(\n self, 'MyDBCluster',\n engine='aurora', # Change this to your desired engine type\n engine_mode='serverless',\n storage_encrypted=True,\n # Other properties for your DB cluster\n )\n\napp = core.App()\nMyDBClusterStack(app, \"MyDBClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_backup as backup\n\nclass MyBackupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Backup Vault with the specified encryption key ARN\n backup_vault = backup.CfnBackupVault(\n self,\n \"MyBackupVault\",\n name=\"MyBackupVault\",\n )\n"
},
{
"path": "cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_backup as backup\n\nclass MyBackupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Replace 'your-encryption-key-arn' with the actual KMS key ARN you want to use\n encryption_key_arn = 'your-encryption-key-arn'\n\n # Create a Backup Vault with the specified encryption key ARN\n backup_vault = backup.CfnBackupVault(\n self,\n \"MyBackupVault\",\n name=\"MyBackupVault\",\n encryption_key_arn=encryption_key_arn,\n )\n"
},
{
"path": "cdk_integration_tests/src/python/CloudFrontTLS12/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(\n cloudfront_default_certificate=False,\n minimum_protocol_version='TLSv1.1' # Define the minimum supported TLS version\n ),\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n\nclass MyCloudFrontDistributionStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(\n cloudfront_default_certificate=False,\n minimum_protocol_version='TLSv1.0' # Define the minimum supported TLS version\n ),\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack2(app, \"MyCloudFrontDistributionStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudFrontTLS12/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n viewer_certificate=cloudfront.CfnDistribution.ViewerCertificateProperty(\n cloudfront_default_certificate=False,\n minimum_protocol_version='TLSv1.2' # Define the minimum supported TLS version\n ),\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\nfrom aws_cdk import aws_iam as iam\n\nclass CloudTrailStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS CloudTrail trail using CfnTrail\n trail = cloudtrail.CfnTrail(\n self,\n \"MyCloudTrail\",\n is_logging=True,\n enable_log_file_validation=False,\n management_events=[\n cloudtrail.ReadWriteType.WRITE_ONLY,\n ],\n include_global_service_events=True,\n )\n\napp = core.App()\nCloudTrailStack(app, \"CloudTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\nfrom aws_cdk import aws_iam as iam\n\nclass CloudTrailStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS CloudTrail trail using CfnTrail\n trail = cloudtrail.CfnTrail(\n self,\n \"MyCloudTrail\",\n is_logging=True,\n enable_log_file_validation=True, # Enable log file validation\n management_events=[\n cloudtrail.ReadWriteType.WRITE_ONLY,\n ],\n include_global_service_events=True,\n )\n\napp = core.App()\nCloudTrailStack(app, \"CloudTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyBadLogGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a CloudWatch Logs log group without specifying KMS key\n log_group = logs.LogGroup(\n self,\n \"MyBadLogGroup\",\n log_group_name=\"MyLogGroupName\",\n retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed\n # KMS key is not specified\n )\n"
},
{
"path": "cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a CloudWatch Logs log group with KMS key ID\n log_group = logs.LogGroup(\n self,\n \"MyLogGroup\",\n log_group_name=\"MyLogGroupName\",\n retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed\n kms_key=1, # Specify the KMS key\n )\n"
},
{
"path": "cdk_integration_tests/src/python/CloudWatchLogGroupRetention/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudWatch Logs Log Group with Retention Period\n logs.CfnLogGroup(\n self, 'MyLogGroup',\n log_group_name='my-log-group',\n )\n\napp = core.App()\nMyLogGroupStack(app, \"MyLogGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudWatchLogGroupRetention/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_logs as logs\n\nclass MyLogGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudWatch Logs Log Group with Retention Period\n logs.CfnLogGroup(\n self, 'MyLogGroup',\n log_group_name='my-log-group',\n retention_in_days=30 # Replace with your desired retention period in days\n # Other properties for your Log Group\n )\n\napp = core.App()\nMyLogGroupStack(app, \"MyLogGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudfrontDistributionEncryption/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with ViewerProtocolPolicy set to allow_all\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n default_cache_behavior=cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(\n viewer_protocol_policy='allow-all'\n ),\n # Add other properties for the distribution config as needed\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n\nclass MyCloudFrontDistributionStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with CacheBehavior and ViewerProtocolPolicy\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n cache_behaviors=[\n cloudfront.CfnDistribution.CacheBehaviorProperty(\n path_pattern='/path-to-cache',\n target_origin_id='my-target-origin-id',\n viewer_protocol_policy='allow-all'\n )\n ],\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack2(app, \"MyCloudFrontDistributionStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudfrontDistributionEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with ViewerProtocolPolicy set to allow_all\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n default_cache_behavior=cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(\n viewer_protocol_policy='abc'\n ),\n # Add other properties for the distribution config as needed\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n\nclass MyCloudFrontDistributionStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with CacheBehavior and ViewerProtocolPolicy\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n cache_behaviors=[\n cloudfront.CfnDistribution.CacheBehaviorProperty(\n path_pattern='/path-to-cache',\n target_origin_id='my-target-origin-id',\n )\n ],\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack2(app, \"MyCloudFrontDistributionStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudfrontDistributionLogging/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with logging settings\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudfrontDistributionLogging/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass MyCloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudFront Distribution with logging settings\n distribution = cloudfront.CfnDistribution(\n self, 'MyCloudFrontDistribution',\n distribution_config=cloudfront.CfnDistribution.DistributionConfigProperty(\n logging=cloudfront.CfnDistribution.LoggingProperty(\n bucket='arn:aws:s3:::my-cloudfront-logs-bucket' # Replace with your S3 bucket ARN\n ),\n # Other distribution configuration properties\n )\n )\n\napp = core.App()\nMyCloudFrontDistributionStack(app, \"MyCloudFrontDistributionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudtrailEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailTrailStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudTrail Trail with a specific KMS Key ID\n cloudtrail.CfnTrail(\n self, 'MyCloudTrail',\n )\n\napp = core.App()\nMyCloudTrailTrailStack(app, \"MyCloudTrailTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudtrailEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailTrailStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudTrail Trail with a specific KMS Key ID\n cloudtrail.CfnTrail(\n self, 'MyCloudTrail',\n kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID', # Replace with your KMS Key ID ARN\n # Other properties for your CloudTrail Trail\n )\n\napp = core.App()\nMyCloudTrailTrailStack(app, \"MyCloudTrailTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudtrailMultiRegion/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudTrail Trail with IsMultiRegionTrail set to true\n cloudtrail.Trail(\n self, 'MyCloudTrail',\n is_multi_region_trail=False,\n # Other properties as needed for your CloudTrail Trail\n )\n\napp = core.App()\nMyCloudTrailStack(app, \"MyCloudTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CloudtrailMultiRegion/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudtrail as cloudtrail\n\nclass MyCloudTrailStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define CloudTrail Trail with IsMultiRegionTrail set to true\n cloudtrail.Trail(\n self, 'MyCloudTrail',\n is_multi_region_trail=True,\n # Other properties as needed for your CloudTrail Trail\n )\n\napp = core.App()\nMyCloudTrailStack(app, \"MyCloudTrailStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CodeBuildProjectEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_codebuild as codebuild\n\nclass MyCodeBuildProjectStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a CodeBuild project with S3 artifacts and encryption disabled\n my_project = codebuild.Project(\n self, 'MyCodeBuildProject',\n project_name='MyProject',\n source=codebuild.Source.git_hub(owner='owner', repo='repo'),\n artifacts=codebuild.Artifacts(\n type=codebuild.ArtifactsType.S3,\n encryption_disabled=True\n ),\n environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),\n )\n\napp = core.App()\nMyCodeBuildProjectStack(app, \"MyCodeBuildProjectStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/CodeBuildProjectEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_codebuild as codebuild\n\nclass MyCodeBuildProjectStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a CodeBuild project with S3 artifacts and encryption disabled\n my_project = codebuild.Project(\n self, 'MyCodeBuildProject',\n project_name='MyProject',\n source=codebuild.Source.git_hub(owner='owner', repo='repo'),\n artifacts=codebuild.Artifacts(\n type=codebuild.ArtifactsType.S3,\n encryption_disabled=False\n ),\n environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),\n )\n\napp = core.App()\nMyCodeBuildProjectStack(app, \"MyCodeBuildProjectStack\")\napp.synth()\n\nclass MyCodeBuildProjectStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a CodeBuild project with S3 artifacts and encryption disabled\n my_project = codebuild.Project(\n self, 'MyCodeBuildProject',\n project_name='MyProject',\n source=codebuild.Source.git_hub(owner='owner', repo='repo'),\n artifacts=codebuild.Artifacts(\n encryption_disabled=True\n ),\n environment=codebuild.BuildEnvironment(build_image=codebuild.LinuxBuildImage.STANDARD_5_0),\n )\n\napp = core.App()\nMyCodeBuildProjectStack2(app, \"MyCodeBuildProjectStack2\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/DAXEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dax as dax\n\nclass DAXClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DAX cluster\n dax_cluster = dax.CfnCluster(\n self, \"MyDAXCluster\",\n cluster_name=\"MyDAXCluster\",\n description=\"My DAX Cluster\",\n iam_role_arn=\"arn:aws:iam::123456789012:role/DAXServiceRole\",\n node_type=\"dax.r5.large\",\n replication_factor=2,\n )\n\napp = core.App()\nDAXClusterStack(app, \"DAXClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DAXEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dax as dax\n\nclass DAXClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DAX cluster\n dax_cluster = dax.CfnCluster(\n self, \"MyDAXCluster\",\n cluster_name=\"MyDAXCluster\",\n description=\"My DAX Cluster\",\n iam_role_arn=\"arn:aws:iam::123456789012:role/DAXServiceRole\",\n node_type=\"dax.r5.large\",\n replication_factor=2,\n sse_specification=dax.CfnCluster.SSESpecificationProperty(\n enabled=True, # Enable server-side encryption\n kms_key_id=\"arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id\"\n )\n )\n\napp = core.App()\nDAXClusterStack(app, \"DAXClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dms as dms\n\nclass MyDMSReplicationInstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define DMS Replication Instance with PubliclyAccessible set to False\n dms.ReplicationInstance(\n self, 'MyDMSReplicationInstance',\n replication_instance_identifier='MyReplicationInstance',\n allocated_storage=100,\n engine_version='3.4.3',\n publicly_accessible=True # Set PubliclyAccessible to False\n # Add other properties as needed for your replication instance\n )\n\napp = core.App()\nMyDMSReplicationInstanceStack(app, \"MyDMSReplicationInstanceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DMSReplicationInstancePubliclyAccessible/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dms as dms\n\nclass MyDMSReplicationInstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define DMS Replication Instance with PubliclyAccessible set to False\n dms.ReplicationInstance(\n self, 'MyDMSReplicationInstance',\n replication_instance_identifier='MyReplicationInstance',\n allocated_storage=100,\n engine_version='3.4.3',\n publicly_accessible=False # Set PubliclyAccessible to False\n # Add other properties as needed for your replication instance\n )\n\napp = core.App()\nMyDMSReplicationInstanceStack(app, \"MyDMSReplicationInstanceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBAuditLogs/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass DocDBStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the DocDB Cluster Parameter Group\n db_parameter_group = docdb.CfnDBClusterParameterGroup(\n self,\n \"DocDBClusterParameterGroup\",\n description=\"Custom DocDB Cluster Parameter Group\",\n family=\"docdb4.0\",\n parameters={\n \"audit_logs\": \"disabled\",\n }\n )\n\napp = core.App()\nDocDBStack(app, \"DocDBStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBAuditLogs/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass DocDBStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the DocDB Cluster Parameter Group\n db_parameter_group = docdb.CfnDBClusterParameterGroup(\n self,\n \"DocDBClusterParameterGroup\",\n description=\"Custom DocDB Cluster Parameter Group\",\n family=\"docdb4.0\",\n parameters={\n \"audit_logs\": \"enabled\",\n }\n )\n\napp = core.App()\nDocDBStack(app, \"DocDBStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBClusterStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon DocumentDB cluster with storage encryption disabled\n docdb_cluster = docdb.CfnDBCluster(\n self,\n \"MyDocDBCluster\",\n db_cluster_identifier=\"my-docdb-cluster\",\n master_username=\"admin\",\n master_user_password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n availability_zones=[\"us-east-1a\", \"us-east-1b\"], # Specify the availability zones\n port=27017, # Specify the port as needed\n )\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBClusterStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon DocumentDB cluster with storage encryption enabled\n docdb_cluster = docdb.CfnDBCluster(\n self,\n \"MyDocDBCluster\",\n db_cluster_identifier=\"my-docdb-cluster\",\n master_username=\"admin\",\n master_user_password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n storage_encrypted=True, # Enable storage encryption\n availability_zones=[\"us-east-1a\", \"us-east-1b\"], # Specify the availability zones\n port=27017, # Specify the port as needed\n )\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBTLS/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define DocDB Cluster Parameter Group with 'tls' parameter set to 'disabled'\n docdb.CfnDBClusterParameterGroup(\n self, 'MyDocDBClusterParameterGroup',\n description='My DocDB Parameter Group',\n family='docdb4.0',\n parameters={\n 'tls': 'disabled'\n }\n # Other properties as needed\n )\n\napp = core.App()\nMyDocDBParameterGroupStack(app, \"MyDocDBParameterGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DocDBTLS/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_docdb as docdb\n\nclass MyDocDBParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define DocDB Cluster Parameter Group with 'tls' parameter set to 'disabled'\n docdb.CfnDBClusterParameterGroup(\n self, 'MyDocDBClusterParameterGroup',\n description='My DocDB Parameter Group',\n family='docdb4.0',\n parameters={\n 'tls': 'enabled'\n }\n # Other properties as needed\n )\n\napp = core.App()\nMyDocDBParameterGroupStack(app, \"MyDocDBParameterGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass DynamoDBGlobalTableStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DynamoDB Global Table\n global_table = dynamodb.CfnGlobalTable(\n self, \"MyGlobalTable\",\n replication_group=[{\"region_name\": \"us-east-1\"}, {\"region_name\": \"us-west-2\"}],\n table_name=\"MyGlobalTable\",\n replicas=[\n dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(\n point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(\n point_in_time_recovery_enabled=False\n )\n )\n ]\n )\n"
},
{
"path": "cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass DynamoDBGlobalTableStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DynamoDB Global Table\n global_table = dynamodb.CfnGlobalTable(\n self, \"MyGlobalTable\",\n replication_group=[{\"region_name\": \"us-east-1\"}, {\"region_name\": \"us-west-2\"}],\n table_name=\"MyGlobalTable\",\n replicas=[\n dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(\n point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(\n point_in_time_recovery_enabled=True\n )\n )\n ]\n )"
},
{
"path": "cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass MyDynamoDBStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DynamoDB table with PointInTimeRecoveryEnabled set to True\n dynamodb_table = dynamodb.Table(\n self,\n \"MyDynamoDBTable\",\n table_name=\"MyTableName\",\n partition_key=dynamodb.Attribute(name=\"PartitionKey\", type=dynamodb.AttributeType.STRING),\n point_in_time_recovery=False, # Set PointInTimeRecoveryEnabled to True\n removal_policy=core.RemovalPolicy.DESTROY, # Specify the removal policy as needed\n )\n"
},
{
"path": "cdk_integration_tests/src/python/DynamodbRecovery/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_dynamodb as dynamodb\n\nclass MyDynamoDBStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a DynamoDB table with PointInTimeRecoveryEnabled set to True\n dynamodb_table = dynamodb.Table(\n self,\n \"MyDynamoDBTable\",\n table_name=\"MyTableName\",\n partition_key=dynamodb.Attribute(name=\"PartitionKey\", type=dynamodb.AttributeType.STRING),\n point_in_time_recovery=True, # Set PointInTimeRecoveryEnabled to True\n removal_policy=core.RemovalPolicy.DESTROY, # Specify the removal policy as needed\n )\n"
},
{
"path": "cdk_integration_tests/src/python/EBSEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVolumeStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an EBS volume without encryption\n ebs_volume = ec2.Volume(\n self,\n \"MyEBSVolume\",\n availability_zone=\"us-east-1a\", # Replace with your desired availability zone\n size=100, # Set the size of the volume as needed\n encrypted=False, # Disable encryption (default is False)\n volume_type=ec2.EbsDeviceVolumeType.GP2, # Specify the volume type\n )\n"
},
{
"path": "cdk_integration_tests/src/python/EBSEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVolumeStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an EBS volume with encryption enabled\n ebs_volume = ec2.Volume(\n self,\n \"MyEBSVolume\",\n availability_zone=\"us-east-1a\", # Replace with your desired availability zone\n size=100, # Set the size of the volume as needed\n encrypted=True, # Enable encryption\n volume_type=ec2.EbsDeviceVolumeType.GP2, # Specify the volume type\n )\n"
},
{
"path": "cdk_integration_tests/src/python/EC2PublicIP/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyEC2InstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define VPC for the EC2 Instance\n vpc = ec2.Vpc(\n self, 'MyVpc',\n max_azs=2 # Replace with the desired number of Availability Zones\n )\n\n # Define EC2 Instance with Network Interface having Public IP\n instance = ec2.CfnInstance(\n self, 'MyEC2Instance',\n image_id='ami-12345678', # Replace with your desired AMI ID\n instance_type='t2.micro', # Replace with your desired instance type\n network_interfaces=[{\n 'associate_public_ip_address': True\n }]\n # Other properties for your EC2 Instance\n )\n\napp = core.App()\nMyEC2InstanceStack(app, \"MyEC2InstanceStack\")\napp.synth()\n\nclass MyEC2LaunchTemplateStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Launch Template for the EC2 Instance\n launch_template = ec2.CfnLaunchTemplate(\n self, 'MyLaunchTemplate',\n launch_template_name='my-launch-template',\n launch_template_data={\n 'network_interfaces': [{\n 'associate_public_ip_address': True\n }]\n # Other properties for your Launch Template Data\n }\n )\n\napp = core.App()\nMyEC2LaunchTemplateStack(app, \"MyEC2LaunchTemplateStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/EC2PublicIP/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyEC2InstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define VPC for the EC2 Instance\n vpc = ec2.Vpc(\n self, 'MyVpc',\n max_azs=2 # Replace with the desired number of Availability Zones\n )\n\n # Define EC2 Instance with Network Interface having Public IP\n instance = ec2.CfnInstance(\n self, 'MyEC2Instance',\n image_id='ami-12345678', # Replace with your desired AMI ID\n instance_type='t2.micro', # Replace with your desired instance type\n network_interfaces=[{\n 'deviceIndex': '0',\n 'subnet_id': vpc.public_subnets[0].subnet_id,\n 'associate_public_ip_address': False\n }]\n # Other properties for your EC2 Instance\n )\n\napp = core.App()\nMyEC2InstanceStack(app, \"MyEC2InstanceStack\")\napp.synth()\n\nclass MyEC2LaunchTemplateStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Launch Template for the EC2 Instance\n launch_template = ec2.CfnLaunchTemplate(\n self, 'MyLaunchTemplate',\n launch_template_name='my-launch-template',\n launch_template_data={\n 'network_interfaces': [{\n 'deviceIndex': '0',\n 'associate_public_ip_address': False\n }]\n # Other properties for your Launch Template Data\n }\n )\n\napp = core.App()\nMyEC2LaunchTemplateStack(app, \"MyEC2LaunchTemplateStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an ECR repository with image scanning on push enabled\n ecr_repository = ecr.Repository(\n self,\n \"MyECRRepository\",\n repository_name=\"my-ecr-repo\",\n )\n"
},
{
"path": "cdk_integration_tests/src/python/ECRImageScanning/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an ECR repository with image scanning on push enabled\n ecr_repository = ecr.Repository(\n self,\n \"MyECRRepository\",\n repository_name=\"my-ecr-repo\",\n image_scan_on_push=True, # Enable image scanning on push\n )\n"
},
{
"path": "cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an ECR repository with immutable image tags\n ecr_repository = ecr.Repository(\n self,\n \"MyECRRepository\",\n repository_name=\"my-ecr-repo\",\n image_tag_mutability=ecr.TagMutability.MUTABLE, # Set image tag mutability to IMMUTABLE\n )\n"
},
{
"path": "cdk_integration_tests/src/python/ECRImmutableTags/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an ECR repository with immutable image tags\n ecr_repository = ecr.Repository(\n self,\n \"MyECRRepository\",\n repository_name=\"my-ecr-repo\",\n image_tag_mutability=ecr.TagMutability.IMMUTABLE, # Set image tag mutability to IMMUTABLE\n )\n"
},
{
"path": "cdk_integration_tests/src/python/ECRRepositoryEncrypted/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRRepositoryStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ECR Repository with Encryption Configuration\n ecr.CfnRepository(\n self, 'MyECRRepository',\n repository_name='my-ecr-repo',\n )\n\napp = core.App()\nMyECRRepositoryStack(app, \"MyECRRepositoryStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ECRRepositoryEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecr as ecr\n\nclass MyECRRepositoryStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ECR Repository with Encryption Configuration\n ecr.CfnRepository(\n self, 'MyECRRepository',\n repository_name='my-ecr-repo',\n encryption_configuration={\n 'encryptionType': 'KMS'\n }\n # Other properties for your ECR Repository\n )\n\napp = core.App()\nMyECRRepositoryStack(app, \"MyECRRepositoryStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py",
"content": "import aws_cdk as core\nfrom constructs import Construct\nfrom aws_cdk import aws_ecs as ecs\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyECSClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n vpc = ec2.Vpc(self, \"Vpc\",\n ip_protocol=ec2.IpProtocol.DUAL_STACK\n )\n\n cluster = ecs.Cluster(self, \"EcsCluster\", vpc=vpc, container_insights=False)\n cluster2 = ecs.Cluster(self, \"EcsCluster2\", vpc=vpc)\n cluster3 = ecs.Cluster(self, \"EcsCluster3\", vpc=vpc, container_insights_v2=ecs.ContainerInsights.DISABLED)\n\n cluster4 = ecs.CfnCluster(\n self, 'MyECSCluster4',\n cluster_name='my-ecs-cluster',\n cluster_settings=[{\n 'name': 'containerInsights',\n 'value': 'disabled'\n }]\n # Other properties for your ECS Cluster\n )\n\n cluster5 = ecs.CfnCluster(\n self, 'MyECSCluster5',\n cluster_name='my-ecs-cluster'\n # Other properties for your ECS Cluster\n )\n\napp = core.App()\nMyECSClusterStack(app, \"MyECSClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py",
"content": "import aws_cdk as core\nfrom constructs import Construct\nfrom aws_cdk import aws_ecs as ecs\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyECSClusterStack(core.Stack):\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n vpc = ec2.Vpc(self, \"Vpc\",\n ip_protocol=ec2.IpProtocol.DUAL_STACK\n )\n\n cluster = ecs.Cluster(self, \"EcsCluster\", vpc=vpc, container_insights=True)\n cluster2 = ecs.Cluster(self, \"EcsCluster2\", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENHANCED)\n cluster3 = ecs.Cluster(self, \"EcsCluster3\", vpc=vpc, container_insights_v2=ecs.ContainerInsights.ENABLED)\n\n cluster4 = ecs.CfnCluster(\n self, 'MyECSCluster4',\n cluster_name='my-ecs-cluster',\n cluster_settings=[{\n 'name': 'containerInsights',\n 'value': 'enabled'\n }]\n # Other properties for your ECS Cluster\n )\n\n cluster5 = ecs.CfnCluster(\n self, 'MyECSCluster5',\n cluster_name='my-ecs-cluster',\n cluster_settings=[{\n 'name': 'containerInsights',\n 'value': 'enhanced'\n }]\n # Other properties for your ECS Cluster\n )\n\napp = core.App()\nMyECSClusterStack(app, \"MyECSClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecs as ecs\n\nclass MyECSTaskDefinitionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ECS Task Definition with an EFS volume configuration and transit encryption disabled\n task_definition = ecs.CfnTaskDefinition(\n self, 'MyTaskDefinition',\n volumes=[\n {\n 'efs_volume_configuration': {\n 'transit_encryption': 'DISABLED'\n }\n }\n ]\n # Other properties for your ECS Task Definition\n )\n\napp = core.App()\nMyECSTaskDefinitionStack(app, \"MyECSTaskDefinitionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ECSTaskDefinitionEFSVolumeEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ecs as ecs\n\nclass MyECSTaskDefinitionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ECS Task Definition with an EFS volume configuration and transit encryption disabled\n task_definition = ecs.CfnTaskDefinition(\n self, 'MyTaskDefinition',\n volumes=[\n {\n 'efs_volume_configuration': {\n 'transit_encryption': 'ENABLED'\n }\n }\n ]\n # Other properties for your ECS Task Definition\n )\n\napp = core.App()\nMyECSTaskDefinitionStack(app, \"MyECSTaskDefinitionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/EFSEncryptionEnabled/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_efs as efs\n\nclass EfsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n efs_file_system = efs.FileSystem(\n self,\n \"EfsFileSystem\",\n encrypted=False, # Set Encrypted property to False\n lifecycle_policy=efs.LifecyclePolicy.AFTER_7_DAYS,\n )\n\napp = core.App()\nEfsStack(app, \"EfsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/EFSEncryptionEnabled/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_efs as efs\n\nclass EfsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an EFS file system with the Encrypted property set to True\n efs_file_system = efs.FileSystem(\n self,\n \"EfsFileSystem\",\n encrypted=True, # Set Encrypted property to True\n lifecycle_policy=efs.LifecyclePolicy.AFTER_7_DAYS,\n )\n\napp = core.App()\nEfsStack(app, \"EfsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_eks as eks\n\nclass MyEKSClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EKS Cluster with Encryption Configuration\n cluster = eks.CfnCluster(\n self, 'MyEKSCluster',\n name='my-eks-cluster',\n encryption_config=[{\n 'resources': ['abc']\n }]\n # Other properties for your EKS Cluster\n )\n\napp = core.App()\nMyEKSClusterStack(app, \"MyEKSClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_eks as eks\n\nclass MyEKSClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EKS Cluster with Encryption Configuration\n cluster = eks.CfnCluster(\n self, 'MyEKSCluster',\n name='my-eks-cluster',\n encryption_config=[{\n 'resources': ['secrets']\n }]\n # Other properties for your EKS Cluster\n )\n\napp = core.App()\nMyEKSClusterStack(app, \"MyEKSClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ELBAccessLogs/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancing as elb\n\nclass MyLoadBalancerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elastic Load Balancer with access logging policy enabled\n load_balancer = elb.CfnLoadBalancer(\n self, 'MyLoadBalancer',\n listeners=[\n {\n 'instancePort': '80',\n 'instanceProtocol': 'HTTP',\n 'loadBalancerPort': '80',\n 'protocol': 'HTTP'\n }\n ],\n access_logging_policy=elb.CfnLoadBalancer.AccessLoggingPolicyProperty(\n enabled=False,\n s3_bucket_name='my-access-logs-bucket', # Replace with your S3 bucket name\n emit_interval=5 # Adjust the interval as needed\n )\n # Other properties as needed for your Load Balancer\n )\n\napp = core.App()\nMyLoadBalancerStack(app, \"MyLoadBalancerStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ELBAccessLogs/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancing as elb\n\nclass MyLoadBalancerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elastic Load Balancer with access logging policy enabled\n load_balancer = elb.CfnLoadBalancer(\n self, 'MyLoadBalancer',\n listeners=[\n {\n 'instancePort': '80',\n 'instanceProtocol': 'HTTP',\n 'loadBalancerPort': '80',\n 'protocol': 'HTTP'\n }\n ],\n access_logging_policy=elb.CfnLoadBalancer.AccessLoggingPolicyProperty(\n enabled=True,\n s3_bucket_name='my-access-logs-bucket', # Replace with your S3 bucket name\n emit_interval=5 # Adjust the interval as needed\n )\n # Other properties as needed for your Load Balancer\n )\n\napp = core.App()\nMyLoadBalancerStack(app, \"MyLoadBalancerStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ELBv2AccessLogs/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBWithAccessLogs(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elastic Load Balancer V2 with access logs enabled\n alb = elbv2.CfnLoadBalancer(\n self, 'MyALB',\n load_balancer_attributes=[\n elbv2.CfnLoadBalancer.LoadBalancerAttributeProperty(\n key=\"access_logs.s3.enabled\",\n value=\"false\"\n )\n ],\n # Other properties for your Application Load Balancer\n )\n\napp = core.App()\nMyALBWithAccessLogs(app, \"MyALBWithAccessLogs\")\napp.synth()\n\nclass MyALBWithAccessLogs2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elastic Load Balancer V2 with access logs enabled\n alb = elbv2.CfnLoadBalancer(\n self, 'MyALB'\n )\n\napp = core.App()\nMyALBWithAccessLogs2(app, \"MyALBWithAccessLogs2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ELBv2AccessLogs/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticloadbalancingv2 as elbv2\n\nclass MyALBWithAccessLogs(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elastic Load Balancer V2 with access logs enabled\n alb = elbv2.CfnLoadBalancer(\n self, 'MyALB',\n load_balancer_attributes=[\n elbv2.CfnLoadBalancer.LoadBalancerAttributeProperty(\n key=\"access_logs.s3.enabled\",\n value=\"true\"\n )\n ],\n # Other properties for your Application Load Balancer\n )\n\napp = core.App()\nMyALBWithAccessLogs(app, \"MyALBWithAccessLogs\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon ElastiCache replication group\n replication_group = elasticache.CfnReplicationGroup(\n self,\n \"MyElastiCacheReplicationGroup\",\n replication_group_description=\"My Replication Group\",\n automatic_failover_enabled=True,\n replication_group_id=\"my-replication-group\",\n cache_node_type=\"cache.m4.large\",\n engine=\"redis\",\n engine_version=\"5.0.6\",\n num_node_groups=2,\n cache_subnet_group_name=\"my-subnet-group\",\n security_group_ids=[\"sg-0123456789abcdef0\"],\n )\n\napp = core.App()\nElastiCacheReplicationGroupStack(app, \"ElastiCacheReplicationGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtRest/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon ElastiCache replication group\n replication_group = elasticache.CfnReplicationGroup(\n self,\n \"MyElastiCacheReplicationGroup\",\n replication_group_description=\"My Replication Group\",\n automatic_failover_enabled=True,\n replication_group_id=\"my-replication-group\",\n cache_node_type=\"cache.m4.large\",\n engine=\"redis\",\n engine_version=\"5.0.6\",\n num_node_groups=2,\n cache_subnet_group_name=\"my-subnet-group\",\n security_group_ids=[\"sg-0123456789abcdef0\"],\n at_rest_encryption_enabled=True # Enable encryption at rest\n )\n\napp = core.App()\nElastiCacheReplicationGroupStack(app, \"ElastiCacheReplicationGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS ElastiCache Replication Group\n replication_group = elasticache.CfnReplicationGroup(\n self,\n \"MyElastiCacheReplicationGroup\",\n replication_group_id=\"my-replication-group\",\n replication_group_description=\"My ElastiCache Replication Group\",\n cache_node_type=\"cache.m4.large\",\n engine=\"redis\",\n engine_version=\"5.0.6\",\n port=6379,\n num_cache_clusters=2,\n automatic_failover_enabled=True,\n )\n\napp = core.App()\nElastiCacheReplicationGroupStack(app, \"ElastiCacheReplicationGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass ElastiCacheReplicationGroupStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS ElastiCache Replication Group\n replication_group = elasticache.CfnReplicationGroup(\n self,\n \"MyElastiCacheReplicationGroup\",\n replication_group_id=\"my-replication-group\",\n replication_group_description=\"My ElastiCache Replication Group\",\n cache_node_type=\"cache.m4.large\",\n engine=\"redis\",\n engine_version=\"5.0.6\",\n port=6379,\n num_cache_clusters=2,\n automatic_failover_enabled=True,\n transit_encryption_enabled=True # Enable transit encryption\n )\n\napp = core.App()\nElastiCacheReplicationGroupStack(app, \"ElastiCacheReplicationGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass MyElastiCacheReplicationGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ElastiCache Replication Group with encryption and auth token\n elasticache.CfnReplicationGroup(\n self, 'MyElastiCacheReplicationGroup',\n replication_group_description='MyReplicationGroup',\n cache_node_type='cache.t2.small',\n engine='redis',\n engine_version='6.x',\n num_node_groups=1,\n automatic_failover_enabled=True,\n transit_encryption_enabled=False, # Enable transit encryption\n auth_token='YourAuthTokenHere' # Provide the auth token\n # ... other properties as needed\n )\n\napp = core.App()\nMyElastiCacheReplicationGroupStack(app, \"MyElastiCacheReplicationGroupStack\")\napp.synth()\n\nclass MyElastiCacheReplicationGroupStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ElastiCache Replication Group with encryption and auth token\n elasticache.CfnReplicationGroup(\n self, 'MyElastiCacheReplicationGroup',\n replication_group_description='MyReplicationGroup',\n cache_node_type='cache.t2.small',\n engine='redis',\n engine_version='6.x',\n num_node_groups=1,\n automatic_failover_enabled=True,\n transit_encryption_enabled=True, # Enable transit encryption\n # ... other properties as needed\n )\n\napp = core.App()\nMyElastiCacheReplicationGroupStack2(app, \"MyElastiCacheReplicationGroupStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticache as elasticache\n\nclass MyElastiCacheReplicationGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define ElastiCache Replication Group with encryption and auth token\n elasticache.CfnReplicationGroup(\n self, 'MyElastiCacheReplicationGroup',\n replication_group_description='MyReplicationGroup',\n cache_node_type='cache.t2.small',\n engine='redis',\n engine_version='6.x',\n num_node_groups=1,\n automatic_failover_enabled=True,\n transit_encryption_enabled=True, # Enable transit encryption\n auth_token='YourAuthTokenHere' # Provide the auth token\n # ... other properties as needed\n )\n\napp = core.App()\nMyElastiCacheReplicationGroupStack(app, \"MyElastiCacheReplicationGroupStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass ElasticsearchStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Elasticsearch domain\n elasticsearch_domain = elasticsearch.CfnDomain(\n self, \"MyElasticsearchDomain\",\n domain_name=\"my-elasticsearch-domain\",\n elasticsearch_version=\"7.10\",\n node_to_node_encryption_options={\n \"enabled\": True\n },\n ebs_options={\n \"ebsEnabled\": True,\n \"volumeSize\": 10\n },\n )\n\n# Create the CDK app and stack\napp = core.App()\nElasticsearchStack(app, \"ElasticsearchStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchDomainEnforceHTTPS/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass ElasticsearchStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Elasticsearch domain\n elasticsearch_domain = elasticsearch.CfnDomain(\n self, \"MyElasticsearchDomain\",\n domain_name=\"my-elasticsearch-domain\",\n elasticsearch_version=\"7.10\",\n node_to_node_encryption_options={\n \"enabled\": True\n },\n domain_endpoint_options=elasticsearch.CfnDomain.DomainEndpointOptionsProperty(\n custom_endpoint=\"customEndpoint\",\n custom_endpoint_certificate_arn=\"customEndpointCertificateArn\",\n custom_endpoint_enabled=False,\n enforce_https=True,\n tls_security_policy=\"tlsSecurityPolicy\"\n ),\n ebs_options={\n \"ebsEnabled\": True,\n \"volumeSize\": 10\n },\n )\n\n# Create the CDK app and stack\napp = core.App()\nElasticsearchStack(app, \"ElasticsearchStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchDomainLogging/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\nfrom aws_cdk import aws_opensearchservice as opensearchservice\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with LogPublishingOptions for different log types\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n node_to_node_encryption_options={\n 'enabled': True\n },\n log_publishing_options={\n 'logPublishingOptionsKey': elasticsearch.CfnDomain.LogPublishingOptionProperty(\n cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',\n enabled=False\n )\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n\nclass MyOpenSearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define OpenSearch Service Domain with LogPublishingOptions for different log types\n opensearchservice.CfnDomain(\n self, 'MyOpenSearchDomain',\n domain_name='my-opensearch-domain',\n elasticsearch_version='7.10', # Replace with your desired OpenSearch version\n node_to_node_encryption_options={\n 'enabled': True\n },\n log_publishing_options={\n 'logPublishingOptionsKey': opensearchservice.CfnDomain.LogPublishingOptionProperty(\n cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',\n enabled=True\n )\n }\n # Other properties for your OpenSearch Service Domain\n )\n\napp = core.App()\nMyOpenSearchDomainStack(app, \"MyOpenSearchDomainStack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchDomainLogging/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\nfrom aws_cdk import aws_opensearchservice as opensearchservice\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with LogPublishingOptions for different log types\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n node_to_node_encryption_options={\n 'enabled': True\n },\n log_publishing_options={\n 'logPublishingOptionsKey': elasticsearch.CfnDomain.LogPublishingOptionProperty(\n cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',\n enabled=True\n )\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n\nclass MyOpenSearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define OpenSearch Service Domain with LogPublishingOptions for different log types\n opensearchservice.CfnDomain(\n self, 'MyOpenSearchDomain',\n domain_name='my-opensearch-domain',\n elasticsearch_version='7.10', # Replace with your desired OpenSearch version\n node_to_node_encryption_options={\n 'enabled': True\n },\n log_publishing_options={\n 'logPublishingOptionsKey': opensearchservice.CfnDomain.LogPublishingOptionProperty(\n cloud_watch_logs_log_group_arn='arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME',\n enabled=True\n )\n }\n # Other properties for your OpenSearch Service Domain\n )\n\napp = core.App()\nMyOpenSearchDomainStack(app, \"MyOpenSearchDomainStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with Encryption At Rest Enabled\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n encryption_at_rest_options={\n 'enabled': False\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with Encryption At Rest Enabled\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n encryption_at_rest_options={\n 'enabled': True\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with Node-to-Node Encryption Enabled\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n node_to_node_encryption_options={\n 'enabled': False\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/ElasticsearchNodeToNodeEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_elasticsearch as elasticsearch\n\nclass MyElasticsearchDomainStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Elasticsearch Domain with Node-to-Node Encryption Enabled\n elasticsearch.CfnDomain(\n self, 'MyElasticsearchDomain',\n domain_name='my-elasticsearch-domain',\n elasticsearch_version='7.10', # Replace with your desired Elasticsearch version\n node_to_node_encryption_options={\n 'enabled': True\n }\n # Other properties for your Elasticsearch Domain\n )\n\napp = core.App()\nMyElasticsearchDomainStack(app, \"MyElasticsearchDomainStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/GlueDataCatalogEncryption/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueDataCatalogEncryptionSettingsStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Data Catalog encryption settings\n data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(\n self, 'MyGlueDataCatalogEncryptionSettings',\n data_catalog_encryption_settings={\n 'ConnectionPasswordEncryption': {\n 'ReturnConnectionPasswordEncrypted': False\n },\n 'EncryptionAtRest': {\n 'CatalogEncryptionMode': 'SSE-KMS'\n }\n }\n )\n\napp = core.App()\nMyGlueDataCatalogEncryptionSettingsStack(app, \"MyGlueDataCatalogEncryptionSettingsStack\")\napp.synth()\n\nclass MyGlueDataCatalogEncryptionSettingsStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Data Catalog encryption settings\n data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(\n self, 'MyGlueDataCatalogEncryptionSettings',\n data_catalog_encryption_settings={\n 'ConnectionPasswordEncryption': {\n 'ReturnConnectionPasswordEncrypted': True\n },\n }\n )\n\napp = core.App()\nMyGlueDataCatalogEncryptionSettingsStack2(app, \"MyGlueDataCatalogEncryptionSettingsStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/GlueDataCatalogEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueDataCatalogEncryptionSettingsStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Data Catalog encryption settings\n data_catalog_encryption_settings = glue.CfnDataCatalogEncryptionSettings(\n self, 'MyGlueDataCatalogEncryptionSettings',\n data_catalog_encryption_settings={\n 'ConnectionPasswordEncryption': {\n 'ReturnConnectionPasswordEncrypted': True\n },\n 'EncryptionAtRest': {\n 'CatalogEncryptionMode': 'SSE-KMS'\n }\n }\n )\n\napp = core.App()\nMyGlueDataCatalogEncryptionSettingsStack(app, \"MyGlueDataCatalogEncryptionSettingsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/GlueSecurityConfiguration/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueSecurityConfigurationStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the security configuration with encryption settings\n security_configuration = glue.CfnSecurityConfiguration(\n self, 'MyGlueSecurityConfiguration',\n encryption_configuration={\n 'CloudWatchEncryption': {\n 'CloudWatchEncryptionMode': 'SSE-KMS'\n },\n 'JobBookmarksEncryption': {\n 'JobBookmarksEncryptionMode': 'DISABLED'\n },\n 'S3Encryptions': [\n {\n 'S3EncryptionMode': 'SSE-KMS'\n }\n ]\n }\n )\n\napp = core.App()\nMyGlueSecurityConfigurationStack(app, \"MyGlueSecurityConfigurationStack\")\napp.synth()\n\nclass MyGlueSecurityConfigurationStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the security configuration with encryption settings\n security_configuration = glue.CfnSecurityConfiguration(\n self, 'MyGlueSecurityConfiguration',\n encryption_configuration={\n 'JobBookmarksEncryption': {\n 'JobBookmarksEncryptionMode': 'CSE-KMS'\n },\n 'S3Encryptions': [\n {\n 'S3EncryptionMode': 'SSE-KMS'\n }\n ]\n }\n )\n\napp = core.App()\nMyGlueSecurityConfigurationStack2(app, \"MyGlueSecurityConfigurationStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/GlueSecurityConfiguration/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass MyGlueSecurityConfigurationStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define the security configuration with encryption settings\n security_configuration = glue.CfnSecurityConfiguration(\n self, 'MyGlueSecurityConfiguration',\n encryption_configuration={\n 'CloudWatchEncryption': {\n 'CloudWatchEncryptionMode': 'SSE-KMS'\n },\n 'JobBookmarksEncryption': {\n 'JobBookmarksEncryptionMode': 'CSE-KMS'\n },\n 'S3Encryptions': [\n {\n 'S3EncryptionMode': 'SSE-KMS'\n }\n ]\n }\n )\n\napp = core.App()\nMyGlueSecurityConfigurationStack(app, \"MyGlueSecurityConfigurationStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\n\nclass GlueCrawlerStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n crawler = glue.CfnCrawler(\n self,\n \"MyCrawler\",\n name=\"MyCrawler\",\n database_name=\"mydatabase\",\n role=crawler_role.role_arn,\n targets={\n \"s3Targets\": [\n {\n \"path\": \"s3://your-s3-bucket/path/to/crawl\",\n }\n ]\n },\n )\n\napp = core.App()\nGlueCrawlerStack(app, \"GlueCrawlerStack\")\napp.synth()\n\n\nclass GlueDevEndpointStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS Glue DevEndpoint\n dev_endpoint = glue.CfnDevEndpoint(\n self,\n \"MyDevEndpoint\",\n role_arn=\"arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole\",\n worker_type=\"Standard\",\n glue_version=\"1.0\",\n )\n\napp = core.App()\nGlueDevEndpointStack(app, \"GlueDevEndpointStack\")\napp.synth()\n\nclass GlueJobStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS Glue Job\n job = glue.CfnJob(\n self,\n \"MyGlueJob\",\n command={\n \"name\": \"glueetl\",\n \"pythonVersion\": \"3\"\n },\n default_arguments={\n \"--job-language\": \"python\"\n },\n max_capacity=10,\n glue_version=\"1.0\"\n )\n\napp = core.App()\nGlueJobStack(app, \"GlueJobStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_glue as glue\nfrom aws_cdk import aws_iam as iam\n\nclass GlueCrawlerStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n crawler = glue.CfnCrawler(\n self,\n \"MyCrawler\",\n name=\"MyCrawler\",\n database_name=\"mydatabase\",\n role=crawler_role.role_arn,\n targets={\n \"s3Targets\": [\n {\n \"path\": \"s3://your-s3-bucket/path/to/crawl\",\n }\n ]\n },\n crawler_security_configuration=\"aaa\"\n )\n\napp = core.App()\nGlueCrawlerStack(app, \"GlueCrawlerStack\")\napp.synth()\n\n\nclass GlueDevEndpointStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS Glue Security Configuration (You need to create one separately)\n security_configuration_name = \"MySecurityConfiguration\" # Replace with your security config name\n\n # Create an AWS Glue DevEndpoint\n dev_endpoint = glue.CfnDevEndpoint(\n self,\n \"MyDevEndpoint\",\n role_arn=\"arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole\",\n security_configuration=security_configuration_name,\n worker_type=\"Standard\",\n glue_version=\"1.0\",\n )\n\napp = core.App()\nGlueDevEndpointStack(app, \"GlueDevEndpointStack\")\napp.synth()\n\nclass GlueJobStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an AWS Glue Security Configuration (You need to create one separately)\n security_configuration_name = \"MySecurityConfiguration\" # Replace with your security config name\n\n # Create an AWS Glue Job\n job = glue.CfnJob(\n self,\n \"MyGlueJob\",\n command={\n \"name\": \"glueetl\",\n \"pythonVersion\": \"3\"\n },\n default_arguments={\n \"--job-language\": \"python\"\n },\n security_configuration=security_configuration_name,\n max_capacity=10,\n glue_version=\"1.0\"\n )\n\napp = core.App()\nGlueJobStack(app, \"GlueJobStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_iam as iam\n\nclass IAMStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an IAM policy\n custom_policy = iam.Policy(\n self,\n \"CustomPolicy\",\n policy_name=\"MyCustomPolicy\",\n statements=[\n iam.PolicyStatement(\n effect=iam.Effect.ALLOW,\n actions=[\"s3:GetObject\"],\n resources=[\"arn:aws:s3:::my-bucket/*\"],\n ),\n ],\n users=[\"a\"]\n )\n\n\napp = core.App()\nIAMStack(app, \"IAMStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/IAMPolicyAttachedToGroupOrRoles/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_iam as iam\n\nclass IAMStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an IAM policy\n custom_policy = iam.Policy(\n self,\n \"CustomPolicy\",\n policy_name=\"MyCustomPolicy\",\n statements=[\n iam.PolicyStatement(\n effect=iam.Effect.ALLOW,\n actions=[\"s3:GetObject\"],\n resources=[\"arn:aws:s3:::my-bucket/*\"],\n ),\n ],\n )\n\n\napp = core.App()\nIAMStack(app, \"IAMStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/KinesisStreamEncryptionType/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_kinesis as kinesis\n\nclass KinesisStreamStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Kinesis stream\n kinesis_stream = kinesis.CfnStream(\n self,\n \"MyKinesisStream\",\n name=\"my-kinesis-stream\",\n shard_count=2, # The number of shards in the stream\n stream_encryption={\n \"encryption_type\": \"ABC\",\n \"key_id\": \"YOUR_KMS_KEY_ID\" # Replace with your KMS key ID\n }\n )\n\napp = core.App()\nKinesisStreamStack(app, \"KinesisStreamStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/KinesisStreamEncryptionType/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_kinesis as kinesis\n\nclass KinesisStreamStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Kinesis stream\n kinesis_stream = kinesis.CfnStream(\n self,\n \"MyKinesisStream\",\n name=\"my-kinesis-stream\",\n shard_count=2, # The number of shards in the stream\n stream_encryption={\n \"encryption_type\": \"KMS\", # Use KMS encryption\n \"key_id\": \"YOUR_KMS_KEY_ID\" # Replace with your KMS key ID\n }\n )\n\napp = core.App()\nKinesisStreamStack(app, \"KinesisStreamStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sqs as sqs\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the Dead Letter Queue\n dlq = sqs.Queue(\n self,\n \"MyDeadLetterQueue\",\n visibility_timeout=core.Duration.seconds(300), # Adjust as needed\n )\n\n # Create the Lambda function with a DLQ\n my_lambda_function = _lambda.Function(\n self,\n \"MyLambdaFunction\",\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler=\"index.handler\",\n code=_lambda.Code.from_asset(\"path/to/your/code\"),\n function_name=\"my-function-name\",\n )\n\n\n\nclass MySAMLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the Dead Letter Queue\n dlq = sqs.Queue(\n self,\n \"MyDeadLetterQueue\",\n visibility_timeout=core.Duration.seconds(300), # Adjust as needed\n )\n\n # Create the SAM Lambda function with a DLQ\n my_sam_lambda_function = sam.CfnFunction(\n self,\n \"MySAMLambdaFunction\",\n handler=\"index.handler\",\n runtime=\"nodejs14.x\",\n code_uri=\"./my-code\",\n function_name=\"my-function-name\",\n )\n\n\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sqs as sqs\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the Dead Letter Queue\n dlq = sqs.Queue(\n self,\n \"MyDeadLetterQueue\",\n visibility_timeout=core.Duration.seconds(300), # Adjust as needed\n )\n\n # Create the Lambda function with a DLQ\n my_lambda_function = _lambda.Function(\n self,\n \"MyLambdaFunction\",\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler=\"index.handler\",\n code=_lambda.Code.from_asset(\"path/to/your/code\"),\n function_name=\"my-function-name\",\n dead_letter_queue=dlq,\n )\n\n\n\nclass MySAMLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create the Dead Letter Queue\n dlq = sqs.Queue(\n self,\n \"MyDeadLetterQueue\",\n visibility_timeout=core.Duration.seconds(300), # Adjust as needed\n )\n\n # Create the SAM Lambda function with a DLQ\n my_sam_lambda_function = sam.CfnFunction(\n self,\n \"MySAMLambdaFunction\",\n handler=\"index.handler\",\n runtime=\"nodejs14.x\",\n code_uri=\"./my-code\",\n function_name=\"my-function-name\",\n dead_letter_queue=sam.CfnFunction.DeadLetterQueueProperty(\n target_arn=dlq.queue_arn\n ),\n )\n\n\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Lambda Function\n my_lambda = _lambda.Function(\n self, 'MyLambdaFunction',\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler='index.handler',\n code=_lambda.Code.from_asset('lambda'), # Replace 'lambda' with your function code directory\n environment={\n 'MY_VARIABLE': 'pass'\n }\n )\n\napp = core.App()\nMyLambdaFunctionStack(app, \"MyLambdaFunctionStack\")\napp.synth()\n\n\nclass MyServerlessFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Serverless Lambda Function\n my_lambda = sam.CfnFunction(\n self, 'MyServerlessFunction',\n code_uri='lambda/', # Replace 'lambda/' with your function code directory\n handler='index.handler',\n runtime='python3.9',\n environment={\n 'MY_VARIABLE': 'pass'\n }\n # Other properties for your Serverless Lambda Function\n )\n\napp = core.App()\nMyServerlessFunctionStack(app, \"MyServerlessFunctionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Lambda Function\n my_lambda = _lambda.Function(\n self, 'MyLambdaFunction',\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler='index.handler',\n code=_lambda.Code.from_asset('lambda'), # Replace 'lambda' with your function code directory\n environment={\n 'MY_VARIABLE': {'a':'b'}\n }\n )\n\napp = core.App()\nMyLambdaFunctionStack(app, \"MyLambdaFunctionStack\")\napp.synth()\n\n\nclass MyServerlessFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Serverless Lambda Function\n my_lambda = sam.CfnFunction(\n self, 'MyServerlessFunction',\n code_uri='lambda/', # Replace 'lambda/' with your function code directory\n handler='index.handler',\n runtime='python3.9',\n environment={\n 'MY_VARIABLE': {'a':'b'}\n }\n # Other properties for your Serverless Lambda Function\n )\n\napp = core.App()\nMyServerlessFunctionStack(app, \"MyServerlessFunctionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Lambda function\n my_lambda_function = _lambda.Function(\n self, 'MyLambdaFunction',\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler='index.handler',\n code=_lambda.Code.from_asset('path/to/your/function/code'),\n environment={\n 'MY_VARIABLE_1': 'Value1',\n 'MY_VARIABLE_2': 'Value2'\n },\n )\n\napp = core.App()\nMyLambdaFunctionStack(app, \"MyLambdaFunctionStack\")\napp.synth()\n\n\nclass MyServerlessFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define SAM Function\n my_sam_function = sam.CfnFunction(\n self, 'MySAMFunction',\n handler='index.handler',\n runtime='python3.9',\n code_uri='./path/to/your/function/code',\n environment={\n 'MY_VARIABLE_1': 'Value1',\n 'MY_VARIABLE_2': 'Value2'\n },\n )\n\napp = core.App()\nMyServerlessFunctionStack(app, \"MyServerlessFunctionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_sam as sam\nclass MyLambdaFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Lambda function\n my_lambda_function = _lambda.Function(\n self, 'MyLambdaFunction',\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler='index.handler',\n code=_lambda.Code.from_asset('path/to/your/function/code'),\n environment={\n 'MY_VARIABLE_1': 'Value1',\n 'MY_VARIABLE_2': 'Value2'\n },\n kms_key=_lambda.Key.from_key_arn(self, 'MyKmsKey', 'arn:aws:kms:region:account-id:key/key-id')\n )\n\napp = core.App()\nMyLambdaFunctionStack(app, \"MyLambdaFunctionStack\")\napp.synth()\n\n\nclass MyServerlessFunctionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define SAM Function\n my_sam_function = sam.CfnFunction(\n self, 'MySAMFunction',\n handler='index.handler',\n runtime='python3.9',\n code_uri='./path/to/your/function/code',\n environment={\n 'MY_VARIABLE_1': 'Value1',\n 'MY_VARIABLE_2': 'Value2'\n },\n kms_key_arn='arn:aws:kms:region:account-id:key/key-id'\n )\n\napp = core.App()\nMyServerlessFunctionStack(app, \"MyServerlessFunctionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk.aws_lambda import Function, Runtime, Code\nfrom aws_cdk.aws_sam import CfnFunction\n\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n my_lambda_function = Function(\n self,\n \"MyLambdaFunction\",\n runtime=Runtime.PYTHON_3_8, # Set the Lambda function's runtime\n handler=\"index.handler\", # Specify the Lambda handler\n code=Code.from_asset(\"path/to/your/code\"), # Define the code location\n function_name=\"my-function-name\", # Optionally set the function name\n role=my_lambda_execution_role, # Provide an IAM role for the function\n timeout=core.Duration.seconds(10), # Set the function timeout\n )\nclass MyLambdaStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n my_lambda_function = CfnFunction(\n self,\n \"MyLambdaFunction\",\n handler=\"index.handler\", # Specify the Lambda handler\n runtime=\"nodejs14.x\", # Set the Lambda function's runtime\n code_uri=\"./my-code\", # Specify the location of your code\n function_name=\"my-function-name\", # Optionally set the function name\n role=my_lambda_execution_role, # Provide an IAM role for the function\n timeout=10, # Set the function timeout\n )\n\n # You can add other configurations and permissions for your Lambda function here\n\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk.aws_lambda import Function, Runtime, Code\nfrom aws_cdk.aws_sam import CfnFunction\n\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n my_lambda_function = Function(\n self,\n \"MyLambdaFunction\",\n runtime=Runtime.PYTHON_3_8, # Set the Lambda function's runtime\n handler=\"index.handler\", # Specify the Lambda handler\n code=Code.from_asset(\"path/to/your/code\"), # Define the code location\n function_name=\"my-function-name\", # Optionally set the function name\n role=my_lambda_execution_role, # Provide an IAM role for the function\n timeout=core.Duration.seconds(10), # Set the function timeout\n reserved_concurrent_executions=5\n )\nclass MyLambdaStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n my_lambda_function = CfnFunction(\n self,\n \"MyLambdaFunction\",\n handler=\"index.handler\", # Specify the Lambda handler\n runtime=\"nodejs14.x\", # Set the Lambda function's runtime\n code_uri=\"./my-code\", # Specify the location of your code\n function_name=\"my-function-name\", # Optionally set the function name\n role=my_lambda_execution_role, # Provide an IAM role for the function\n timeout=10, # Set the function timeout\n reserved_concurrent_executions=5\n )\n\n # You can add other configurations and permissions for your Lambda function here\n\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_ec2 as ec2\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Lambda function in the VPC\n my_lambda_function = _lambda.Function(\n self,\n \"MyLambdaFunction\",\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler=\"index.handler\",\n code=_lambda.Code.from_asset(\"path/to/your/code\"),\n function_name=\"my-function-name\",\n security_group=my_vpc.vpc_default_security_group,\n allow_public_subnet=False, # Set to True if you want public subnets\n )\n\nclass MySAMLambdaStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a custom VPC\n my_vpc = ec2.Vpc(\n self,\n \"MyVPC\",\n max_azs=2, # Set the number of Availability Zones as needed\n )\n\n # Define the Serverless::Function within the VPC\n my_sam_lambda_function = sam.CfnFunction(\n self,\n \"MySAMLambdaFunction\",\n handler=\"index.handler\",\n runtime=\"nodejs14.x\",\n code_uri=\"./my-code\",\n )\n\n"
},
{
"path": "cdk_integration_tests/src/python/LambdaInVPC/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_lambda as _lambda\nfrom aws_cdk import aws_ec2 as ec2\nfrom aws_cdk import aws_sam as sam\n\nclass MyLambdaStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a VPC\n my_vpc = ec2.Vpc(\n self,\n \"MyVPC\",\n max_azs=2, # Set the number of Availability Zones as needed\n )\n\n # Create a Lambda function in the VPC\n my_lambda_function = _lambda.Function(\n self,\n \"MyLambdaFunction\",\n runtime=_lambda.Runtime.PYTHON_3_8,\n handler=\"index.handler\",\n code=_lambda.Code.from_asset(\"path/to/your/code\"),\n function_name=\"my-function-name\",\n vpc=my_vpc,\n security_group=my_vpc.vpc_default_security_group,\n allow_public_subnet=False, # Set to True if you want public subnets\n )\n\nclass MySAMLambdaStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a custom VPC\n my_vpc = ec2.Vpc(\n self,\n \"MyVPC\",\n max_azs=2, # Set the number of Availability Zones as needed\n )\n\n # Define the Serverless::Function within the VPC\n my_sam_lambda_function = sam.CfnFunction(\n self,\n \"MySAMLambdaFunction\",\n handler=\"index.handler\",\n runtime=\"nodejs14.x\",\n code_uri=\"./my-code\",\n function_name=\"my-function-name\",\n vpc_config=sam.CfnFunction.VpcConfigProperty(\n security_group_ids=[my_vpc.vpc_default_security_group],\n subnet_ids=my_vpc.select_subnets(\n subnet_group_name=\"your-subnet-group-name\"\n ).subnet_ids,\n ),\n )\n\n"
},
{
"path": "cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_autoscaling as autoscaling\n\nclass MyAutoScalingLaunchConfig(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Launch Configuration\n launch_config = autoscaling.CfnLaunchConfiguration(\n self, 'MyLaunchConfiguration',\n image_id='ami-12345678', # Replace with your desired AMI ID\n instance_type='t2.micro', # Replace with your desired instance type\n block_device_mappings=[{\n 'ebs': {\n 'encrypted': False\n }\n }]\n # Other properties for your Launch Configuration\n )\n\napp = core.App()\nMyAutoScalingLaunchConfig(app, \"MyAutoScalingLaunchConfig\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/LaunchConfigurationEBSEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_autoscaling as autoscaling\n\nclass MyAutoScalingLaunchConfig(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Launch Configuration\n launch_config = autoscaling.CfnLaunchConfiguration(\n self, 'MyLaunchConfiguration',\n image_id='ami-12345678', # Replace with your desired AMI ID\n instance_type='t2.micro', # Replace with your desired instance type\n block_device_mappings=[{\n 'deviceName': '/dev/xvda',\n 'ebs': {\n 'encrypted': True\n }\n }]\n # Other properties for your Launch Configuration\n )\n\napp = core.App()\nMyAutoScalingLaunchConfig(app, \"MyAutoScalingLaunchConfig\")\napp.synth()\n\nclass MyAutoScalingLaunchConfig(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Launch Configuration\n launch_config = autoscaling.CfnLaunchConfiguration(\n self, 'MyLaunchConfiguration',\n image_id='ami-12345678', # Replace with your desired AMI ID\n instance_type='t2.micro', # Replace with your desired instance type\n block_device_mappings=[{\n 'deviceName': '/dev/xvda',\n }]\n # Other properties for your Launch Configuration\n )\n\napp = core.App()\nMyAutoScalingLaunchConfig(app, \"MyAutoScalingLaunchConfig\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_neptune as neptune\n\nclass MyNeptuneStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Neptune DB cluster with storage encryption enabled\n neptune_cluster = neptune.CfnDBCluster(\n self,\n \"MyNeptuneCluster\",\n engine=\"neptune\",\n db_cluster_identifier=\"my-neptune-cluster\",\n master_username=\"admin\",\n master_user_password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n storage_encrypted=False, # Enable storage encryption\n port=8182, # Specify the port as needed\n availability_zones=[\"us-east-1a\", \"us-east-1b\"], # Specify the availability zones\n )\n\nclass MyNeptuneStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Neptune DB cluster with storage encryption enabled\n neptune_cluster = neptune.DatabaseCluster(\n self,\n \"MyNeptuneCluster\",\n engine=neptune.DatabaseClusterEngine.NEPTUNE,\n master_user=neptune.Login(\n username=\"admin\",\n password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n ),\n default_database_name=\"mydb\",\n removal_policy=core.RemovalPolicy.DESTROY, # Set the removal policy as needed\n vpc=your_vpc, # Specify the VPC where the cluster should be deployed\n instances=1, # Specify the number of instances\n )\n\n"
},
{
"path": "cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_neptune as neptune\n\nclass MyNeptuneStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Neptune DB cluster with storage encryption enabled\n neptune_cluster = neptune.CfnDBCluster(\n self,\n \"MyNeptuneCluster\",\n engine=\"neptune\",\n db_cluster_identifier=\"my-neptune-cluster\",\n master_username=\"admin\",\n master_user_password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n storage_encrypted=True, # Enable storage encryption\n port=8182, # Specify the port as needed\n availability_zones=[\"us-east-1a\", \"us-east-1b\"], # Specify the availability zones\n )\n\nclass MyNeptuneStack2(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Neptune DB cluster with storage encryption enabled\n neptune_cluster = neptune.DatabaseCluster(\n self,\n \"MyNeptuneCluster\",\n engine=neptune.DatabaseClusterEngine.NEPTUNE,\n master_user=neptune.Login(\n username=\"admin\",\n password=\"mypassword\", # checkov:skip=CKV_SECRET_6 test secret\n ),\n default_database_name=\"mydb\",\n storage_encrypted=True, # Enable storage encryption\n removal_policy=core.RemovalPolicy.DESTROY, # Set the removal policy as needed\n vpc=your_vpc, # Specify the VPC where the cluster should be deployed\n instances=1, # Specify the number of instances\n )\n\n"
},
{
"path": "cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an RDS DB instance with a custom MonitoringInterval\n rds_instance = rds.DatabaseInstance(\n self,\n \"MyRDSInstance\",\n engine=rds.DatabaseInstanceEngine.mysql(\n version=rds.MysqlEngineVersion.VER_8_0\n ),\n instance_type=core.Fn.select(0, core.Fn.split(\" \", \"db.m5.large\")),\n allocated_storage=20,\n max_allocated_storage=100,\n vpc_subnets={\n \"subnetType\": core.Fn.select(0, core.Fn.split(\",\", \"private\")),\n },\n storage_type=rds.StorageType.GP2,\n removal_policy=core.RemovalPolicy.DESTROY,\n )\n\napp = core.App()\nRDSStack(app, \"RDSStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RDSEnhancedMonitorEnabled/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an RDS DB instance with a custom MonitoringInterval\n rds_instance = rds.DatabaseInstance(\n self,\n \"MyRDSInstance\",\n engine=rds.DatabaseInstanceEngine.mysql(\n version=rds.MysqlEngineVersion.VER_8_0\n ),\n instance_type=core.Fn.select(0, core.Fn.split(\" \", \"db.m5.large\")),\n monitoring_interval=60, # Set MonitoringInterval to 60 seconds\n allocated_storage=20,\n max_allocated_storage=100,\n vpc_subnets={\n \"subnetType\": core.Fn.select(0, core.Fn.split(\",\", \"private\")),\n },\n storage_type=rds.StorageType.GP2,\n removal_policy=core.RemovalPolicy.DESTROY,\n )\n\napp = core.App()\nRDSStack(app, \"RDSStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBInstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define RDS DB instance\n my_db_instance = rds.CfnDBInstance(\n self, 'MyDBInstance',\n engine='mysql', # Change this to your desired engine type\n db_instance_class='db.t2.micro',\n allocated_storage=20,\n multi_az=False,\n # Other properties for your DB instance\n )\n\napp = core.App()\nMyDBInstanceStack(app, \"MyDBInstanceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass MyDBInstanceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define RDS DB instance\n my_db_instance = rds.CfnDBInstance(\n self, 'MyDBInstance',\n engine='mysql', # Change this to your desired engine type\n db_instance_class='db.t2.micro',\n allocated_storage=20,\n multi_az=True,\n # Other properties for your DB instance\n )\n\napp = core.App()\nMyDBInstanceStack(app, \"MyDBInstanceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RDSPubliclyAccessible/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an RDS DB instance with PubliclyAccessible set to True\n rds_instance = rds.DatabaseInstance(\n self,\n \"MyRDSInstance\",\n engine=rds.DatabaseInstanceEngine.mysql(\n version=rds.MysqlEngineVersion.VER_8_0\n ),\n instance_type=core.Fn.select(0, core.Fn.split(\" \", \"db.m5.large\")),\n publicly_accessible=True, # Set PubliclyAccessible to True\n allocated_storage=20,\n max_allocated_storage=100,\n vpc_subnets={\n \"subnetType\": core.Fn.select(0, core.Fn.split(\",\", \"private\")),\n },\n storage_type=rds.StorageType.GP2,\n removal_policy=core.RemovalPolicy.DESTROY,\n )\n\napp = core.App()\nRDSStack(app, \"RDSStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RDSPubliclyAccessible/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_rds as rds\n\nclass RDSStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an RDS DB instance with PubliclyAccessible set to false\n rds_instance = rds.DatabaseInstance(\n self,\n \"MyRDSInstance\",\n engine=rds.DatabaseInstanceEngine.mysql(\n version=rds.MysqlEngineVersion.VER_8_0\n ),\n instance_type=core.Fn.select(0, core.Fn.split(\" \", \"db.m5.large\")),\n publicly_accessible=False, # Set PubliclyAccessible to false\n allocated_storage=20,\n max_allocated_storage=100,\n vpc_subnets={\n \"subnetType\": core.Fn.select(0, core.Fn.split(\",\", \"private\")),\n },\n storage_type=rds.StorageType.GP2,\n removal_policy=core.RemovalPolicy.DESTROY,\n )\n\napp = core.App()\nRDSStack(app, \"RDSStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedShiftSSL/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n redshift.CfnClusterParameterGroup.ParameterProperty(\n parameter_name='require_ssl',\n parameter_value='false'\n )\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack(app, \"MyRedshiftClusterParameterGroupStack\")\napp.synth()\n\nclass MyRedshiftClusterParameterGroupStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n redshift.CfnClusterParameterGroup.ParameterProperty(\n parameter_name='abc',\n parameter_value='true'\n )\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack2(app, \"MyRedshiftClusterParameterGroupStack2\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/RedShiftSSL/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n redshift.CfnClusterParameterGroup.ParameterProperty(\n parameter_name='require_ssl',\n parameter_value='true'\n )\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack(app, \"MyRedshiftClusterParameterGroupStack\")\napp.synth()\n\n\nclass MyRedshiftClusterParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n redshift.CfnClusterParameterGroup.ParameterProperty(\n parameter_value='true',\n parameter_name='require_ssl'\n )\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack(app, \"MyRedshiftClusterParameterGroupStack\")\napp.synth()\n\n\nclass MyRedshiftClusterParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n {'parameterName': 'require_ssl','parameterValue': 'true'}\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack(app, \"MyRedshiftClusterParameterGroupStack\")\napp.synth()\n\n\nclass MyRedshiftClusterParameterGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster Parameter Group with require_ssl parameter\n redshift.CfnClusterParameterGroup(\n self, 'MyRedshiftClusterParameterGroup',\n description='My Redshift Parameter Group',\n parameter_group_family='redshift-1.0',\n parameters=[\n {'parameterValue': 'true','parameterName': 'require_ssl'}\n # Add other parameters if needed\n ]\n )\n\napp = core.App()\nMyRedshiftClusterParameterGroupStack(app, \"MyRedshiftClusterParameterGroupStack\")\napp.synth()\n\n\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftClusterStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Redshift cluster\n redshift_cluster = redshift.CfnCluster(\n self,\n \"MyRedshiftCluster\",\n cluster_identifier=\"my-redshift-cluster\",\n master_username=\"admin\",\n master_user_password=\"MySecurePassword123\", # checkov:skip=CKV_SECRET_6 test secret\n node_type=\"dc2.large\",\n cluster_type=\"single-node\",\n )\n\napp = core.App()\nRedshiftClusterStack(app, \"RedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftClusterStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an Amazon Redshift cluster\n redshift_cluster = redshift.CfnCluster(\n self,\n \"MyRedshiftCluster\",\n cluster_identifier=\"my-redshift-cluster\",\n master_username=\"admin\",\n master_user_password=\"MySecurePassword123\", # checkov:skip=CKV_SECRET_6 test secret\n node_type=\"dc2.large\",\n cluster_type=\"single-node\",\n encrypted=True # Enable encryption\n )\n\napp = core.App()\nRedshiftClusterStack(app, \"RedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterLogging/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster with logging properties\n redshift.CfnCluster(\n self, 'MyRedshiftCluster',\n cluster_type='single-node', # Or 'multi-node' based on your configuration\n db_name='mydb',\n master_username='admin',\n master_user_password='password',\n # Other properties as needed for your Redshift cluster\n )\n\napp = core.App()\nMyRedshiftClusterStack(app, \"MyRedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterLogging/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster with logging properties\n redshift.CfnCluster(\n self, 'MyRedshiftCluster',\n cluster_type='single-node', # Or 'multi-node' based on your configuration\n db_name='mydb',\n master_username='admin',\n master_user_password='password',\n logging_properties=redshift.CfnCluster.LoggingPropertiesProperty(\n bucket_name='my-redshift-logs-bucket' # Replace with your S3 bucket name\n )\n # Other properties as needed for your Redshift cluster\n )\n\napp = core.App()\nMyRedshiftClusterStack(app, \"MyRedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Redshift cluster with PubliclyAccessible set to true\n redshift_cluster = redshift.CfnCluster(\n self,\n \"MyRedshiftCluster\",\n cluster_identifier=\"my-redshift-cluster\",\n node_type=\"dc2.large\",\n publicly_accessible=True, # Set PubliclyAccessible to true\n master_username=\"admin\",\n master_user_password=\"MyPassword123\", # checkov:skip=CKV_SECRET_6 test secret\n )\n\napp = core.App()\nRedshiftStack(app, \"RedshiftStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass RedshiftStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a Redshift cluster with PubliclyAccessible set to False\n redshift_cluster = redshift.CfnCluster(\n self,\n \"MyRedshiftCluster\",\n cluster_identifier=\"my-redshift-cluster\",\n node_type=\"dc2.large\",\n publicly_accessible=False, # Set PubliclyAccessible to False\n master_username=\"admin\",\n master_user_password=\"MyPassword123\", # checkov:skip=CKV_SECRET_6 test secret\n )\n\napp = core.App()\nRedshiftStack(app, \"RedshiftStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster with a specific Cluster Subnet Group name\n redshift.CfnCluster(\n self, 'MyRedshiftCluster',\n )\n\napp = core.App()\nMyRedshiftClusterStack(app, \"MyRedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/RedshiftInEc2ClassicMode/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_redshift as redshift\n\nclass MyRedshiftClusterStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Redshift Cluster with a specific Cluster Subnet Group name\n redshift.CfnCluster(\n self, 'MyRedshiftCluster',\n cluster_subnet_group_name='my-redshift-subnet-group', # Replace with your Cluster Subnet Group name\n # Other properties for your Redshift Cluster\n )\n\napp = core.App()\nMyRedshiftClusterStack(app, \"MyRedshiftClusterStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n s3.Bucket(\n self,\n \"MyBucket\",\n block_public_access=s3.BlockPublicAccess(block_public_acls=False)\n )\n\napp = core.App()\nS3BucketWithBlockPublicAclsStack(app, \"S3BucketWithBlockPublicAclsStack\")\napp.synth()\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n s3.CfnBucket(\n self,\n \"MyBucket\",\n public_access_block_configuration={\n \"blockPublicAcls\": False,\n \"blockPublicPolicy\": True,\n \"ignorePublicAcls\": True,\n \"restrictPublicBuckets\": True\n }\n )\n\napp = core.App()\nS3BucketWithBlockPublicAclsStack(app, \"S3BucketWithBlockPublicAclsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n s3.CfnBucket(\n self,\n \"MyBucket\",\n public_access_block_configuration={\n \"blockPublicAcls\": True,\n \"blockPublicPolicy\": True,\n \"ignorePublicAcls\": True,\n \"restrictPublicBuckets\": True\n }\n )\n\napp = core.App()\nS3BucketWithBlockPublicAclsStack(app, \"S3BucketWithBlockPublicAclsStack\")\napp.synth()\n\n\n\nclass S3BucketWithBlockPublicAclsStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n s3.Bucket(\n self,\n \"MyBucket\",\n block_public_access=s3.BlockPublicAccess(block_public_acls=True)\n )\n\napp = core.App()\nS3BucketWithBlockPublicAclsStack(app, \"S3BucketWithBlockPublicAclsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BlockPublicPolicy/fail__2__.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s4\n)\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n bucket = s4.Bucket(self, \"MyBlockedBucket\",\n block_public_access=s4.BlockPublicAccess(block_public_policy=False)\n )\n\n bucket2 = s4.Bucket(self, \"MyBlockedBucket2\"\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BlockPublicPolicy/pass.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s4\n)\n\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n bucket = s4.Bucket(self, \"MyBlockedBucket\",\n block_public_access=s4.BlockPublicAccess(block_public_policy=True)\n )\n\n bucket2 = s4.Bucket(self, \"MyBlockedBucket2\",\n block_public_access=s4.BlockPublicAccess.BLOCK_ALL\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/S3BucketEncryption/fail__2__.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n fail_1 = s3.Bucket(\n self,\n \"example\",\n )\n\n fail_2 = s3.Bucket(\n self,\n \"example\",\n encryption=s3.BucketEncryption.UNENCRYPTED,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketEncryption/pass.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n pass_1 = s3.Bucket(\n self,\n \"example\",\n encryption=s3.BucketEncryption.S3_MANAGED,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketKMSEncryption/fail__3__.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n fail_1 = s3.Bucket(\n self,\n \"example\",\n )\n\n fail_2 = s3.Bucket(\n self,\n \"example\",\n encryption=s3.BucketEncryption.UNENCRYPTED,\n )\n\n fail_3 = s3.Bucket(\n self,\n \"example\",\n encryption=s3.BucketEncryption.S3_MANAGED,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketKMSEncryption/pass.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n pass_1 = s3.Bucket(\n self,\n \"example\",\n encryption=s3.BucketEncryption.KMS_MANAGED,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketLogging/fail.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n fail_1 = s3.Bucket(\n self,\n \"example\",\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketLogging/pass.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n pass_1 = s3.Bucket(\n self,\n \"example\",\n # this would normally reference another bucket, but then I can't separate the tests\n server_access_logs_bucket=bucket,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketPublicAccessBlock/fail.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n fail_1 = s3.Bucket(\n self,\n \"example\",\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketPublicAccessBlock/pass.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n pass_1 = s3.Bucket(\n self,\n \"example\",\n block_public_access=s3.BlockPublicAccess.BLOCK_ALL,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketVersioning/fail__2__.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n fail_1 = s3.Bucket(\n self,\n \"example\",\n )\n fail_2 = s3.Bucket(\n self,\n \"example\",\n versioned=False,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3BucketVersioning/pass.py",
"content": "from aws_cdk import App, Stack, aws_s3 as s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n pass_1 = s3.Bucket(\n self,\n \"example\",\n versioned=True,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3IgnorePublicACLs/fail__2__.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s4\n)\n\nclass MyStack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs):\n super().__init__(scope, id, **kwargs)\n\n\t\t# fail\n bucket = s4.Bucket(self, \"MyS3Bucket\",\n bucket_name='my-s3-bucket',\n public_read_access=False,\n block_public_access=s4.BlockPublicAccess(\n ignore_public_acls=False\n )\n )\n\n value = False\n\t\t# fail\n bucket2 = s4.Bucket(self, \"MyS3Bucket2\",\n bucket_name='my-s3-bucket2',\n public_read_access=False,\n block_public_access=s4.BlockPublicAccess(\n ignore_public_acls=value\n )\n )\n\napp = App()\nMyStack(app, \"my-stack-name\")\n\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3IgnorePublicACLs/pass.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s4\n)\n\n\nclass MyStac2(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs):\n super().__init__(scope, id, **kwargs)\n\n\t\t# pass\n bucket = s4.Bucket(self, \"MyS3Bucket\",\n bucket_name='my-s3-bucket',\n public_read_access=False,\n block_public_access=s4.BlockPublicAccess(\n ignore_public_acls=True\n )\n )\n\n # pass\n bucket2 = s4.Bucket(self, \"MyS3Bucket2\",\n bucket_name='my-s3-bucket2',\n public_read_access=False,\n block_public_access=s4.BlockPublicAccess(\n ignore_public_acls=True\n )\n )\n\napp = App()\nMyStack(app, \"my-stack-name\")\n\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3PublicACLRead/fail__3__.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s3\n)\n\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n bucket = s3.Bucket(self, \"MyPublicReadBucket\",\n bucket_name=\"my-public-read-bucket\",\n access_control=s3.BucketAccessControl.PUBLIC_READ\n )\n \n bucket2 = s3.Bucket(self, \"MyPublicReadBucket2\",\n bucket_name=\"my-public-read-bucket2\", \n access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE\n )\n \n bucket3 = s3.Bucket(self, \"MyPublicReadBucket3\",\n bucket_name=\"my-public-read-bucket3\",\n public_read_access=True\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/S3PublicACLRead/pass.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s3\n)\n\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n bucket = s3.Bucket(self, \"MyPublicReadBucket\",\n bucket_name=\"my-public-read-bucket\"\n )\n \n bucket2 = s3.Bucket(self, \"MyPublicReadBucket2\",\n bucket_name=\"my-public-read-bucket2\",\n access_control=s3.BucketAccessControl.PRIVATE\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s3\n)\n\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n \n bucket2 = s3.Bucket(self, \"MyPublicReadBucket2\",\n bucket_name=\"my-public-read-bucket2\", \n access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE\n )\n \n bucket3 = s3.Bucket(self, \"MyPublicReadBucket3\",\n bucket_name=\"my-public-read-bucket3\",\n public_read_access=True\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/S3PublicACLWrite/pass.py",
"content": "from constructs import Construct\nfrom aws_cdk import App, Stack \nfrom aws_cdk import (\n aws_s3 as s3\n)\n\n\nclass MyS3Stack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n bucket = s3.Bucket(self, \"MyPublicReadBucket\",\n bucket_name=\"my-public-read-bucket\"\n )\n \n bucket2 = s3.Bucket(self, \"MyPublicReadBucket2\",\n bucket_name=\"my-public-read-bucket2\",\n access_control=s3.BucketAccessControl.PRIVATE\n )\n\napp = App()\nMyS3Stack(app, \"MyS3Stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithPublicAccessStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n s3.Bucket(\n self,\n \"aaa\",\n versioned=False, # You can enable versioning if needed\n removal_policy=core.RemovalPolicy.DESTROY, # Change this according to your retention policy\n block_public_acls=True,\n block_public_policy=True,\n ignore_public_acls=True,\n restrict_public_buckets=False\n )\n\napp = core.App()\nS3BucketWithPublicAccessStack(app, \"S3BucketWithPublicAccessStack\")\napp.synth()\n\nclass PublicS3BucketStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a CloudFormation S3 bucket resource\n public_bucket = s3.CfnBucket(\n self,\n \"PublicBucket\",\n versioning_configuration={\n \"status\": \"Suspended\" # You can enable versioning if needed\n },\n public_access_block_configuration={\n \"blockPublicAcls\": True,\n \"blockPublicPolicy\": True,\n \"ignorePublicAcls\": True,\n \"restrictPublicBuckets\": False\n }\n )\n\napp = core.App()\nPublicS3BucketStack(app, \"PublicS3BucketStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_s3 as s3\n\nclass S3BucketWithPublicAccessStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n s3.Bucket(\n self,\n \"aaa\",\n versioned=False, # You can enable versioning if needed\n removal_policy=core.RemovalPolicy.DESTROY, # Change this according to your retention policy\n block_public_acls=True,\n block_public_policy=True,\n ignore_public_acls=True,\n restrict_public_buckets=True\n )\n\napp = core.App()\nS3BucketWithPublicAccessStack(app, \"S3BucketWithPublicAccessStack\")\napp.synth()\n\nclass PublicS3BucketStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a CloudFormation S3 bucket resource\n public_bucket = s3.CfnBucket(\n self,\n \"PublicBucket\",\n versioning_configuration={\n \"status\": \"Suspended\" # You can enable versioning if needed\n },\n public_access_block_configuration={\n \"blockPublicAcls\": True,\n \"blockPublicPolicy\": True,\n \"ignorePublicAcls\": True,\n \"restrictPublicBuckets\": True\n }\n )\n\napp = core.App()\nPublicS3BucketStack(app, \"PublicS3BucketStack\")\napp.synth()\n\n"
},
{
"path": "cdk_integration_tests/src/python/SNSTopicEncryption/fail.py",
"content": "from constructs import Construct\nfrom aws_cdk import (\n App, \n Stack,\n aws_sns as sns,\n aws_kms as kms\n)\n\n\nclass MyStack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n topic = sns.Topic(self, \"Topic\",\n topic_name=\"my-topic\",\n )\n\napp = App()\nMyStack(app, \"MyStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SNSTopicEncryption/pass.py",
"content": "from constructs import Construct\nfrom aws_cdk import (\n App, \n Stack,\n aws_sns as sns,\n aws_kms as kms\n)\n\n\nclass MyStack(Stack):\n\n def __init__(self, scope: Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n key = kms.Key(self, \"MyKey\")\n\n topic = sns.Topic(self, \"Topic\",\n topic_name=\"my-topic\",\n master_key=key)\n\n\napp = App()\nMyStack(app, \"MyStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_sqs as sqs\nclass SqsQueueWithKmsKeyStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create an SQS queue with KMS encryption\n queue = sqs.Queue(self, \"MySqsQueue\",\n encryption=sqs.QueueEncryption.KMS,\n visibility_timeout=300 # Other properties for the queue\n )\n\napp = core.App()\nSqsQueueWithKmsKeyStack(app, \"SqsQueueWithKmsKeyStack\")\napp.synth()\n\n\n\nclass SqsQueueWithKmsKeyIdStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define an SQS queue with a specific KmsMasterKeyId\n queue = sqs.CfnQueue(self, \"MySqsQueue\",\n visibility_timeout=300 # Other properties for the queue\n )\n\napp = core.App()\nSqsQueueWithKmsKeyIdStack(app, \"SqsQueueWithKmsKeyIdStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SQSQueueEncryption/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_sqs as sqs\nfrom aws_cdk import aws_kms as kms\nfrom aws_cdk import aws_cloudformation as cfn\nclass SqsQueueWithKmsKeyStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a KMS key for encryption\n kms_key = kms.Key(self, \"MyKmsKey\", enable_key_rotation=True)\n\n # Create an SQS queue with KMS encryption\n queue = sqs.Queue(self, \"MySqsQueue\",\n encryption=sqs.QueueEncryption.KMS,\n encryption_master_key=kms_key,\n visibility_timeout=300 # Other properties for the queue\n )\n\napp = core.App()\nSqsQueueWithKmsKeyStack(app, \"SqsQueueWithKmsKeyStack\")\napp.synth()\n\n\n\nclass SqsQueueWithKmsKeyIdStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a custom KMS key\n kms_key = cfn.CfnCustomResource(self, \"MyKmsKeyResource\",\n service_token=\"arn:aws:lambda:::function/\",\n # Add other properties as needed\n )\n\n # Define an SQS queue with a specific KmsMasterKeyId\n queue = sqs.CfnQueue(self, \"MySqsQueue\",\n kms_master_key_id=kms_key.get_att(\"KmsKeyId\"),\n visibility_timeout=300 # Other properties for the queue\n )\n\napp = core.App()\nSqsQueueWithKmsKeyIdStack(app, \"SqsQueueWithKmsKeyIdStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SecretManagerSecretEncrypted/fail__2__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_secretsmanager as secretsmanager\n\nclass MySecretsStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a SecretsManager secret with KMS key ID containing \"aws/\"\n my_secret = secretsmanager.Secret(\n self, 'MySecret',\n secret_name='MySecretName',\n kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'\n )\n\nclass MySecretsStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n my_secret = secretsmanager.Secret(\n self, 'MySecret',\n secret_name='MySecretName',\n )\n\napp = core.App()\nMySecretsStack(app, \"MySecretsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SecretManagerSecretEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_secretsmanager as secretsmanager\n\nclass MySecretsStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define a SecretsManager secret with KMS key ID containing \"aws/\"\n my_secret = secretsmanager.Secret(\n self, 'MySecret',\n secret_name='MySecretName',\n kms_key_id='arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'\n )\n\napp = core.App()\nMySecretsStack(app, \"MySecretsStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MySecurityGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group\n security_group = ec2.CfnSecurityGroup(\n self, 'MySecurityGroup',\n group_description='My security group',\n security_group_ingress=[\n {\n 'description': 'False',\n 'ipProtocol': 'tcp',\n 'fromPort': 80,\n 'toPort': 80,\n 'cidrIp': '0.0.0.0/0'\n }\n ],\n # Other properties for your Security Group\n )\n\napp = core.App()\nMySecurityGroupStack(app, \"MySecurityGroupStack\")\napp.synth()\n\n\n\nclass MySecurityGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group\n security_group = ec2.CfnSecurityGroup(\n self, 'MySecurityGroup',\n group_description='My security group',\n security_group_egress=[\n {\n 'description': 'False',\n 'ipProtocol': 'tcp',\n 'fromPort': 80,\n 'toPort': 80,\n 'cidrIp': '0.0.0.0/0'\n }\n ],\n # Other properties for your Security Group\n )\n\napp = core.App()\nMySecurityGroupStack(app, \"MySecurityGroupStack\")\napp.synth()\n\n\nclass MySecurityGroupIngressStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group Ingress\n security_group_ingress = ec2.CfnSecurityGroupIngress(\n self, 'MySecurityGroupIngress',\n group_id='your-security-group-id', # Replace with your Security Group ID\n ip_protocol='tcp',\n from_port=80,\n to_port=80,\n cidr_ip='0.0.0.0/0',\n # Other properties for your Security Group Ingress\n )\n\napp = core.App()\nMySecurityGroupIngressStack(app, \"MySecurityGroupIngressStack\")\napp.synth()\n\nclass MySecurityGroupEgressStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group Ingress\n security_group_ingress = ec2.CfnSecurityGroupEgress(\n self, 'MySecurityGroupIngress',\n group_id='your-security-group-id', # Replace with your Security Group ID\n ip_protocol='tcp',\n from_port=80,\n to_port=80,\n cidr_ip='0.0.0.0/0',\n # Other properties for your Security Group Ingress\n )\n\napp = core.App()\nMySecurityGroupEgressStack(app, \"MySecurityGroupEgressStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MySecurityGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group\n security_group = ec2.CfnSecurityGroup(\n self, 'MySecurityGroup',\n group_description='My security group',\n security_group_ingress=[\n {\n 'description': 'True',\n 'ipProtocol': 'tcp',\n 'fromPort': 80,\n 'toPort': 80,\n 'cidrIp': '0.0.0.0/0'\n }\n ],\n # Other properties for your Security Group\n )\n\napp = core.App()\nMySecurityGroupStack(app, \"MySecurityGroupStack\")\napp.synth()\n\n\n\nclass MySecurityGroupStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group\n security_group = ec2.CfnSecurityGroup(\n self, 'MySecurityGroup',\n group_description='My security group',\n security_group_egress=[\n {\n 'description': 'True',\n 'ipProtocol': 'tcp',\n 'fromPort': 80,\n 'toPort': 80,\n 'cidrIp': '0.0.0.0/0'\n }\n ],\n # Other properties for your Security Group\n )\n\napp = core.App()\nMySecurityGroupStack(app, \"MySecurityGroupStack\")\napp.synth()\n\n\nclass MySecurityGroupIngressStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group Ingress\n security_group_ingress = ec2.CfnSecurityGroupIngress(\n self, 'MySecurityGroupIngress',\n group_id='your-security-group-id', # Replace with your Security Group ID\n ip_protocol='tcp',\n from_port=80,\n to_port=80,\n cidr_ip='0.0.0.0/0',\n description='abc'\n # Other properties for your Security Group Ingress\n )\n\napp = core.App()\nMySecurityGroupIngressStack(app, \"MySecurityGroupIngressStack\")\napp.synth()\n\nclass MySecurityGroupEgressStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define EC2 Security Group Ingress\n security_group_ingress = ec2.CfnSecurityGroupEgress(\n self, 'MySecurityGroupIngress',\n group_id='your-security-group-id', # Replace with your Security Group ID\n ip_protocol='tcp',\n from_port=80,\n to_port=80,\n cidr_ip='0.0.0.0/0',\n description='abc'\n # Other properties for your Security Group Ingress\n )\n\napp = core.App()\nMySecurityGroupEgressStack(app, \"MySecurityGroupEgressStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/TransferServerIsPublic/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_transfer as transfer\n\nclass MyTransferServerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Transfer Server with EndpointType set to VPC\n transfer.CfnServer(\n self, 'MyTransferServer',\n endpoint_type='abc',\n # Other properties as needed for your Transfer Server\n )\n\napp = core.App()\nMyTransferServerStack(app, \"MyTransferServerStack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/TransferServerIsPublic/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_transfer as transfer\n\nclass MyTransferServerStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Transfer Server with EndpointType set to VPC\n transfer.CfnServer(\n self, 'MyTransferServer',\n endpoint_type='VPC',\n # Other properties as needed for your Transfer Server\n )\n\napp = core.App()\nMyTransferServerStack(app, \"MyTransferServerStack\")\napp.synth()\n\n\nclass MyTransferServerStack2(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define Transfer Server with EndpointType set to VPC\n transfer.CfnServer(\n self, 'MyTransferServer',\n endpoint_type='VPC_ENDPOINT',\n # Other properties as needed for your Transfer Server\n )\n\napp = core.App()\nMyTransferServerStack2(app, \"MyTransferServerStack2\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVpcEndpointServiceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define VPC Endpoint Service with acceptance required\n vpc_endpoint_service = ec2.CfnVPCEndpointService(\n self, 'MyVPCEndpointService',\n acceptance_required=False,\n # Other properties for your VPC Endpoint Service\n )\n\napp = core.App()\nMyVpcEndpointServiceStack(app, \"MyVpcEndpointServiceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/VPCEndpointAcceptanceConfigured/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_ec2 as ec2\n\nclass MyVpcEndpointServiceStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Define VPC Endpoint Service with acceptance required\n vpc_endpoint_service = ec2.CfnVPCEndpointService(\n self, 'MyVPCEndpointService',\n acceptance_required=True,\n # Other properties for your VPC Endpoint Service\n )\n\napp = core.App()\nMyVpcEndpointServiceStack(app, \"MyVpcEndpointServiceStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/WAFEnabled/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\n\nclass CloudFrontDistributionStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a CloudFront distribution\n distribution = cloudfront.CfnDistribution(\n self,\n \"MyCloudFrontDistribution\",\n distribution_config={\n \"defaultCacheBehavior\": {\n # Configure your cache behavior as needed\n },\n \"enabled\": True,\n }\n )\n\napp = core.App()\nCloudFrontDistributionStack(app, \"CloudFrontDistributionStack\")\napp.synth()"
},
{
"path": "cdk_integration_tests/src/python/WAFEnabled/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_cloudfront as cloudfront\nfrom aws_cdk import aws_wafv2 as wafv2\n\nclass CloudFrontDistributionStack(core.Stack):\n\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a WebACL\n web_acl = wafv2.CfnWebACL(\n self,\n \"MyWebACL\",\n default_action={\n \"allow\": {}\n },\n # Configure your WebACL as needed\n )\n\n # Create a CloudFront distribution\n distribution = cloudfront.CfnDistribution(\n self,\n \"MyCloudFrontDistribution\",\n distribution_config={\n \"defaultCacheBehavior\": {\n # Configure your cache behavior as needed\n },\n \"enabled\": True,\n \"webAclId\": web_acl.attr_arn # Set the WebACL association\n }\n )\n\napp = core.App()\nCloudFrontDistributionStack(app, \"CloudFrontDistributionStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_workspaces as workspaces\n\nclass WorkSpacesStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a WorkSpaces directory\n directory = workspaces.CfnWorkspaceDirectory(\n self, \"MyWorkspaceDirectory\",\n directory_name=\"my-workspace-directory\",\n subnet_ids=[\"subnet-12345678\"], # Replace with your subnet IDs\n self_service_permissions=\"ENABLED\",\n )\n\n # Create a WorkSpaces workspace with root volume encryption enabled\n workspace = workspaces.CfnWorkspace(\n self, \"MyWorkspace\",\n bundle_id=\"wsb-12345678\", # Replace with your bundle ID\n user_name=\"my-user\",\n root_volume_encryption_enabled=False,\n user_volume_encryption_enabled=False, # Set to True if you want user volume encryption\n workspace_properties={\"directoryId\": directory.ref},\n )\n\napp = core.App()\nWorkSpacesStack(app, \"WorkSpacesStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_workspaces as workspaces\n\nclass WorkSpacesStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a WorkSpaces directory\n directory = workspaces.CfnWorkspaceDirectory(\n self, \"MyWorkspaceDirectory\",\n directory_name=\"my-workspace-directory\",\n subnet_ids=[\"subnet-12345678\"], # Replace with your subnet IDs\n self_service_permissions=\"ENABLED\",\n )\n\n # Create a WorkSpaces workspace with root volume encryption enabled\n workspace = workspaces.CfnWorkspace(\n self, \"MyWorkspace\",\n bundle_id=\"wsb-12345678\", # Replace with your bundle ID\n user_name=\"my-user\",\n root_volume_encryption_enabled=True,\n user_volume_encryption_enabled=False, # Set to True if you want user volume encryption\n workspace_properties={\"directoryId\": directory.ref},\n )\n\napp = core.App()\nWorkSpacesStack(app, \"WorkSpacesStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_workspaces as workspaces\n\nclass WorkSpacesStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a WorkSpaces directory\n directory = workspaces.CfnWorkspaceDirectory(\n self, \"MyWorkspaceDirectory\",\n directory_name=\"my-workspace-directory\",\n subnet_ids=[\"subnet-12345678\"], # Replace with your subnet IDs\n self_service_permissions=\"ENABLED\",\n )\n\n # Create a WorkSpaces workspace with root volume encryption enabled\n workspace = workspaces.CfnWorkspace(\n self, \"MyWorkspace\",\n bundle_id=\"wsb-12345678\", # Replace with your bundle ID\n user_name=\"my-user\",\n root_volume_encryption_enabled=False,\n user_volume_encryption_enabled=False,\n workspace_properties={\"directoryId\": directory.ref},\n )\n\napp = core.App()\nWorkSpacesStack(app, \"WorkSpacesStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py",
"content": "from aws_cdk import core\nfrom aws_cdk import aws_workspaces as workspaces\n\nclass WorkSpacesStack(core.Stack):\n def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:\n super().__init__(scope, id, **kwargs)\n\n # Create a WorkSpaces directory\n directory = workspaces.CfnWorkspaceDirectory(\n self, \"MyWorkspaceDirectory\",\n directory_name=\"my-workspace-directory\",\n subnet_ids=[\"subnet-12345678\"], # Replace with your subnet IDs\n self_service_permissions=\"ENABLED\",\n )\n\n # Create a WorkSpaces workspace with root volume encryption enabled\n workspace = workspaces.CfnWorkspace(\n self, \"MyWorkspace\",\n bundle_id=\"wsb-12345678\", # Replace with your bundle ID\n user_name=\"my-user\",\n root_volume_encryption_enabled=True,\n user_volume_encryption_enabled=True,\n workspace_properties={\"directoryId\": directory.ref},\n )\n\napp = core.App()\nWorkSpacesStack(app, \"WorkSpacesStack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/python/s3.py",
"content": "from aws_cdk import App, Stack, aws_s3\n\n\nclass AppStack(Stack):\n def __init__(self, app: App, id: str) -> None:\n super().__init__(app, id)\n\n bucket = aws_s3.Bucket(\n self,\n \"example\",\n encryption=aws_s3.BucketEncryption.S3_MANAGED,\n )\n\n\napp = App()\nAppStack(app, \"example-stack\")\napp.synth()\n"
},
{
"path": "cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass ALBDropHttpHeadersStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnLoadBalancer(this, { type: 'not_application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })\n new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'false', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })\n new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.disable', 'value': 'true'}], type: 'application' })\n new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [], type: 'application' })\n }\n}\n\nconst app = new App();\nnew ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass ALBDropHttpHeadersStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })\n new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })\n new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}], type: 'application' })\n new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}], type: 'application' })\n }\n}\n\nconst app = new App();\nnew ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass ALBListenerHTTPSStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnListener(this, {})\n }\n}\n\nconst app = new App();\nnew ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass ALBListenerHTTPSStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnListener(this, {protocol: 'HTTPS'})\n new elbv2.CfnListener(this, {protocol: 'TLS'})\n new elbv2.CfnListener(this, {protocol: 'TCP'})\n new elbv2.CfnListener(this, {protocol: 'UDP'})\n new elbv2.CfnListener(this, {protocol: 'TCP_UDP'})\n new elbv2.CfnListener(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})\n }\n}\n\nconst app = new App();\nnew ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { apigateway as api } from 'aws-cdk-lib';\n\nclass APIGatewayAccessLoggingStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new api.CfnStage(this, {})\n }\n}\n\nconst app = new App();\nnew APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { apigateway as api } from 'aws-cdk-lib';\n\nclass APIGatewayAccessLoggingStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new api.CfnStage(this, { accessLogSetting: { destinationArn: \"1\" }} )\n }\n}\n\nconst app = new App();\nnew APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts",
"content": "// Import necessary AWS CDK packages\nimport * as apigateway from '@aws-cdk/aws-apigateway';\nimport { Resource } from '@aws-cdk/core';\n\n// Example resource and method declarations\nconst resource: Resource = new Resource(); // Placeholder for actual resource initialization\n\n// Test cases for the policy patterns\n\n// This should match the first pattern and not be sanitized by the second pattern\n// SOURCE\nconst method1 = resource.addMethod('GET', new apigateway.MockIntegration(), {\n apiKeyRequired: false\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts",
"content": "// Import necessary AWS CDK packages\nimport * as apigateway from '@aws-cdk/aws-apigateway';\nimport { Resource } from '@aws-cdk/core';\n\n// Example resource and method declarations\nconst resource: Resource = new Resource(); // Placeholder for actual resource initialization\n\n// Test cases for the policy patterns\n\n// This should match the second pattern\n// SINK\nconst method2 = resource.addMethod('POST', new apigateway.MockIntegration(), {\n authorizationType: apigateway.AuthorizationType.NONE\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts",
"content": "// Import necessary AWS CDK packages\nimport * as apigateway from '@aws-cdk/aws-apigateway';\nimport { Resource } from '@aws-cdk/core';\n\n// Example resource and method declarations\nconst resource: Resource = new Resource(); // Placeholder for actual resource initialization\n\n// Test cases for the policy patterns\n\n// This should not match any pattern as it includes an authorization type\n// SANITIZER\nconst method3 = resource.addMethod('PUT', new apigateway.MockIntegration(), {\n authorizationType: apigateway.AuthorizationType.COGNITO,\n apiKeyRequired: true\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts",
"content": "// Import necessary AWS CDK packages\nimport * as apigateway from '@aws-cdk/aws-apigateway';\nimport { Resource } from '@aws-cdk/core';\n\n// Example resource and method declarations\nconst resource: Resource = new Resource(); // Placeholder for actual resource initialization\n\n// Test cases for the policy patterns\n\n// This should not match any pattern as it includes an authorization type and is not open\nconst method4 = resource.addMethod('DELETE', new apigateway.MockIntegration(), {\n authorizationType: apigateway.AuthorizationType.IAM\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayCacheEnableStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.Stage(this, {})\n }\n}\n\nconst app = new App();\nnew APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayCacheEnableStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n new elbv2.Stage(this, { cacheClusterEnabled: true} )\n }\n}\n\nconst app = new App();\nnew APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayV2AccessLoggingStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnApi(this, {})\n }\n}\n\nconst app = new App();\nnew APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayV2AccessLoggingStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnApi(this, {accessLogSettings: {destinationArn: \"1\"}})\n }\n}\n\nconst app = new App();\nnew APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayXrayStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnStage(this, {})\n new elbv2.CfnStage(this, {tracingEnabled: false})\n }\n}\n\nconst app = new App();\nnew APIGatewayXrayStack(app, 'APIGatewayXrayStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass APIGatewayXrayStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnStage(this, {tracingEnabled: true})\n }\n}\n\nconst app = new App();\nnew APIGatewayXrayStack(app, 'APIGatewayXrayStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass AmazonMQBrokerPublicAccessStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n new elbv2.CfnBroker(this, {publiclyAccessible: true})\n }\n}\n\nconst app = new App();\nnew AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass AmazonMQBrokerPublicAccessStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n new elbv2.CfnBroker(this, {})\n new elbv2.CfnBroker(this, {publiclyAccessible: false})\n }\n}\n\nconst app = new App();\nnew AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts",
"content": "// Import necessary AWS CDK packages\nimport * as appsync from '@aws-cdk/aws-appsync';\n\n// Example of a log configuration that does not enable field-level logging\n// FINDING\nconst logConfig: appsync.LogConfig = {\n // log configuration details\n};\n\n// This should match the pattern and be flagged as a vulnerability\n// SINK\nconst graphqlApiWithoutLogs = new appsync.GraphqlApi(this, 'apiWithoutLogs', {\n // other configuration details\n logConfig: {\n // Incorrect or missing fieldLogLevel configuration\n }\n});\n\n// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutLogs`.\n"
},
{
"path": "cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts",
"content": "// Import necessary AWS CDK packages\nimport * as appsync from '@aws-cdk/aws-appsync';\n\n// Example of a log configuration that does not enable field-level logging\n// FINDING\nconst logConfig: appsync.LogConfig = {\n fieldLogLevel: appsync.FieldLogLevel.ALL\n};\n\n// This should not match the pattern as it includes a logConfig with FieldLogLevel\nconst graphqlApiWithLogs = new appsync.GraphqlApi(this, 'apiWithLogs', {\n // other configuration details\n logConfig: {\n fieldLogLevel: appsync.FieldLogLevel.ALL // This is the correct configuration\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts",
"content": "// Import necessary AWS CDK packages\nimport * as appsync from '@aws-cdk/aws-appsync';\n\n// Example of a log configuration\n// FINDING\nconst logConfig: appsync.LogConfig = {\n // log configuration details\n};\n\n// This should match the pattern and be flagged as a vulnerability\n// SINK\nconst graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {\n // other configuration details\n logConfig: {\n // log configuration details without role\n }\n});\n\n// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.\n"
},
{
"path": "cdk_integration_tests/src/typescript/AppSyncLogging/pass.ts",
"content": "// Import necessary AWS CDK packages\nimport * as appsync from '@aws-cdk/aws-appsync';\n\n// Example of a log configuration\n// FINDING\nconst logConfig: appsync.LogConfig = {\n // log configuration details\n};\n\n// This should match the pattern and be flagged as a vulnerability\n// SINK\nconst graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {\n // other configuration details\n logConfig: {\n // log configuration details without role\n }\n});\n\n// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.\n"
},
{
"path": "cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail.ts",
"content": "// Import necessary AWS CDK packages\nimport * as athena from '@aws-cdk/aws-athena';\n\n// This should match the pattern and be flagged as a vulnerability\n// SINK\nconst workgroupWithoutEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {\n // other configuration details\n workGroupConfiguration: {\n // Workgroup configuration details without enforceWorkGroupConfiguration\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail__2__.ts",
"content": "// Import necessary AWS CDK packages\nimport * as athena from '@aws-cdk/aws-athena';\n\n// Example of a Workgroup configuration\n// FINDING\nconst workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {\n // Workgroup configuration details\n};\n\n\nconst workgroupWithoutEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {\n // other configuration details\n workGroupConfiguration: workgroupConfig\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/pass.ts",
"content": "// Import necessary AWS CDK packages\nimport * as athena from '@aws-cdk/aws-athena';\n\n// Example of a Workgroup configuration\n// FINDING\nconst workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {\n enforceWorkGroupConfiguration: true\n};\n\n// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true\nconst workgroupWithEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', {\n // other configuration details\n enforceWorkGroupConfiguration: true\n});\n\n\n// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true\nconst workgroupWithEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', workgroupConfig);\n"
},
{
"path": "cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass AuroraEncryptionStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnDBCluster(this, {})\n new elbv2.CfnDBCluster(this, {storageEncrypted: false})\n }\n}\n\nconst app = new App();\nnew AuroraEncryptionStack(app, 'AuroraEncryptionStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass AuroraEncryptionStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnDBCluster(this, {storageEncrypted: true})\n }\n}\n\nconst app = new App();\nnew AuroraEncryptionStack(app, 'AuroraEncryptionStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass BackupVaultEncryptedStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnBackupVault(this, {})\n new elbv2.CfnBackupVault(this, {encryptionKeyArn: false})\n }\n}\n\nconst app = new App();\nnew BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass BackupVaultEncryptedStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnBackupVault(this, {encryptionKeyArn: true})\n }\n}\n\nconst app = new App();\nnew BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudFrontTLS12/fail.ts",
"content": "// Import necessary AWS CDK packages\nimport * as cloudfront from '@aws-cdk/aws-cloudfront';\nimport { Construct } from '@aws-cdk/core';\n\n// Example of a ViewerCertificateProperty that does not specify TLS v1.2\n// FINDING\nconst viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {\n // Viewer certificate configuration details\n};\n\n// This should match the pattern and be flagged as a vulnerability\n// SINK\nconst distributionWithoutTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithoutTLSv12', {\n // other configuration details\n viewerCertificate: {\n // Incorrect or missing minimumProtocolVersion configuration\n }\n});\n\n// The SAST engine should flag 1 vulnerability: `distributionWithoutTLSv12`.\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudFrontTLS12/pass.ts",
"content": "// Import necessary AWS CDK packages\nimport * as cloudfront from '@aws-cdk/aws-cloudfront';\nimport { Construct } from '@aws-cdk/core';\n\n// Example of a ViewerCertificateProperty that does not specify TLS v1.2\n// FINDING\nconst viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {\n // Viewer certificate configuration details\n};\n\n// This should not match the pattern as it includes a ViewerCertificate with TLSv1.2\nconst distributionWithTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithTLSv12', {\n // other configuration details\n viewerCertificate: {\n minimumProtocolVersion: 'TLSv1.2' // This is the correct configuration\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass CloudTrailLogValidationStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnTrail(this, {})\n new elbv2.CfnTrail(this, {enableLogFileValidation: false})\n }\n}\n\nconst app = new App();\nnew CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';\n\nclass CloudTrailLogValidationStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new elbv2.CfnTrail(this, {enableLogFileValidation: true})\n }\n}\n\nconst app = new App();\nnew CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as logs from 'aws-cdk-lib/aws-logs';\n\nexport class MyLogGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new logs.LogGroup(this, 'MyLogGroup', {\n logGroupName: 'MyLogGroupName', // Name of the log group\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy\n retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed\n });\n\n // You can add other resources or configurations to the stack here\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew MyLogGroupStack(app, 'MyLogGroupStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as logs from 'aws-cdk-lib/aws-logs';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class MyLogGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new logs.LogGroup(this, 'MyLogGroup', {\n logGroupName: 'MyLogGroupName', // Name of the log group\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy\n retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed\n encryptionKey: new kms.Key(this, 'Key'),\n });\n\n // You can add other resources or configurations to the stack here\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew MyLogGroupStack(app, 'MyLogGroupStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as logs from 'aws-cdk-lib/aws-logs';\n\nexport class MyLogGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating a CloudFormation LogGroup resource\n const logGroup = new logs.CfnLogGroup(this, 'MyLogGroup', {\n logGroupName: 'MyLogGroupName', // Name of the log group\n kmsKeyId: '1', // Specify the KMS key ID\n });\n\n // Optionally set removal policy\n logGroup.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew MyLogGroupStack(app, 'MyLogGroupStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as logs from 'aws-cdk-lib/aws-logs';\n\nexport class MyLogGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating a CloudFormation LogGroup resource\n const logGroup = new logs.CfnLogGroup(this, 'MyLogGroup', {\n logGroupName: 'MyLogGroupName', // Name of the log group\n retentionInDays: 30, // Set the retention policy as needed\n kmsKeyId: '1', // Specify the KMS key ID\n });\n\n // Optionally set removal policy\n logGroup.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew MyLogGroupStack(app, 'MyLogGroupStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport * as origins from 'aws-cdk-lib/aws-cloudfront-origins';\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution\n const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n targetOriginId: 'myOrigin1',\n viewerProtocolPolicy: 'allow-all',\n },\n origins: [\n {\n id: 'myOrigin1',\n domainName: 'my-bucket.s3.amazonaws.com',\n s3OriginConfig: {},\n },\n ],\n enabled: true,\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution using the Distribution construct\n const distribution = new cloudfront.Distribution(this, 'MyDistribution', {\n defaultBehavior: {\n origin: myOrigin,\n viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL, // Allow all protocols\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport * as origins from 'aws-cdk-lib/aws-cloudfront-origins';\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution\n const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n targetOriginId: 'myOrigin1',\n viewerProtocolPolicy: 'redirect-to-https',\n },\n origins: [\n {\n id: 'myOrigin1',\n domainName: 'my-bucket.s3.amazonaws.com',\n s3OriginConfig: {},\n },\n ],\n enabled: true,\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution using the Distribution construct\n const distribution = new cloudfront.Distribution(this, 'MyDistribution', {\n defaultBehavior: {\n origin: myOrigin,\n viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS, // Allow all protocols\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');"
},
{
"path": "cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport * as logs from 'aws-cdk-lib/aws-logs';\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // S3 bucket for storing CloudFront access logs\n const logBucket = new s3.Bucket(this, 'LogBucket');\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution using the Distribution construct\n const distribution = new cloudfront.Distribution(this, 'MyDistribution', {\n defaultBehavior: {\n origin: myOrigin,\n viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,\n },\n enableLogging: false, // Enable access logging\n logBucket: logBucket,\n logFilePrefix: 'cf-access-logs/', // Optional: prefix for log file names\n });\n\n // Optionally grant CloudFront permission to write access logs to the S3 bucket\n logBucket.grantWrite(distribution.logBucketDelivery);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\n\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // S3 bucket for storing CloudFront access logs\n const logBucket = new s3.Bucket(this, 'LogBucket');\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new cloudfront.CfnDistribution.OriginProperty({\n domainName: 'my-bucket.s3.amazonaws.com',\n id: 'myOrigin',\n s3OriginConfig: {},\n });\n\n // Creating a CloudFront distribution using the CfnDistribution construct\n const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n targetOriginId: 'myOrigin',\n viewerProtocolPolicy: 'allow-all',\n },\n origins: [myOrigin],\n enabled: true,\n },\n });\n\n // Optionally grant CloudFront permission to write access logs to the S3 bucket\n logBucket.grantWrite(distribution.logBucketDeliveryWrite);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport * as logs from 'aws-cdk-lib/aws-logs';\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // S3 bucket for storing CloudFront access logs\n const logBucket = new s3.Bucket(this, 'LogBucket');\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });\n\n // Creating a CloudFront distribution using the Distribution construct\n const distribution = new cloudfront.Distribution(this, 'MyDistribution', {\n defaultBehavior: {\n origin: myOrigin,\n viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,\n },\n enableLogging: true, // Enable access logging\n logBucket: logBucket,\n logFilePrefix: 'cf-access-logs/', // Optional: prefix for log file names\n });\n\n // Optionally grant CloudFront permission to write access logs to the S3 bucket\n logBucket.grantWrite(distribution.logBucketDelivery);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n\nexport class CloudFrontStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // S3 bucket for storing CloudFront access logs\n const logBucket = new s3.Bucket(this, 'LogBucket');\n\n // Creating an origin for the CloudFront distribution\n const myOrigin = new cloudfront.CfnDistribution.OriginProperty({\n domainName: 'my-bucket.s3.amazonaws.com',\n id: 'myOrigin',\n s3OriginConfig: {},\n });\n\n // Creating a CloudFront distribution using the CfnDistribution construct\n const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n targetOriginId: 'myOrigin',\n viewerProtocolPolicy: 'allow-all',\n },\n origins: [myOrigin],\n enabled: true,\n logging: {\n bucket: logBucket.bucketName,\n prefix: 'cf-access-logs/', // Optional: prefix for log file names\n includeCookies: false, // Optional: whether to include cookies in access logs\n },\n },\n });\n\n // Optionally grant CloudFront permission to write access logs to the S3 bucket\n logBucket.grantWrite(distribution.logBucketDeliveryWrite);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudFrontStack(app, 'CloudFrontStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail with the specified KMS key ID\n const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {\n enableLogFileValidation: true,\n includeGlobalServiceEvents: true,\n isMultiRegionTrail: true,\n trailName: 'MyCloudTrail',\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudTrailStack(app, 'CloudTrailStack');"
},
{
"path": "cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail with the specified KMS key ID\n const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {\n enableLogFileValidation: true,\n includeGlobalServiceEvents: true,\n isMultiRegionTrail: true,\n kmsKeyId: kmsKey.keyId, // Use the KMS key ID\n trailName: 'MyCloudTrail',\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudTrailStack(app, 'CloudTrailStack');\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n\n // Create a CloudTrail trail with the specified KMS key ID\n const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {\n enableLogFileValidation: true,\n includeGlobalServiceEvents: true,\n isMultiRegionTrail: true,\n kmsKeyId: new kms.Key(this, 'CloudTrailKmsKey').keyId,\n trailName: 'MyCloudTrail',\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CloudTrailStack(app, 'CloudTrailStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail using CfnTrail\n const trail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {\n isMultiRegionTrail: false,\n enableLogFileValidation: true,\n includeGlobalServiceEvents: true,\n kmsKeyId: kmsKey.keyId,\n trailName: 'MyCloudTrail',\n });\n }\n}\n\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail using Trail construct\n const trail = new cloudtrail.Trail(this, 'MyTrail', {\n enableFileValidation: true,\n includeGlobalServiceEvents: true,\n encryptionKey: kmsKey,\n trailName: 'MyCloudTrail',\n });\n }\n}\n"
},
{
"path": "cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail using CfnTrail\n const trail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {\n isMultiRegionTrail: true,\n enableLogFileValidation: true,\n includeGlobalServiceEvents: true,\n kmsKeyId: kmsKey.keyId,\n trailName: 'MyCloudTrail',\n });\n }\n}\n\n\nexport class CloudTrailStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CloudTrail encryption\n const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');\n\n // Create a CloudTrail trail using Trail construct\n const trail = new cloudtrail.Trail(this, 'MyTrail', {\n isMultiRegionTrail: true,\n enableFileValidation: true,\n includeGlobalServiceEvents: true,\n encryptionKey: kmsKey,\n trailName: 'MyCloudTrail',\n });\n }\n}\n"
},
{
"path": "cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as codebuild from 'aws-cdk-lib/aws-codebuild';\n\nexport class CodeBuildStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a CodeBuild project\n const project = new codebuild.Project(this, 'MyCodeBuildProject', {\n projectName: 'MyCodeBuildProject',\n environment: {\n buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,\n environmentVariables: {\n 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },\n },\n },\n buildSpec: codebuild.BuildSpec.fromObject({\n version: '0.2',\n phases: {\n install: {\n commands: [\n 'npm install',\n ],\n },\n build: {\n commands: [\n 'npm run build',\n ],\n },\n },\n }),\n });\n\n // Ensure that encryption is not disabled\n project.node.addDependency(kmsKey);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CodeBuildStack(app, 'CodeBuildStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as codebuild from 'aws-cdk-lib/aws-codebuild';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class CodeBuildStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for CodeBuild encryption\n const kmsKey = new kms.Key(this, 'CodeBuildKmsKey');\n\n // Create a CodeBuild project\n const project = new codebuild.Project(this, 'MyCodeBuildProject', {\n projectName: 'MyCodeBuildProject',\n encryptionKey: kmsKey, // Specify the KMS key\n environment: {\n buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,\n environmentVariables: {\n 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },\n },\n },\n buildSpec: codebuild.BuildSpec.fromObject({\n version: '0.2',\n phases: {\n install: {\n commands: [\n 'npm install',\n ],\n },\n build: {\n commands: [\n 'npm run build',\n ],\n },\n },\n }),\n });\n\n // Ensure that encryption is not disabled\n project.node.addDependency(kmsKey);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CodeBuildStack(app, 'CodeBuildStack');\n\nexport class CodeBuildStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a CodeBuild project\n const project = new codebuild.Project(this, 'MyCodeBuildProject', {\n projectName: 'MyCodeBuildProject',\n encryptionKey: new kms.Key(this, 'CodeBuildKmsKey'), // Specify the KMS key\n environment: {\n buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,\n environmentVariables: {\n 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },\n },\n },\n buildSpec: codebuild.BuildSpec.fromObject({\n version: '0.2',\n phases: {\n install: {\n commands: [\n 'npm install',\n ],\n },\n build: {\n commands: [\n 'npm run build',\n ],\n },\n },\n }),\n });\n\n // Ensure that encryption is not disabled\n project.node.addDependency(kmsKey);\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew CodeBuildStack(app, 'CodeBuildStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dax from 'aws-cdk-lib/aws-dax';\n\nexport class DAXClusterStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a DAX cluster\n const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {\n clusterName: 'MyDAXCluster',\n description: 'My DAX Cluster',\n iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',\n nodeType: 'dax.r5.large',\n replicationFactor: 2,\n sseSpecification: {\n enabled: false, // Disable server-side encryption\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DAXClusterStack(app, 'DAXClusterStack');\napp.synth();\n\nexport class DAXClusterStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a DAX cluster\n const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {\n clusterName: 'MyDAXCluster',\n description: 'My DAX Cluster',\n iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',\n nodeType: 'dax.r5.large',\n replicationFactor: 2,\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DAXClusterStack(app, 'DAXClusterStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/DAXEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dax from 'aws-cdk-lib/aws-dax';\n\nexport class DAXClusterStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a DAX cluster\n const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {\n clusterName: 'MyDAXCluster',\n description: 'My DAX Cluster',\n iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',\n nodeType: 'dax.r5.large',\n replicationFactor: 2,\n sseSpecification: {\n enabled: true, // Enable server-side encryption\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DAXClusterStack(app, 'DAXClusterStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dms from 'aws-cdk-lib/aws-dms';\n\nexport class DMSStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a DMS replication instance\n const replicationInstance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {\n replicationInstanceClass: 'replicationInstanceClass',\n\n // Optional properties\n allocatedStorage: 123,\n allowMajorVersionUpgrade: false,\n autoMinorVersionUpgrade: false,\n availabilityZone: 'availabilityZone',\n engineVersion: 'engineVersion',\n kmsKeyId: 'kmsKeyId',\n multiAz: false,\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n publiclyAccessible: true, // Set publiclyAccessible to true\n replicationInstanceIdentifier: 'replicationInstanceIdentifier',\n replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',\n resourceIdentifier: 'resourceIdentifier',\n tags: [{ key: 'key', value: 'value' }],\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DMSStack(app, 'DMSStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dms from 'aws-cdk-lib/aws-dms';\n\nexport class DMSStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create a DMS replication instance\n const replicationInstance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {\n replicationInstanceClass: 'replicationInstanceClass',\n\n // Optional properties\n allocatedStorage: 123,\n allowMajorVersionUpgrade: false,\n autoMinorVersionUpgrade: false,\n availabilityZone: 'availabilityZone',\n engineVersion: 'engineVersion',\n kmsKeyId: 'kmsKeyId',\n multiAz: false,\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n publiclyAccessible: false, // Set publiclyAccessible to true\n replicationInstanceIdentifier: 'replicationInstanceIdentifier',\n replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',\n resourceIdentifier: 'resourceIdentifier',\n tags: [{ key: 'key', value: 'value' }],\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DMSStack(app, 'DMSStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DocDB Cluster Parameter Group\n const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {\n description: 'Custom DocDB Cluster Parameter Group',\n family: 'docdb4.0',\n parameters: {\n audit_logs: 'disabled',\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();\n\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DocDB Cluster Parameter Group\n const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {\n description: 'Custom DocDB Cluster Parameter Group',\n family: 'docdb4.0',\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DocDB Cluster Parameter Group\n const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {\n description: 'Custom DocDB Cluster Parameter Group',\n family: 'docdb4.0',\n parameters: {\n audit_logs: 'enabled',\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for DocumentDB storage encryption\n const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');\n\n // Create an Amazon DocumentDB cluster\n const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {\n dbClusterIdentifier: 'MyCluster',\n masterUsername: 'admin',\n masterUserPassword: 'mysecretpassword',\n dbSubnetGroupName: 'MySubnetGroup',\n engineVersion: '4.0.0',\n storageEncrypted: false, // Enable storage encryption\n kmsKeyId: kmsKey.keyArn,\n vpcSecurityGroupIds: ['sg-12345678'],\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();\n\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for DocumentDB storage encryption\n const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');\n\n // Create an Amazon DocumentDB cluster\n const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {\n dbClusterIdentifier: 'MyCluster',\n masterUsername: 'admin',\n masterUserPassword: 'mysecretpassword',\n dbSubnetGroupName: 'MySubnetGroup',\n engineVersion: '4.0.0',\n kmsKeyId: kmsKey.keyArn,\n vpcSecurityGroupIds: ['sg-12345678'],\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\nimport * as kms from 'aws-cdk-lib/aws-kms';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define a KMS key for DocumentDB storage encryption\n const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');\n\n // Create an Amazon DocumentDB cluster\n const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {\n dbClusterIdentifier: 'MyCluster',\n masterUsername: 'admin',\n masterUserPassword: 'mysecretpassword',\n dbSubnetGroupName: 'MySubnetGroup',\n engineVersion: '4.0.0',\n storageEncrypted: true, // Enable storage encryption\n kmsKeyId: kmsKey.keyArn,\n vpcSecurityGroupIds: ['sg-12345678'],\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBTLS/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DocDB Cluster Parameter Group\n const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {\n description: 'Custom DocDB Cluster Parameter Group',\n family: 'docdb4.0',\n parameters: {\n tls: 'disabled',\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/DocDBTLS/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as docdb from 'aws-cdk-lib/aws-docdb';\n\nexport class DocDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DocDB Cluster Parameter Group\n const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {\n description: 'Custom DocDB Cluster Parameter Group',\n family: 'docdb4.0',\n parameters: {\n tls: 'enabled',\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DocDBStack(app, 'DocDBStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dynamodb from 'aws-cdk-lib/aws-dynamodb';\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table\n const table = new dynamodb.CfnTable(this, 'MyTable', {\n tableName: 'MyTable',\n attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],\n keySchema: [{ attributeName: 'id', keyType: 'HASH' }],\n provisionedThroughput: {\n readCapacityUnits: 5,\n writeCapacityUnits: 5,\n },\n });\n\n // Define the DynamoDB global table\n const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {\n globalTableName: 'MyGlobalTable',\n replicationGroup: [{\n region: 'us-east-1', // Replace with your preferred region\n }],\n sourceTableName: table.ref,\n pointInTimeRecoverySpecification: {\n pointInTimeRecoveryEnabled: false, // Enable point-in-time recovery for the global table\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dynamodb from 'aws-cdk-lib/aws-dynamodb';\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table\n const table = new dynamodb.CfnTable(this, 'MyTable', {\n tableName: 'MyTable',\n attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],\n keySchema: [{ attributeName: 'id', keyType: 'HASH' }],\n provisionedThroughput: {\n readCapacityUnits: 5,\n writeCapacityUnits: 5,\n },\n });\n\n // Define the DynamoDB global table\n const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {\n globalTableName: 'MyGlobalTable',\n replicationGroup: [{\n region: 'us-east-1', // Replace with your preferred region\n }],\n sourceTableName: table.ref,\n pointInTimeRecoverySpecification: {\n pointInTimeRecoveryEnabled: true, // Enable point-in-time recovery for the global table\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dynamodb from 'aws-cdk-lib/aws-dynamodb';\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table\n const table = new dynamodb.CfnTable(this, 'MyTable', {\n tableName: 'MyTable',\n attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],\n keySchema: [{ attributeName: 'id', keyType: 'HASH' }],\n provisionedThroughput: {\n readCapacityUnits: 5,\n writeCapacityUnits: 5,\n },\n pointInTimeRecoverySpecification: {\n pointInTimeRecoveryEnabled: false, // disable point-in-time recovery for the table\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table with point-in-time recovery enabled\n const table = new dynamodb.Table(this, 'MyTable', {\n tableName: 'MyTable',\n partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },\n readCapacity: 5,\n writeCapacity: 5,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy\n timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery\n pointInTimeRecovery: false, // Enable point-in-time recovery\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as dynamodb from 'aws-cdk-lib/aws-dynamodb';\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table\n const table = new dynamodb.CfnTable(this, 'MyTable', {\n tableName: 'MyTable',\n attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],\n keySchema: [{ attributeName: 'id', keyType: 'HASH' }],\n provisionedThroughput: {\n readCapacityUnits: 5,\n writeCapacityUnits: 5,\n },\n pointInTimeRecoverySpecification: {\n pointInTimeRecoveryEnabled: true, // Enable point-in-time recovery for the table\n },\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n\n\nexport class DynamoDBStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define the DynamoDB table with point-in-time recovery enabled\n const table = new dynamodb.Table(this, 'MyTable', {\n tableName: 'MyTable',\n partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },\n readCapacity: 5,\n writeCapacity: 5,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy\n timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery\n pointInTimeRecovery: true, // Enable point-in-time recovery\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew DynamoDBStack(app, 'DynamoDBStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\n\nexport class EC2Stack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create an EC2 instance\n const instance = new ec2.Instance(this, 'MyInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),\n machineImage: ec2.MachineImage.latestAmazonLinux(),\n vpc: new ec2.Vpc(this, 'MyVpc'),\n });\n\n // Create an EBS volume with encryption enabled\n const volume = new ec2.Volume(this, 'MyVolume', {\n availabilityZone: instance.instanceAvailabilityZone,\n size: ec2.Size.gibibytes(10), // Specify the volume size\n encrypted: false, // Disable encryption for the volume\n });\n\n // Attach the volume to the instance\n instance.instance.addVolumeAttachment('MyVolumeAttachment', {\n volume,\n device: '/dev/sdf', // Specify the device name\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew EC2Stack(app, 'EC2Stack');\napp.synth();\n\n\nexport class EC2Stack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create an EC2 instance\n const instance = new ec2.Instance(this, 'MyInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),\n machineImage: ec2.MachineImage.latestAmazonLinux(),\n vpc: new ec2.Vpc(this, 'MyVpc'),\n });\n\n // Create an EBS volume with encryption enabled\n const volume = new ec2.CfnVolume(this, 'MyVolume', {\n availabilityZone: instance.instanceAvailabilityZone,\n size: 10, // Specify the volume size in GiB\n encrypted: false, // Enable encryption for the volume\n });\n\n // Attach the volume to the instance\n new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', {\n instanceId: instance.instanceId,\n volumeId: volume.ref,\n device: '/dev/sdf', // Specify the device name\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew EC2Stack(app, 'EC2Stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EBSEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\n\nexport class EC2Stack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create an EC2 instance\n const instance = new ec2.Instance(this, 'MyInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),\n machineImage: ec2.MachineImage.latestAmazonLinux(),\n vpc: new ec2.Vpc(this, 'MyVpc'),\n });\n\n // Create an EBS volume with encryption enabled\n const volume = new ec2.Volume(this, 'MyVolume', {\n availabilityZone: instance.instanceAvailabilityZone,\n size: ec2.Size.gibibytes(10), // Specify the volume size\n encrypted: true, // Enable encryption for the volume\n });\n\n // Attach the volume to the instance\n instance.instance.addVolumeAttachment('MyVolumeAttachment', {\n volume,\n device: '/dev/sdf', // Specify the device name\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew EC2Stack(app, 'EC2Stack');\napp.synth();\n\n\n\nexport class EC2Stack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Create an EC2 instance\n const instance = new ec2.Instance(this, 'MyInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),\n machineImage: ec2.MachineImage.latestAmazonLinux(),\n vpc: new ec2.Vpc(this, 'MyVpc'),\n });\n\n // Create an EBS volume with encryption enabled\n const volume = new ec2.CfnVolume(this, 'MyVolume', {\n availabilityZone: instance.instanceAvailabilityZone,\n size: 10, // Specify the volume size in GiB\n encrypted: true, // Enable encryption for the volume\n });\n\n // Attach the volume to the instance\n new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', {\n instanceId: instance.instanceId,\n volumeId: volume.ref,\n device: '/dev/sdf', // Specify the device name\n });\n }\n}\n\n// Example usage\nconst app = new cdk.App();\nnew EC2Stack(app, 'EC2Stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const vpc = new ec2.Vpc(this, 'VPC', {\n cidr: '10.0.0.0/16',\n natGateways: 0,\n maxAzs: 2,\n subnetConfiguration: [\n {\n name: 'public-subnet-1',\n subnetType: ec2.SubnetType.PUBLIC,\n cidrMask: 24,\n },\n ],\n });\n\n const instance = new ec2.Instance(this, 'Instance', {\n vpc,\n vpcSubnets: {subnetGroupName: 'public-subnet-1'},\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),\n machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}),\n detailedMonitoring: true,\n associatePublicIpAddress: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const vpc = new ec2.Vpc(this, 'VPC', {\n cidr: '10.0.0.0/16',\n natGateways: 0,\n maxAzs: 2,\n subnetConfiguration: [\n {\n name: 'public-subnet-1',\n subnetType: ec2.SubnetType.PUBLIC,\n cidrMask: 24,\n },\n ],\n });\n\n const sg1 = new ec2.SecurityGroup(this, 'sg1', {\n vpc: vpc,\n });\n\n const launchTemplate = new ec2.LaunchTemplate(this, 'LaunchTemplate', {\n machineImage: ec2.MachineImage.latestAmazonLinux2023(),\n securityGroup: sg1,\n associatePublicIpAddress: true\n });\n\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const vpc = new ec2.Vpc(this, 'VPC', {\n cidr: '10.0.0.0/16',\n natGateways: 0,\n maxAzs: 2,\n subnetConfiguration: [\n {\n name: 'public-subnet-1',\n subnetType: ec2.SubnetType.PUBLIC,\n cidrMask: 24,\n },\n ],\n });\n\n const instance = new ec2.Instance(this, 'Instance', {\n vpc,\n vpcSubnets: {subnetGroupName: 'public-subnet-1'},\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),\n machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}),\n detailedMonitoring: true,\n associatePublicIpAddress: false\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {} );\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {\n imageScanOnPush: true\n } );\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {} );\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {\n imageTagMutability: ecr.TagMutability.IMMUTABLE\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {} );\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {\n encryption: ecr.RepositoryEncryption.KMS\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecr from 'aws-cdk-lib/aws-ecr';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const repository = new ecr.Repository(this, 'Repo', {\n encryptionKey: new kms.Key(this, 'Key')\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecs from 'aws-cdk-lib/aws-ecs';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1});\n const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc});\n const cluster2 = new ecs.Cluster(this, 'EcsCluster2', {vpc, containerInsights: false});\n const cluster3 = new ecs.Cluster(this, 'EcsCluster3', {vpc, containerInsightsV2: ecs.ContainerInsights.DISABLED});\n\n const cluster4 = new ecs.CfnCluster(this, 'EcsCluster4', {clusterSettings: []});\n const cluster5 = new ecs.CfnCluster(this, 'EcsCluster5', {clusterSettings: [{name: 'containerInsights', value: 'disabled'}]});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecs from 'aws-cdk-lib/aws-ecs';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1});\n const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc, containerInsights: true});\n const cluster2 = new ecs.Cluster(this, 'EcsCluster2', {vpc, containerInsightsV2: ecs.ContainerInsights.ENABLED});\n const cluster3 = new ecs.Cluster(this, 'EcsCluster6', {vpc, containerInsightsV2: ecs.ContainerInsights.ENHANCED});\n\n const cluster4 = new ecs.CfnCluster(this, 'EcsCluster4', {clusterSettings: [{name: 'containerInsights', value: 'enabled'}]});\n const cluster5 = new ecs.CfnCluster(this, 'EcsCluster5', {clusterSettings: [{value: 'enhanced', name: 'containerInsights'}]});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecs from 'aws-cdk-lib/aws-ecs';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', {\n volumes:\n [\n {\n name:\"my-volume\",\n efsVolumeConfiguration:{\n transitEncryption: \"DISABLED\"\n }\n }\n ]\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecs from 'aws-cdk-lib/aws-ecs';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', {\n volumes:\n [\n {\n name:\"my-volume\",\n efsVolumeConfiguration:{\n transitEncryption: \"DISABLED\"\n }\n }\n ]\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ecs from 'aws-cdk-lib/aws-ecs';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', {\n volumes:\n [\n {\n name:\"my-volume\",\n efsVolumeConfiguration:{\n transitEncryption: \"ENABLED\"\n }\n }\n ]\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as efs from 'aws-cdk-lib/aws-efs';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {\n vpc: new ec2.Vpc(this, 'VPC')\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as efs from 'aws-cdk-lib/aws-efs';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {\n vpc: new ec2.Vpc(this, 'VPC'),\n encrypted: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_eks as eks} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', {\n resourcesVpcConfig: {\n subnetIds: ['subnetIds']\n },\n roleArn: 'roleArn',\n name: 'name',\n version: 'version'\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_eks as eks} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', {\n resourcesVpcConfig: {\n subnetIds: ['subnetIds']\n },\n roleArn: 'roleArn',\n encryptionConfig: [{\n resources: ['secrets']\n }],\n name: 'name',\n version: 'version'\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as elb from 'aws-cdk-lib/aws-elasticloadbalancing';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'VPC')\n const lb = new elb.LoadBalancer(this, 'LB', {\n vpc\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as elb from 'aws-cdk-lib/aws-elasticloadbalancing';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'VPC')\n const lb = new elb.LoadBalancer(this, 'LB', {\n vpc, accessLoggingPolicy: {\n enabled: true\n }\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'VPC')\n const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {\n vpc\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const vpc = new ec2.Vpc(this, 'VPC')\n const loggingBucket = new s3.Bucket(this, 'loggingBucket', {\n encryption: s3.BucketEncryption.S3_MANAGED,\n });\n const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {\n vpc\n });\n\n lb.logAccessLogs(loggingBucket);\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n atRestEncryptionEnabled: true,\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n transitEncryptionEnabled: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n transitEncryptionEnabled: true,\n authToken: 'token'\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport {aws_elasticache as elasticache} from 'aws-cdk-lib';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', {\n replicationGroupDescription: 'replicationGroupDescription',\n authToken: 'token',\n transitEncryptionEnabled: true,\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as es from 'aws-cdk-lib/aws-elasticsearch';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new es.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new opensearch.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as es from 'aws-cdk-lib/aws-elasticsearch';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new es.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4,\n enforceHttps: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new opensearch.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4,\n enforceHttps: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as es from 'aws-cdk-lib/aws-elasticsearch';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new es.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new opensearch.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as es from 'aws-cdk-lib/aws-elasticsearch';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new es.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4,\n logging: {\n appLogEnabled: true\n }\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as opensearch from 'aws-cdk-lib/aws-opensearchservice';\nimport {Construct} from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n const domain = new opensearch.Domain(this, 'Domain', {\n version: es.ElasticsearchVersion.V7_4,\n logging: {\n appLogEnabled: true\n }\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail.ts",
"content": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib';\n\nconst encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {\n enabled: false,\n kmsKeyId: 'kmsKeyId',\n};\n\nlet encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {\n enabled: false,\n};\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail2.ts",
"content": "import {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib';\n\nconst domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n encryptionAtRestOptions: {\n enabled: false, // Enable encryption at rest\n kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID\n }\n});\n\nconst domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n encryptionAtRestOptions: {\n enabled: false, // Enable encryption at rest\n }\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as elasticsearch from 'aws-cdk-lib/aws-elasticsearch';\n\n\nconst domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n encryptionAtRestOptions: {\n enabled: true, // Enable encryption at rest\n kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID\n },\n});\n\nconst domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n encryptionAtRestOptions: {\n enabled: true, // Enable encryption at rest\n }\n});\n\nconst encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {\n enabled: true,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail.ts",
"content": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';\n\nconst encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {\n enabled: false,\n};\n\nlet encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {\n enabled: false,\n};\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail2.ts",
"content": "import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';\n\nconst domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n nodeToNodeEncryptionOptions: {\n enabled: false, // Enable encryption at rest\n kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID\n }\n});\n\nconst domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n nodeToNodeEncryptionOptions: {\n enabled: false, // Enable encryption at rest\n }\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/pass.ts",
"content": "import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';\n\nconst domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n nodeToNodeEncryptionOptions: {\n enabled: true, // Enable encryption at rest\n },\n});\n\nconst domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {\n nodeToNodeEncryptionOptions: {\n enabled: true, // Enable encryption at rest\n }\n});\n\nconst encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {\n enabled: true,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail.ts",
"content": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport {aws_glue as glue} from 'aws-cdk-lib';\n\nconst cfnDataCatalogEncryptionSettingsProps1: glue.CfnDataCatalogEncryptionSettingsProps = {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n kmsKeyId: 'kmsKeyId',\n returnConnectionPasswordEncrypted: false,\n },\n encryptionAtRest: {\n catalogEncryptionMode: 'DISABLED',\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n};\n\nlet cfnDataCatalogEncryptionSettingsProps2: glue.CfnDataCatalogEncryptionSettingsProps = {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n returnConnectionPasswordEncrypted: true,\n },\n },\n encryptionAtRest: {\n catalogEncryptionMode: 'DISABLED',\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n};"
},
{
"path": "cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail2.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n kmsKeyId: 'kmsKeyId',\n returnConnectionPasswordEncrypted: false,\n },\n encryptionAtRest: {\n catalogEncryptionMode: 'SSE-KMS',\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n});\n\nconst cfnDataCatalogEncryptionSettings2 = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n returnConnectionPasswordEncrypted: true,\n },\n encryptionAtRest: {\n catalogEncryptionMode: 'DISABLED',\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/pass.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n kmsKeyId: 'kmsKeyId',\n returnConnectionPasswordEncrypted: true,\n },\n encryptionAtRest: {\n catalogEncryptionMode: \"SSE-KMS\",\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n});\n\nconst cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n kmsKeyId: 'kmsKeyId',\n returnConnectionPasswordEncrypted: true,\n },\n encryptionAtRest: {\n catalogEncryptionMode : \"SSE-KMS\",\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n};"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps2: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps3: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps4: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps5: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps6: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps7: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps8: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps9: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps10: glue.CfnSecurityConfigurationProps = {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n};\n\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail2.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration3 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration4 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration5 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration6 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration7 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'DISABLE',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration8 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"DISABLE\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration9 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-KMS\" }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration10 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{ s3EncryptionMode: \"SSE-S3\" }],\n },\n name: 'name',\n});\n\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfiguration/pass.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{\n kmsKeyArn: 'kmsKeyArn',\n s3EncryptionMode: 'SSE-KMS',\n }],\n },\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', {\n encryptionConfiguration: {\n cloudWatchEncryption: {\n cloudWatchEncryptionMode: 'SSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n jobBookmarksEncryption: {\n jobBookmarksEncryptionMode: 'CSE-KMS',\n kmsKeyArn: 'kmsKeyArn',\n },\n s3Encryptions: [{\n kmsKeyArn: 'kmsKeyArn',\n s3EncryptionMode: 'SSE-S3',\n }],\n },\n name: 'name',\n});\n\nconst cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = {\n catalogId: 'catalogId',\n dataCatalogEncryptionSettings: {\n connectionPasswordEncryption: {\n kmsKeyId: 'kmsKeyId',\n returnConnectionPasswordEncrypted: true,\n },\n encryptionAtRest: {\n catalogEncryptionMode : \"SSE-KMS\",\n catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',\n sseAwsKmsKeyId: 'sseAwsKmsKeyId',\n },\n },\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = {\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = {\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps3: glue.CfnJobProps = {\n name: 'name',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail2.ts",
"content": "import { aws_glue as glue } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', {\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', {\n name: 'name',\n});\n\nconst cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', {\n name: 'name',\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/pass.ts",
"content": "import {aws_glue as glue} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', {\n crawlerSecurityConfiguration: 'securityConfiguration',\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', {\n securityConfiguration: 'securityConfiguration',\n name: 'name',\n});\n\nconst cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', {\n securityConfiguration: 'securityConfiguration',\n name: 'name',\n});\n\nconst cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = {\n name: 'name',\n crawlerSecurityConfiguration: 'securityConfiguration',\n};\n\nconst cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = {\n name: 'name',\n securityConfiguration: 'securityConfiguration',\n};\n\nconst cfnSecurityConfigurationProps3: glue.CfnJobProps = {\n name: 'name',\n securityConfiguration: 'securityConfiguration',\n};\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts",
"content": "import { aws_iam as iam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: iam.PolicyProps = {\n statements: [{}],\n users: [{}]\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts",
"content": "import { aws_iam as iam } from 'aws-cdk-lib';\n\nconst a = new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: ['Arn'],\n })],\n users: ['sdsd']\n});\n\nconst b = new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: ['Arn'],\n })],\n});\nconsole.log('dsd')\nb.attachToUser({})\n\nconst c = new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: ['Arn'],\n })],\n});\nc.attachToUser({})"
},
{
"path": "cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts",
"content": "import { aws_iam as iam } from 'aws-cdk-lib';\n\nconst a = new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: ['Arn'],\n })],\n});\n\nconst cfnSecurityConfigurationProps1: iam.PolicyProps = {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: ['Arn'],\n })],\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts",
"content": "import { aws_kinesis as kinesis } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = {\n streamEncryption: { encryptionType: \"None\", keyId: \"dfdf\"},\n name: 'name',\n};\n\nconst cfnSecurityConfigurationProps2: kinesis.CfnStreamProps = {\n name: 'name',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts",
"content": "import { aws_kinesis as kinesis } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', {\n streamEncryption: { encryptionType: \"None\", keyId: \"dfdf\"},\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', {\n name: 'name',\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts",
"content": "import { aws_kinesis as kinesis } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = {\n streamEncryption: { encryptionType: \"KMS\", keyId: \"dfdf\"},\n name: 'name',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n};\n\nconst cfnSecurityConfigurationProps1: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n};\n\nconst cfnSecurityConfigurationProps2: sam.CfnFunctionProps = {\n name: 'name',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n deadLetterQueue: {},\n deadLetterQueueEnabled: true,\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n deadLetterConfig: {},\n});\n\nconst cfnSecurityConfiguration2 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n deadLetterQueue: {},\n});"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n }\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n }\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {}\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\"\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\"\n});\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {}\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\"\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\"\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n }\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n },\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n }\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n }\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {},\n \"reservedConcurrentExecutions\": 1,\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n});\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {},\n reservedConcurrentExecutions: 1,\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n }\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts",
"content": "import { aws_lambda as lambda } from 'aws-cdk-lib';\nimport { aws_sam as sam } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n }\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n }\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts",
"content": "import {aws_lambda as lambda} from 'aws-cdk-lib';\nimport {aws_sam as sam} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {},\n \"vpc\": {},\n});\n\nconst cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n vpcConfig: {},\n});\n\nconst cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {\n role: \"\",\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n vpcConfig: {},\n});\n\nconst cfnSecurityConfigurationProps1: lambda.FunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n \"bla\": \"bla\",\n },\n environmentEncryption: {},\n reservedConcurrentExecutions: 1,\n};\n\nconst cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {\n name: 'name',\n role: \"\",\n environment: {\n variables: {\n \"bla\": \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n};\n\nconst cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {\n name: 'name',\n environment: {\n variables: {\n bla: \"bla\",\n }\n },\n kmsKeyArn: \"arn\",\n reservedConcurrentExecutions: 1,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts",
"content": "import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';\n\nconst cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {\n imageId: 'imageId',\n instanceType: 'instanceType',\n\n // the properties below are optional\n associatePublicIpAddress: false,\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n\n // the properties below are optional\n ebs: {\n deleteOnTermination: false,\n encrypted: false,\n iops: 123,\n snapshotId: 'snapshotId',\n throughput: 123,\n volumeSize: 123,\n volumeType: 'volumeType',\n },\n noDevice: false,\n virtualName: 'virtualName',\n }],\n classicLinkVpcId: 'classicLinkVpcId',\n classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],\n ebsOptimized: false,\n iamInstanceProfile: 'iamInstanceProfile',\n instanceId: 'instanceId',\n instanceMonitoring: false,\n kernelId: 'kernelId',\n keyName: 'keyName',\n launchConfigurationName: 'launchConfigurationName',\n metadataOptions: {\n httpEndpoint: 'httpEndpoint',\n httpPutResponseHopLimit: 123,\n httpTokens: 'httpTokens',\n },\n placementTenancy: 'placementTenancy',\n ramDiskId: 'ramDiskId',\n securityGroups: ['securityGroups'],\n spotPrice: 'spotPrice',\n userData: 'userData',\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts",
"content": "import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {\n imageId: 'imageId',\n instanceType: 'instanceType',\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n\n // the properties below are optional\n ebs: {\n deleteOnTermination: false,\n encrypted: false,\n iops: 123,\n snapshotId: 'snapshotId',\n throughput: 123,\n volumeSize: 123,\n volumeType: 'volumeType',\n },\n noDevice: false,\n virtualName: 'virtualName',\n }],\n});\n\nconst cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {\n blockDeviceMappings: [{\n ebs: {\n encrypted: false,\n },\n }],\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts",
"content": "import { aws_autoscaling as autoscaling } from 'aws-cdk-lib';\n\nconst cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {\n imageId: 'imageId',\n instanceType: 'instanceType',\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n\n // the properties below are optional\n ebs: {\n deleteOnTermination: false,\n encrypted: true,\n iops: 123,\n snapshotId: 'snapshotId',\n throughput: 123,\n volumeSize: 123,\n volumeType: 'volumeType',\n },\n noDevice: false,\n virtualName: 'virtualName',\n }],\n});\n\nconst cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {\n imageId: 'imageId',\n instanceType: 'instanceType',\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n\n // the properties below are optional\n ebs: {\n deleteOnTermination: false,\n iops: 123,\n snapshotId: 'snapshotId',\n throughput: 123,\n volumeSize: 123,\n volumeType: 'volumeType',\n },\n noDevice: false,\n virtualName: 'virtualName',\n }],\n});\n\nconst cfnSecurityConfiguration3 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {\n imageId: 'imageId',\n instanceType: 'instanceType',\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n noDevice: false,\n virtualName: 'virtualName',\n }],\n});\n\nconst cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {\n imageId: 'imageId',\n instanceType: 'instanceType',\n\n // the properties below are optional\n associatePublicIpAddress: false,\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n\n // the properties below are optional\n ebs: {\n deleteOnTermination: false,\n encrypted: true,\n iops: 123,\n snapshotId: 'snapshotId',\n throughput: 123,\n volumeSize: 123,\n volumeType: 'volumeType',\n },\n noDevice: false,\n virtualName: 'virtualName',\n }],\n classicLinkVpcId: 'classicLinkVpcId',\n classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],\n ebsOptimized: false,\n iamInstanceProfile: 'iamInstanceProfile',\n instanceId: 'instanceId',\n instanceMonitoring: false,\n kernelId: 'kernelId',\n keyName: 'keyName',\n launchConfigurationName: 'launchConfigurationName',\n metadataOptions: {\n httpEndpoint: 'httpEndpoint',\n httpPutResponseHopLimit: 123,\n httpTokens: 'httpTokens',\n },\n placementTenancy: 'placementTenancy',\n ramDiskId: 'ramDiskId',\n securityGroups: ['securityGroups'],\n spotPrice: 'spotPrice',\n userData: 'userData',\n};\n\nconst cfnSecurityConfigurationProps2: autoscaling.CfnLaunchConfigurationProps = {\n imageId: 'imageId',\n instanceType: 'instanceType',\n\n // the properties below are optional\n associatePublicIpAddress: false,\n blockDeviceMappings: [{\n deviceName: 'deviceName',\n noDevice: false,\n virtualName: 'virtualName',\n }],\n classicLinkVpcId: 'classicLinkVpcId',\n classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],\n ebsOptimized: false,\n iamInstanceProfile: 'iamInstanceProfile',\n instanceId: 'instanceId',\n instanceMonitoring: false,\n kernelId: 'kernelId',\n keyName: 'keyName',\n launchConfigurationName: 'launchConfigurationName',\n metadataOptions: {\n httpEndpoint: 'httpEndpoint',\n httpPutResponseHopLimit: 123,\n httpTokens: 'httpTokens',\n },\n placementTenancy: 'placementTenancy',\n ramDiskId: 'ramDiskId',\n securityGroups: ['securityGroups'],\n spotPrice: 'spotPrice',\n userData: 'userData',\n};\n\nconst cfnSecurityConfigurationProps3: autoscaling.CfnLaunchConfigurationProps = {\n imageId: 'imageId',\n instanceType: 'instanceType',\n\n // the properties below are optional\n associatePublicIpAddress: false,\n classicLinkVpcId: 'classicLinkVpcId',\n classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],\n ebsOptimized: false,\n iamInstanceProfile: 'iamInstanceProfile',\n instanceId: 'instanceId',\n instanceMonitoring: false,\n kernelId: 'kernelId',\n keyName: 'keyName',\n launchConfigurationName: 'launchConfigurationName',\n metadataOptions: {\n httpEndpoint: 'httpEndpoint',\n httpPutResponseHopLimit: 123,\n httpTokens: 'httpTokens',\n },\n placementTenancy: 'placementTenancy',\n ramDiskId: 'ramDiskId',\n securityGroups: ['securityGroups'],\n spotPrice: 'spotPrice',\n userData: 'userData',\n};\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts",
"content": "import { aws_neptune as neptune } from 'aws-cdk-lib';\n\nconst cfnDBCluster1: neptune.CfnDBClusterProps = {\n associatedRoles: [{\n roleArn: 'roleArn',\n\n // the properties below are optional\n featureName: 'featureName',\n }],\n availabilityZones: ['availabilityZones'],\n backupRetentionPeriod: 123,\n copyTagsToSnapshot: false,\n dbClusterIdentifier: 'dbClusterIdentifier',\n dbClusterParameterGroupName: 'dbClusterParameterGroupName',\n dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',\n dbPort: 123,\n dbSubnetGroupName: 'dbSubnetGroupName',\n deletionProtection: false,\n enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],\n engineVersion: 'engineVersion',\n iamAuthEnabled: false,\n kmsKeyId: 'kmsKeyId',\n preferredBackupWindow: 'preferredBackupWindow',\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n restoreToTime: 'restoreToTime',\n restoreType: 'restoreType',\n serverlessScalingConfiguration: {\n maxCapacity: 123,\n minCapacity: 123,\n },\n snapshotIdentifier: 'snapshotIdentifier',\n sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',\n storageEncrypted: false,\n tags: [{\n key: 'key',\n value: 'value',\n }],\n useLatestRestorableTime: false,\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n});\n\nconst cfnDBCluster2: neptune.CfnDBClusterProps = {\n storageEncrypted: false,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts",
"content": "import { aws_neptune as neptune } from 'aws-cdk-lib';\n\nconst cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {\n associatedRoles: [{\n roleArn: 'roleArn',\n\n // the properties below are optional\n featureName: 'featureName',\n }],\n availabilityZones: ['availabilityZones'],\n backupRetentionPeriod: 123,\n copyTagsToSnapshot: false,\n dbClusterIdentifier: 'dbClusterIdentifier',\n dbClusterParameterGroupName: 'dbClusterParameterGroupName',\n dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',\n dbPort: 123,\n dbSubnetGroupName: 'dbSubnetGroupName',\n deletionProtection: false,\n enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],\n engineVersion: 'engineVersion',\n iamAuthEnabled: false,\n kmsKeyId: 'kmsKeyId',\n preferredBackupWindow: 'preferredBackupWindow',\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n restoreToTime: 'restoreToTime',\n restoreType: 'restoreType',\n serverlessScalingConfiguration: {\n maxCapacity: 123,\n minCapacity: 123,\n },\n snapshotIdentifier: 'snapshotIdentifier',\n sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',\n storageEncrypted: false,\n tags: [{\n key: 'key',\n value: 'value',\n }],\n useLatestRestorableTime: false,\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n});\n\nconst cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {\n storageEncrypted: false,\n});"
},
{
"path": "cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts",
"content": "import {aws_neptune as neptune} from 'aws-cdk-lib';\n\nconst cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {\n associatedRoles: [{\n roleArn: 'roleArn',\n\n // the properties below are optional\n featureName: 'featureName',\n }],\n availabilityZones: ['availabilityZones'],\n backupRetentionPeriod: 123,\n copyTagsToSnapshot: false,\n dbClusterIdentifier: 'dbClusterIdentifier',\n dbClusterParameterGroupName: 'dbClusterParameterGroupName',\n dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',\n dbPort: 123,\n dbSubnetGroupName: 'dbSubnetGroupName',\n deletionProtection: false,\n enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],\n engineVersion: 'engineVersion',\n iamAuthEnabled: false,\n kmsKeyId: 'kmsKeyId',\n preferredBackupWindow: 'preferredBackupWindow',\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n restoreToTime: 'restoreToTime',\n restoreType: 'restoreType',\n serverlessScalingConfiguration: {\n maxCapacity: 123,\n minCapacity: 123,\n },\n snapshotIdentifier: 'snapshotIdentifier',\n sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',\n storageEncrypted: true,\n tags: [{\n key: 'key',\n value: 'value',\n }],\n useLatestRestorableTime: false,\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n});\n\nconst cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {\n storageEncrypted: true,\n});\n\nconst cfnDBCluster4: neptune.CfnDBClusterProps = {\n associatedRoles: [{\n roleArn: 'roleArn',\n\n // the properties below are optional\n featureName: 'featureName',\n }],\n availabilityZones: ['availabilityZones'],\n backupRetentionPeriod: 123,\n copyTagsToSnapshot: false,\n dbClusterIdentifier: 'dbClusterIdentifier',\n dbClusterParameterGroupName: 'dbClusterParameterGroupName',\n dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',\n dbPort: 123,\n dbSubnetGroupName: 'dbSubnetGroupName',\n deletionProtection: false,\n enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],\n engineVersion: 'engineVersion',\n iamAuthEnabled: false,\n kmsKeyId: 'kmsKeyId',\n preferredBackupWindow: 'preferredBackupWindow',\n preferredMaintenanceWindow: 'preferredMaintenanceWindow',\n restoreToTime: 'restoreToTime',\n restoreType: 'restoreType',\n serverlessScalingConfiguration: {\n maxCapacity: 123,\n minCapacity: 123,\n },\n snapshotIdentifier: 'snapshotIdentifier',\n sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',\n storageEncrypted: true,\n tags: [{\n key: 'key',\n value: 'value',\n }],\n useLatestRestorableTime: false,\n vpcSecurityGroupIds: ['vpcSecurityGroupIds'],\n});\n\nconst cfnDBCluster5: neptune.CfnDBClusterProps = {\n storageEncrypted: true,\n};\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts",
"content": "import {aws_rds as rds} from 'aws-cdk-lib';\n\nconst instance2 = new rds.DatabaseInstance(this, \"PostgresInstance2\", {\n engine: rds.DatabaseInstanceEngine.POSTGRES,\n credentials: {\n username: 'username',\n password: 'password'\n },\n monitoringInterval: 0,\n});\n\nconst instance1 = new rds.DatabaseInstance(this, \"PostgresInstance2\", {\n engine: rds.DatabaseInstanceEngine.POSTGRES,\n credentials: {\n username: 'username',\n password: 'password'\n },\n monitoringInterval: -1,\n});\n\nconst instance3 = new rds.DatabaseInstance(this, \"PostgresInstance2\", {\n engine: rds.DatabaseInstanceEngine.POSTGRES,\n credentials: {\n username: 'username',\n password: 'password'\n },\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts",
"content": "import {aws_rds as rds} from 'aws-cdk-lib';\n\nconst instance2 = new rds.DatabaseInstance(this, \"PostgresInstance2\", {\n engine: rds.DatabaseInstanceEngine.POSTGRES,\n credentials: {\n username: 'username',\n password: 'password'\n },\n monitoringInterval: 1,\n});\n\nconst instance1 = new rds.DatabaseInstance(this, \"PostgresInstance2\", {\n engine: rds.DatabaseInstanceEngine.POSTGRES,\n credentials: {\n username: 'username',\n password: 'password'\n },\n monitoringInterval: 322424,\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts",
"content": "// SOURCE\nimport { DatabaseInstance } from '@aws-cdk/aws-rds';\n\n// SINK\n// SINK: Vulnerability found due to missing Multi-AZ setting\nnew DatabaseInstance(stack, 'MyDatabaseInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),\n vpc\n // missing Multi-AZ setting\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts",
"content": "// SOURCE\nimport { DatabaseInstance } from '@aws-cdk/aws-rds';\n\n// SINK\n// SINK: Vulnerability found due to missing Multi-AZ setting\nnew DatabaseInstance(stack, 'MyDatabaseInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),\n vpc,\n multiAZ: true\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts",
"content": "// SOURCE\nimport { DatabaseInstance } from '@aws-cdk/aws-rds';\n\n// SINK\n// SINK: Vulnerability found due to publicly accessible setting\nnew DatabaseInstance(stack, 'MyDatabaseInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),\n vpc\n // publicly accessible setting missing\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts",
"content": "// SOURCE\nimport { DatabaseInstance } from '@aws-cdk/aws-rds';\n\n// SINK\nnew DatabaseInstance(stack, 'MyDatabaseInstance', {\n instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),\n vpc, publicly_accessible: true\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as redshift from 'aws-cdk-lib/aws-redshift';\n\nclass MyRedshiftClusterParameterGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define Redshift Cluster Parameter Group with require_ssl parameter\n new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {\n description: 'My Redshift Parameter Group',\n parameterGroupFamily: 'redshift-1.0',\n parameters: [\n {\n parameterName: 'require_ssl',\n parameterValue: 'false',\n },\n // Add other parameters if needed\n ],\n });\n }\n}\n\nconst app = new cdk.App();\nnew MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');\napp.synth();\n\nclass MyRedshiftClusterParameterGroupStack2 extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define Redshift Cluster Parameter Group with abc parameter\n new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup2', {\n description: 'My Redshift Parameter Group 2',\n parameterGroupFamily: 'redshift-1.0',\n });\n }\n}\n\nnew MyRedshiftClusterParameterGroupStack2(app, 'MyRedshiftClusterParameterGroupStack2');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as redshift from 'aws-cdk-lib/aws-redshift';\n\nclass MyRedshiftClusterParameterGroupStack extends cdk.Stack {\n constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n // Define Redshift Cluster Parameter Group with require_ssl parameter\n new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {\n description: 'My Redshift Parameter Group',\n parameterGroupFamily: 'redshift-1.0',\n parameters: [\n {\n parameterName: 'require_ssl',\n parameterValue: 'true',\n },\n // Add other parameters if needed\n ],\n });\n }\n}\n\nconst app = new cdk.App();\nnew MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail__2__.ts",
"content": "import * as redshift from '@aws-cdk/aws-redshift-alpha';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Stack, App } from 'aws-cdk-lib';\n\nconst app = new App();\nconst stack = new Stack(app, 'RedshiftStack');\n\n// Create a VPC\nconst vpc = new ec2.Vpc(stack, 'Vpc', {\n maxAzs: 2\n});\n\n// Create a KMS key for encryption\nconst kmsKey = new kms.Key(stack, 'KmsKey');\n\nconst cluster = new redshift.Cluster(stack, 'MyCluster', {\n masterUser: {\n masterUsername: 'admin',\n },\n vpc,\n});\n\nimport * as redshift from 'aws-cdk-lib/aws_redshift';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Stack, App } from 'aws-cdk-lib';\n\nconst app = new App();\nconst stack = new Stack(app, 'RedshiftStack');\n\n// Create a VPC\nconst vpc = new ec2.Vpc(stack, 'Vpc', {\n maxAzs: 2\n});\n\n// Create a KMS key for encryption\nconst kmsKey = new kms.Key(stack, 'KmsKey');\n\nconst cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {\n clusterType: 'multi-node',\n dbName: 'mydatabase',\n masterUsername: 'admin',\n masterUserPassword: 'password',\n nodeType: 'ds2.xlarge',\n numberOfNodes: 3,\n kmsKeyId: kmsKey.keyArn, // Use the specific KMS key\n vpcSecurityGroupIds: [ /* security group IDs */ ],\n clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts",
"content": "import * as redshift from '@aws-cdk/aws-redshift-alpha';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Stack, App } from 'aws-cdk-lib';\n\nconst app = new App();\nconst stack = new Stack(app, 'RedshiftStack');\n\n// Create a VPC\nconst vpc = new ec2.Vpc(stack, 'Vpc', {\n maxAzs: 2\n});\n\n// Create a KMS key for encryption\nconst kmsKey = new kms.Key(stack, 'KmsKey');\n\nconst cluster = new redshift.Cluster(stack, 'MyCluster', {\n masterUser: {\n masterUsername: 'admin',\n },\n vpc,\n encryption: true,\n});\n\nimport * as redshift from 'aws-cdk-lib/aws_redshift';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Stack, App } from 'aws-cdk-lib';\n\nconst app = new App();\nconst stack = new Stack(app, 'RedshiftStack');\n\n// Create a VPC\nconst vpc = new ec2.Vpc(stack, 'Vpc', {\n maxAzs: 2\n});\n\n// Create a KMS key for encryption\nconst kmsKey = new kms.Key(stack, 'KmsKey');\n\nconst cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {\n clusterType: 'multi-node',\n dbName: 'mydatabase',\n masterUsername: 'admin',\n masterUserPassword: 'password',\n nodeType: 'ds2.xlarge',\n numberOfNodes: 3,\n encryption: true,\n kmsKeyId: kmsKey.keyArn, // Use the specific KMS key\n vpcSecurityGroupIds: [ /* security group IDs */ ],\n clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],\n});\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\n// SINK: Vulnerability found due to missing logging enabled\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc\n // logging enabled missing\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\n// SINK: Vulnerability found due to missing logging enabled\nlet bucketName;\nlet stack;\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}\n // logging enabled missing\n});"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\n// SINK: Vulnerability found due to publicly accessible cluster\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc,\n publiclyAccessible: true, // publicly accessible cluster\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\n// SINK: Vulnerability found due to publicly accessible cluster\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc,\n publiclyAccessible: false,\n});\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\n// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc: vpc\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts",
"content": "// SOURCE\nimport { Cluster } from '@aws-cdk/aws-redshift';\n\n// SINK\nnew Cluster(stack, 'MyRedshiftCluster', {\n masterUser: {\n masterUsername: 'admin',\n masterPassword: 'password',\n },\n vpc: vpc,\n clusterSubnetGroupName: 'name'\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new s3.Bucket(stack, 'MyBucket', {\n blockPublicAccess: s3.BlockPublicAccess.IGNORE_ACLS,\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY,\n autoDeleteObjects: true,\n});\n\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__3__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new Bucket(stack, 'MyBucket', {\n blockPublicAccess: BlockPublicAccess.IGNORE_ACLS,\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY,\n autoDeleteObjects: true,\n});\n\nconst bucket2 = new Bucket(stack, 'MyBucket', {\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY,\n autoDeleteObjects: true,\n});\n\napp.synth();\n\nimport * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new s3.CfnBucket(stack, 'MyBucket', {\n bucketName: 'my-bucket-name', // Optional: Specify a bucket name\n versioningConfiguration: {\n status: 'Enabled',\n },\n publicAccessBlockConfiguration: {\n blockPublicAcls: false, // Only block public ACLs\n ignorePublicAcls: true,\n },\n});\n\nbucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);\n\napp.synth();\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new s3.Bucket(stack, 'MyBucket', {\n blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code\n autoDeleteObjects: true, // NOT recommended for production code\n});\n\nconst bucket2 = new s3.Bucket(stack, 'MyBucket', {\n blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Only block public ACLs\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code\n autoDeleteObjects: true, // NOT recommended for production code\n});\n\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new Bucket(stack, 'MyBucket', {\n blockPublicAccess: BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code\n autoDeleteObjects: true, // NOT recommended for production code\n});\n\nconst bucket2 = new Bucket(stack, 'MyBucket', {\n blockPublicAccess: BlockPublicAccess.BLOCK_ALL, // Only block public ACLs\n versioned: true,\n removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code\n autoDeleteObjects: true, // NOT recommended for production code\n});\n\napp.synth();\n\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass3.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Stack, App } from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nconst app = new App();\nconst stack = new Stack(app, 'S3BucketStack');\n\n// Create an S3 bucket with blockPublicAcls enabled\nconst bucket = new s3.CfnBucket(stack, 'MyBucket', {\n bucketName: 'my-bucket-name', // Optional: Specify a bucket name\n versioningConfiguration: {\n status: 'Enabled',\n },\n publicAccessBlockConfiguration: {\n blockPublicAcls: true, // Only block public ACLs\n ignorePublicAcls: true,\n },\n});\n\n// Add deletion policy to the bucket\nbucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY); // NOT recommended for production code\n\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts",
"content": "// FINDING\nimport { Bucket } from '@aws-cdk/aws-s3';\n\n// SINK\n// SINK: Vulnerability found due to S3 bucket missing block public policy\nnew Bucket(stack, 'MyBucket', {\n publicReadAccess: true, // This should be 'false' to block public policy\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts",
"content": "// FINDING\nimport { Bucket } from '@aws-cdk/aws-s3';\n\n// SINK\n// SINK: Vulnerability found due to S3 bucket missing block public policy\nnew Bucket(stack, 'MyBucket', {\n publicReadAccess: false, // This should be 'false' to block public policy\n});\nnew Bucket(stack, 'MyBucket', {\n random_param: false,\n});\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketEncryption/fail2__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new Bucket(this, 'example', {});\n\n const fail2 = new Bucket(this, 'example', {\n encryption: BucketEncryption.UNENCRYPTED\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketEncryption/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new s3.Bucket(this, 'example', {});\n\n const fail2 = new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.UNENCRYPTED\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.S3_MANAGED,\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketEncryption/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new Bucket(this, 'example', {\n encryption: BucketEncryption.KMS\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail2__3__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new Bucket(this, 'example', {});\n\n const fail2 = new Bucket(this, 'example', {\n encryption: BucketEncryption.UNENCRYPTED\n });\n\n const fail3 = new Bucket(this, 'example', {\n encryption: BucketEncryption.S3_MANAGED\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketKMSEncryption/fail__3__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new s3.Bucket(this, 'example', {});\n\n const fail2 = new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.UNENCRYPTED\n });\n\n const fail3 = new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.S3_MANAGED\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.KMS_MANAGED\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketKMSEncryption/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new Bucket(this, 'example', {\n encryption: BucketEncryption.KMS\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketLogging/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new s3.Bucket(this, 'example', {});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketLogging/fail2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new Bucket(this, 'example', {});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketLogging/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new s3.Bucket(this, 'example', {\n // this would normally reference another bucket, but then I can't separate the tests\n serverAccessLogsBucket: bucket\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketLogging/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new Bucket(this, 'example', {\n // this would normally reference another bucket, but then I can't separate the tests\n serverAccessLogsBucket: bucket\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new s3.Bucket(this, 'example', {});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/fail2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new Bucket(this, 'example', {});\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new s3.Bucket(this, 'example', {\n blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketPublicAccessBlock/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new Bucket(this, 'example', {\n blockPublicAccess: BlockPublicAccess.BLOCK_ALL\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketVersioning/fail2__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new Bucket(this, 'example', {});\n\n const fail2 = new Bucket(this, 'example', {\n versioned: false\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketVersioning/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const fail = new s3.Bucket(this, 'example', {});\n\n const fail2 = new s3.Bucket(this, 'example', {\n versioned: false\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketVersioning/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new s3.Bucket(this, 'example', {\n versioned: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3BucketVersioning/pass2.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n const pass = new Bucket(this, 'example', {\n versioned: true\n });\n }\n}\n\nconst app = new cdk.App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nclass S3BucketExampleStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n // Bucket with PUBLIC_READ access - Match\n new s3.Bucket(this, 'MyPublicReadBucket', {\n accessControl: s3.BucketAccessControl.PUBLIC_READ,\n });\n\n new s3.Bucket(this, 'MyPrivateReadBucket');\n\n // Bucket with PUBLIC_READ_WRITE access\n new s3.Bucket(this, 'MyPublicReadWriteBucket', {\n accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE,\n });\n\n // Bucket with publicReadAccess set to true\n new s3.Bucket(this, 'MyPublicReadAccessBucket', {\n publicReadAccess: true,\n });\n\n // Bucket with publicReadAccess set to true\n new s3.Bucket(this, 'MyPublicReadAccessBucket', {\n publicReadAccess: false,\n });\n }\n}\n\nconst app = new App();\nnew S3BucketExampleStack(app, 'S3BucketExampleStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts",
"content": "import { App, Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nclass S3BucketExampleStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n // Bucket with PUBLIC_READ access - Match\n new s3.Bucket(this, 'MyPublicReadBucket');\n\n new s3.Bucket(this, 'MyPrivateReadBucket');\n\n // Bucket with PUBLIC_READ_WRITE access\n new s3.Bucket(this, 'MyPublicReadWriteBucket', {\n accessControl: s3.BucketAccessControl.Private,\n });\n\n // Bucket with publicReadAccess set to true\n new s3.Bucket(this, 'MyPublicReadAccessBucket', {});\n\n // Bucket with publicReadAccess set to true\n new s3.Bucket(this, 'MyPublicReadAccessBucket', {\n publicReadAccess: false,\n });\n }\n}\n\nconst app = new App();\nnew S3BucketExampleStack(app, 'S3BucketExampleStack');\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nclass S3BucketWithPublicAccessStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new s3.Bucket(this, 'aaa', {\n versioned: false, // You can enable versioning if needed\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy\n blockPublicAccess: new s3.BlockPublicAccess({\n blockPublicAcls: true,\n blockPublicPolicy: true,\n ignorePublicAcls: true,\n restrictPublicBuckets: false,\n }),\n });\n }\n}\n\nclass PublicS3BucketStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new s3.CfnBucket(this, 'PublicBucket', {\n versioningConfiguration: {\n status: 'Suspended', // You can enable versioning if needed\n },\n publicAccessBlockConfiguration: {\n blockPublicAcls: true,\n blockPublicPolicy: true,\n ignorePublicAcls: true,\n restrictPublicBuckets: false,\n },\n });\n }\n}\n\nconst app = new cdk.App();\nnew S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');\nnew PublicS3BucketStack(app, 'PublicS3BucketStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts",
"content": "import * as cdk from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport * as s3 from 'aws-cdk-lib/aws-s3';\n\nclass S3BucketWithPublicAccessStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new s3.Bucket(this, 'aaa', {\n versioned: false, // You can enable versioning if needed\n removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy\n blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Enforce all public access restrictions\n });\n }\n}\n\nclass PublicS3BucketStack extends cdk.Stack {\n constructor(scope: Construct, id: string, props?: cdk.StackProps) {\n super(scope, id, props);\n\n new s3.CfnBucket(this, 'PublicBucket', {\n versioningConfiguration: {\n status: 'Suspended', // You can enable versioning if needed\n },\n publicAccessBlockConfiguration: {\n blockPublicAcls: true,\n blockPublicPolicy: true,\n ignorePublicAcls: true,\n restrictPublicBuckets: true,\n },\n });\n }\n}\n\nconst app = new cdk.App();\nnew S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');\nnew PublicS3BucketStack(app, 'PublicS3BucketStack');\napp.synth();"
},
{
"path": "cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as sns from 'aws-cdk-lib/aws-sns';\nimport { Construct } from 'constructs';\n\nclass MyStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n new sns.Topic(this, 'Topic', {\n topicName: 'my-topic',\n });\n }\n}\n\nconst app = new App();\nnew MyStack(app, 'MyStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as sns from 'aws-cdk-lib/aws-sns';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport { Construct } from 'constructs';\n\nclass MyStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Create a new KMS Key\n const key = new kms.Key(this, 'MyKey');\n\n // Create a new SNS Topic using the KMS Key for encryption\n new sns.Topic(this, 'Topic', {\n topicName: 'my-topic',\n masterKey: key,\n });\n }\n}\n\nconst app = new App();\nnew MyStack(app, 'MyStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport * as sqs from 'aws-cdk-lib/aws-sqs';\n\nclass SqsQueueWithKmsKeyStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n new sqs.Queue(this, \"MySqsQueue\", {\n encryption: sqs.QueueEncryption.KMS,\n visibilityTimeout: cdk.Duration.seconds(300) // Other properties for the queue\n });\n }\n}\n\nconst app = new App();\nnew SqsQueueWithKmsKeyStack(app, \"SqsQueueWithKmsKeyStack\");\napp.synth();\n\nclass SqsQueueWithKmsKeyIdStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n var mySqs = new sqs.CfnQueue(this, \"MySqsQueue\", {\n visibilityTimeout: 300 // Other properties for the queue\n // Specify the KMS key ID if needed here, e.g., kmsMasterKeyId: 'alias/aws/sqs'\n });\n }\n}\n\nconst app2 = new App();\nnew SqsQueueWithKmsKeyIdStack(app2, \"SqsQueueWithKmsKeyIdStack\");\napp2.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as sqs from 'aws-cdk-lib/aws-sqs';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport * as cfn from 'aws-cdk-lib/aws-cloudformation';\nimport { Construct } from 'constructs';\n\nclass SqsQueueWithKmsKeyStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Create a KMS key for encryption\n const kmsKey = new kms.Key(this, 'MyKmsKey', {\n enableKeyRotation: true,\n });\n\n // Create an SQS queue with KMS encryption\n new sqs.Queue(this, 'MySqsQueue', {\n encryption: sqs.QueueEncryption.KMS,\n encryptionMasterKey: kmsKey,\n visibilityTimeout: cdk.Duration.seconds(300), // Other properties for the queue\n });\n }\n}\n\nconst app = new App();\nnew SqsQueueWithKmsKeyStack(app, 'SqsQueueWithKmsKeyStack');\napp.synth();\n\n\nclass SqsQueueWithKmsKeyIdStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define a custom KMS key\n const kmsKey = new cfn.CfnCustomResource(this, 'MyKmsKeyResource', {\n serviceToken: 'arn:aws:lambda:::function/',\n // Add other properties as needed\n });\n\n // Define an SQS queue with a specific KmsMasterKeyId\n new sqs.CfnQueue(this, 'MySqsQueue', {\n kmsMasterKeyId: kmsKey.getAtt('KmsKeyId').toString(),\n visibilityTimeout: 300, // Other properties for the queue\n });\n }\n}\n\nconst app2 = new App();\nnew SqsQueueWithKmsKeyIdStack(app2, 'SqsQueueWithKmsKeyIdStack');\napp2.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport { Construct } from 'constructs';\n\nclass MySecretsStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define a SecretsManager secret with KMS key ID\n const mySecret = new secretsmanager.Secret(this, 'MySecret', {\n secretName: 'MySecretName',\n encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'),\n });\n }\n}\n\nclass MySecretsStack2 extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define a SecretsManager secret without specifying KMS key ID\n const mySecret = new secretsmanager.Secret(this, 'MySecret', {\n secretName: 'MySecretName',\n });\n }\n}\n\nconst app = new App();\nnew MySecretsStack(app, \"MySecretsStack\");\nnew MySecretsStack2(app, \"MySecretsStack2\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';\nimport * as kms from 'aws-cdk-lib/aws-kms';\nimport { Construct } from 'constructs';\n\nclass MySecretsStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define a SecretsManager secret with KMS key ID\n const mySecret = new secretsmanager.Secret(this, 'MySecret', {\n secretName: 'MySecretName',\n encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'),\n });\n }\n}\n\n\nconst app = new App();\nnew MySecretsStack(app, \"MySecretsStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Construct } from 'constructs';\n\nclass MySecurityGroupStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group with Ingress\n const securityGroup = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {\n groupDescription: 'My security group',\n securityGroupIngress: [\n {\n description: 'Allow HTTP inbound',\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n },\n ],\n // Other properties for your Security Group\n });\n }\n}\n\nclass MySecurityGroupEgressStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group with Egress\n const securityGroupEgress = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {\n groupDescription: 'My security group',\n securityGroupEgress: [\n {\n description: 'Allow HTTP outbound',\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n },\n ],\n // Other properties for your Security Group\n });\n }\n}\n\nclass MySecurityGroupIngressStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group Ingress\n new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {\n groupId: 'your-security-group-id', // Replace with your Security Group ID\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n // Other properties for your Security Group Ingress\n });\n }\n}\n\nclass MySecurityGroupEgressStack2 extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group Egress\n new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {\n groupId: 'your-security-group-id', // Replace with your Security Group ID\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n // Other properties for your Security Group Egress\n });\n }\n}\n\nconst app = new App();\nnew MySecurityGroupStack(app, \"MySecurityGroupStack\");\nnew MySecurityGroupIngressStack(app, \"MySecurityGroupIngressStack\");\nnew MySecurityGroupEgressStack(app, \"MySecurityGroupEgressStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Construct } from 'constructs';\n\nclass MySecurityGroupStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group with Ingress Rules\n new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {\n groupDescription: 'My security group',\n securityGroupIngress: [\n {\n description: 'True',\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n },\n ],\n // Other properties for your Security Group\n });\n }\n}\n\nclass MySecurityGroupEgressStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group with Egress Rules\n new ec2.CfnSecurityGroup(this, 'MySecurityGroupEgress', {\n groupDescription: 'My security group',\n securityGroupEgress: [\n {\n description: 'True',\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n },\n ],\n // Other properties for your Security Group\n });\n }\n}\n\nclass MySecurityGroupIngressStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group Ingress\n new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {\n groupId: 'your-security-group-id', // Replace with your Security Group ID\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n description: 'abc',\n // Other properties for your Security Group Ingress\n });\n }\n}\n\nclass MySecurityGroupEgressStack2 extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define EC2 Security Group Egress\n new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {\n groupId: 'your-security-group-id', // Replace with your Security Group ID\n ipProtocol: 'tcp',\n fromPort: 80,\n toPort: 80,\n cidrIp: '0.0.0.0/0',\n description: 'abc',\n // Other properties for your Security Group Egress\n });\n }\n}\n\nconst app = new App();\nnew MySecurityGroupStack(app, \"MySecurityGroupStack\");\nnew MySecurityGroupEgressStack(app, \"MySecurityGroupEgressStack\");\nnew MySecurityGroupIngressStack(app, \"MySecurityGroupIngressStack\");\nnew MySecurityGroupEgressStack2(app, \"MySecurityGroupEgressStack2\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as transfer from 'aws-cdk-lib/aws-transfer';\nimport { Construct } from 'constructs';\n\nclass MyTransferServerStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define Transfer Server with EndpointType set to a custom value\n new transfer.CfnServer(this, 'MyTransferServer', {\n endpointType: 'abc', // Replace 'abc' with your endpoint type\n // Other properties as needed for your Transfer Server\n });\n }\n}\n\nconst app = new App();\nnew MyTransferServerStack(app, \"MyTransferServerStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as transfer from 'aws-cdk-lib/aws-transfer';\nimport { Construct } from 'constructs';\n\nclass MyTransferServerStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define Transfer Server with EndpointType set to VPC\n new transfer.CfnServer(this, 'MyTransferServer', {\n endpointType: 'VPC',\n // Other properties as needed for your Transfer Server\n });\n }\n}\n\nclass MyTransferServerStack2 extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define Transfer Server with EndpointType set to VPC_ENDPOINT\n new transfer.CfnServer(this, 'MyTransferServer2', {\n endpointType: 'VPC_ENDPOINT',\n // Other properties as needed for your Transfer Server\n });\n }\n}\n\nconst app = new App();\nnew MyTransferServerStack(app, \"MyTransferServerStack\");\nnew MyTransferServerStack2(app, \"MyTransferServerStack2\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Construct } from 'constructs';\n\nclass MyVpcEndpointServiceStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define VPC Endpoint Service with acceptance not required\n var x = new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService');\n\n const y = new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService', {\n acceptanceRequired: false,\n });\n }\n}\n\nconst app = new App();\nnew MyVpcEndpointServiceStack(app, \"MyVpcEndpointServiceStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as ec2 from 'aws-cdk-lib/aws-ec2';\nimport { Construct } from 'constructs';\n\nclass MyVpcEndpointServiceStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Define VPC Endpoint Service with acceptance not required\n new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService', {\n acceptanceRequired: true,\n // Other properties for your VPC Endpoint Service\n });\n }\n}\n\nconst app = new App();\nnew MyVpcEndpointServiceStack(app, \"MyVpcEndpointServiceStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport { Construct } from 'constructs';\n\nclass CloudFrontDistributionStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Create a CloudFront distribution\n new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n // Configure your cache behavior as needed\n viewerProtocolPolicy: 'allow-all', // Example configuration\n targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin\n forwardedValues: {\n queryString: true,\n cookies: { forward: 'none' },\n },\n },\n enabled: true,\n // Other distributionConfig properties as needed\n },\n });\n }\n}\n\nconst app = new App();\nnew CloudFrontDistributionStack(app, \"CloudFrontDistributionStack\");\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WAFEnabled/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as cloudfront from 'aws-cdk-lib/aws-cloudfront';\nimport * as wafv2 from 'aws-cdk-lib/aws-wafv2';\nimport { Construct } from 'constructs';\n\nclass CloudFrontDistributionStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Create a WebACL\n const webAcl = new wafv2.CfnWebACL(this, 'MyWebACL', {\n defaultAction: { allow: {} },\n scope: 'CLOUDFRONT',\n visibilityConfig: {\n cloudWatchMetricsEnabled: true,\n metricName: 'webAclMetric',\n sampledRequestsEnabled: true,\n },\n // Configure your WebACL as needed\n rules: [],\n });\n\n // Create a CloudFront distribution\n const distribution = new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {\n distributionConfig: {\n defaultCacheBehavior: {\n // Configure your cache behavior as needed\n viewerProtocolPolicy: 'allow-all', // Example configuration\n targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin\n forwardedValues: {\n queryString: false,\n cookies: { forward: 'none' },\n },\n },\n enabled: true,\n webAclId: webAcl.attrArn, // Set the WebACL association\n // Other distributionConfig properties as needed\n },\n });\n }\n}\n\nconst app = new App();\nnew CloudFrontDistributionStack(app, 'CloudFrontDistributionStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as workspaces from 'aws-cdk-lib/aws-workspaces';\nimport { Construct } from 'constructs';\n\nclass WorkSpacesStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Note: The creation of a WorkSpaces directory as depicted in the Python code isn't directly supported through AWS CDK as of my last update.\n // Typically, you would use an existing directory (like an AD Connector or a Simple AD).\n // However, let's assume we're associating the workspace with an existing directory for this example.\n\n // Create a WorkSpaces workspace with root volume encryption enabled\n new workspaces.CfnWorkspace(this, 'MyWorkspace', {\n directoryId: 'your-directory-id', // Replace with your actual directory ID\n userName: 'my-user',\n bundleId: 'wsb-12345678', // Replace with your actual bundle ID\n rootVolumeEncryptionEnabled: false,\n userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption\n // Workspace properties need to be defined here, if necessary.\n });\n }\n}\n\nconst app = new App();\nnew WorkSpacesStack(app, 'WorkSpacesStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as workspaces from 'aws-cdk-lib/aws-workspaces';\nimport { Construct } from 'constructs';\n\nclass WorkSpacesStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.\n const directoryId = 'your-directory-id';\n\n // Create a WorkSpaces workspace with root volume encryption enabled\n new workspaces.CfnWorkspace(this, 'MyWorkspace', {\n directoryId: directoryId, // Use the known Directory ID\n bundleId: 'wsb-12345678', // Replace with your actual bundle ID\n userName: 'my-user',\n rootVolumeEncryptionEnabled: true,\n userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption\n // Other properties for your Workspace as needed\n });\n }\n}\n\nconst app = new App();\nnew WorkSpacesStack(app, 'WorkSpacesStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as workspaces from 'aws-cdk-lib/aws-workspaces';\nimport { Construct } from 'constructs';\n\nclass WorkSpacesStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Note: The creation of a WorkSpaces directory as depicted in the Python code isn't directly supported through AWS CDK as of my last update.\n // Typically, you would use an existing directory (like an AD Connector or a Simple AD).\n // However, let's assume we're associating the workspace with an existing directory for this example.\n\n // Create a WorkSpaces workspace with root volume encryption enabled\n new workspaces.CfnWorkspace(this, 'MyWorkspace', {\n directoryId: 'your-directory-id', // Replace with your actual directory ID\n userName: 'my-user',\n bundleId: 'wsb-12345678', // Replace with your actual bundle ID\n rootVolumeEncryptionEnabled: false,\n userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption\n // Workspace properties need to be defined here, if necessary.\n });\n }\n}\n\nconst app = new App();\nnew WorkSpacesStack(app, 'WorkSpacesStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts",
"content": "import { App, Stack } from 'aws-cdk-lib';\nimport * as workspaces from 'aws-cdk-lib/aws-workspaces';\nimport { Construct } from 'constructs';\n\nclass WorkSpacesStack extends Stack {\n constructor(scope: Construct, id: string, props?: {}) {\n super(scope, id, props);\n\n // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.\n const directoryId = 'your-directory-id';\n\n // Create a WorkSpaces workspace with root volume encryption enabled\n new workspaces.CfnWorkspace(this, 'MyWorkspace', {\n directoryId: directoryId, // Use the known Directory ID\n bundleId: 'wsb-12345678', // Replace with your actual bundle ID\n userName: 'my-user',\n rootVolumeEncryptionEnabled: true,\n userVolumeEncryptionEnabled: true, // Set to true if you want user volume encryption\n // Other properties for your Workspace as needed\n });\n }\n}\n\nconst app = new App();\nnew WorkSpacesStack(app, 'WorkSpacesStack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/src/typescript/s3.ts",
"content": "import { App, Stack, StackProps } from \"aws-cdk-lib\";\nimport * as s3 from 'aws-cdk-lib/aws-s3';\nimport { Construct } from 'constructs';\n\nexport class exampleStack extends Stack {\n constructor(scope: Construct, id: string, props?: StackProps) {\n super(scope, id, props);\n\n new s3.Bucket(this, 'example', {\n encryption: s3.BucketEncryption.S3_MANAGED,\n });\n }\n}\n\nconst app = new App();\nnew exampleStack(app, 'example-stack');\napp.synth();\n"
},
{
"path": "cdk_integration_tests/test_checks_python.py",
"content": "from typing import Dict, Any, List\n\nimport pytest\n\nfrom cdk_integration_tests.utils import run_check, load_failed_checks_from_file\n\nLANGUAGE = 'python'\n\n\n@pytest.fixture(scope=\"session\", autouse=True)\ndef failed_checks() -> Dict[str, List[Dict[str, Any]]]:\n report_failed_checks = load_failed_checks_from_file(LANGUAGE)\n yield report_failed_checks\n\n\ndef test_CKV_AWS_18_S3BucketLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_18\", policy_name=\"S3BucketLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_19_S3BucketEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_19\", policy_name=\"S3BucketEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_21_S3BucketVersioning(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_21\", policy_name=\"S3BucketVersioning\", language=\"python\")\n\n\ndef test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_145\", policy_name=\"S3BucketKMSEncryption\", language=\"python\")\n\n\ndef test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV2_AWS_6\", policy_name=\"S3BucketPublicAccessBlock\", language=\"python\")\n\n\ndef test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_54\", policy_name=\"S3BlockPublicPolicy\", language=\"python\")\n\n\ndef test_CKV_AWS_26_SNSTopicEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_26\", policy_name=\"SNSTopicEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_20_S3PublicACLRead(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_20\", policy_name=\"S3PublicACLRead\", language=\"python\")\n\n\ndef test_CKV_AWS_55_S3IgnorePublicACLs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_55\", policy_name=\"S3IgnorePublicACLs\", language=\"python\")\n\n\ndef test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_56\", policy_name=\"S3RestrictPublicBuckets\", language=\"python\")\n\n\ndef test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_53\", policy_name=\"S3BlockPublicACLs\", language=\"python\")\n\n\ndef test_CKV_AWS_57_S3PublicACLWrite(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_57\", policy_name=\"S3PublicACLWrite\", language=\"python\")\n\n\ndef test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_115\", policy_name=\"LambdaFunctionLevelConcurrentExecutionLimit\", language=\"python\")\n\n\ndef test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_116\", policy_name=\"LambdaDLQConfigured\", language=\"python\")\n\n\ndef test_CKV_AWS_28_DynamodbRecovery(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_28\", policy_name=\"DynamodbRecovery\", language=\"python\")\n\n\ndef test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_158\", policy_name=\"CloudWatchLogGroupKMSKey\", language=\"python\")\n\n\ndef test_CKV_AWS_3_EBSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_3\", policy_name=\"EBSEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_120\", policy_name=\"APIGatewayCacheEnable\", language=\"python\")\n\n\ndef test_CKV_AWS_163_ECRImageScanning(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_163\", policy_name=\"ECRImageScanning\", language=\"python\")\n\n\ndef test_CKV_AWS_51_ECRImmutableTags(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_51\", policy_name=\"ECRImmutableTags\", language=\"python\")\n\n\ndef test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_44\", policy_name=\"NeptuneClusterStorageEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_166\", policy_name=\"BackupVaultEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_74_DocDBEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_74\", policy_name=\"DocDBEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_47_DAXEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_47\", policy_name=\"DAXEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_156\", policy_name=\"WorkspaceRootVolumeEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_155\", policy_name=\"WorkspaceUserVolumeEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_165\", policy_name=\"DynamodbGlobalTableRecovery\", language=\"python\")\n\n\ndef test_CKV_AWS_27_SQSQueueEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_27\", policy_name=\"SQSQueueEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_195\", policy_name=\"GlueSecurityConfigurationEnabled\", language=\"python\")\n\n\ndef test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_30\", policy_name=\"ElasticacheReplicationGroupEncryptionAtTransit\", language=\"python\")\n\n\ndef test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_29\", policy_name=\"ElasticacheReplicationGroupEncryptionAtRest\", language=\"python\")\n\n\ndef test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_43\", policy_name=\"KinesisStreamEncryptionType\", language=\"python\")\n\n\ndef test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_42\", policy_name=\"EFSEncryptionEnabled\", language=\"python\")\n\n\ndef test_CKV_AWS_193_AppSyncLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_193\", policy_name=\"AppSyncLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_194\", policy_name=\"AppSyncFieldLevelLogs\", language=\"python\")\n\n\ndef test_CKV_AWS_104_DocDBAuditLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_104\", policy_name=\"DocDBAuditLogs\", language=\"python\")\n\n\ndef test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_82\", policy_name=\"AthenaWorkgroupConfiguration\", language=\"python\")\n\n\ndef test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_17\", policy_name=\"RDSPubliclyAccessible\", language=\"python\")\n\n\ndef test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_87\", policy_name=\"RedshiftClusterPubliclyAccessible\", language=\"python\")\n\n\ndef test_CKV_AWS_69_AmazonMQBrokerPublicAccess(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_69\", policy_name=\"AmazonMQBrokerPublicAccess\", language=\"python\")\n\n\ndef test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_118\", policy_name=\"RDSEnhancedMonitorEnabled\", language=\"python\")\n\n\ndef test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_40\", policy_name=\"IAMPolicyAttachedToGroupOrRoles\", language=\"python\")\n\n\ndef test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_36\", policy_name=\"CloudTrailLogValidation\", language=\"python\")\n\n\ndef test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_83\", policy_name=\"ElasticsearchDomainEnforceHTTPS\", language=\"python\")\n\n\ndef test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_76\", policy_name=\"APIGatewayAccessLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_117_LambdaInVPC(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_117\", policy_name=\"LambdaInVPC\", language=\"python\")\n\n\ndef test_CKV_AWS_68_WAFEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_68\", policy_name=\"WAFEnabled\", language=\"python\")\n\n\ndef test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_64\", policy_name=\"RedshiftClusterEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_78\", policy_name=\"CodeBuildProjectEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_31\", policy_name=\"ElasticacheReplicationGroupEncryptionAtTransitAuthToken\", language=\"python\")\n\n\ndef test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_94\", policy_name=\"GlueDataCatalogEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_99\", policy_name=\"GlueSecurityConfiguration\", language=\"python\")\n\n\ndef test_CKV_AWS_105_RedShiftSSL(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_105\", policy_name=\"RedShiftSSL\", language=\"python\")\n\n\ndef test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_149\", policy_name=\"SecretManagerSecretEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_59\", policy_name=\"APIGatewayAuthorization\", language=\"python\")\n\n\ndef test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_89\", policy_name=\"DMSReplicationInstancePubliclyAccessible\", language=\"python\")\n\n\ndef test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_34\", policy_name=\"CloudfrontDistributionEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_95\", policy_name=\"APIGatewayV2AccessLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_86\", policy_name=\"CloudfrontDistributionLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_90_DocDBTLS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_90\", policy_name=\"DocDBTLS\", language=\"python\")\n\n\ndef test_CKV_AWS_174_CloudFrontTLS12(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_174\", policy_name=\"CloudFrontTLS12\", language=\"python\")\n\n\ndef test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_71\", policy_name=\"RedshiftClusterLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_92_ELBAccessLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_92\", policy_name=\"ELBAccessLogs\", language=\"python\")\n\n\ndef test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_67\", policy_name=\"CloudtrailMultiRegion\", language=\"python\")\n\n\ndef test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_91\", policy_name=\"ELBv2AccessLogs\", language=\"python\")\n\n\ndef test_CKV_AWS_164_TransferServerIsPublic(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_164\", policy_name=\"TransferServerIsPublic\", language=\"python\")\n\n\ndef test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_97\", policy_name=\"ECSTaskDefinitionEFSVolumeEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_123\", policy_name=\"VPCEndpointAcceptanceConfigured\", language=\"python\")\n\n\ndef test_CKV_AWS_35_CloudtrailEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_35\", policy_name=\"CloudtrailEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_154\", policy_name=\"RedshiftInEc2ClassicMode\", language=\"python\")\n\n\ndef test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_84\", policy_name=\"ElasticsearchDomainLogging\", language=\"python\")\n\n\ndef test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_136\", policy_name=\"ECRRepositoryEncrypted\", language=\"python\")\n\n\ndef test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_66\", policy_name=\"CloudWatchLogGroupRetention\", language=\"python\")\n\n\ndef test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_5\", policy_name=\"ElasticsearchEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_73_APIGatewayXray(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_73\", policy_name=\"APIGatewayXray\", language=\"python\")\n\n\ndef test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_6\", policy_name=\"ElasticsearchNodeToNodeEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_88_EC2PublicIP(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_88\", policy_name=\"EC2PublicIP\", language=\"python\")\n\n\ndef test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_8\", policy_name=\"LaunchConfigurationEBSEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_45\", policy_name=\"LambdaEnvironmentCredentials\", language=\"python\")\n\n\ndef test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_58\", policy_name=\"EKSSecretsEncryption\", language=\"python\")\n\n\ndef test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_65\", policy_name=\"ECSClusterContainerInsights\", language=\"python\")\n\n\ndef test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_131\", policy_name=\"ALBDropHttpHeaders\", language=\"python\")\n\n\ndef test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_2\", policy_name=\"ALBListenerHTTPS\", language=\"python\")\n\n\ndef test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_23\", policy_name=\"SecurityGroupRuleDescription\", language=\"python\")\n\n\ndef test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_173\", policy_name=\"LambdaEnvironmentEncryptionSettings\", language=\"python\")\n\n\ndef test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_157\", policy_name=\"RDSMultiAZEnabled\", language=\"python\")\n\n\ndef test_CKV_AWS_96_AuroraEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_96\", policy_name=\"AuroraEncryption\", language=\"python\")\n"
},
{
"path": "cdk_integration_tests/test_checks_typescript.py",
"content": "from typing import Dict, Any, List\n\nimport pytest\n\nfrom cdk_integration_tests.utils import run_check, load_failed_checks_from_file\n\nLANGUAGE = 'typescript'\n\n\n@pytest.fixture(scope=\"session\", autouse=True)\ndef failed_checks() -> Dict[str, List[Dict[str, Any]]]:\n report_failed_checks = load_failed_checks_from_file(LANGUAGE)\n yield report_failed_checks\n\n\ndef test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_131\", policy_name=\"ALBDropHttpHeaders\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_2\", policy_name=\"ALBListenerHTTPS\", language=\"typescript\")\n\n\ndef test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_59\", policy_name=\"APIGatewayAuthorization\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_76\", policy_name=\"APIGatewayAccessLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_120\", policy_name=\"APIGatewayCacheEnable\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_95\", policy_name=\"APIGatewayV2AccessLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_73_APIGatewayXray(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_73\", policy_name=\"APIGatewayXray\", language=\"typescript\")\n\n\ndef test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_194\", policy_name=\"AppSyncFieldLevelLogs\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_193_AppSyncLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_193\", policy_name=\"AppSyncLogging\", language=\"typescript\")\n\n\ndef test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):\n # need to wait for variable rendering in TS\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_82\", policy_name=\"AthenaWorkgroupConfiguration\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_131_AmazonMQBrokerPublicAccess(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_69\", policy_name=\"AmazonMQBrokerPublicAccess\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_96_AuroraEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_96\", policy_name=\"AuroraEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_166\", policy_name=\"BackupVaultEncrypted\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_174_CloudFrontTLS12(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_174\", policy_name=\"CloudFrontTLS12\", language=\"typescript\")\n\n\ndef test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_36\", policy_name=\"CloudTrailLogValidation\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_20_S3PublicACLRead(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_20\", policy_name=\"S3PublicACLRead\", language=\"typescript\")\n\n\ndef test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_56\", policy_name=\"S3RestrictPublicBuckets\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_149\", policy_name=\"SecretManagerSecretEncrypted\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_23\", policy_name=\"SecurityGroupRuleDescription\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_26_SNSTopicEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_26\", policy_name=\"SNSTopicEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_27_SQSQueueEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_27\", policy_name=\"SQSQueueEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_164_TransferServerIsPublic(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_164\", policy_name=\"TransferServerIsPublic\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_123\", policy_name=\"VPCEndpointAcceptanceConfigured\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_68_WAFEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_68\", policy_name=\"WAFEnabled\", language=\"typescript\")\n\n\ndef test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_156\", policy_name=\"WorkspaceRootVolumeEncrypted\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_155\", policy_name=\"WorkspaceUserVolumeEncrypted\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_88_EC2PublicIP(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_88\", policy_name=\"EC2PublicIP\", language=\"typescript\")\n\n\ndef test_CKV_AWS_163_ECRImageScanning(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_163\", policy_name=\"ECRImageScanning\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_51_ECRImmutableTags(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_51\", policy_name=\"ECRImmutableTags\", language=\"typescript\")\n\n\ndef test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_136\", policy_name=\"ECRRepositoryEncrypted\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_65\", policy_name=\"ECSClusterContainerInsights\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_97\", policy_name=\"ECSTaskDefinitionEFSVolumeEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_42\", policy_name=\"EFSEncryptionEnabled\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_58\", policy_name=\"EKSSecretsEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_29\",\n policy_name=\"ElasticacheReplicationGroupEncryptionAtRest\", language=\"typescript\")\n\n\ndef test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_30\",\n policy_name=\"ElasticacheReplicationGroupEncryptionAtTransit\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_31\",\n policy_name=\"ElasticacheReplicationGroupEncryptionAtTransitAuthToken\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_83\", policy_name=\"ElasticsearchDomainEnforceHTTPS\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_84\", policy_name=\"ElasticsearchDomainLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_92_ELBAccessLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_92\", policy_name=\"ELBAccessLogs\", language=\"typescript\")\n\n\ndef test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_91\", policy_name=\"ELBv2AccessLogs\", language=\"typescript\")\n\n\ndef test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_158\", policy_name=\"CloudWatchLogGroupKMSKey\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_66\", policy_name=\"CloudWatchLogGroupRetention\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_34\", policy_name=\"CloudfrontDistributionEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_86\", policy_name=\"CloudfrontDistributionLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_35_CloudtrailEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_35\", policy_name=\"CloudtrailEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_67\", policy_name=\"CloudtrailMultiRegion\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_78\", policy_name=\"CodeBuildProjectEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_47_DAXEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_47\", policy_name=\"DAXEncryption\", language=\"typescript\")\n\n\ndef test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_89\",\n policy_name=\"DMSReplicationInstancePubliclyAccessible\", language=\"typescript\")\n\n\ndef test_CKV_AWS_104_DocDBAuditLogs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_104\", policy_name=\"DocDBAuditLogs\", language=\"typescript\")\n\n\ndef test_CKV_AWS_74_DocDBEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_74\", policy_name=\"DocDBEncryption\", language=\"typescript\")\n\n\ndef test_CKV_AWS_90_DocDBTLS(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_90\", policy_name=\"DocDBTLS\", language=\"typescript\")\n\n\ndef test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_165\", policy_name=\"DynamodbGlobalTableRecovery\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_28_DynamodbRecovery(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_28\", policy_name=\"DynamodbRecovery\", language=\"typescript\")\n\n\ndef test_CKV_AWS_3_EBSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_3\", policy_name=\"EBSEncryption\", language=\"typescript\")\n\n\ndef test_CKV_AWS_18_S3BucketLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_18\", policy_name=\"S3BucketLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_19_S3BucketEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_19\", policy_name=\"S3BucketEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_21_S3BucketVersioning(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_21\", policy_name=\"S3BucketVersioning\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_145\", policy_name=\"S3BucketKMSEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV2_AWS_6\", policy_name=\"S3BucketPublicAccessBlock\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_195\", policy_name=\"GlueSecurityConfigurationEnabled\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_5\", policy_name=\"ElasticsearchEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_6\", policy_name=\"ElasticsearchNodeToNodeEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_94\", policy_name=\"GlueDataCatalogEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_99\", policy_name=\"GlueSecurityConfiguration\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_40\", policy_name=\"IAMPolicyAttachedToGroupOrRoles\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_43\", policy_name=\"KinesisStreamEncryptionType\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_116\", policy_name=\"LambdaDLQConfigured\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_45\", policy_name=\"LambdaEnvironmentCredentials\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_173\", policy_name=\"LambdaEnvironmentEncryptionSettings\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_115\",\n policy_name=\"LambdaFunctionLevelConcurrentExecutionLimit\", language=\"typescript\")\n\n\ndef test_CKV_AWS_117_LambdaInVPC(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_117\", policy_name=\"LambdaInVPC\", language=\"typescript\")\n\n\ndef test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_8\", policy_name=\"LaunchConfigurationEBSEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_44\", policy_name=\"NeptuneClusterStorageEncrypted\",\n language=\"typescript\")\n\n\n# unskip after BCE-33034\n# def test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):\n# run_check(check_results=failed_checks, check_id=\"CKV_AWS_118\", policy_name=\"RDSEnhancedMonitorEnabled\",\n# language=\"typescript\")\n\n\ndef test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_157\", policy_name=\"RDSMultiAZEnabled\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_17\", policy_name=\"RDSPubliclyAccessible\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_105_RedShiftSSL(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_105\", policy_name=\"RedShiftSSL\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_64\", policy_name=\"RedshiftClusterEncryption\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_71\", policy_name=\"RedshiftClusterLogging\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_87\", policy_name=\"RedshiftClusterPubliclyAccessible\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_154\", policy_name=\"RedshiftInEc2ClassicMode\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_53\", policy_name=\"S3BlockPublicACLs\",\n language=\"typescript\")\n\n\ndef test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):\n run_check(check_results=failed_checks, check_id=\"CKV_AWS_54\", policy_name=\"S3BlockPublicPolicy\",\n language=\"typescript\")\n"
},
{
"path": "cdk_integration_tests/utils.py",
"content": "import json\nimport os\nfrom typing import List, Dict, Any\nimport yaml\n\n\ncurrent_dir = os.path.dirname(os.path.realpath(__file__))\n\n\ndef load_failed_checks_from_file(lang: str) -> Dict[str, List[Dict[str, Any]]]:\n report_path = os.path.join(current_dir, '..', 'checkov_report_cdk.json')\n with open(report_path) as f:\n data = f.read()\n reports = json.loads(data)\n for report in reports:\n if report.get('check_type') == f'cdk_{lang}':\n assert report is not None\n results = report.get(\"results\", {})\n failed_checks = results.get(\"failed_checks\")\n skipped_checks = results.get(\"skipped_checks\")\n results = {}\n for check in failed_checks:\n check_id = check['check_id']\n if not results.get(check_id):\n results[check_id] = []\n results[check_id].append(check)\n for check in skipped_checks:\n check_id = check['check_id']\n if not results.get(check_id):\n results[check_id] = []\n results[check_id].append(check)\n return results\n return {}\n\n\ndef is_policy_with_correct_check_id(check_id: str, language: str, policy_name: str) -> bool:\n path = os.path.join(current_dir, '..', 'checkov', 'cdk', 'checks', language, policy_name + \".yaml\")\n with open(path, 'r') as file:\n data = yaml.safe_load(file)\n if 'metadata' in data and 'id' in data['metadata'] and data['metadata']['id'] == check_id:\n return True\n return False\n\n\ndef run_check(check_results: Dict[str, List[Dict[str, Any]]], check_id: str, policy_name: str, language: str) -> None:\n assert is_policy_with_correct_check_id(check_id, language, policy_name)\n results_for_check_id = check_results.get(check_id)\n assert results_for_check_id\n\n\ndef validate_report(report_path: str) -> None:\n with open(report_path) as f:\n data = f.read()\n report = json.loads(data)\n assert report is not None\n results = report.get(\"results\")\n assert results is not None\n passed_checks = results.get(\"passed_checks\")\n failed_checks = results.get(\"failed_checks\")\n assert not passed_checks\n assert failed_checks is not None\n assert isinstance(failed_checks, list)\n assert len(failed_checks) > 0\n summary = report.get(\"summary\")\n assert summary.get(\"passed\") == 0\n assert summary.get(\"failed\") > 0\n"
},
{
"path": "checkov/__init__.py",
"content": ""
},
{
"path": "checkov/ansible/__init__.py",
"content": "from checkov.ansible.checks import * # noqa\n"
},
{
"path": "checkov/ansible/checks/__init__.py",
"content": "from checkov.ansible.checks.task import * # noqa\n"
},
{
"path": "checkov/ansible/checks/base_ansible_task_check.py",
"content": "from __future__ import annotations\n\nimport json\nimport logging\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.ansible.checks.registry import registry\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.models.enums import CheckResult\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories\n\n\nclass BaseAnsibleTaskCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_modules: Iterable[str],\n block_type: str,\n guideline: str | None = None,\n path: str | None = None,\n ) -> None:\n supported_entities = [\n entity\n for module in supported_modules\n for entity in (\n f'[].tasks[?\"{module}\" != null][]',\n f'[?\"{module}\" != null][]',\n f'[].tasks[].block[?\"{module}\" != null][]',\n f'[].block[?\"{module}\" != null][]',\n f'[].tasks[].block[].block[?\"{module}\" != null][]',\n f'[].block[].block[?\"{module}\" != null][]',\n # in theory, it can be more nested, but let's stop at 3 levels\n # jmespath lib doesn't support recursive search https://github.com/jmespath/jmespath.py/issues/110\n f'[].tasks[].block[].block[].block[?\"{module}\" != null][]',\n f'[].block[].block[].block[?\"{module}\" != null][]',\n )\n ]\n\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_entities,\n block_type=block_type,\n guideline=guideline,\n )\n\n self.entity_conf: dict[str, Any] # stores the complete entity configuration\n self.path = path\n self.supported_modules = supported_modules\n\n registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:\n self.entity_type = entity_type\n self.entity_conf = conf\n\n module_conf = next((conf[module] for module in self.supported_modules if module in conf), None)\n if not module_conf:\n # this should actually never happen, but better to be safe, than sorry\n logging.info(f\"Failed to find supported module {self.supported_modules} in {json.dumps(conf)}\")\n return CheckResult.UNKNOWN, conf\n\n return self.scan_conf(module_conf)\n\n @abstractmethod\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n pass\n"
},
{
"path": "checkov/ansible/checks/base_ansible_task_value_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.ansible.checks.base_ansible_task_check import BaseAnsibleTaskCheck\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckResult\nfrom checkov.common.util.data_structures_utils import find_in_dict\nfrom checkov.yaml_doc.enums import BlockType\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories\n\n\nclass BaseAnsibleTaskValueCheck(BaseAnsibleTaskCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_modules: Iterable[str],\n guideline: str | None = None,\n path: str | None = None,\n missing_block_result: CheckResult = CheckResult.FAILED,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_modules=supported_modules,\n block_type=BlockType.ARRAY,\n guideline=guideline,\n path=path,\n )\n self.missing_block_result = missing_block_result\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n inspected_key = self.get_inspected_key()\n expected_values = self.get_expected_values()\n\n value = find_in_dict(conf, inspected_key)\n\n if value is None:\n return self.missing_block_result, self.entity_conf\n if ANY_VALUE in expected_values:\n return CheckResult.PASSED, self.entity_conf\n if value in expected_values:\n return CheckResult.PASSED, self.entity_conf\n # quite often string values are case-insensitive\n if isinstance(value, str) and value.lower() in [exp.lower() for exp in expected_values if isinstance(exp, str)]:\n return CheckResult.PASSED, self.entity_conf\n\n return CheckResult.FAILED, self.entity_conf\n\n @abstractmethod\n def get_inspected_key(self) -> str:\n \"\"\"\n :return: JSONPath syntax path of the checked attribute\n \"\"\"\n raise NotImplementedError()\n\n def get_expected_values(self) -> list[Any]:\n \"\"\"\n Override the method with the list of acceptable values if the check has more than one possible expected value, given\n the inspected key\n :return: List of expected values, defaults to a list of the expected value\n \"\"\"\n return [self.get_expected_value()]\n\n def get_expected_value(self) -> Any:\n \"\"\"\n Returns the default expected value, governed by provider best practices\n \"\"\"\n return True\n\n def get_evaluated_keys(self) -> list[str]:\n return [self.get_inspected_key()]\n"
},
{
"path": "checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_3\"\n name: \"Ensure block is handling task errors properly\"\n category: \"BACKUP_AND_RECOVERY\"\ndefinition:\n cond_type: attribute\n resource_types:\n - block\n attribute: rescue\n operator: exists\n"
},
{
"path": "checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_4\"\n name: \"Ensure that packages with untrusted or missing GPG signatures are not used by dnf\"\n category: \"GENERAL_SECURITY\"\ndefinition:\n cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.dnf\n - tasks.dnf\n attribute: disable_gpg_check\n operator: not_equals\n value: true\n"
},
{
"path": "checkov/ansible/checks/graph_checks/DnfSslVerify.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_5\"\n name: \"Ensure that SSL validation isn't disabled with dnf\"\n category: \"GENERAL_SECURITY\"\ndefinition:\n cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.dnf\n - tasks.dnf\n attribute: sslverify\n operator: not_equals\n value: false\n"
},
{
"path": "checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_6\"\n name: \"Ensure that certificate validation isn't disabled with dnf\"\n category: \"GENERAL_SECURITY\"\ndefinition:\n cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.dnf\n - tasks.dnf\n attribute: validate_certs\n operator: not_equals\n value: false\n"
},
{
"path": "checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_2\"\n name: \"Ensure that HTTPS url is used with get_url\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.get_url\n - tasks.get_url\n attribute: url\n operator: not_starting_with\n value: \"http://\"\n - cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.get_url\n - tasks.get_url\n attribute: url\n operator: not_starting_with\n value: \"ftp://\"\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml",
"content": "metadata:\n id: \"CKV_PAN_12\"\n name: \"Ensure IPsec profiles do not specify use of insecure authentication algorithms\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_ipsec_profile\n attribute: esp_authentication\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_ipsec_profile\n attribute: esp_authentication\n operator: not_contains\n value: 'none'\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_ipsec_profile\n attribute: esp_authentication\n operator: not_contains\n value: 'md5'\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_ipsec_profile\n attribute: esp_authentication\n operator: not_contains\n value: 'sha1'\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml",
"content": "metadata:\n id: \"CKV_PAN_13\"\n name: \"Ensure IPsec profiles do not specify use of insecure protocols\"\n category: \"NETWORKING\"\ndefinition:\n cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_ipsec_profile\n attribute: ah_authentication\n operator: not_exists\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml",
"content": "metadata:\n id: \"CKV_PAN_2\"\n name: \"Ensure plain-text management HTTP is not enabled for an Interface Management Profile\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_management_profile\n attribute: http\n operator: not_exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_management_profile\n attribute: http\n operator: not_equals\n value: true\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml",
"content": "metadata:\n id: \"CKV_PAN_3\"\n name: \"Ensure plain-text management Telnet is not enabled for an Interface Management Profile\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_management_profile\n attribute: telnet\n operator: not_exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_management_profile\n attribute: telnet\n operator: not_equals\n value: true\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml",
"content": "metadata:\n id: \"CKV_PAN_8\"\n name: \"Ensure description is populated within security policies\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: description\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: description\n operator: is_not_empty\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml",
"content": "metadata:\n id: \"CKV_PAN_9\"\n name: \"Ensure a Log Forwarding Profile is selected for each security policy rule\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: log_setting\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: log_setting\n operator: is_not_empty\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml",
"content": "metadata:\n id: \"CKV_PAN_16\"\n name: \"Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels\"\n category: \"LOGGING\"\ndefinition:\n # Logging config flag \"log_start = true \" is specified, defaults to false, which is a pass\n or:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: log_start\n operator: not_equals_ignore_case\n value: true\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: log_start\n operator: not_exists"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml",
"content": "metadata:\n id: \"CKV_PAN_10\"\n name: \"Ensure logging at session end is enabled within security policies\"\n category: \"NETWORKING\"\ndefinition:\n # Logging config flag \"log_end\" is not specified, defaults to true, which is a pass\n cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: log_end\n operator: not_equals\n value: false\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml",
"content": "metadata:\n id: \"CKV_PAN_5\"\n name: \"Ensure security rules do not have 'application' set to 'any'\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: application\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: application\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: application\n operator: not_equals_ignore_case\n value: 'any'\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml",
"content": "metadata:\n id: \"CKV_PAN_4\"\n name: \"Ensure DSRI is not enabled within security policies\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: disable_server_response_inspection\n operator: equals\n value: false\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: disable_server_response_inspection\n operator: not_exists # Default value is false which passes the check\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml",
"content": "metadata:\n id: \"CKV_PAN_6\"\n name: \"Ensure security rules do not have 'service' set to 'any'\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: service\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: service\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: service\n operator: not_equals_ignore_case\n value: 'any'\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml",
"content": "metadata:\n id: \"CKV_PAN_7\"\n name: \"Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any'\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_ip\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_ip\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_ip\n operator: not_equals_ignore_case\n value: 'any'\n - and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_ip\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_ip\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_ip\n operator: not_equals_ignore_case\n value: 'any'\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml",
"content": "metadata:\n id: \"CKV_PAN_17\"\n name: \"Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any'\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_zone\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_zone\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: source_zone\n operator: not_equals_ignore_case\n value: 'any'\n - and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_zone\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_zone\n operator: is_not_empty\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_security_rule\n attribute: destination_zone\n operator: not_equals_ignore_case\n value: 'any'\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml",
"content": "metadata:\n id: \"CKV_PAN_14\"\n name: \"Ensure a Zone Protection Profile is defined within Security Zones\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: zone_profile\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: zone_profile\n operator: is_not_empty\n"
},
{
"path": "checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml",
"content": "metadata:\n id: \"CKV_PAN_15\"\n name: \"Ensure an Include ACL is defined for a Zone when User-ID is enabled\"\n category: \"NETWORKING\"\ndefinition:\n or:\n # If User-ID is enabled, also check for a non-empty Include ACL\n - and:\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: enable_userid\n operator: equals\n value: true\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: include_acl\n operator: exists\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: include_acl\n operator: is_not_empty\n\n # Or if User-ID is not enabled, there is no need to check for an Include ACL\n - cond_type: attribute\n resource_types:\n - tasks.paloaltonetworks.panos.panos_zone\n attribute: enable_userid\n operator: not_exists\n"
},
{
"path": "checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml",
"content": "metadata:\n id: \"CKV2_ANSIBLE_1\"\n name: \"Ensure that HTTPS url is used with uri\"\n category: \"NETWORKING\"\ndefinition:\n cond_type: attribute\n resource_types:\n - tasks.ansible.builtin.uri\n - tasks.uri\n attribute: url\n operator: starting_with\n value: \"https://\"\n"
},
{
"path": "checkov/ansible/checks/graph_checks/__init__.py",
"content": ""
},
{
"path": "checkov/ansible/checks/registry.py",
"content": "from checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.yaml_doc.base_registry import Registry\n\nregistry = Registry(CheckType.ANSIBLE)\n"
},
{
"path": "checkov/ansible/checks/task/__init__.py",
"content": "from checkov.ansible.checks.task.aws import * # noqa\nfrom checkov.ansible.checks.task.builtin import * # noqa\n"
},
{
"path": "checkov/ansible/checks/task/aws/EC2EBSOptimized.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass EC2EBSOptimized(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that EC2 is EBS optimized\"\n id = \"CKV_AWS_135\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"amazon.aws.ec2_instance\", \"ec2_instance\"),\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n if not conf.get(\"image_id\") and not conf.get(\"image\"):\n # if 'image_id' or 'image' are not set, then an already running instance is targeted\n return CheckResult.UNKNOWN, self.entity_conf\n\n return super().scan_conf(conf=conf)\n\n def get_inspected_key(self) -> str:\n return \"ebs_optimized\"\n\n\ncheck = EC2EBSOptimized()\n"
},
{
"path": "checkov/ansible/checks/task/aws/EC2PublicIP.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass EC2PublicIP(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"EC2 instance should not have public IP.\"\n id = \"CKV_AWS_88\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.NETWORKING,),\n supported_modules=(\"amazon.aws.ec2_instance\", \"ec2_instance\"),\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n if not conf.get(\"image_id\") and not conf.get(\"image\"):\n # if 'image_id' or 'image' are not set, then an already running instance is targeted\n return CheckResult.UNKNOWN, self.entity_conf\n\n return super().scan_conf(conf=conf)\n\n def get_inspected_key(self) -> str:\n return \"network/assign_public_ip\"\n\n def get_expected_value(self) -> Any:\n return False\n\n\ncheck = EC2PublicIP()\n"
},
{
"path": "checkov/ansible/checks/task/aws/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass AptAllowUnauthenticated(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that packages with untrusted or missing signatures are not used\"\n id = \"CKV_ANSIBLE_5\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.apt\", \"apt\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_expected_value(self) -> Any:\n return False\n\n def get_inspected_key(self) -> str:\n return \"allow_unauthenticated\"\n\n\ncheck = AptAllowUnauthenticated()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/AptForce.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass AptForce(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state\"\n id = \"CKV_ANSIBLE_6\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.apt\", \"apt\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_expected_value(self) -> Any:\n return False\n\n def get_inspected_key(self) -> str:\n return \"force\"\n\n\ncheck = AptForce()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py",
"content": "from __future__ import annotations\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass GetUrlValidateCerts(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that certificate validation isn't disabled with get_url\"\n id = \"CKV_ANSIBLE_2\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.get_url\", \"get_url\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_inspected_key(self) -> str:\n return \"validate_certs\"\n\n\ncheck = GetUrlValidateCerts()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/UriValidateCerts.py",
"content": "from __future__ import annotations\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass UriValidateCerts(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that certificate validation isn't disabled with uri\"\n id = \"CKV_ANSIBLE_1\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.uri\", \"uri\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_inspected_key(self) -> str:\n return \"validate_certs\"\n\n\ncheck = UriValidateCerts()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/YumSslVerify.py",
"content": "from __future__ import annotations\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass YumSslVerify(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that SSL validation isn't disabled with yum\"\n id = \"CKV_ANSIBLE_4\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.yum\", \"yum\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_inspected_key(self) -> str:\n return \"sslverify\"\n\n\ncheck = YumSslVerify()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/YumValidateCerts.py",
"content": "from __future__ import annotations\n\nfrom checkov.ansible.checks.base_ansible_task_value_check import BaseAnsibleTaskValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass YumValidateCerts(BaseAnsibleTaskValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that certificate validation isn't disabled with yum\"\n id = \"CKV_ANSIBLE_3\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.GENERAL_SECURITY,),\n supported_modules=(\"ansible.builtin.yum\", \"yum\"),\n missing_block_result=CheckResult.PASSED,\n )\n\n def get_inspected_key(self) -> str:\n return \"validate_certs\"\n\n\ncheck = YumValidateCerts()\n"
},
{
"path": "checkov/ansible/checks/task/builtin/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/ansible/graph_builder/__init__.py",
"content": ""
},
{
"path": "checkov/ansible/graph_builder/graph_components/__init__.py",
"content": ""
},
{
"path": "checkov/ansible/graph_builder/graph_components/resource_types.py",
"content": "from enum import Enum\n\n\nclass ResourceType(str, Enum):\n BLOCK = \"block\"\n TASKS = \"tasks\"\n\n def __str__(self) -> str:\n # needed, because of a Python 3.11 change\n return self.value\n"
},
{
"path": "checkov/ansible/graph_builder/local_graph.py",
"content": "from __future__ import annotations\n\nimport logging\nfrom pathlib import Path\nfrom typing import Any\n\nfrom checkov.common.graph.graph_builder import CustomAttributes\nfrom checkov.common.graph.graph_builder.consts import GraphSource, SELF_REFERENCE\nfrom checkov.common.graph.graph_builder.graph_components.block_types import BlockType\nfrom checkov.common.graph.graph_builder.graph_components.blocks import Block\nfrom checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.ansible.graph_builder.graph_components.resource_types import ResourceType\nfrom checkov.ansible.utils import get_scannable_file_paths, TASK_RESERVED_KEYWORDS, parse_file\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\n\n\nclass AnsibleLocalGraph(ObjectLocalGraph):\n def __init__(self, definitions: dict[str | Path, dict[str, Any] | list[dict[str, Any]]]) -> None:\n super().__init__(definitions=definitions)\n\n self.source = GraphSource.ANSIBLE\n\n def _create_vertices(self) -> None:\n for file_path, definition in self.definitions.items():\n if not isinstance(definition, list):\n logging.debug(f\"definition of file {file_path} has the wrong type {type(definition)}\")\n continue\n\n file_path = str(file_path)\n\n for code_block in definition:\n if ResourceType.TASKS in code_block:\n tasks = code_block[ResourceType.TASKS]\n if tasks: # Check if tasks is not None and not empty\n for task in tasks:\n self._process_blocks(file_path=file_path, task=task)\n else:\n self._process_blocks(file_path=file_path, task=code_block)\n else:\n self._process_blocks(file_path=file_path, task=code_block)\n\n def _process_blocks(self, file_path: str, task: Any, prefix: str = \"\") -> None:\n \"\"\"Checks for possible block usage\"\"\"\n\n if not task or not isinstance(task, dict):\n return\n\n if ResourceType.BLOCK in task and isinstance(task[ResourceType.BLOCK], list):\n prefix += f\"{ResourceType.BLOCK}.\" # with each nested level an extra block prefix is added\n self._create_block_vertices(file_path=file_path, block=task, prefix=prefix)\n\n for block_task in task[ResourceType.BLOCK]:\n self._process_blocks(file_path=file_path, task=block_task, prefix=prefix)\n else:\n self._create_tasks_vertices(file_path=file_path, task=task, prefix=prefix)\n\n def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = \"\") -> None:\n \"\"\"Creates tasks vertices\"\"\"\n\n if not task or not isinstance(task, dict):\n return\n\n # grab the task name at the beginning before trying to find the actual module name\n task_name = task.get(\"name\") or \"unknown\"\n\n for name, config in task.items():\n if name in TASK_RESERVED_KEYWORDS:\n continue\n if name in (START_LINE, END_LINE):\n continue\n if isinstance(config, list):\n # either it is actually not an Ansible file or a playbook without tasks refs\n continue\n\n resource_type = f\"{ResourceType.TASKS}.{prefix}{name}\"\n\n if isinstance(config, str):\n # this happens when modules have no parameters and are directly used with the user input\n # ex. ansible.builtin.command: cat /etc/passwd\n config = {SELF_REFERENCE: config}\n elif config is None:\n # this happens when modules have no parameters and are passed no value\n # ex. amazon.aws.ec2_instance_info:\n config = {\n START_LINE: task[START_LINE],\n END_LINE: task[END_LINE],\n }\n\n if not isinstance(config, dict):\n # either it is actually not an Ansible file or a playbook without tasks refs\n continue\n\n attributes = pickle_deepcopy(config)\n attributes[CustomAttributes.RESOURCE_TYPE] = resource_type\n\n # only the module code is relevant for validation,\n # but in the check result the whole task should be visible\n attributes[START_LINE] = task[START_LINE]\n attributes[END_LINE] = task[END_LINE]\n\n self.vertices.append(\n Block(\n name=f\"{resource_type}.{task_name}\",\n config=task,\n path=file_path,\n block_type=BlockType.RESOURCE,\n attributes=attributes,\n id=f\"{resource_type}.{task_name}\",\n source=self.source,\n )\n )\n\n # no need to further check\n break\n\n def _create_block_vertices(self, file_path: str, block: dict[str, Any], prefix: str = \"\") -> None:\n \"\"\"Creates block vertices\"\"\"\n\n # grab the block name, if it exists\n block_name = block.get(\"name\") or \"unknown\"\n\n config = block\n attributes = pickle_deepcopy(config)\n attributes[CustomAttributes.RESOURCE_TYPE] = ResourceType.BLOCK\n del attributes[ResourceType.BLOCK] # the real block content are tasks, which have their own vertices\n\n self.vertices.append(\n Block(\n name=f\"{ResourceType.BLOCK}.{block_name}\",\n config=config,\n path=file_path,\n block_type=BlockType.RESOURCE,\n attributes=attributes,\n id=f\"{prefix}{block_name}\",\n source=self.source,\n )\n )\n\n def _create_edges(self) -> None:\n return None\n\n @staticmethod\n def get_files_definitions(root_folder: str | Path) -> dict[str | Path, dict[str, Any] | list[dict[str, Any]]]:\n definitions: \"dict[str | Path, dict[str, Any] | list[dict[str, Any]]]\" = {}\n file_paths = get_scannable_file_paths(root_folder=root_folder)\n\n for file_path in file_paths:\n try:\n result = parse_file(f=file_path)\n if result is not None:\n definitions[file_path] = result[0]\n except Exception as err:\n logging.warning(f'fail to pars file {file_path}, {err}')\n\n return definitions\n"
},
{
"path": "checkov/ansible/runner.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.common.graph.checks_infra.registry import BaseRegistry\n\nfrom checkov.ansible.checks.registry import registry\nfrom checkov.ansible.graph_builder.graph_components.resource_types import ResourceType\nfrom checkov.ansible.graph_builder.local_graph import AnsibleLocalGraph\nfrom checkov.ansible.utils import get_relevant_file_content, build_definitions_context, generate_task_name\nfrom checkov.common.output.report import CheckType\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.yaml_doc.runner import Runner as YamlRunner\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n from checkov.common.typing import LibraryGraphConnector\n from checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph\n from checkov.common.runners.graph_manager import ObjectGraphManager\n from collections.abc import Iterable\n\n\nclass Runner(YamlRunner):\n check_type = CheckType.ANSIBLE # noqa: CCE003 # a static attribute\n\n def __init__(\n self,\n db_connector: LibraryGraphConnector | None = None,\n source: str = \"Ansible\",\n graph_class: type[ObjectLocalGraph] = AnsibleLocalGraph,\n graph_manager: ObjectGraphManager | None = None,\n external_registries: list[BaseRegistry] | None = None,\n ) -> None:\n super().__init__(\n db_connector=db_connector,\n source=source,\n graph_class=graph_class,\n graph_manager=graph_manager,\n )\n\n def require_external_checks(self) -> bool:\n return False\n\n def import_registry(self) -> BaseCheckRegistry:\n return registry\n\n @staticmethod\n def _parse_file(\n f: str, file_content: str | None = None\n ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:\n content = get_relevant_file_content(file_path=f)\n if content:\n return YamlRunner._parse_file(f=f, file_content=content)\n\n return None\n\n def get_resource(\n self,\n file_path: str,\n key: str,\n supported_entities: Iterable[str],\n start_line: int = -1,\n end_line: int = -1,\n graph_resource: bool = False,\n ) -> str:\n if not self.definitions or not isinstance(self.definitions, dict):\n return key\n\n resource_name = self.generate_resource_name(start_line, end_line, self.definitions[file_path])\n return resource_name if resource_name else key\n\n def generate_resource_name(\n self,\n start_line: int,\n end_line: int,\n file_conf: dict[str, Any] | list[dict[str, Any]],\n resource_key: str | None = None,\n ) -> str | None:\n if not isinstance(file_conf, list):\n return resource_key\n\n for code_block in file_conf:\n if code_block[START_LINE] <= start_line <= end_line <= code_block[END_LINE]:\n if ResourceType.TASKS in code_block:\n for task in code_block[ResourceType.TASKS]:\n if task[START_LINE] <= start_line <= end_line <= task[END_LINE]:\n if ResourceType.BLOCK in task:\n resource_name = self._handle_block_tasks(\n start_line=start_line,\n end_line=end_line,\n code_block=task,\n )\n if resource_name is not None:\n return resource_name\n return generate_task_name(task=task) or resource_key\n elif ResourceType.BLOCK in code_block:\n resource_name = self._handle_block_tasks(\n start_line=start_line,\n end_line=end_line,\n code_block=code_block,\n )\n if resource_name is not None:\n return resource_name\n else:\n return generate_task_name(task=code_block) or resource_key\n\n return resource_key\n\n def _handle_block_tasks(\n self, start_line: int, end_line: int, code_block: dict[str, Any], prefix: str = \"\"\n ) -> str | None:\n for block_task in code_block[ResourceType.BLOCK]:\n if block_task[START_LINE] <= start_line <= end_line <= block_task[END_LINE]:\n prefix += f\"{ResourceType.BLOCK}.\" # with each nested level an extra block prefix is added\n if ResourceType.BLOCK in block_task:\n resource_name = self._handle_block_tasks(\n start_line=start_line,\n end_line=end_line,\n code_block=block_task,\n prefix=prefix,\n )\n if resource_name is not None:\n return resource_name\n return generate_task_name(task=block_task, prefix=prefix)\n\n return None\n\n def build_definitions_context(\n self,\n definitions: dict[str, dict[str, Any] | list[dict[str, Any]]],\n definitions_raw: dict[str, list[tuple[int, str]]],\n ) -> dict[str, dict[str, Any]]:\n return build_definitions_context(definitions=definitions, definitions_raw=definitions_raw)\n\n def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:\n self.definitions_raw = definitions_raw\n"
},
{
"path": "checkov/ansible/utils.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nimport re\nfrom pathlib import Path\nfrom typing import Any, List\n\nfrom checkov.ansible.graph_builder.graph_components.resource_types import ResourceType\nfrom checkov.common.parallelizer.parallel_runner import parallel_runner\nfrom checkov.common.parsers.yaml.parser import parse\nfrom checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger\nfrom checkov.common.runners.base_runner import filter_ignored_paths\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.common.util.file_utils import read_file_with_any_encoding\nfrom checkov.common.util.suppression import collect_suppressions_for_context\nfrom checkov.runner_filter import RunnerFilter\n\nTASK_NAME_PATTERN = re.compile(r\"^\\s*-\\s+name:\\s+\", re.MULTILINE)\n\n# https://docs.ansible.com/ansible/latest/reference_appendices/playbooks_keywords.html#task\nTASK_RESERVED_KEYWORDS = {\n \"action\",\n \"any_errors_fatal\",\n \"args\",\n \"async\",\n \"become\",\n \"become_exe\",\n \"become_flags\",\n \"become_method\",\n \"become_user\",\n \"changed_when\",\n \"check_mode\",\n \"collections\",\n \"connection\",\n \"debugger\",\n \"delay\",\n \"delegate_facts\",\n \"delegate_to\",\n \"diff\",\n \"environment\",\n \"failed_when\",\n \"ignore_errors\",\n \"ignore_unreachable\",\n \"local_action\",\n \"loop\",\n \"loop_control\",\n \"module_defaults\",\n \"name\",\n \"no_log\",\n \"notify\",\n \"poll\",\n \"port\",\n \"register\",\n \"remote_user\",\n \"retries\",\n \"run_once\",\n \"tags\",\n \"throttle\",\n \"timeout\",\n \"until\",\n \"vars\",\n \"when\",\n}\n\nlogger = logging.getLogger(__name__)\nadd_resource_code_filter_to_logger(logger)\n\n\ndef get_scannable_file_paths(root_folder: str | Path) -> set[Path]:\n \"\"\"Finds yaml files\"\"\"\n\n file_paths: set[Path] = set()\n\n if root_folder:\n root_path = root_folder if isinstance(root_folder, Path) else Path(root_folder)\n file_paths = {file_path for file_path in root_path.rglob(\"*.[y][am]*[l]\") if file_path.is_file()}\n\n return file_paths\n\n\ndef get_relevant_file_content(file_path: str | Path) -> str | None:\n if not str(file_path).endswith((\".yaml\", \".yml\")):\n return None\n\n content = read_file_with_any_encoding(file_path=file_path)\n if \"name:\" not in content:\n # the following regex will search more precisely, but no need to further process\n return None\n\n match_task_name = re.search(TASK_NAME_PATTERN, content)\n if match_task_name:\n # there are more files, which belong to an ansible playbook,\n # but we are currently only interested in 'tasks'\n return content\n\n return None\n\n\ndef parse_file(\n f: str | Path, file_content: str | None = None\n) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:\n file_content = get_relevant_file_content(file_path=f)\n if file_content:\n content = parse(filename=str(f), file_content=file_content)\n return content\n\n return None\n\n\ndef generate_task_name(task: dict[str, Any], prefix: str = \"\") -> str | None:\n # grab the task name at the beginning before trying to find the actual module name\n task_name = task.get(\"name\") or \"unknown\"\n\n for name in task:\n if name in TASK_RESERVED_KEYWORDS:\n continue\n\n if prefix:\n # if the task is found in a block, then prefix the module name with 'block'\n name = f\"{prefix}{name}\"\n\n return f\"{ResourceType.TASKS}.{name}.{task_name}\"\n\n return None\n\n\ndef build_definitions_context(\n definitions: dict[str, dict[str, Any] | list[dict[str, Any]]],\n definitions_raw: dict[str, list[tuple[int, str]]],\n) -> dict[str, dict[str, Any]]:\n definitions_context: dict[str, dict[str, Any]] = {}\n\n for file_path, definition in definitions.items():\n file_path_context: dict[str, Any] = {}\n definition_raw = definitions_raw[file_path]\n\n if not isinstance(definition, list):\n logger.info(f\"File {file_path} has the wrong type {type(definition)}\")\n continue\n\n for code_block in definition:\n if ResourceType.TASKS in code_block:\n tasks = code_block[ResourceType.TASKS]\n if tasks: # Check if tasks is not empty\n for task in tasks:\n _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=task)\n else:\n _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=code_block)\n else:\n _process_blocks(definition_raw=definition_raw, file_path_context=file_path_context, task=code_block)\n\n definitions_context[file_path] = file_path_context\n\n return definitions_context\n\n\ndef _process_blocks(\n definition_raw: list[tuple[int, str]],\n file_path_context: dict[str, Any],\n task: Any,\n prefix: str = \"\",\n) -> None:\n \"\"\"Checks for possible block usage\"\"\"\n\n if not task or not isinstance(task, dict):\n return\n\n if ResourceType.BLOCK in task and isinstance(task[ResourceType.BLOCK], list):\n prefix += f\"{ResourceType.BLOCK}.\" # with each nested level an extra block prefix is added\n block_name = f\"{prefix}.{task.get('name') or 'unknown'}\"\n resource_context = _create_resource_context(definition_raw=definition_raw, resource=task)\n file_path_context[block_name] = resource_context\n\n for block_task in task[ResourceType.BLOCK]:\n _process_blocks(\n definition_raw=definition_raw, file_path_context=file_path_context, task=block_task, prefix=prefix\n )\n else:\n resource_context = _create_resource_context(definition_raw=definition_raw, resource=task)\n task_name = generate_task_name(task=task, prefix=prefix)\n if task_name:\n file_path_context[task_name] = resource_context\n\n\ndef _create_resource_context(definition_raw: list[tuple[int, str]], resource: dict[str, Any]) -> dict[str, Any]:\n \"\"\"Creates the resource context block\"\"\"\n\n start_line = resource[START_LINE]\n end_line = resource[END_LINE]\n code_lines = definition_raw[start_line - 1 : end_line - 1] # lines start with index 0\n skipped_checks = collect_suppressions_for_context(code_lines=code_lines)\n\n return {\n \"start_line\": start_line,\n \"end_line\": end_line - 1,\n \"code_lines\": code_lines,\n \"skipped_checks\": skipped_checks,\n }\n\n\ndef create_definitions(\n root_folder: str | None,\n files: list[str] | None = None,\n runner_filter: RunnerFilter | None = None\n) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]]]:\n runner_filter = runner_filter or RunnerFilter()\n definitions: dict[str, dict[str, Any]] = {}\n definitions_raw: dict[str, list[tuple[int, str]]] = {}\n if files:\n create_file_definition(files, definitions, definitions_raw)\n\n if root_folder:\n for root, d_names, f_names in os.walk(root_folder):\n filter_ignored_paths(root, d_names, runner_filter.excluded_paths)\n filter_ignored_paths(root, f_names, runner_filter.excluded_paths)\n files_to_load = [os.path.join(root, f_name) for f_name in f_names]\n create_file_definition(files_to_load, definitions, definitions_raw)\n\n return definitions, definitions_raw\n\n\ndef create_file_definition(files_to_load: List[str], definitions: dict[str, dict[str, Any]], definitions_raw: dict[str, list[tuple[int, str]]]) -> None:\n results = parallel_runner.run_function(lambda f: (f, parse_file(f)), files_to_load)\n for file_result_pair in results:\n if file_result_pair is None:\n # this only happens, when an uncaught exception occurs\n continue\n\n file, result = file_result_pair\n if result:\n (definitions[file], definitions_raw[file]) = result # type: ignore[assignment]\n"
},
{
"path": "checkov/argo_workflows/__init__.py",
"content": "from checkov.argo_workflows.checks import * # noqa\n"
},
{
"path": "checkov/argo_workflows/checks/__init__.py",
"content": "from checkov.argo_workflows.checks.template import * # noqa\n"
},
{
"path": "checkov/argo_workflows/checks/base_argo_workflows_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.argo_workflows.checks.registry import registry\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass BaseArgoWorkflowsCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_entities: Iterable[str],\n block_type: str,\n path: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_entities,\n block_type=block_type,\n )\n self.path = path\n registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:\n self.entity_type = entity_type\n\n return self.scan_conf(conf)\n\n @abstractmethod\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n pass\n"
},
{
"path": "checkov/argo_workflows/checks/registry.py",
"content": "from checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.yaml_doc.base_registry import Registry\n\nregistry = Registry(CheckType.ARGO_WORKFLOWS)\n"
},
{
"path": "checkov/argo_workflows/checks/template/DefaultServiceAccount.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.argo_workflows.checks.base_argo_workflows_check import BaseArgoWorkflowsCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass DefaultServiceAccount(BaseArgoWorkflowsCheck):\n def __init__(self) -> None:\n name = \"Ensure Workflow pods are not using the default ServiceAccount\"\n id = \"CKV_ARGO_1\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.IAM,),\n supported_entities=(\"spec\",),\n block_type=BlockType.OBJECT,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n if \"serviceAccountName\" in conf.keys() and conf[\"serviceAccountName\"] != \"default\":\n return CheckResult.PASSED, conf\n\n return CheckResult.FAILED, conf\n\n\ncheck = DefaultServiceAccount()\n"
},
{
"path": "checkov/argo_workflows/checks/template/RunAsNonRoot.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.argo_workflows.checks.base_argo_workflows_check import BaseArgoWorkflowsCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass RunAsNonRoot(BaseArgoWorkflowsCheck):\n def __init__(self) -> None:\n name = \"Ensure Workflow pods are running as non-root user\"\n id = \"CKV_ARGO_2\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.IAM,),\n supported_entities=(\"spec\",),\n block_type=BlockType.OBJECT,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n security_context = conf.get(\"securityContext\")\n\n if isinstance(security_context, dict) and security_context.get(\"runAsNonRoot\") is True:\n return CheckResult.PASSED, conf\n\n return CheckResult.FAILED, conf\n\n\ncheck = RunAsNonRoot()\n"
},
{
"path": "checkov/argo_workflows/checks/template/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/argo_workflows/common/__init__.py",
"content": ""
},
{
"path": "checkov/argo_workflows/runner.py",
"content": "from __future__ import annotations\n\nimport re\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.common.images.image_referencer import ImageReferencer, Image\nfrom checkov.common.output.report import CheckType\nfrom checkov.common.util.file_utils import read_file_with_any_encoding\nfrom checkov.yaml_doc.runner import Runner as YamlRunner\n\n# Import of the checks registry for a specific resource type\nfrom checkov.argo_workflows.checks.registry import registry as template_registry\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n\nAPI_VERSION_PATTERN = re.compile(r\"^apiVersion:\\s*argoproj.io/\", re.MULTILINE)\nKIND_PATTERN = re.compile(r\"^kind:\\s*Workflow\", re.MULTILINE)\n\n\nclass Runner(YamlRunner, ImageReferencer):\n check_type = CheckType.ARGO_WORKFLOWS # noqa: CCE003 # a static attribute\n\n block_type_registries = { # noqa: CCE003 # a static attribute\n \"template\": template_registry,\n }\n\n def require_external_checks(self) -> bool:\n return False\n\n def import_registry(self) -> BaseCheckRegistry:\n return self.block_type_registries[\"template\"]\n\n @staticmethod\n def _parse_file(\n f: str, file_content: str | None = None\n ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:\n content = Runner._get_workflow_file_content(file_path=f)\n if content:\n return YamlRunner._parse_file(f=f, file_content=content)\n\n return None\n\n @staticmethod\n def _get_workflow_file_content(file_path: str) -> str | None:\n if not file_path.endswith((\".yaml\", \".yml\")):\n return None\n\n content = read_file_with_any_encoding(file_path=file_path)\n if \"argoproj.io\" not in content:\n # the following regex will search more precisely, but no need to further process\n return None\n\n match_api = re.search(API_VERSION_PATTERN, content)\n if match_api:\n match_kind = re.search(KIND_PATTERN, content)\n if match_kind:\n # only scan Argo Workflows\n return content\n\n return None\n\n def is_workflow_file(self, file_path: str) -> bool:\n return self._get_workflow_file_content(file_path=file_path) is not None\n\n def get_images(self, file_path: str) -> set[Image]:\n \"\"\"Get container images mentioned in a file\n\n Argo Workflows file can have a job and services run within a container.\n\n in the following sample file we can see a node:14.16 image:\n\n apiVersion: argoproj.io/v1alpha1\n kind: Workflow\n metadata:\n generateName: template-defaults-\n spec:\n entrypoint: main\n templates:\n - name: main\n steps:\n - - name: retry-backoff\n template: retry-backoff\n - - name: whalesay\n template: whalesay\n\n - name: whalesay\n container:\n image: argoproj/argosay:v2\n command: [cowsay]\n args: [\"hello world\"]\n\n - name: retry-backoff\n container:\n image: python:alpine3.6\n command: [\"python\", -c]\n # fail with a 66% probability\n args: [\"import random; import sys; exit_code = random.choice([0, 1, 1]); sys.exit(exit_code)\"]\n\n Source: https://github.com/argoproj/argo-workflows/blob/master/examples/template-defaults.yaml\n\n :return: List of container image short ids mentioned in the file.\n Example return value for a file with node:14.16 image: ['sha256:6a353e22ce']\n \"\"\"\n\n images: set[Image] = set()\n parsed_file = self._parse_file(file_path)\n\n if not parsed_file:\n return images\n\n workflow, workflow_line_numbers = parsed_file\n\n if not isinstance(workflow, dict):\n # make type checking happy\n return images\n\n spec = workflow.get(\"spec\")\n if spec:\n templates = spec.get(\"templates\")\n if isinstance(templates, list):\n for template in templates:\n container = template.get(\"container\")\n if container:\n image = self.extract_image(file_path=file_path, container=container)\n if image:\n images.add(image)\n script = template.get(\"script\")\n if script:\n image = self.extract_image(file_path=file_path, container=script)\n if image:\n images.add(image)\n\n return images\n\n def extract_image(self, file_path: str, container: dict[str, Any]) -> Image | None:\n image_name = container.get(\"image\")\n if image_name and isinstance(image_name, str):\n start_line = container.get(\"__startline__\", 0)\n end_line = container.get(\"__endline__\", 0)\n return Image(\n file_path=file_path,\n name=image_name,\n start_line=start_line,\n end_line=end_line,\n )\n\n return None\n"
},
{
"path": "checkov/arm/__init__.py",
"content": "from checkov.arm.checks import * # noqa\n"
},
{
"path": "checkov/arm/base_parameter_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.arm.registry import arm_parameter_registry\nfrom checkov.common.checks.base_check import BaseCheck\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass BaseParameterCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_resources: Iterable[str],\n guideline: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_resources,\n block_type=\"parameter\",\n guideline=guideline,\n )\n self.supported_resources = supported_resources\n arm_parameter_registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:\n self.entity_type = entity_type\n\n return self.scan_resource_conf(conf)\n\n @abstractmethod\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n raise NotImplementedError()\n"
},
{
"path": "checkov/arm/base_registry.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.common.checks.base_check_registry import BaseCheckRegistry\n\n\nclass Registry(BaseCheckRegistry):\n def __init__(self) -> None:\n super().__init__(report_type=CheckType.ARM)\n\n def extract_entity_details(self, entity: dict[str, Any]) -> tuple[str, str, dict[str, Any]]:\n resource_name, resource = next(iter(entity.items()))\n resource_type = str(resource.get(\"type\", \"\")) # entity['type'] ??\n return resource_type, resource_name, resource\n"
},
{
"path": "checkov/arm/base_resource_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import Any\n\nfrom checkov.arm.registry import arm_resource_registry\nfrom checkov.bicep.checks.resource.registry import registry as bicep_registry\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass BaseResourceCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: \"Iterable[CheckCategories]\",\n supported_resources: \"Iterable[str]\",\n guideline: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_resources,\n block_type=\"resource\",\n guideline=guideline,\n )\n self.supported_resources = supported_resources\n arm_resource_registry.register(self)\n # leverage ARM checks to use with bicep runner\n bicep_registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> CheckResult:\n self.entity_type = entity_type\n\n # the \"existing\" key indicates a Bicep resource\n if \"existing\" in conf:\n if conf[\"existing\"] is True:\n # the existing keyword is used to retrieve information about an already deployed resource\n return CheckResult.UNKNOWN\n\n self.api_version = conf[\"api_version\"]\n conf[\"config\"][\"apiVersion\"] = conf[\"api_version\"] # set for better reusability of existing ARM checks\n\n resource_conf = conf[\"config\"]\n if \"loop_type\" in resource_conf:\n # this means the whole resource block is surrounded by a for loop\n resource_conf = resource_conf[\"config\"]\n\n return self.scan_resource_conf(resource_conf)\n\n self.api_version = None\n\n return self.scan_resource_conf(conf)\n\n @abstractmethod\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n raise NotImplementedError()\n"
},
{
"path": "checkov/arm/base_resource_negative_value_check.py",
"content": "from __future__ import annotations\n\nimport re\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.util.data_structures_utils import find_in_dict\nfrom checkov.common.util.type_forcers import force_list\n\nVARIABLE_DEPENDANT_REGEX = re.compile(r\"(?:parameters|variables)\\(\")\n\n\nclass BaseResourceNegativeValueCheck(BaseResourceCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: \"Iterable[CheckCategories]\",\n supported_resources: \"Iterable[str]\",\n missing_block_result: CheckResult = CheckResult.PASSED,\n guideline: str | None = None,\n ) -> None:\n super().__init__(\n name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline\n )\n self.missing_block_result = missing_block_result\n\n @staticmethod\n def _is_variable_dependant(value: Any) -> bool:\n return bool(isinstance(value, str) and re.match(VARIABLE_DEPENDANT_REGEX, value))\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n inspected_key = self.get_inspected_key()\n forbidden_values = self.get_forbidden_values()\n value = find_in_dict(conf, inspected_key)\n if value:\n if isinstance(value, list) and len(value) == 1:\n value = value[0]\n\n if self._is_variable_dependant(value):\n # If the tested attribute is variable-dependant, then result is PASSED\n return CheckResult.UNKNOWN\n\n if value in forbidden_values or ANY_VALUE in forbidden_values:\n return CheckResult.FAILED\n else:\n return CheckResult.PASSED\n\n return self.missing_block_result\n\n @abstractmethod\n def get_inspected_key(self) -> str:\n \"\"\"\n :return: JSONPath syntax path of the checked attribute\n \"\"\"\n raise NotImplementedError()\n\n @abstractmethod\n def get_forbidden_values(self) -> list[Any]:\n \"\"\"\n Returns a list of vulnerable values for the inspected key, governed by provider best practices\n \"\"\"\n raise NotImplementedError()\n\n def get_evaluated_keys(self) -> list[str]:\n return force_list(self.get_inspected_key())\n"
},
{
"path": "checkov/arm/base_resource_value_check.py",
"content": "from __future__ import annotations\n\nimport re\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import Dict, Any, List, Optional\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\nVARIABLE_DEPENDANT_REGEX = re.compile(r\"(?:local|var|module)\\.[^\\s]+\")\n\n\nclass BaseResourceValueCheck(BaseResourceCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_resources: \"Iterable[str]\",\n missing_block_result: CheckResult = CheckResult.FAILED,\n guideline: Optional[str] = None,\n ) -> None:\n super().__init__(\n name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline\n )\n self.missing_block_result = missing_block_result\n\n @staticmethod\n def _is_variable_dependant(value: Any) -> bool:\n if isinstance(value, str) and re.match(VARIABLE_DEPENDANT_REGEX, value):\n return True\n return False\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n inspected_key = self.get_inspected_key()\n expected_values = self.get_expected_values()\n value = find_in_dict(conf, inspected_key)\n if value is not None:\n if ANY_VALUE in expected_values:\n # Key is found in the configuration - if it accepts any value, the check is PASSED\n return CheckResult.PASSED\n if isinstance(value, list) and len(value) == 1:\n value = value[0]\n if value in expected_values:\n return CheckResult.PASSED\n if self._is_variable_dependant(value):\n # If the tested attribute is variable-dependant, then result is PASSED\n return CheckResult.PASSED\n return CheckResult.FAILED\n return self.missing_block_result\n\n @abstractmethod\n def get_inspected_key(self) -> str:\n \"\"\"\n :return: JSONPath syntax path of the checked attribute\n \"\"\"\n raise NotImplementedError()\n\n def get_expected_values(self) -> List[Any]:\n \"\"\"\n Override the method with the list of acceptable values if the check has more than one possible expected value, given\n the inspected key\n :return: List of expected values, defaults to a list of the expected value\n \"\"\"\n return [self.get_expected_value()]\n\n def get_expected_value(self) -> Any:\n \"\"\"\n Returns the default expected value, governed by provider best practices\n \"\"\"\n return True\n"
},
{
"path": "checkov/arm/checks/__init__.py",
"content": "from checkov.arm.checks.resource import * # noqa\nfrom checkov.arm.checks.parameter import * # noqa\n"
},
{
"path": "checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml",
"content": "metadata:\n id: \"CKV2_AZURE_49\"\n name: \"Ensure that Azure Machine learning workspace is not configured with overly permissive network access\"\n category: \"NETWORKING\"\ndefinition:\n or:\n - cond_type: \"attribute\"\n resource_types: \"Microsoft.MachineLearningServices/workspaces\"\n attribute: \"properties.publicNetworkAccess\"\n operator: \"not_exists\"\n - cond_type: \"attribute\"\n resource_types: \"Microsoft.MachineLearningServices/workspaces\"\n attribute: \"properties.publicNetworkAccess\"\n operator: \"equals\"\n value: \"Disabled\""
},
{
"path": "checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml",
"content": "metadata:\n id: \"CKV2_AZURE_23\"\n name: \"Ensure Azure spring cloud is configured with Virtual network (Vnet)\"\n category: \"NETWORKING\"\ndefinition:\n and:\n - cond_type: attribute\n resource_types: \"Microsoft.AppPlatform/Spring\"\n attribute: \"sku.name\"\n operator: \"not_equals_ignore_case\"\n value: \"B0\"\n - cond_type: attribute\n resource_types: \"Microsoft.AppPlatform/Spring\"\n attribute: \"properties.networkProfile.serviceRuntimeSubnetId\"\n operator: \"exists\"\n"
},
{
"path": "checkov/arm/checks/graph_checks/SynapseLogMonitoringEnabledForSQLPool.yaml",
"content": "metadata: \n id: \"CKV2_AZURE_54\"\n name: \"Ensure log monitoring is enabled for Synapse SQL Pool\"\n category: \"LOGGING\"\n\ndefinition:\n and:\n - cond_type: connection\n resource_types:\n - Microsoft.Synapse/workspaces/sqlPools\n connected_resource_types:\n - Microsoft.Synapse/workspaces/sqlPools/auditingSettings\n operator: exists\n - cond_type: filter\n attribute: resource_type\n value:\n - Microsoft.Synapse/workspaces/sqlPools\n operator: within\n\n - or:\n - and:\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/sqlPools/auditingSettings\n attribute: properties.state\n operator: exists\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/sqlPools/auditingSettings\n attribute: properties.state\n operator: equals\n value: Enabled\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/sqlPools/auditingSettings\n attribute: properties.state\n operator: not_exists"
},
{
"path": "checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml",
"content": "metadata: \n id: \"CKV2_AZURE_51\"\n name: \"Ensure Synapse SQL Pool has a security alert policy\"\n category: \"GENERAL_SECURITY\"\n\ndefinition:\n and:\n - cond_type: connection\n resource_types:\n - Microsoft.Synapse/workspaces/sqlPools\n connected_resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n operator: exists\n - cond_type: filter\n attribute: resource_type\n operator: within\n value:\n - Microsoft.Synapse/workspaces/sqlPools\n\n - or:\n - and:\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.state\n operator: exists\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.state\n operator: equals\n value: Enabled\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.state\n operator: not_exists\n"
},
{
"path": "checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml",
"content": "metadata: \n id: \"CKV2_AZURE_52\"\n name: \"Ensure Synapse SQL Pool has vulnerability assessment attached\"\n category: \"GENERAL_SECURITY\"\n\ndefinition:\n and:\n - resource_types:\n - Microsoft.Synapse/workspaces/sqlPools\n connected_resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n operator: exists\n cond_type: connection\n - resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n connected_resource_types:\n - Microsoft.Sql/servers/vulnerabilityAssessments\n operator: exists\n cond_type: connection\n - cond_type: filter\n attribute: resource_type\n value:\n - Microsoft.Synapse/workspaces/sqlPools\n operator: within\n - or:\n - and:\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/vulnerabilityAssessments\n attribute: properties.recurringScans.isEnabled\n operator: exists\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/vulnerabilityAssessments\n attribute: properties.recurringScans.isEnabled\n operator: equals\n value: true\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/vulnerabilityAssessments\n attribute: properties.recurringScans.isEnabled\n operator: not_exists"
},
{
"path": "checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml",
"content": "metadata: \n id: \"CKV2_AZURE_53\"\n name: \"Ensure Azure Synapse Workspace has extended audit logs\"\n category: \"LOGGING\"\n\ndefinition:\n and:\n - cond_type: filter\n attribute: resource_type\n value:\n - Microsoft.Synapse/workspaces\n operator: within\n - cond_type: connection\n resource_types:\n - Microsoft.Synapse/workspaces\n connected_resource_types:\n - Microsoft.Synapse/workspaces/extendedAuditingPolicies\n operator: exists\n\n - or:\n - and:\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/extendedAuditingPolicies\n attribute: properties.state\n operator: exists\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/extendedAuditingPolicies\n attribute: properties.state\n operator: equals\n value: Enabled\n\n - cond_type: attribute\n resource_types:\n - Microsoft.Synapse/workspaces/extendedAuditingPolicies\n attribute: properties.state\n operator: not_exists"
},
{
"path": "checkov/arm/checks/graph_checks/__init__.py",
"content": ""
},
{
"path": "checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_parameter_check import BaseParameterCheck\n\n\nclass SecureStringParameterNoHardcodedValue(BaseParameterCheck):\n def __init__(self) -> None:\n name = \"SecureString parameter should not have hardcoded default values\"\n id = \"CKV_AZURE_131\"\n supported_resources = ('secureString',)\n categories = (CheckCategories.SECRETS,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default\n default_value = conf.get('defaultValue')\n if default_value: # should be missing, or an empty string\n conf[f'{self.id}_secret'] = default_value\n return CheckResult.FAILED\n else:\n return CheckResult.PASSED\n\n\ncheck = SecureStringParameterNoHardcodedValue()\n"
},
{
"path": "checkov/arm/checks/parameter/__init__.py",
"content": "from os.path import dirname, basename, isfile, join\nimport glob\n\nmodules = glob.glob(join(dirname(__file__), \"*.py\"))\n__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith(\"__init__.py\")]\n"
},
{
"path": "checkov/arm/checks/resource/ACRAdminAccountDisabled.py",
"content": "from __future__ import annotations\nfrom typing import Any, List\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure ACR admin account is disabled\"\n id = \"CKV_AZURE_137\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\",)\n categories = [CheckCategories.IAM]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/adminUserEnabled\"\n\n def get_forbidden_values(self) -> List[Any]:\n return [True]\n\n\ncheck = ACRAdminAccountDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/ACRAnonymousPullDisabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass ACRAnonymousPullDisabled(BaseResourceCheck):\n ANONYMOUS_PULL_SKUS = {\"Standard\", \"Premium\"} # noqa: CCE003 # a static attribute\n\n def __init__(self) -> None:\n name = \"Ensures that ACR disables anonymous pulling of images\"\n id = \"CKV_AZURE_138\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\",)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\", {})\n\n anonymousPullEnabled = properties.get(\"anonymousPullEnabled\")\n\n sku = conf.get(\"sku\")\n\n if (\n sku is not None\n and isinstance(sku.get(\"name\"), str)\n and sku.get(\"name\") in ACRAnonymousPullDisabled.ANONYMOUS_PULL_SKUS\n and properties\n and anonymousPullEnabled\n ):\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/anonymousPullEnabled', 'sku']\n\n\ncheck = ACRAnonymousPullDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/ACRContainerScanEnabled.py",
"content": "\nfrom __future__ import annotations\nfrom typing import Any, Dict, List\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass ACRContainerScanEnabled(BaseResourceCheck):\n SKUS = {\"Standard\", \"Premium\"} # noqa: CCE003 # a static attribute\n\n def __init__(self) -> None:\n name = \"Enable vulnerability scanning for container images.\"\n id = \"CKV_AZURE_163\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n sku = conf.get(\"sku\", {})\n sku_name = sku.get(\"name\")\n\n if isinstance(sku_name, str) and sku_name in ACRContainerScanEnabled.SKUS:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"sku\", \"sku/name\"]\n\n\ncheck = ACRContainerScanEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/ACREnableImageQuarantine.py",
"content": "from __future__ import annotations\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass ACREnableImageQuarantine(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure container image quarantine, scan, and mark images verified\"\n id = \"CKV_AZURE_166\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\",)\n categories = (CheckCategories.SUPPLY_CHAIN,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/policies/quarantinePolicy/status\"\n\n def get_expected_value(self) -> str:\n return \"enabled\"\n\n\ncheck = ACREnableImageQuarantine()\n"
},
{
"path": "checkov/arm/checks/resource/ACREnableZoneRedundancy.py",
"content": "from __future__ import annotations\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\nfrom typing import Any\n\n\nclass ACREnableZoneRedundancy(BaseResourceCheck):\n\n def __init__(self) -> None:\n \"\"\"\n Zone redundancy provides resiliency and high availability to\n a registry or replication resource in a specific region. Supported on Premium.\n \"\"\"\n name = \"Ensure Azure Container Registry (ACR) is zone redundant\"\n id = \"CKV_AZURE_233\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\", \"Microsoft.ContainerRegistry/registries/replications\",)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:\n # check registry. default=false\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n self.evaluated_keys = [\"properties\"]\n if properties.get(\"zoneRedundancy\") == \"Disabled\":\n self.evaluated_keys = [\"properties/zoneRedundancy\"]\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = ACREnableZoneRedundancy()\n"
},
{
"path": "checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py",
"content": "\nfrom __future__ import annotations\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass ACRPublicNetworkAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure ACR set to disable public networking\"\n id = \"CKV_AZURE_139\"\n supported_resources = (\"Microsoft.ContainerRegistry/registries\",)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = ACRPublicNetworkAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AKSApiServerAuthorizedIpRanges(BaseResourceCheck):\n def __init__(self) -> None:\n # apiVersion 2017-08-03 and 2018-03-31 = Fail - No authorized IP range available\n # apiVersion 2019-02-01, 2019-04-01, 2019-06-01 - Preview\n # apiversion 2019-08-01 and greater are fully supported\n name = \"Ensure AKS has an API Server Authorized IP Ranges enabled\"\n id = \"CKV_AZURE_6\"\n supported_resources = ('Microsoft.ContainerService/managedClusters',)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n if conf[\"apiVersion\"] in [\"2017-08-31\", \"2018-03-31\"]:\n # ApiServerAuthorizedIpRanges not supported in these API versions\n return CheckResult.FAILED\n elif conf[\"apiVersion\"] in [\"2019-02-01\", \"2019-04-01\", \"2019-06-01\"]:\n # apiServerAuthorizedIPRanges in Preview in these API versions\n if \"properties\" in conf:\n if \"apiServerAuthorizedIPRanges\" in conf[\"properties\"]:\n if conf[\"properties\"][\"apiServerAuthorizedIPRanges\"]:\n return CheckResult.PASSED\n else:\n # ApiServerAuthorizedIpRanges fully supported in all future API versions\n properties = conf.get('properties')\n if not properties or not isinstance(properties, dict):\n return CheckResult.FAILED\n api_server_access_profile = properties.get('apiServerAccessProfile')\n if not api_server_access_profile:\n return CheckResult.FAILED\n authorized_ip_ranges = api_server_access_profile.get('authorizedIPRanges')\n if authorized_ip_ranges:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/apiServerAccessProfile', 'properties/apiServerAccessProfile/authorizedIPRanges']\n\n\ncheck = AKSApiServerAuthorizedIpRanges()\n"
},
{
"path": "checkov/arm/checks/resource/AKSDashboardDisabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AKSDashboardDisabled(BaseResourceCheck):\n def __init__(self) -> None:\n # apiVersion 2017-08-03 = Fail - No addonProfiles option to configure\n name = \"Ensure Kubernetes Dashboard is disabled\"\n id = \"CKV_AZURE_8\"\n supported_resources = ('Microsoft.ContainerService/managedClusters',)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if conf.get(\"apiVersion\") is not None:\n if conf[\"apiVersion\"] == \"2017-08-31\":\n # No addonProfiles option to configure\n self.evaluated_keys = [\"apiVersion\"]\n return CheckResult.FAILED\n\n properties = conf.get(\"properties\")\n self.evaluated_keys = [\"properties\"]\n if properties is None or not isinstance(properties, dict):\n self.evaluated_keys = [\"properties\"]\n return CheckResult.FAILED\n addon_profiles = conf[\"properties\"].get(\"addonProfiles\")\n if not isinstance(addon_profiles, dict):\n self.evaluated_keys = [\"properties/addonProfiles\"]\n return CheckResult.FAILED\n kube_dashboard = addon_profiles.get(\"kubeDashboard\")\n if not isinstance(kube_dashboard, dict):\n self.evaluated_keys = [\"properties/addonProfiles/kubeDashboard\"]\n return CheckResult.FAILED\n enabled = kube_dashboard.get(\"enabled\")\n if enabled is not None and str(enabled).lower() == \"false\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = AKSDashboardDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AKSEncryptionAtHostEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n With host-based encryption, the data stored on the VM host of\n your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service.\n This means the temp disks are encrypted at rest with platform-managed keys.\n The cache of OS and data disks is encrypted at rest with either platform-managed keys\n or customer-managed keys depending on the encryption type set on those disks.\n \"\"\"\n name = \"Ensure that the AKS cluster encrypt temp disks, caches, and data flows \"\n name += \"between Compute and Storage resources\"\n id = \"CKV_AZURE_227\"\n supported_resources = [\"Microsoft.ContainerService/managedClusters\",\n \"Microsoft.ContainerService/managedClusters/agentPools\"]\n categories = [CheckCategories.KUBERNETES, ]\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED,\n )\n\n def get_inspected_key(self) -> str:\n if self.entity_type == \"Microsoft.ContainerService/managedClusters\":\n return \"properties/agentPoolProfiles/[0]/enableEncryptionAtHost\"\n else:\n return \"properties/enableEncryptionAtHost\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = AKSEncryptionAtHostEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSEphemeralOSDisks.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AKSEphemeralOSDisks(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n Temporary data can contain sensitive data at some points, by using ephemeral disks,\n we ensure that data written to OS disk is stored on local VM storage and isn't persisted to Azure Storage\n Azure automatically replicates data stored in the managed OS disk of a virtual machine to Azure storage\n to avoid data loss in case the virtual machine needs to be relocated to another host.\n Generally speaking, containers are not designed to have local state persisted to the managed OS disk,\n hence this behavior offers limited value to AKS hosted while providing some drawbacks,\n including slower node provisioning and higher read/write latency.\n Ephemeral disks allow us also to have faster cluster operations like scale or upgrade\n due to faster re-imaging and boot times.\n \"\"\"\n name = \"Ensure ephemeral disks are used for OS disks\"\n id = \"CKV_AZURE_226\"\n supported_resources = [\"Microsoft.ContainerService/managedClusters\",]\n categories = [CheckCategories.KUBERNETES,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/agentPoolProfiles/[0]/osDiskType\"\n\n def get_expected_value(self) -> str:\n return \"Ephemeral\"\n\n\ncheck = AKSEphemeralOSDisks()\n"
},
{
"path": "checkov/arm/checks/resource/AKSLocalAdminDisabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AKSLocalAdminDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure AKS local admin account is disabled\"\n id = \"CKV_AZURE_141\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/disableLocalAccounts\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = AKSLocalAdminDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSLoggingEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AKSLoggingEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # apiVersion 2017-08-03 = Fail - No addonProfiles option to configure\n name = \"Ensure AKS logging to Azure Monitoring is Configured\"\n id = \"CKV_AZURE_4\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n if conf[\"apiVersion\"] == \"2017-08-31\":\n self.evaluated_keys = [\"apiVersion\"]\n # No addonProfiles option to configure\n return CheckResult.FAILED\n\n properties = conf.get(\"properties\")\n self.evaluated_keys = [\"properties\"]\n if isinstance(properties, dict):\n addon_profiles = properties.get(\"addonProfiles\")\n if isinstance(addon_profiles, dict):\n self.evaluated_keys = [\"properties/addonProfiles\"]\n omsagent = addon_profiles.get(\"omsagent\")\n if not omsagent:\n # it can be written in lowercase or camelCase\n omsagent = addon_profiles.get(\"omsAgent\")\n\n if isinstance(omsagent, dict) and omsagent.get(\"enabled\"):\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = AKSLoggingEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSMaxPodsMinimum.py",
"content": "from __future__ import annotations\nfrom typing import Any, List\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom typing import Optional\n\n\nclass AKSMaxPodsMinimum(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods.\"\n id = \"CKV_AZURE_168\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",\n \"Microsoft.ContainerService/managedClusters/agentPools\", )\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n max_pods: Optional[int] = 30\n\n properties = conf.get(\"properties\", {})\n if properties and isinstance(properties, dict):\n max_pods = properties.get(\"maxPods\")\n\n if \"agentPoolProfiles\" in properties:\n if \"maxPods\" in properties[\"agentPoolProfiles\"][0]:\n max_pods = properties[\"agentPoolProfiles\"][0][\"maxPods\"]\n\n if max_pods is None or max_pods < 50:\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/agentPoolProfiles\", \"properties/agentPoolProfiles/maxPods\"]\n\n\ncheck = AKSMaxPodsMinimum()\n"
},
{
"path": "checkov/arm/checks/resource/AKSNetworkPolicy.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AKSNetworkPolicy(BaseResourceCheck):\n def __init__(self) -> None:\n # apiVersion 2017-08-03 = Fail - No networkProfile option to configure\n name = \"Ensure AKS cluster has Network Policy configured\"\n id = \"CKV_AZURE_7\"\n supported_resources = ('Microsoft.ContainerService/managedClusters',)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n if conf[\"apiVersion\"] == \"2017-08-31\":\n # No networkProfile option to configure\n return CheckResult.FAILED\n\n properties = conf.get('properties')\n if not properties or not isinstance(properties, dict):\n return CheckResult.FAILED\n network_profile = properties.get('networkProfile')\n if not network_profile:\n return CheckResult.FAILED\n network_policy = network_profile.get('networkPolicy')\n if network_policy:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/networkProfile', 'properties/networkProfile/networkPolicy']\n\n\ncheck = AKSNetworkPolicy()\n"
},
{
"path": "checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass AKSPoolTypeIsScaleSet(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets\"\n id = \"CKV_AZURE_169\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n return \"properties/agentPoolProfiles/[0]/type\"\n\n def get_forbidden_values(self) -> list[Any]:\n return [\"AvailabilitySet\"]\n\n\ncheck = AKSPoolTypeIsScaleSet()\n"
},
{
"path": "checkov/arm/checks/resource/AKSRbacEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AKSRbacEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # apiVersion 2017-08-03 = Fail - No enableRBAC option to configure\n name = \"Ensure RBAC is enabled on AKS clusters\"\n id = \"CKV_AZURE_5\"\n supported_resources = ('Microsoft.ContainerService/managedClusters',)\n categories = (CheckCategories.KUBERNETES,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n if conf[\"apiVersion\"] == \"2017-08-31\":\n # No enableRBAC option to configure\n self.evaluated_keys = [\"apiVersion\"]\n return CheckResult.FAILED\n\n self.evaluated_keys = [\"properties\"]\n properties = conf.get('properties')\n if not properties or not isinstance(properties, dict):\n return CheckResult.FAILED\n enable_RBAC = properties.get('enableRBAC')\n if str(enable_RBAC).lower() == \"true\":\n return CheckResult.PASSED\n self.evaluated_keys.append(\"properties/enableRBAC\")\n return CheckResult.FAILED\n\n\ncheck = AKSRbacEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AKSUpgradeChannel.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass AKSUpgradeChannel(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure AKS cluster upgrade channel is chosen\"\n id = \"CKV_AZURE_171\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED,\n )\n\n def get_inspected_key(self) -> str:\n return \"properties/autoUpgradeProfile/upgradeChannel\"\n\n def get_forbidden_values(self) -> Any:\n return \"none\"\n\n\ncheck = AKSUpgradeChannel()\n"
},
{
"path": "checkov/arm/checks/resource/APIManagementMinTLS12.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass APIManagementMinTLS12(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure API management uses at least TLS 1.2\"\n id = \"CKV_AZURE_173\"\n supported_resources = (\"Microsoft.ApiManagement/service\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if isinstance(properties, dict) and \"customProperties\" in properties:\n self.evaluated_keys = [\"properties\"]\n customProperties = properties.get(\"customProperties\")\n if isinstance(customProperties, dict):\n self.evaluated_keys = [\"properties/customProperties\"]\n if customProperties.get(\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30\"):\n return CheckResult.FAILED\n if customProperties.get(\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10\"):\n return CheckResult.FAILED\n if customProperties.get(\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30\"):\n return CheckResult.FAILED\n if customProperties.get(\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10\"):\n return CheckResult.FAILED\n if customProperties.get(\"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11\"):\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = APIManagementMinTLS12()\n"
},
{
"path": "checkov/arm/checks/resource/APIManagementPublicAccess.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass APIManagementPublicAccess(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure API management public access is disabled\"\n id = \"CKV_AZURE_174\"\n supported_resources = (\"Microsoft.ApiManagement/service\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> Any:\n return \"Disabled\"\n\n\ncheck = APIManagementPublicAccess()\n"
},
{
"path": "checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py",
"content": "from typing import Any\n\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass APIServicesUseVirtualNetwork(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that API management services use virtual networks\"\n id = \"CKV_AZURE_107\"\n supported_resources = (\"Microsoft.ApiManagement/service\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED,\n )\n\n def get_inspected_key(self) -> str:\n return \"properties/virtualNetworkConfiguration\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = APIServicesUseVirtualNetwork()\n"
},
{
"path": "checkov/arm/checks/resource/AkSSecretStoreRotation.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AkSSecretStoreRotation(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters\"\n id = \"CKV_AZURE_172\"\n supported_resources = (\"Microsoft.ContainerService/managedClusters\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/addonProfiles/azureKeyvaultSecretsProvider/config/enableSecretRotation\"\n\n\ncheck = AkSSecretStoreRotation()\n"
},
{
"path": "checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py",
"content": "from __future__ import annotations\nfrom typing import Any, List\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\nBAD_CIPHERS = {\n \"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\",\n \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\n \"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\n \"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\",\n \"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\",\n \"TLS_DHE_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_DHE_RSA_WITH_AES_128_CBC_SHA\",\n \"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n \"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n \"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \",\n \"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\n \"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\n \"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\n \"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256\",\n \"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 \",\n \"TLS_DHE_DSS_WITH_AES_256_CBC_SHA\",\n \"TLS_DHE_DSS_WITH_AES_128_CBC_SHA\",\n \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n \"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\",\n}\nPROTOCOL_VERSIONS = {\"TLSv1_2\", \"TLSv1_3\"}\n\n\nclass AppGWDefinesSecureProtocols(BaseResourceCheck):\n def __init__(self) -> None:\n \"\"\"\n https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/\n \"\"\"\n name = \"Ensure Application Gateway defines secure protocols for in transit communication\"\n id = \"CKV_AZURE_218\"\n supported_resources = (\"Microsoft.Network/applicationGateways\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n sslPolicy = conf[\"properties\"].get(\"sslPolicy\")\n if sslPolicy and isinstance(sslPolicy, dict):\n policyType = sslPolicy.get(\"policyType\")\n if policyType != \"Predefined\":\n protocolversion = sslPolicy.get(\"minProtocolVersion\")\n if (\n protocolversion and isinstance(protocolversion, str)\n and protocolversion in PROTOCOL_VERSIONS\n ):\n ciphers = sslPolicy.get(\"cipherSuites\")\n if ciphers and isinstance(ciphers, list) and any(cipher in BAD_CIPHERS for cipher in ciphers):\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n policyName = sslPolicy.get(\"policyName\")\n if policyName == \"AppGwSslPolicy20220101S\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties/sslPolicy\", \"properties/sslPolicy/policyType\", \"properties/sslPolicy/minProtocolVersion\",\n \"properties/sslPolicy/cipherSuites\"]\n\n\ncheck = AppGWDefinesSecureProtocols()\n"
},
{
"path": "checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py",
"content": "from typing import Dict, Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.type_forcers import force_list\n\n\nclass AppGatewayWAFACLCVE202144228(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell\"\n id = \"CKV_AZURE_135\"\n supported_resources = (\"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",)\n categories = (CheckCategories.APPLICATION_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if not properties:\n return CheckResult.FAILED\n self.evaluated_keys = properties.get(\"managedRules\")\n managed_rules = properties.get(\"managedRules\")\n if managed_rules:\n managed_rule_sets = managed_rules.get(\"managedRuleSets\") or []\n for idx_rule_set, rule_set in enumerate(force_list(managed_rule_sets)):\n self.evaluated_keys = [\n f\"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetType\",\n f\"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetVersion\",\n ]\n if (rule_set.get(\"ruleSetType\") == \"OWASP\" or not rule_set.get(\"ruleSetType\")) and rule_set.get(\"ruleSetVersion\") in [\"3.1\", \"3.2\"]:\n rule_overrides = rule_set.get(\"ruleGroupOverrides\") or []\n for idx_override, rule_override in enumerate(force_list(rule_overrides)):\n self.evaluated_keys.extend(\n [\n f\"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/ruleGroupName\",\n f\"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules\",\n ]\n )\n if isinstance(rule_override, dict) and rule_override.get(\"ruleGroupName\") == \"REQUEST-944-APPLICATION-ATTACK-JAVA\":\n disabled_rules = rule_override.get(\"rules\") or []\n for idx_rule_id, disabled_rule in enumerate(force_list(disabled_rules)):\n self.evaluated_keys.extend(\n [\n f\"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule_id}]/ruleId\",\n ]\n )\n if disabled_rule.get(\"ruleId\") == \"944240\":\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = AppGatewayWAFACLCVE202144228()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceAuthentication.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites/config-authsettings\n\n\nclass AppServiceAuthentication(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure App Service Authentication is set on Azure App Service\"\n id = \"CKV_AZURE_13\"\n supported_resources = (\"Microsoft.Web/sites/config\", \"config\")\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"name\"]\n if self.entity_type == \"Microsoft.Web/sites/config\":\n if \"name\" in conf and \"authsettings\" in conf[\"name\"]:\n if \"properties\" in conf and \"enabled\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"enabled\"]).lower() == \"true\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n elif self.entity_type == \"config\":\n if \"name\" in conf and conf[\"name\"] == \"authsettings\":\n if \"parent_type\" in conf:\n if conf[\"parent_type\"] == \"Microsoft.Web/sites\":\n if \"properties\" in conf:\n if \"enabled\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"enabled\"]).lower() == \"true\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n return CheckResult.UNKNOWN\n\n\ncheck = AppServiceAuthentication()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceClientCertificate.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AppServiceClientCertificate(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites\n # clientCertEnabled default = false\n name = \"Ensure the web app has 'Client Certificates (Incoming client certificates)' set\"\n id = \"CKV_AZURE_17\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"clientCertEnabled\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"clientCertEnabled\"]).lower() == \"true\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/clientCertEnabled\"]\n\n\ncheck = AppServiceClientCertificate()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py",
"content": "from __future__ import annotations\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServiceDetailedErrorMessagesEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that App service enables detailed error messages\"\n id = \"CKV_AZURE_65\"\n supported_resources = ['Microsoft.Web/sites/config']\n categories = [CheckCategories.LOGGING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/detailedErrorLoggingEnabled\"\n\n\ncheck = AppServiceDetailedErrorMessagesEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceDisallowCORS.py",
"content": "from typing import Any, List\n\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AppServiceDisallowCORS(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that CORS disallows every resource to access app services\"\n id = \"CKV_AZURE_57\"\n supported_resources = (\"Microsoft.Web/sites\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED\n )\n\n def get_inspected_key(self) -> str:\n return 'properties/siteConfig/cors/allowedOrigins'\n\n def get_forbidden_values(self) -> List[Any]:\n return ['*']\n\n\ncheck = AppServiceDisallowCORS()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServiceDotnetFrameworkVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Net Framework' version is the latest, if used as a part of the web app\"\n id = \"CKV_AZURE_80\"\n supported_resources = ['Microsoft.Web/sites/config']\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/netFrameworkVersion\"\n\n def get_expected_value(self) -> str:\n return \"v8.0\"\n\n\ncheck = AppServiceDotnetFrameworkVersion()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceEnableFailedRequest.py",
"content": "from __future__ import annotations\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServiceEnableFailedRequest(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n todo: revisit when graph fully enabled as web config section could be missing entirely from a web app\n \"\"\"\n\n name = \"Ensure that App service enables failed request tracing\"\n id = \"CKV_AZURE_66\"\n supported_resources = [\"Microsoft.Web/sites/config\"]\n categories = [CheckCategories.LOGGING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/requestTracingEnabled\"\n\n\ncheck = AppServiceEnableFailedRequest()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceFTPSState.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom typing import List\nfrom typing import Any\n\n\nclass AppServiceFTPSState(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure FTP deployments are disabled\"\n id = \"CKV_AZURE_78\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.APPLICATION_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/ftpsState\"\n\n def get_expected_value(self) -> Any:\n return \"Disabled\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"Disabled\", \"FtpsOnly\"]\n\n\ncheck = AppServiceFTPSState()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceHTTPSOnly.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AppServiceHTTPSOnly(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites\n name = \"Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service\"\n id = \"CKV_AZURE_14\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"httpsOnly\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"httpsOnly\"]).lower() == \"true\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/httpsOnly\"]\n\n\ncheck = AppServiceHTTPSOnly()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py",
"content": "\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServiceHttpLoggingEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that App service enables HTTP logging\"\n id = \"CKV_AZURE_63\"\n supported_resources = [\"Microsoft.Web/sites/config\"]\n categories = [CheckCategories.LOGGING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/httpLoggingEnabled\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = AppServiceHttpLoggingEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceHttps20Enabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass AppServiceHttps20Enabled(BaseResourceCheck):\n # apiVersion = 2018-11-01 - http20Enabled is a string\n # apiVersion > 2020-10-01 - http20Enabled is a boolean\n def __init__(self) -> None:\n name = \"Ensure that 'HTTP Version' is the latest if used to run the web app\"\n id = \"CKV_AZURE_18\"\n supported_resources = (\"Microsoft.Web/sites\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties\"]\n http_20_enabled = find_in_dict(conf, \"properties/siteConfig/http20Enabled\")\n if http_20_enabled and \"apiVersion\" in conf:\n self.evaluated_keys = [\"properties/siteConfig/http20Enabled\", \"apiVersion\"]\n if conf[\"apiVersion\"] == \"2018-11-01\":\n if isinstance(http_20_enabled, str) and str(http_20_enabled).lower() == \"true\":\n return CheckResult.PASSED\n elif isinstance(http_20_enabled, bool) and http_20_enabled:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = AppServiceHttps20Enabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceIdentity.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AppServiceIdentity(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites#ManagedServiceIdentity\n # https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity\n # https://docs.microsoft.com/en-us/azure/app-service/samples-resource-manager-templates\n name = \"Ensure that Register with Azure Active Directory is enabled on App Service\"\n id = \"CKV_AZURE_16\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"identity\" in conf:\n if \"type\" in conf[\"identity\"]:\n if conf[\"identity\"][\"type\"] == \"SystemAssigned\":\n return CheckResult.PASSED\n elif conf[\"identity\"][\"type\"] == \"UserAssigned\":\n if \"userAssignedIdentities\" in conf[\"identity\"]:\n if conf[\"identity\"][\"userAssignedIdentities\"]:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['identity', 'identity/type', 'identity/userAssignedIdentities']\n\n\ncheck = AppServiceIdentity()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py",
"content": "from typing import Any\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServiceIdentityProviderEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Managed identity provider is enabled for web apps\"\n id = \"CKV_AZURE_71\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"identity/type\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = AppServiceIdentityProviderEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceInstanceMinimum.py",
"content": "from __future__ import annotations\n\nfrom typing import Dict, List\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AppServiceInstanceMinimum(BaseResourceCheck):\n def __init__(self) -> None:\n # \"App Services Plans provides a configurable number of instances that will run apps.\n # When a single instance is configured your app may be temporarily unavailable during unplanned interruptions.\n # In most circumstances, Azure will self-heal faulty app service instances automatically.\n # How-ever during this time there may interruptions to your workload.\"\n name = \"Ensure App Service has a minimum number of instances for failover\"\n id = \"CKV_AZURE_212\"\n supported_resources = (\"Microsoft.Web/sites\", \"Microsoft.Web/sites/slots\")\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, int]]]) -> CheckResult:\n if \"properties\" in conf:\n if conf.get(\"properties\", {}).get(\"siteConfig\") is not None:\n if \"numberOfWorkers\" in conf[\"properties\"][\"siteConfig\"]:\n worker_count = conf[\"properties\"][\"siteConfig\"][\"numberOfWorkers\"]\n if worker_count:\n if not isinstance(worker_count, int):\n return CheckResult.UNKNOWN\n if worker_count > 1:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/siteConfig\", \"properties/siteConfig/numberOfWorkers\"]\n\n\ncheck = AppServiceInstanceMinimum()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceJavaVersion.py",
"content": "from typing import Any\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServiceJavaVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Java version' is the latest, if used to run the web app\"\n id = \"CKV_AZURE_83\"\n supported_resources = ('Microsoft.Web/sites',)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.UNKNOWN)\n\n def get_inspected_key(self) -> str:\n return \"siteConfig/javaVersion\"\n\n def get_expected_value(self) -> Any:\n return '17'\n\n\ncheck = AppServiceJavaVersion()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceMinTLSVersion.py",
"content": "from typing import Any, List\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServiceMinTLSVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure web app is using the latest version of TLS encryption\"\n id = \"CKV_AZURE_15\"\n supported_resources = (\"Microsoft.Web/sites\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites\n return \"properties/siteConfig/minTlsVersion\"\n\n def get_expected_value(self) -> Any:\n return \"1.2\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"1.2\", 1.2, \"1.3\", 1.3]\n\n\ncheck = AppServiceMinTLSVersion()\n"
},
{
"path": "checkov/arm/checks/resource/AppServicePHPVersion.py",
"content": "from typing import Any, List\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServicePHPVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'PHP version' is the latest, if used to run the web app\"\n id = \"CKV_AZURE_81\"\n supported_resources = [\"Microsoft.Web/sites\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.UNKNOWN)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/phpVersion\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"8.1\", \"8.2\"]\n\n\ncheck = AppServicePHPVersion()\n"
},
{
"path": "checkov/arm/checks/resource/AppServicePlanZoneRedundant.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServicePlanZoneRedundant(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n To enhance the resiliency and reliability of business-critical workloads,\n it's recommended to deploy new App Service Plans with zone-redundancy.\n\n There's no additional cost associated with enabling availability zones.\n Pricing for a zone redundant App Service is the same as a single zone App Service.\n \"\"\"\n name = \"Ensure the App Service Plan is zone redundant\"\n id = \"CKV_AZURE_225\"\n supported_resources = [\"Microsoft.Web/serverfarms\", ]\n categories = [CheckCategories.BACKUP_AND_RECOVERY, ]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED)\n\n def get_inspected_key(self) -> str:\n return \"properties/zoneRedundant\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = AppServicePlanZoneRedundant()\n"
},
{
"path": "checkov/arm/checks/resource/AppServicePublicAccessDisabled.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServicePublicAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Web App public network access is disabled\"\n id = \"CKV_AZURE_222\"\n supported_resources = [\n \"Microsoft.Web/sites\",\n \"Microsoft.Web/sites/slots\",\n \"Microsoft.Web/sites/config\"\n ]\n categories = [CheckCategories.NETWORKING,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> Any:\n return \"Disabled\"\n\n\ncheck = AppServicePublicAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServicePythonVersion.py",
"content": "from typing import List, Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AppServicePythonVersion(BaseResourceValueCheck):\n\n def __init__(self) -> None:\n name = \"Ensure that 'Python version' is the latest, if used to run the web app\"\n id = \"CKV_AZURE_82\"\n supported_resources = (\"Microsoft.Web/sites\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.UNKNOWN)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/pythonVersion\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"3.9\", \"3.10\", \"3.11\", \"3.12\"]\n\n\ncheck = AppServicePythonVersion()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that remote debugging is not enabled for app services\"\n id = \"CKV_AZURE_72\"\n supported_resources = [\"Microsoft.Web/sites\",]\n categories = [CheckCategories.GENERAL_SECURITY,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED,)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/remoteDebuggingEnabled\"\n\n def get_expected_value(self) -> bool:\n return False\n\n\ncheck = AppServiceRemoteDebuggingNotEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceSetHealthCheck.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServiceSetHealthCheck(BaseResourceValueCheck):\n def __init__(self) -> None:\n # \"Azure App Service monitors a specific path for each web app instance to determine health status.\n # The monitored path should implement functional checks to determine if the app is performing correctly.\n # The checks should include dependencies including those that may not be regularly called.\n # Regular checks of the monitored path allow Azure App Service to route traffic based on availability.\"\n name = \"Ensure that App Service configures health check\"\n id = \"CKV_AZURE_213\"\n supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/siteConfig/healthCheckPath'\n\n def get_expected_values(self) -> Any:\n return ANY_VALUE\n\n\ncheck = AppServiceSetHealthCheck()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AppServiceSlotDebugDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure debugging is disabled for the App service slot\"\n id = \"CKV_AZURE_155\"\n supported_resources = ('Microsoft.Web/sites/slots', 'Microsoft.Web/sites',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/remoteDebuggingEnabled\"\n\n def get_expected_value(self) -> bool:\n return False\n\n\ncheck = AppServiceSlotDebugDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AppServiceSlotHTTPSOnly(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\"\n id = \"CKV_AZURE_153\"\n supported_resources = (\"Microsoft.Web/sites\", \"Microsoft.Web/sites/slots\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/httpsOnly\"\n\n\ncheck = AppServiceSlotHTTPSOnly()\n"
},
{
"path": "checkov/arm/checks/resource/AppServiceUsedAzureFiles.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AppServiceUsedAzureFiles(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that app services use Azure Files\"\n id = \"CKV_AZURE_88\"\n supported_resources = (\"Microsoft.Web/sites/config\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get('properties')\n if properties and isinstance(properties, dict):\n azureStorageAccounts = properties.get(\"azureStorageAccounts\")\n if azureStorageAccounts and isinstance(azureStorageAccounts, dict):\n for account_data in azureStorageAccounts.values():\n if isinstance(account_data, dict) and account_data.get('type') == \"AzureFiles\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/azureStorageAccounts']\n\n\ncheck = AppServiceUsedAzureFiles()\n"
},
{
"path": "checkov/arm/checks/resource/AutomationEncrypted.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass AutomationEncrypted(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Automation account variables are encrypted\"\n id = \"CKV_AZURE_73\"\n supported_resources = (\"Microsoft.Automation/automationAccounts/variables\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/isEncrypted\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = AutomationEncrypted()\n"
},
{
"path": "checkov/arm/checks/resource/AzureBatchAccountEndpointAccessDefaultAction.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass AzureBatchAccountEndpointAccessDefaultAction(BaseResourceCheck):\n\n DISABLED_PUBLIC_NETWORK_ACCESS = \"disabled\"\n FORBIDDEN_NETWORK_ACCESS_DEFAULT_ACTION = \"allow\"\n\n def __init__(self) -> None:\n name = \"Ensure that if Azure Batch account public network access in case 'enabled' then its account access must be 'deny'\"\n id = \"CKV_AZURE_248\"\n supported_resources = (\"Microsoft.Batch/batchAccounts\",)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n @staticmethod\n def _exists_and_lower_equal(actual_value: Any, expected_lowercase_value: str) -> bool:\n return actual_value and str(actual_value).lower() == expected_lowercase_value\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get('properties')\n if not properties or not isinstance(properties, dict):\n return CheckResult.FAILED\n\n public_network_access = properties.get('publicNetworkAccess')\n # public network access is disabled, no need to check for account access default action\n if self._exists_and_lower_equal(public_network_access, self.DISABLED_PUBLIC_NETWORK_ACCESS):\n return CheckResult.PASSED\n\n network_profile = properties.get('networkProfile')\n if not network_profile:\n return CheckResult.PASSED\n account_access = network_profile.get('accountAccess')\n if not account_access:\n return CheckResult.PASSED\n default_action = account_access.get('defaultAction')\n if not self._exists_and_lower_equal(default_action, self.FORBIDDEN_NETWORK_ACCESS_DEFAULT_ACTION):\n return CheckResult.PASSED\n\n self.evaluated_keys = [\"properties/networkProfile/accountAccess/defaultAction\"]\n return CheckResult.FAILED\n\n\ncheck = AzureBatchAccountEndpointAccessDefaultAction()\n"
},
{
"path": "checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py",
"content": "from checkov.common.models.consts import ANY_VALUE\nfrom typing import Any\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureBatchAccountUsesKeyVaultEncryption(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Batch account uses key vault to encrypt data\"\n id = \"CKV_AZURE_76\"\n supported_resources = (\"Microsoft.Batch/batchAccounts\",)\n categories = [CheckCategories.ENCRYPTION]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n return \"properties/keyVaultReference\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = AzureBatchAccountUsesKeyVaultEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py",
"content": "from typing import Any\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureDataExplorerDoubleEncryptionEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name: str = \"Ensure that Azure Data Explorer uses double encryption\"\n id: str = \"CKV_AZURE_75\"\n supported_resources = (\"Microsoft.Kusto/clusters\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/enableDoubleEncryption\"\n\n def get_expected_value(self) -> Any:\n return True\n\n\ncheck: Any = AzureDataExplorerDoubleEncryptionEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, Dict\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureDefenderOnKeyVaults(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Defender is set to On for Key Vault\"\n id = \"CKV_AZURE_87\"\n supported_resources = (\"Microsoft.Security/pricings\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get('properties', {})\n pricing_tier = properties.get('pricingTier')\n name = conf.get('name', '')\n return (\n CheckResult.PASSED\n if pricing_tier == \"Standard\" and name == 'KeyVaults'\n else CheckResult.FAILED\n )\n\n def get_evaluated_keys(self) -> list[str]:\n return [\"properties.pricingTier\", \"name\"]\n\n\ncheck = AzureDefenderOnKeyVaults()\n"
},
{
"path": "checkov/arm/checks/resource/AzureDefenderOnKubernetes.py",
"content": "from __future__ import annotations\nfrom typing import Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureDefenderOnKubernetes(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Defender is set to On for Kubernetes\"\n id = \"CKV_AZURE_85\"\n supported_resources = (\"Microsoft.Security/pricings\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n return (\n CheckResult.PASSED\n if conf.get(\"name\") != \"KubernetesService\" or str(conf[\"properties\"][\"pricingTier\"]).lower() == \"standard\"\n else CheckResult.FAILED\n )\n\n def get_evaluated_keys(self) -> list[str]:\n return [\"name\", \"pricingTier\"]\n\n\ncheck = AzureDefenderOnKubernetes()\n"
},
{
"path": "checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom typing import List, Dict, Any\n\n\nclass AzureDefenderOnSqlServersVMS(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Defender is set to On for SQL servers on machines\"\n id = \"CKV_AZURE_79\"\n supported_resources = (\"Microsoft.Security/pricings\",)\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n )\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\", {})\n name = conf.get(\"name\", \"\")\n tier = properties.get(\"tier\")\n if tier == \"Standard\" and name == \"SqlServerVirtualMachines\":\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"tier\"]\n\n\ncheck = AzureDefenderOnSqlServersVMS()\n"
},
{
"path": "checkov/arm/checks/resource/AzureDefenderOnStorage.py",
"content": "from typing import Any, Dict, List\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureDefenderOnStorage(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Defender is set to On for Storage\"\n id = \"CKV_AZURE_84\"\n supported_resources = (\"Microsoft.Security/pricings\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties: Dict[str, Any] = conf.get(\"properties\", {})\n pricingTier = properties.get(\"pricingTier\", \"\")\n return (\n CheckResult.PASSED\n if pricingTier == \"Standard\"\n else CheckResult.FAILED\n )\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties/pricingTier\"]\n\n\ncheck = AzureDefenderOnStorage()\n"
},
{
"path": "checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureFirewallDenyThreatIntelMode(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Firewall.Mode/\n Configure deny on threat intel for classic managed Azure Firewalls\n \"\"\"\n name = \"Ensure DenyIntelMode is set to Deny for Azure Firewalls\"\n id = \"CKV_AZURE_216\"\n supported_resources = (\"Microsoft.Network/azureFirewalls\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/threatIntelMode'\n\n def get_expected_value(self) -> Any:\n return \"Deny\"\n\n\ncheck = AzureFirewallDenyThreatIntelMode()\n"
},
{
"path": "checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py",
"content": "from typing import Any\n\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureFrontDoorEnablesWAF(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Front Door enables WAF\"\n id = \"CKV_AZURE_121\"\n supported_resources = (\"Microsoft.Network/frontDoors\",)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/frontendEndpoints/[0]/properties/webApplicationFirewallPolicyLink/id\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = AzureFrontDoorEnablesWAF()\n"
},
{
"path": "checkov/arm/checks/resource/AzureInstanceExtensions.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureInstanceExtensions(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Virtual Machine Extensions are not Installed\"\n id = \"CKV_AZURE_50\"\n supported_resources = [\"Microsoft.Compute/virtualMachines\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/osProfile/allowExtensionOperations\"\n\n def get_expected_value(self) -> bool:\n return False\n\n\ncheck = AzureInstanceExtensions()\n"
},
{
"path": "checkov/arm/checks/resource/AzureInstancePassword.py",
"content": "from typing import Any, Dict\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass AzureInstancePassword(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)\"\n id = \"CKV_AZURE_1\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\",)\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if isinstance(properties, dict):\n storage_profile = properties.get(\"storageProfile\")\n if isinstance(storage_profile, dict):\n image_reference = storage_profile.get(\"imageReference\")\n if isinstance(image_reference, dict):\n publisher = image_reference.get(\"publisher\")\n if publisher and (\"windows\" in publisher.lower() or\n \"microsoft\" in publisher.lower()):\n # This check is not relevant to Windows systems\n return CheckResult.UNKNOWN\n\n return super().scan_resource_conf(conf)\n\n def get_inspected_key(self) -> str:\n return \"properties/osProfile/linuxConfiguration/disablePasswordAuthentication\"\n\n def get_expected_value(self) -> Any:\n return True\n\n\ncheck = AzureInstancePassword()\n"
},
{
"path": "checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py",
"content": "from typing import Dict, Any, List\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.consts import START_LINE, END_LINE\n\n\nclass AzureMLWorkspacePrivateEndpoint(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Machine learning workspace is configured with private endpoint\"\n id = \"CKV_AZURE_243\"\n supported_resources = [\"Microsoft.MachineLearningServices/workspaces\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if isinstance(properties, dict):\n managed_network = properties.get(\"managedNetwork\")\n if isinstance(managed_network, dict):\n ob_rules = managed_network.get(\"outboundRules\")\n if isinstance(ob_rules, dict):\n # check no outbound rule has private endpoint type\n for key, rule in ob_rules.items():\n if key in [START_LINE, END_LINE]:\n # Skip inner fields we add\n continue\n if rule.get(\"type\") == \"PrivateEndpoint\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/[0]/managedNetwork\", \"properties/[0]/managedNetwork/[0]/outboundRules\"]\n\n\ncheck = AzureMLWorkspacePrivateEndpoint()\n"
},
{
"path": "checkov/arm/checks/resource/AzureManagedDiscEncryption.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass AzureManagedDiscEncryption(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure managed disk have encryption enabled\"\n id = \"CKV_AZURE_2\"\n supported_resources = (\"Microsoft.Compute/disks\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if properties:\n self.evaluated_keys = [\"properties\"]\n encryption = properties.get(\"encryption\")\n if encryption:\n # if the block exists, then it is enabled\n return CheckResult.PASSED\n\n encryption_enabled = find_in_dict(input_dict=properties, key_path=\"encryptionSettingsCollection/enabled\")\n if str(encryption_enabled).lower() == \"true\":\n return CheckResult.PASSED\n\n encryption_enabled = find_in_dict(input_dict=properties, key_path=\"encryptionSettings/enabled\")\n if str(encryption_enabled).lower() == \"true\":\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = AzureManagedDiscEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py",
"content": "from typing import Any\n\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureManagedDiskEncryptionSet(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = (\n \"Ensure that managed disks use a specific set of disk encryption sets for the \"\n \"customer-managed key encryption\"\n )\n id = \"CKV_AZURE_93\"\n supported_resources = (\"Microsoft.Compute/disks\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/encryption/diskEncryptionSetId\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = AzureManagedDiskEncryptionSet()\n"
},
{
"path": "checkov/arm/checks/resource/AzureScaleSetPassword.py",
"content": "from typing import Dict, Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass AzureScaleSetPassword(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)\"\n id = \"CKV_AZURE_49\"\n supported_resources = (\"Microsoft.Compute/virtualMachineScaleSets\",)\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if isinstance(properties, dict):\n vm_profile = properties.get(\"virtualMachineProfile\")\n if isinstance(vm_profile, dict):\n storage_profile = vm_profile.get(\"storageProfile\")\n if isinstance(storage_profile, dict):\n image_reference = storage_profile.get(\"imageReference\")\n if isinstance(image_reference, dict):\n publisher = image_reference.get(\"publisher\")\n if publisher and \"windows\" in publisher.lower():\n # This check is not relevant to Windows systems\n return CheckResult.UNKNOWN\n\n return super().scan_resource_conf(conf)\n\n def get_inspected_key(self) -> str:\n return \"properties/virtualMachineProfile/osProfile/linuxConfiguration/disablePasswordAuthentication\"\n\n def get_expected_value(self) -> Any:\n return True\n\n\ncheck = AzureScaleSetPassword()\n"
},
{
"path": "checkov/arm/checks/resource/AzureSearchSLAIndex.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, Dict\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureSearchSLAIndex(BaseResourceCheck):\n def __init__(self) -> None:\n # Cognitive Search services support indexing and querying. Indexing is the process of loading content into\n # the service to make it searchable. Querying is the process where a client searches for content\n # by sending queries to the index.\n # Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and\n # index updates to load balance across multiple replicas.\n #\n # To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.\n name = \"Ensure that Azure Cognitive Search maintains SLA for index updates\"\n id = \"CKV_AZURE_208\"\n supported_resources = [\"Microsoft.Search/searchServices\", ]\n categories = [CheckCategories.GENERAL_SECURITY, ]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\", {})\n self.evaluated_keys = [\"properties\"]\n if not isinstance(properties, dict):\n return CheckResult.FAILED\n replica_count = properties.get(\"replicaCount\")\n if replica_count and isinstance(replica_count, int):\n if replica_count >= 3:\n return CheckResult.PASSED\n else:\n self.evaluated_keys = [\"properties/replicaCount\"]\n return CheckResult.FAILED\n else:\n return CheckResult.FAILED\n\n\ncheck = AzureSearchSLAIndex()\n"
},
{
"path": "checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureSearchSQLQueryUpdates(BaseResourceCheck):\n def __init__(self) -> None:\n # Cognitive Search services support indexing and querying. Indexing is the process of loading content\n # into the service to make it searchable. Querying is the process where a client searches for content\n # by sending queries to the index.\n # Cognitive Search supports a configurable number of replicas.\n # Having multiple replicas allows queries and index updates to load balance across multiple replicas.\n # To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.\n name = \"Ensure that Azure Cognitive Search maintains SLA for search index queries\"\n id = \"CKV_AZURE_209\"\n supported_resources = [\"Microsoft.Search/searchServices\", ]\n categories = [CheckCategories.GENERAL_SECURITY, ]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties/replicaCount\"]\n\n properties = conf.get(\"properties\", {})\n if not isinstance(properties, dict):\n return CheckResult.FAILED\n replica_count = properties.get(\"replicaCount\")\n if replica_count:\n if not isinstance(replica_count, int):\n return CheckResult.UNKNOWN\n if replica_count >= 2:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = AzureSearchSQLQueryUpdates()\n"
},
{
"path": "checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py",
"content": "from typing import Dict, List, Any, Union\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.type_forcers import force_list\n\n\nclass AzureServiceFabricClusterProtectionLevel(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensures that Service Fabric use three levels of protection available\"\n id = \"CKV_AZURE_125\"\n supported_resources = ('Microsoft.ServiceFabric/clusters',)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:\n properties: Union[List[Any], Dict[str, Any]] = conf.get('properties', {})\n if not isinstance(properties, dict):\n self.evaluated_keys = ['properties']\n return CheckResult.FAILED\n\n settings_conf = force_list(properties.get('fabricSettings', []))\n if not isinstance(settings_conf, list):\n self.evaluated_keys = ['properties/fabricSettings']\n return CheckResult.FAILED\n\n for setting in settings_conf:\n if setting and isinstance(setting, dict) and setting.get('name') == 'Security':\n params = setting.get('parameters', [{}])\n if isinstance(params, list) and len(params) > 0 and isinstance(params[0], dict):\n param = params[0]\n if param.get('name') == 'ClusterProtectionLevel' and param.get('value') == 'EncryptAndSign':\n index = settings_conf.index(setting)\n self.evaluated_keys = [f'fabricSettings/{index}/parameters/name',\n f'fabricSettings/{index}/parameters/value']\n return CheckResult.PASSED\n else:\n self.evaluated_keys = [f'fabricSettings/{settings_conf.index(setting)}/parameters']\n return CheckResult.FAILED\n\n self.evaluated_keys = ['fabricSettings']\n return CheckResult.FAILED\n\n\ncheck = AzureServiceFabricClusterProtectionLevel()\n"
},
{
"path": "checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass AzureSparkPoolIsolatedComputeEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure isolated compute is enabled for Synapse Spark pools\"\n id = \"CKV_AZURE_242\"\n supported_resources = [\"Microsoft.Synapse/workspaces/bigDataPools\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/isComputeIsolationEnabled'\n\n\ncheck = AzureSparkPoolIsolatedComputeEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass SynapseWorkspaceVAisEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Synapse Workspace vulnerability assessment is enabled\"\n id = \"CKV2_AZURE_46\"\n supported_resources = [\"Microsoft.Synapse/workspaces/vulnerabilityAssessments\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/recurringScans/isEnabled'\n\n\ncheck = SynapseWorkspaceVAisEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py",
"content": "from typing import Dict, List, Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Synapse workspaces have no IP firewall rules attached\"\n id = \"CKV2_AZURE_19\"\n supported_resources = [\"Microsoft.Synapse/workspaces\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:\n depends_on = conf.get(\"dependsOn\")\n if depends_on is None or not len(depends_on):\n return CheckResult.PASSED\n if any('Microsoft.Synapse/workspaces/firewallRules' in item for item in depends_on):\n self.evaluated_keys = [\"dependsOn\"]\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached()\n"
},
{
"path": "checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py",
"content": "from typing import Any\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CognitiveServicesConfigureIdentity(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that all Azure Cognitive Services accounts are configured with a managed identity\"\n id = \"CKV_AZURE_238\"\n supported_resources = ('Microsoft.CognitiveServices/accounts',)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"identity/type\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = CognitiveServicesConfigureIdentity()\n"
},
{
"path": "checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Cognitive Services accounts disable public network access\"\n id = \"CKV_AZURE_134\"\n supported_resources = (\"Microsoft.CognitiveServices/accounts\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> Any:\n return \"Disabled\"\n\n\ncheck = CognitiveServicesDisablesPublicNetwork()\n"
},
{
"path": "checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CognitiveServicesEnableLocalAuth(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Cognitive Services accounts disable local authentication\"\n id = \"CKV_AZURE_236\"\n supported_resources = ('Microsoft.CognitiveServices/accounts', )\n categories = (CheckCategories.NETWORKING, )\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n )\n\n def get_inspected_key(self) -> str:\n return 'properties/disableLocalAuth'\n\n def get_expected_value(self) -> Any:\n return True\n\n\ncheck = CognitiveServicesEnableLocalAuth()\n"
},
{
"path": "checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py",
"content": "from typing import Dict, Any, Optional\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass CosmosDBAccountsRestrictedAccess(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Cosmos DB accounts have restricted access\"\n id = \"CKV_AZURE_99\"\n supported_resources = ('Microsoft.DocumentDB/databaseAccounts',)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties: Optional[Dict[str, Any]] = conf.get('properties')\n if properties is not None:\n if 'enableMultipleWriteLocations' not in properties or properties['enableMultipleWriteLocations']:\n self.evaluated_keys = ['enableMultipleWriteLocations']\n if 'isVirtualNetworkFilterEnabled' in properties and properties['isVirtualNetworkFilterEnabled']:\n self.evaluated_keys.append('isVirtualNetworkFilterEnabled')\n if 'virtualNetworkRules' in properties and properties['virtualNetworkRules']:\n self.evaluated_keys.append('virtualNetworkRules')\n return CheckResult.PASSED\n if 'ipRules' in properties and properties['ipRules']:\n self.evaluated_keys.append('ipAddressOrRange')\n return CheckResult.PASSED\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = CosmosDBAccountsRestrictedAccess()\n"
},
{
"path": "checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass CosmosDBDisableAccessKeyWrite(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure cosmosdb does not allow privileged escalation by restricting management plane changes\"\n id = \"CKV_AZURE_132\"\n supported_resources = ('Microsoft.DocumentDB/databaseAccounts',)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if 'properties' in conf:\n if \"disableKeyBasedMetadataWriteAccess\" in conf['properties'] and conf['properties']['disableKeyBasedMetadataWriteAccess']:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/disableKeyBasedMetadataWriteAccess\"]\n\n\ncheck = CosmosDBDisableAccessKeyWrite()\n"
},
{
"path": "checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CosmosDBDisablesPublicNetwork(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Cosmos DB disables public network access\"\n id = \"CKV_AZURE_101\"\n supported_resources = ['Microsoft.DocumentDB/databaseAccounts']\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/publicNetworkAccess'\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = CosmosDBDisablesPublicNetwork()\n"
},
{
"path": "checkov/arm/checks/resource/CosmosDBHaveCMK.py",
"content": "from typing import Any\n\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CosmosDBHaveCMK(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest\"\n id = \"CKV_AZURE_100\"\n supported_resources = (\"Microsoft.DocumentDb/databaseAccounts\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/keyVaultKeyUri\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = CosmosDBHaveCMK()\n"
},
{
"path": "checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py",
"content": "from __future__ import annotations\nfrom typing import Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass CosmosDBLocalAuthDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n description = \"Ensure that Local Authentication is disabled on CosmosDB\"\n id = \"CKV_AZURE_140\"\n supported_resources = ('Microsoft.DocumentDB/databaseAccounts',)\n categories = (CheckCategories.IAM,)\n super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if conf.get(\"kind\") == \"GlobalDocumentDB\":\n return super().scan_resource_conf(conf)\n return CheckResult.UNKNOWN\n\n def get_inspected_key(self) -> str:\n return \"properties/disableLocalAuth\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = CosmosDBLocalAuthDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nimport re\n\nSUBSCRIPTION = re.compile(r\"\\/|\\/subscriptions\\/[\\w\\d-]+$|\\[subscription\\(\\).id\\]\")\n\n# https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-template\n# https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-01-01-preview/roledefinitions\n\n\nclass CustomRoleDefinitionSubscriptionOwner(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that no custom subscription owner roles are created\"\n id = \"CKV_AZURE_39\"\n supported_resources = (\"Microsoft.Authorization/roleDefinitions\",)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"assignableScopes\" in conf[\"properties\"]:\n if any(\n isinstance(scope, str) and re.match(SUBSCRIPTION, scope)\n for scope in conf[\"properties\"][\"assignableScopes\"]\n ):\n if \"permissions\" in conf[\"properties\"]:\n if conf[\"properties\"][\"permissions\"]:\n for permission in conf[\"properties\"][\"permissions\"]:\n if \"actions\" in permission and \"*\" in permission[\"actions\"]:\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties/assignableScopes\", \"properties/permissions/actions\"]\n\n\ncheck = CustomRoleDefinitionSubscriptionOwner()\n"
},
{
"path": "checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass DataExplorerUsesDiskEncryption(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Data Explorer (Kusto) uses disk encryption\"\n id = \"CKV_AZURE_74\"\n supported_resources = (\"Microsoft.Kusto/clusters\",)\n categories = [CheckCategories.ENCRYPTION,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n return \"properties/enableDiskEncryption\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = DataExplorerUsesDiskEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass DataFactoryNoPublicNetworkAccess(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Data factory public network access is disabled\"\n id = \"CKV_AZURE_104\"\n supported_resources = (\"Microsoft.DataFactory/factories\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> Any:\n return \"Disabled\"\n\n\ncheck = DataFactoryNoPublicNetworkAccess()\n"
},
{
"path": "checkov/arm/checks/resource/DataFactoryUsesGitRepository.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass DataFactoryUsesGitRepository(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Data Factory uses Git repository for source control\"\n id = \"CKV_AZURE_103\"\n supported_resources = (\"Microsoft.DataFactory/factories\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n self.evaluated_keys = [\"properties/repoConfiguration/type\"]\n repo = properties.get(\"repoConfiguration\")\n if not repo:\n return CheckResult.FAILED\n if repo and isinstance(repo, dict) and repo.get(\"type\") is not None:\n return CheckResult.PASSED\n return CheckResult.UNKNOWN\n return CheckResult.FAILED\n\n\ncheck = DataFactoryUsesGitRepository()\n"
},
{
"path": "checkov/arm/checks/resource/DataLakeStoreEncryption.py",
"content": "from checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass DataLakeStoreEncryption(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Data Lake Store accounts enables encryption\"\n id = \"CKV_AZURE_105\"\n supported_resources = ['Microsoft.DataLakeStore/accounts',]\n categories = [CheckCategories.ENCRYPTION,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return 'properties/encryptionState'\n\n def get_expected_value(self) -> str:\n return \"Enabled\"\n\n\ncheck = DataLakeStoreEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(BaseResourceCheck):\n def __init__(self) -> None:\n # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template#workspaceencryptionparameter-1\n name = \"Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption\"\n id = \"CKV2_AZURE_48\"\n supported_resources = (\"Microsoft.Databricks/workspaces\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n parameters = conf.get(\"properties\", {}).get(\"parameters\")\n prepare_encryption = find_in_dict(input_dict=parameters, key_path=\"prepareEncryption/value\")\n if not prepare_encryption or str(prepare_encryption).lower() != \"true\":\n return CheckResult.FAILED\n\n encryption_settings = find_in_dict(input_dict=parameters, key_path=\"encryption/value\")\n if not encryption_settings:\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties/parameters\"]\n\n\ncheck = DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey()\n"
},
{
"path": "checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass DatabricksWorkspaceIsNotPublic(BaseResourceCheck):\n def __init__(self) -> None:\n # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template\n name = \"Ensure Databricks Workspace data plane to control plane communication happens over private link\"\n id = \"CKV_AZURE_158\"\n supported_resources = (\"Microsoft.Databricks/workspaces\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n public_network_access = find_in_dict(input_dict=conf, key_path=\"properties/publicNetworkAccess\")\n if not public_network_access or public_network_access == \"Enabled\":\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/publicNetworkAccess\"]\n\n\ncheck = DatabricksWorkspaceIsNotPublic()\n"
},
{
"path": "checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass EventHubNamespaceMinTLS12(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Event Hub Namespace uses at least TLS 1.2\"\n id = \"CKV_AZURE_223\"\n supported_resources = [\"Microsoft.EventHub/namespaces\", ]\n categories = [CheckCategories.ENCRYPTION, ]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return \"properties/minimumTlsVersion\"\n\n def get_expected_value(self) -> Any:\n return \"1.2\"\n\n\ncheck = EventHubNamespaceMinTLS12()\n"
},
{
"path": "checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass EventgridTopicIdentityProviderEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Managed identity provider is enabled for Azure Event Grid Topic\"\n id = \"CKV_AZURE_191\"\n supported_resources = (\"Microsoft.EventGrid/topics\",)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"identity/type\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = EventgridTopicIdentityProviderEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass EventgridTopicLocalAuthentication(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Event Grid Topic local Authentication is disabled\"\n id = \"CKV_AZURE_192\"\n supported_resources = (\"Microsoft.EventGrid/topics\",)\n categories = (CheckCategories.IAM,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/disableLocalAuth\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = EventgridTopicLocalAuthentication()\n"
},
{
"path": "checkov/arm/checks/resource/EventgridTopicNetworkAccess.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass EventgridTopicNetworkAccess(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure public network access is disabled for Azure Event Grid Topic\"\n id = \"CKV_AZURE_193\"\n supported_resources = (\"Microsoft.EventGrid/topics\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = EventgridTopicNetworkAccess()\n"
},
{
"path": "checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py",
"content": "from typing import Dict, Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.common.util.type_forcers import force_list\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass FrontDoorWAFACLCVE202144228(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell\"\n id = \"CKV_AZURE_133\"\n supported_resources = [\"Microsoft.Network/frontdoorWebApplicationFirewallPolicies\"]\n categories = [CheckCategories.APPLICATION_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[Any, Any]) -> CheckResult:\n self.evaluatedKeys = [\"managedRules\"]\n properties = conf.get(\"properties\")\n if properties is None or \"managedRules\" not in properties:\n return CheckResult.FAILED\n\n managedRules = properties.get(\"managedRules\")\n if not managedRules:\n return CheckResult.FAILED\n\n for idx_managed_rule, managed_rule in enumerate(force_list(managedRules.get(\"managedRuleSets\", []))):\n self.evaluated_keys = [f\"managedRules/[{idx_managed_rule}]/type\"]\n if managed_rule and managed_rule.get(\"ruleSetType\") in [\"DefaultRuleSet\", \"Microsoft_DefaultRuleSet\"]:\n ruleOverrides = managed_rule.get(\"ruleGroupOverrides\", [])\n if ruleOverrides == []:\n return CheckResult.PASSED\n for idx_override, rule_override in enumerate(force_list(ruleOverrides)):\n self.evaluated_keys.append(\n f\"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/ruleGroupName\"\n )\n if rule_override.get(\"ruleGroupName\") == \"JAVA\":\n rules = rule_override.get(\"rules\", [])\n for idx_rule, rule in enumerate(force_list(rules)):\n self.evaluated_keys.extend([\n f\"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/ruleId\",\n f\"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/enabledState\",\n f\"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/action\",\n ])\n if rule.get(\"ruleId\") == \"944240\":\n enabledState = rule.get(\"enabledState\")\n if not enabledState:\n return CheckResult.FAILED\n if rule.get(\"action\") in [\"Block\", \"Redirect\"]:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = FrontDoorWAFACLCVE202144228()\n"
},
{
"path": "checkov/arm/checks/resource/FrontdoorUseWAFMode.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass FrontdoorUseWAFMode(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Front Door uses WAF in \\\"Detection\\\" or \\\"Prevention\\\" modes\"\n id = \"CKV_AZURE_123\"\n supported_resources = ('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get('properties')\n if properties and isinstance(properties, dict):\n policy_settings = properties.get('policySettings')\n if policy_settings and isinstance(policy_settings, dict):\n if policy_settings.get('enabledState') == \"Enabled\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> list[str]:\n return [\"policySettings/[0]/enabledState\"]\n\n\ncheck = FrontdoorUseWAFMode()\n"
},
{
"path": "checkov/arm/checks/resource/FunctionAppDisallowCORS.py",
"content": "from typing import List, Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass FunctionAppDisallowCORS(BaseResourceNegativeValueCheck):\n\n def __init__(self) -> None:\n name = \"Ensure function apps are not accessible from all regions\"\n id = \"CKV_AZURE_62\"\n supported_resources = (\"Microsoft.Web/sites\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/cors/allowedOrigins\"\n\n def get_forbidden_values(self) -> List[Any]:\n return [\"*\"]\n\n\ncheck = FunctionAppDisallowCORS()\n"
},
{
"path": "checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass FunctionAppHttpVersionLatest(BaseResourceValueCheck):\n\n def __init__(self) -> None:\n name = \"Ensure that 'HTTP Version' is the latest, if used to run the Function app\"\n id = \"CKV_AZURE_67\"\n supported_resources = (\"Microsoft.Web/sites/slots\", \"Microsoft.Web/sites\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/http20Enabled\"\n\n\ncheck = FunctionAppHttpVersionLatest()\n"
},
{
"path": "checkov/arm/checks/resource/FunctionAppMinTLSVersion.py",
"content": "from typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass FunctionAppMinTLSVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Function app is using the latest version of TLS encryption\"\n id = \"CKV_AZURE_145\"\n supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return \"properties/siteConfig/minTlsVersion\"\n\n def get_expected_value(self) -> Any:\n return 1.2\n\n def get_expected_values(self) -> List[Any]:\n return [\"1.2\", 1.2, \"1.3\", 1.3]\n\n\ncheck = FunctionAppMinTLSVersion()\n"
},
{
"path": "checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass FunctionAppsAccessibleOverHttps(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Function apps is only accessible over HTTPS\"\n id = \"CKV_AZURE_70\"\n supported_resources = (\n \"Microsoft.Web/sites/config\",\n \"Microsoft.Web/sites\",\n \"Microsoft.Web/sites/slots\",\n )\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if self.entity_type == \"Microsoft.Web/sites\" or self.entity_type == \"Microsoft.Web/sites/slots\":\n if \"httpsOnly\" not in conf[\"properties\"]:\n return CheckResult.FAILED\n\n https_only = conf[\"properties\"][\"httpsOnly\"]\n if not https_only:\n return CheckResult.FAILED\n\n if \"httpSettings\" in conf[\"properties\"]:\n auth_settings_v2 = conf[\"properties\"][\"httpSettings\"]\n\n # default=true for require_https\n if 'requireHttps' not in auth_settings_v2:\n return CheckResult.PASSED\n\n require_https = auth_settings_v2.get(\"requireHttps\")\n if not require_https:\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/httpsOnly\", \"properties/httpSettings\"]\n\n\ncheck = FunctionAppsAccessibleOverHttps()\n"
},
{
"path": "checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass FunctionAppsEnableAuthentication(BaseResourceCheck):\n\n def __init__(self) -> None:\n name = \"Ensure that function apps enables Authentication\"\n id = \"CKV_AZURE_56\"\n supported_resources = (\"Microsoft.Web/sites/config\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if conf.get('name', '') != 'authsettingsV2':\n return CheckResult.PASSED\n\n properties = conf.get('properties', {})\n if properties and isinstance(properties, dict):\n platform = properties.get('platform', {})\n if platform and isinstance(properties, dict):\n enabled = platform.get('enabled', False)\n if enabled:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/platform', 'properties/platform/enabled']\n\n\ncheck = FunctionAppsEnableAuthentication()\n"
},
{
"path": "checkov/arm/checks/resource/KeyBackedByHSM.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass KeyBackedByHSM(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that key vault key is backed by HSM\"\n id = \"CKV_AZURE_112\"\n supported_resources = (\"Microsoft.KeyVault/vaults/keys\",)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/kty\"\n\n def get_expected_value(self) -> Any:\n return \"RSA-HSM\"\n\n def get_expected_values(self) -> list[Any]:\n return [self.get_expected_value(), \"EC-HSM\"]\n\n\ncheck = KeyBackedByHSM()\n"
},
{
"path": "checkov/arm/checks/resource/KeyExpirationDate.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.consts import ANY_VALUE\n\n\nclass KeyExpirationDate(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that the expiration date is set on all keys\"\n id = \"CKV_AZURE_40\"\n supported_resources = ['Microsoft.KeyVault/vaults/keys']\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/rotationPolicy/attributes/expiryTime'\n\n def get_expected_value(self) -> str:\n return ANY_VALUE\n\n\ncheck = KeyExpirationDate()\n"
},
{
"path": "checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom typing import Dict, Any\n\n\nclass KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Key Vault disables public network access\"\n id = \"CKV_AZURE_189\"\n supported_resources = (\"Microsoft.KeyVault/vaults\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"publicNetworkAccess\"\n\n def get_expected_value(self) -> str:\n return \"disabled\"\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\", {})\n if self.get_inspected_key() in properties:\n conf_value = conf[\"properties\"][self.get_inspected_key()]\n # Docs are unclear, so supporting Disabled and disabled\n if conf_value and conf_value.lower() == self.get_expected_value():\n return CheckResult.PASSED\n\n if properties and \"networkAcls\" in properties:\n network_acls = conf[\"properties\"][\"networkAcls\"]\n if isinstance(network_acls, dict) and \"ipRules\" in network_acls:\n ip_rules = network_acls[\"ipRules\"]\n ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules\n if ip_rules:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = KeyVaultDisablesPublicNetworkAccess()\n"
},
{
"path": "checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass KeyVaultEnablesFirewallRulesSettings(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that key vault allows firewall rules settings\"\n id = \"CKV_AZURE_109\"\n supported_resources = (\"Microsoft.KeyVault/vaults\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/networkAcls/defaultAction\"\n\n def get_expected_value(self) -> Any:\n return \"Deny\"\n\n\ncheck = KeyVaultEnablesFirewallRulesSettings()\n"
},
{
"path": "checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass KeyVaultEnablesPurgeProtection(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that key vault enables purge protection\"\n id = \"CKV_AZURE_110\"\n supported_resources = ['Microsoft.KeyVault/vaults']\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> Any:\n return \"properties/enablePurgeProtection\"\n\n def get_expected_value(self) -> bool:\n return True\n\n\ncheck = KeyVaultEnablesPurgeProtection()\n"
},
{
"path": "checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py",
"content": "from checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.common.models.enums import CheckResult\n\n\nclass KeyVaultEnablesSoftDelete(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that key vault enables soft delete\"\n id = \"CKV_AZURE_111\"\n supported_resources = ['Microsoft.KeyVault/vaults']\n categories = [CheckCategories.LOGGING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED)\n\n def get_inspected_key(self) -> str:\n return \"properties/enableSoftDelete\"\n\n\ncheck = KeyVaultEnablesSoftDelete()\n"
},
{
"path": "checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass KeyVaultRecoveryEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2016-10-01/vaults\n name = \"Ensure the key vault is recoverable\"\n id = \"CKV_AZURE_42\"\n supported_resources = ('Microsoft.KeyVault/vaults',)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n # NOTE: enablePurgeProtection not supported in API version 2015-06-01\n if \"properties\" in conf:\n if \"enablePurgeProtection\" in conf[\"properties\"] and \"enableSoftDelete\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"enablePurgeProtection\"]).lower() == \"true\" and \\\n str(conf[\"properties\"][\"enableSoftDelete\"]).lower() == \"true\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/enablePurgeProtection\", \"properties/enableSoftDelete\"]\n\n\ncheck = KeyVaultRecoveryEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/LinuxVMUsesSSH.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom typing import Any\nfrom checkov.common.models.consts import ANY_VALUE\n\n\nclass LinuxVMUsesSSH(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure linux VM enables SSH with keys for secure communication\"\n id = \"CKV_AZURE_178\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\", \"Microsoft.Compute/virtualMachineScaleSets\")\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n if self.entity_type == \"Microsoft.Compute/virtualMachineScaleSets\":\n return \"properties/virtualMachineProfile/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path\"\n return \"properties/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = LinuxVMUsesSSH()\n"
},
{
"path": "checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py",
"content": "from typing import List, Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MSSQLServerMinTLSVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure MSSQL is using the latest version of TLS encryption\"\n id = \"CKV_AZURE_52\"\n supported_resources = (\"Microsoft.Sql/servers\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED,)\n\n def get_inspected_key(self) -> str:\n return \"properties/minimalTlsVersion\"\n\n def get_expected_value(self) -> str:\n return \"1.2\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"1.2\", 1.2, \"1.3\", 1.3]\n\n\ncheck = MSSQLServerMinTLSVersion()\n"
},
{
"path": "checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MariaDBGeoBackupEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that MariaDB server enables geo-redundant backups\"\n id = \"CKV_AZURE_129\"\n supported_resources = (\"Microsoft.DBforMariaDB/servers\",)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/storageProfile/geoRedundantBackup\"\n\n def get_expected_value(self) -> str:\n return \"Enabled\"\n\n\ncheck = MariaDBGeoBackupEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MariaDBPublicAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure 'public network access enabled' is set to 'False' for MariaDB servers\"\n id = \"CKV_AZURE_48\"\n supported_resources = (\"Microsoft.DBforMariaDB/servers\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = MariaDBPublicAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass MariaDBSSLEnforcementEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers\"\n id = \"CKV_AZURE_47\"\n supported_resources = [\"Microsoft.DBforMariaDB/servers\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/sslEnforcement\"\n\n def get_expected_value(self) -> Any:\n return \"Enabled\"\n\n\ncheck = MariaDBSSLEnforcementEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/MonitorLogProfileCategories.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles\n\n\nclass MonitorLogProfileRetentionDays(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure audit profile captures all the activities\"\n id = \"CKV_AZURE_38\"\n supported_resources = (\"Microsoft.Insights/logprofiles\",)\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf and \"categories\" in conf[\"properties\"]:\n categories = (\"Write\", \"Delete\", \"Action\")\n if all(category in conf[\"properties\"][\"categories\"] for category in categories):\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/categories\"]\n\n\ncheck = MonitorLogProfileRetentionDays()\n"
},
{
"path": "checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.type_forcers import force_int\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles\n\n\nclass MonitorLogProfileRetentionDays(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Activity Log Retention is set 365 days or greater\"\n id = \"CKV_AZURE_37\"\n supported_resources = (\"Microsoft.Insights/logprofiles\",)\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties\"]\n if \"properties\" in conf and \"retentionPolicy\" in conf[\"properties\"]:\n self.evaluated_keys = [\"properties/retentionPolicy\"]\n retention = conf[\"properties\"][\"retentionPolicy\"]\n if \"enabled\" in retention and str(retention[\"enabled\"]).lower() == \"true\":\n if \"days\" in retention:\n days = force_int(retention[\"days\"])\n if days is not None and (days == 0 or days >= 365):\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = MonitorLogProfileRetentionDays()\n"
},
{
"path": "checkov/arm/checks/resource/MySQLEncryptionEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass MySQLEncryptionEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that MySQL server enables infrastructure encryption\"\n id = \"CKV_AZURE_96\"\n supported_resources = (\"Microsoft.DBforMySQL/flexibleServers\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n self.evaluated_keys = [\"properties/dataencryption\"]\n data_encryption = properties.get(\"dataencryption\")\n if data_encryption and isinstance(data_encryption, dict):\n if data_encryption is None:\n return CheckResult.FAILED\n return CheckResult.PASSED\n # unparsed\n elif data_encryption and isinstance(data_encryption, str):\n return CheckResult.UNKNOWN\n return CheckResult.FAILED\n return CheckResult.UNKNOWN\n\n\ncheck = MySQLEncryptionEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/MySQLGeoBackupEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MySQLGeoBackupEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that My SQL server enables geo-redundant backups\"\n id = \"CKV_AZURE_94\"\n supported_resources = (\"Microsoft.DBforMySQL/flexibleServers\",)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/Backup/geoRedundantBackup\"\n\n\ncheck = MySQLGeoBackupEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/MySQLPublicAccessDisabled.py",
"content": "from typing import List\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MySQLPublicAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure 'public network access enabled' is set to 'False' for mySQL servers\"\n id = \"CKV_AZURE_53\"\n supported_resources = (\"Microsoft.DBforMySQL/servers\", \"Microsoft.DBforMySQL/flexibleServers\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n if self.entity_type == \"Microsoft.DBforMySQL/servers\":\n return \"properties/publicNetworkAccess\"\n else:\n return \"properties/network/publicNetworkAccess\"\n\n def get_expected_value(self) -> str:\n return \"disabled\"\n\n def get_expected_values(self) -> List[str]:\n return [\"disabled\", \"Disabled\"]\n\n\ncheck = MySQLPublicAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/MySQLServerMinTLSVersion.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass MySQLServerMinTLSVersion(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure MySQL is using the latest version of TLS encryption\"\n id = \"CKV_AZURE_54\"\n supported_resources = (\"Microsoft.DBforMySQL/servers\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name,\n id=id,\n categories=categories,\n supported_resources=supported_resources, )\n\n def get_inspected_key(self) -> str:\n return \"properties/minimalTlsVersion\"\n\n def get_expected_value(self) -> str:\n return \"TLS1_2\"\n\n\ncheck = MySQLServerMinTLSVersion()\n"
},
{
"path": "checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass MySQLServerSSLEnforcementEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server\"\n id = \"CKV_AZURE_28\"\n supported_resources = [\"Microsoft.DBforMySQL/servers\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/sslEnforcement\"\n\n def get_expected_value(self) -> Any:\n return \"Enabled\"\n\n\ncheck = MySQLServerSSLEnforcementEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py",
"content": "from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted\n\n\nclass NSGRuleHTTPAccessRestricted(NSGRulePortAccessRestricted):\n def __init__(self) -> None:\n super().__init__(\n name=\"Ensure that HTTP (port 80) access is restricted from the internet\",\n check_id=\"CKV_AZURE_160\",\n port=80,\n )\n\n\ncheck = NSGRuleHTTPAccessRestricted()\n"
},
{
"path": "checkov/arm/checks/resource/NSGRulePortAccessRestricted.py",
"content": "import re\nfrom typing import Union, Dict, Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups/securityrules\n\nINTERNET_ADDRESSES = [\"*\", \"0.0.0.0\", \"/0\", \"/0\", \"internet\", \"any\"] # nosec\nPORT_RANGE = re.compile(r\"\\d+-\\d+\")\n\n\nclass NSGRulePortAccessRestricted(BaseResourceCheck):\n def __init__(self, name: str, check_id: str, port: int) -> None:\n supported_resources = (\n \"Microsoft.Network/networkSecurityGroups\",\n \"Microsoft.Network/networkSecurityGroups/securityRules\",\n )\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=check_id, categories=categories, supported_resources=supported_resources)\n self.port = port\n\n def is_port_in_range(self, port_range: Union[int, str]) -> bool:\n port_range_str = str(port_range)\n if re.match(PORT_RANGE, port_range_str):\n start, end = int(port_range_str.split(\"-\")[0]), int(port_range_str.split(\"-\")[1])\n if start <= self.port <= end:\n return True\n if port_range in (str(self.port), \"*\"):\n return True\n return False\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n securityRules = []\n if self.entity_type == \"Microsoft.Network/networkSecurityGroups\":\n if \"securityRules\" in conf[\"properties\"]:\n securityRules.extend(conf[\"properties\"][\"securityRules\"])\n if self.entity_type == \"Microsoft.Network/networkSecurityGroups/securityRules\":\n securityRules.append(conf)\n\n for rule in securityRules:\n portRanges = []\n sourcePrefixes = []\n if \"properties\" in rule:\n if \"access\" in rule[\"properties\"] and rule[\"properties\"][\"access\"].lower() == \"allow\":\n if \"direction\" in rule[\"properties\"] and rule[\"properties\"][\"direction\"].lower() == \"inbound\":\n if \"protocol\" in rule[\"properties\"] and rule[\"properties\"][\"protocol\"].lower() in (\"tcp\", \"*\"):\n if \"destinationPortRanges\" in rule[\"properties\"]:\n portRanges.extend(rule[\"properties\"][\"destinationPortRanges\"])\n if \"destinationPortRange\" in rule[\"properties\"]:\n portRanges.append(rule[\"properties\"][\"destinationPortRange\"])\n\n if \"sourceAddressPrefixes\" in rule[\"properties\"]:\n sourcePrefixes.extend(rule[\"properties\"][\"sourceAddressPrefixes\"])\n if \"sourceAddressPrefix\" in rule[\"properties\"]:\n sourcePrefixes.append(rule[\"properties\"][\"sourceAddressPrefix\"])\n\n for portRange in portRanges:\n if self.is_port_in_range(portRange):\n for prefix in sourcePrefixes:\n if prefix in INTERNET_ADDRESSES:\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n"
},
{
"path": "checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py",
"content": "from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted\n\n\nclass NSGRuleRDPAccessRestricted(NSGRulePortAccessRestricted):\n def __init__(self) -> None:\n super().__init__(\n name=\"Ensure that RDP access is restricted from the internet\", check_id=\"CKV_AZURE_9\", port=3389\n )\n\n\ncheck = NSGRuleRDPAccessRestricted()\n"
},
{
"path": "checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py",
"content": "from checkov.arm.checks.resource.NSGRulePortAccessRestricted import NSGRulePortAccessRestricted\n\n\nclass NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted):\n def __init__(self) -> None:\n super().__init__(\n name=\"Ensure that SSH access is restricted from the internet\", check_id=\"CKV_AZURE_10\", port=22\n )\n\n\ncheck = NSGRuleSSHAccessRestricted()\n"
},
{
"path": "checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.type_forcers import force_int\n\n\nclass NetworkWatcherFlowLogPeriod(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-04-01/networkwatchers/flowlogs\n name = \"Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'\"\n id = \"CKV_AZURE_12\"\n supported_resources = (\n 'Microsoft.Network/networkWatchers/flowLogs',\n 'Microsoft.Network/networkWatchers/FlowLogs',\n 'Microsoft.Network/networkWatchers/flowLogs/',\n 'Microsoft.Network/networkWatchers/FlowLogs/',\n )\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"enabled\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"enabled\"]).lower() == \"true\":\n if \"retentionPolicy\" in conf[\"properties\"]:\n if \"enabled\" in conf[\"properties\"][\"retentionPolicy\"]:\n if str(conf[\"properties\"][\"retentionPolicy\"][\"enabled\"]).lower() == \"true\":\n if \"days\" in conf[\"properties\"][\"retentionPolicy\"]:\n days = force_int(conf[\"properties\"][\"retentionPolicy\"][\"days\"])\n if days and days >= 90:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/enabled', 'properties/retentionPolicy', 'properties/retentionPolicy/enabled',\n 'properties/retentionPolicy/days']\n\n\ncheck = NetworkWatcherFlowLogPeriod()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass PostgreSQLEncryptionEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that PostgreSQL server enables infrastructure encryption\"\n id = \"CKV_AZURE_130\"\n supported_resources = [\"Microsoft.DBforPostgreSQL/servers\"]\n categories = [CheckCategories.ENCRYPTION]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/infrastructureEncryption\"\n\n def get_expected_value(self) -> str:\n return \"Enabled\"\n\n\ncheck = PostgreSQLEncryptionEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass PostgreSQLServerConnectionThrottlingEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations\n name = \"Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server\"\n id = \"CKV_AZURE_32\"\n supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"type\" in conf:\n if conf[\"type\"] == \"Microsoft.DBforPostgreSQL/servers/configurations\":\n if \"name\" in conf and conf[\"name\"] == \"connection_throttling\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n self.evaluated_keys = ['properties', 'properties/value']\n return CheckResult.FAILED\n elif conf[\"type\"] == \"configurations\":\n if \"name\" in conf and conf[\"name\"] == \"connection_throttling\":\n if \"parent_type\" in conf:\n if conf[\"parent_type\"] == \"Microsoft.DBforPostgreSQL/servers\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n self.evaluated_keys = ['properties', 'properties/value']\n return CheckResult.FAILED\n else:\n self.evaluated_keys = [\"properties\"]\n return CheckResult.FAILED\n\n # If name not connection_throttling - don't report (neither pass nor fail)\n return CheckResult.UNKNOWN\n\n\ncheck = PostgreSQLServerConnectionThrottlingEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass PostgreSQLServerLogCheckpointsEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations\n # https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver#examples\n name = \"Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server\"\n id = \"CKV_AZURE_30\"\n supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties\"]\n if \"type\" in conf:\n if conf[\"type\"] == \"Microsoft.DBforPostgreSQL/servers/configurations\":\n if \"name\" in conf and conf[\"name\"] == \"log_checkpoints\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n self.evaluated_keys.append(\"properties/value\")\n return CheckResult.FAILED\n elif conf[\"type\"] == \"configurations\":\n if \"name\" in conf and conf[\"name\"] == \"log_checkpoints\":\n if \"parent_type\" in conf:\n if conf[\"parent_type\"] == \"Microsoft.DBforPostgreSQL/servers\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n self.evaluated_keys.append(\"properties/value\")\n return CheckResult.FAILED\n else:\n return CheckResult.FAILED\n\n # If name not connection_throttling - don't report (neither pass nor fail)\n return CheckResult.UNKNOWN\n\n\ncheck = PostgreSQLServerLogCheckpointsEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass PostgreSQLServerLogConnectionsEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations\n # https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver#examples\n name = \"Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server\"\n id = \"CKV_AZURE_31\"\n supported_resources = ('Microsoft.DBforPostgreSQL/servers/configurations', 'configurations')\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"type\" in conf:\n if conf[\"type\"] == \"Microsoft.DBforPostgreSQL/servers/configurations\":\n if \"name\" in conf and conf[\"name\"] == \"log_connections\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n elif conf[\"type\"] == \"configurations\":\n if \"name\" in conf and conf[\"name\"] == \"log_connections\":\n if \"parent_type\" in conf:\n if conf[\"parent_type\"] == \"Microsoft.DBforPostgreSQL/servers\":\n if \"properties\" in conf:\n if \"value\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"value\"].lower() == \"on\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n else:\n return CheckResult.FAILED\n\n # If name not connection_throttling - don't report (neither pass nor fail)\n return CheckResult.UNKNOWN\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"type\", \"name\", \"properties/value\"]\n\n\ncheck = PostgreSQLServerLogConnectionsEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass PostgreSQLServerHasPublicAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that PostgreSQL server disables public network access\"\n id = \"CKV_AZURE_68\"\n supported_resources = ('Microsoft.DBforPostgreSQL/servers',)\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED)\n\n def get_inspected_key(self) -> str:\n return 'properties/publicNetworkAccess'\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = PostgreSQLServerHasPublicAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass PostgreSQLServerSSLEnforcementEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server\"\n id = \"CKV_AZURE_29\"\n supported_resources = [\"Microsoft.DBforPostgreSQL/servers\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/sslEnforcement\"\n\n def get_expected_value(self) -> Any:\n return \"Enabled\"\n\n\ncheck = PostgreSQLServerSSLEnforcementEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py",
"content": "from typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass PostgressSQLGeoBackupEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that PostgreSQL server enables geo-redundant backups\"\n id = \"CKV_AZURE_102\"\n supported_resources = ['Microsoft.DBforPostgreSQL/servers']\n categories = [CheckCategories.BACKUP_AND_RECOVERY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> Any:\n return 'properties/storageProfile/geoRedundantBackup'\n\n def get_expected_value(self) -> str:\n return 'Enabled'\n\n\ncheck = PostgressSQLGeoBackupEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/PubsubSKUSLA.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass PubsubSKUSLA(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Web PubSub uses a SKU with an SLA\"\n id = \"CKV_AZURE_175\"\n supported_resources = (\"Microsoft.SignalRService/webPubSub\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n return \"sku/name\"\n\n def get_forbidden_values(self) -> Any:\n return \"Free_F1\"\n\n\ncheck = PubsubSKUSLA()\n"
},
{
"path": "checkov/arm/checks/resource/PubsubSpecifyIdentity.py",
"content": "from typing import Any\n\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass PubsubSpecifyIdentity(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Web PubSub uses managed identities to access Azure resources\"\n id = \"CKV_AZURE_176\"\n supported_resources = [\"Microsoft.SignalRService/webPubSub\"]\n categories = [CheckCategories.IAM]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"identity/type\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = PubsubSpecifyIdentity()\n"
},
{
"path": "checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass RedisCachePublicNetworkAccessEnabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Cache for Redis disables public network access\"\n id = \"CKV_AZURE_89\"\n supported_resources = ('Microsoft.Cache/redis',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/publicNetworkAccess'\n\n def get_expected_value(self) -> str:\n return 'Disabled'\n\n\ncheck = RedisCachePublicNetworkAccessEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py",
"content": "from __future__ import annotations\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass SQLDatabaseZoneRedundant(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n This is a best practise which helps to:\n - Improved High Availability: Zone redundancy ensures that your database is replicated\n across Availability Zones within an Azure region. If one Availability Zone experiences an outage,\n your database continues to operate from the other zones, minimizing downtime.\n - Reduced Maintenance Downtime: Zone-redundant configurations often require\n less planned maintenance downtime because updates and patches can be applied to\n one zone at a time while the other zones continue to serve traffic.\n - Improved Scalability: Zone-redundant configurations are designed to scale with your workload.\n You can take advantage of features like Hyperscale to dynamically adjust resources based on\n your database's performance needs.\n - Improved SLA: Azure SQL Database zone-redundant configurations typically offer\n a higher service-level agreement (SLA) for availability compared to non-zone-redundant configurations.\n\n However, it's critical to note that:\n Note that:\n - Zone-redundant availability is available to databases in the\n General Purpose, Premium, Business Critical and Hyperscale service tiers of the vCore purchasing model,\n and not the Basic and Standard service tiers of the DTU-based purchasing model.\n - This may not be required for:\n - Databases that supports applications which doesn't a high maturity in terms of \"High Availability\"\n - Databases that are very sensitive to network latency that may increase the transaction commit time,\n and thus impact the performance of some OLTP workloads.\n \"\"\"\n name = \"Ensure the Azure SQL Database Namespace is zone redundant\"\n id = \"CKV_AZURE_229\"\n supported_resources = [\"Microsoft.Sql/servers/databases\",]\n categories = [CheckCategories.BACKUP_AND_RECOVERY,]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/zoneRedundant\"\n\n\ncheck = SQLDatabaseZoneRedundant()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerAuditingEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/databases/auditingsettings\n\n\nclass SQLServerAuditingEnabled(BaseResourceCheck):\n # this should be a graph check, due to the possible connection between\n # Microsoft.Sql/servers -> Microsoft.Sql/servers/auditingSettings\n # Microsoft.Sql/servers -> Microsoft.Sql/servers/databases/auditingSettings\n\n def __init__(self) -> None:\n name = \"Ensure that 'Auditing' is set to 'Enabled' for SQL servers\"\n id = \"CKV_AZURE_23\"\n supported_resources = (\"Microsoft.Sql/servers\", \"Microsoft.Sql/servers/databases\")\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n resources = conf.get(\"resources\")\n if resources and isinstance(resources, list):\n for resource in resources:\n if resource.get(\"type\") in (\n \"auditingSettings\",\n \"Microsoft.Sql/servers/auditingSettings\",\n \"Microsoft.Sql/servers/databases/auditingSettings\",\n ):\n properties = resource.get(\"properties\")\n if properties:\n state = properties.get(\"state\")\n if state and state.lower() == \"enabled\":\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"resources\"]\n\n\ncheck = SQLServerAuditingEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py",
"content": "from typing import Dict, Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_list\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/databases/auditingsettings\n\n\nclass SQLServerAuditingRetention90Days(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers\"\n id = \"CKV_AZURE_24\"\n supported_resources = (\"Microsoft.Sql/servers\",)\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"resources\"]\n resources = conf.get(\"resources\") or []\n for idx, resource in enumerate(force_list(resources)):\n self.evaluated_keys = [\n f\"resources/[{idx}]/type\",\n f\"resources/[{idx}]/properties/state\",\n f\"resources/[{idx}]/properties/retentionDays\",\n ]\n if resource.get(\"type\") in (\n \"Microsoft.Sql/servers/databases/auditingSettings\",\n 'Microsoft.Sql/servers/auditingSettings',\n \"auditingSettings\",\n ):\n return self.check_resource(resource)\n elif resource.get(\"type\") in (\n \"databases\"\n ):\n sub_resources = resource.get(\"resources\") or []\n for sr in sub_resources:\n if sr.get(\"type\") == \"Microsoft.Sql/servers/databases/auditingPolicies\":\n return self.check_resource(sr)\n\n return CheckResult.FAILED\n\n @staticmethod\n def check_resource(resource: Dict[str, Any]) -> CheckResult:\n properties = resource.get(\"properties\")\n if isinstance(properties, dict):\n state = properties.get(\"state\")\n if isinstance(state, str) and state.lower() == \"enabled\":\n retention = properties.get(\"retentionDays\")\n if isinstance(retention, int) and retention >= 90:\n return CheckResult.PASSED\n if isinstance(retention, str):\n try:\n if int(retention) >= 90:\n return CheckResult.PASSED\n except ValueError: # not a valid number\n return CheckResult.FAILED\n return CheckResult.FAILED\n\n\ncheck = SQLServerAuditingRetention90Days()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py",
"content": "from typing import Dict, Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_list\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies\n\n\nclass SQLServerEmailAlertsEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Send Alerts To' is enabled for MSSQL servers\"\n id = \"CKV_AZURE_26\"\n supported_resources = (\"Microsoft.Sql/servers/databases\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"resources\"]\n resources = conf.get(\"resources\") or []\n for idx, resource in enumerate(force_list(resources)):\n self.evaluated_keys = [\n f\"resources/[{idx}]/type\",\n f\"resources/[{idx}]/properties/state\",\n f\"resources/[{idx}]/properties/emailAddresses\",\n ]\n if resource.get(\"type\") in (\n \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"securityAlertPolicies\",\n ):\n properties = resource.get(\"properties\")\n if isinstance(properties, dict):\n state = properties.get(\"state\")\n if isinstance(state, str) and state.lower() == \"enabled\":\n if properties.get(\"emailAddresses\"):\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = SQLServerEmailAlertsEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py",
"content": "from typing import Dict, Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_list\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies\n\n\nclass SQLServerEmailAlertsToAdminsEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers\"\n id = \"CKV_AZURE_27\"\n supported_resources = [\"Microsoft.Sql/servers/databases\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"resources\"]\n resources = conf.get(\"resources\") or []\n for idx, resource in enumerate(force_list(resources)):\n self.evaluated_keys = [\n f\"resources/[{idx}]/type\",\n f\"resources/[{idx}]/properties/state\",\n f\"resources/[{idx}]/properties/emailAccountAdmins\",\n ]\n if resource.get(\"type\") in (\n \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"securityAlertPolicies\",\n ):\n properties = resource.get(\"properties\")\n if isinstance(properties, dict):\n state = properties.get(\"state\")\n if isinstance(state, str) and state.lower() == \"enabled\":\n email_admins = properties.get(\"emailAccountAdmins\")\n if email_admins:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = SQLServerEmailAlertsToAdminsEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass SQLServerHasPublicAccessDisabled(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that SQL server disables public network access\"\n id = \"CKV_AZURE_113\"\n supported_resources = [\"Microsoft.Sql/servers\"]\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED)\n\n def get_inspected_key(self) -> str:\n return 'properties/publicNetworkAccess'\n\n def get_expected_value(self) -> str:\n return \"Disabled\"\n\n\ncheck = SQLServerHasPublicAccessDisabled()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerNoPublicAccess.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SQLServerNoPublicAccess(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules\n name = \"Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)\"\n id = \"CKV_AZURE_11\"\n supported_resources = (\"Microsoft.Sql/servers\",)\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n # API Version 2015-05-01-preview and 2014-04-01\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n resources = conf.get(\"resources\")\n if resources and isinstance(resources, list):\n self.evaluated_keys = [\"resources\"]\n for idx, resource in enumerate(resources):\n self.evaluated_keys = [f\"resources/[{idx}]/type\", f\"resources/[{idx}]/properties/startIpAddress\",\n f\"resources/[{idx}]/properties/endIpAddress\"]\n resource_type = resource.get(\"type\")\n if resource_type in (\"Microsoft.Sql/servers/firewallRules\", \"firewallRules\", \"firewallrules\"):\n if \"properties\" in resource:\n if (\n \"startIpAddress\" in resource[\"properties\"]\n and resource[\"properties\"][\"startIpAddress\"] in [\"0.0.0.0\", \"0.0.0.0/0\"] # nosec # false positive\n and \"endIpAddress\" in resource[\"properties\"]\n and resource[\"properties\"][\"endIpAddress\"] == \"255.255.255.255\"\n ):\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = SQLServerNoPublicAccess()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py",
"content": "from typing import Dict, Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies\n\n\nclass SQLServerThreatDetectionTypes(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'Threat Detection types' is set to 'All'\"\n id = \"CKV_AZURE_25\"\n supported_resources = (\"Microsoft.Sql/servers/databases\",) # 'Microsoft.Sql/servers'\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n resources = conf.get(\"resources\")\n if isinstance(resources, list):\n self.evaluated_keys = [\"resources\"]\n for resource in resources:\n if \"type\" in resource:\n if resource[\"type\"] in (\n \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"securityAlertPolicies\",\n ):\n properties = resource.get(\"properties\")\n if isinstance(properties, dict):\n if \"state\" in properties and properties[\"state\"].lower() == \"enabled\":\n if not properties.get(\"disabledAlerts\"):\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = SQLServerThreatDetectionTypes()\n"
},
{
"path": "checkov/arm/checks/resource/SQLServerUsesADAuth.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass SQLServerUsesADAuth(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n \"\"\"\n I think that this check is really, ensure that only AD auth is used (not user/pass)\n \"\"\"\n\n name = \"Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)\"\n id = \"CKV2_AZURE_27\"\n supported_resources = [\"Microsoft.Sql/servers\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/administratorLogin'\n\n def get_forbidden_values(self) -> list[Any]:\n return [ANY_VALUE]\n\n\ncheck = SQLServerUsesADAuth()\n"
},
{
"path": "checkov/arm/checks/resource/SecretContentType.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass SecretContentType(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = 'Ensure that key vault secrets have \"content_type\" set'\n id = \"CKV_AZURE_114\"\n supported_resources = (\"Microsoft.KeyVault/vaults/secrets\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/contentType\"\n\n def get_expected_value(self) -> Any:\n return ANY_VALUE\n\n\ncheck = SecretContentType()\n"
},
{
"path": "checkov/arm/checks/resource/SecretExpirationDate.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SecretExpirationDate(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets\n name = \"Ensure that the expiration date is set on all secrets\"\n id = \"CKV_AZURE_41\"\n supported_resources = ('Microsoft.KeyVault/vaults/secrets',)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n self.evaluated_keys = ['properties']\n if \"attributes\" in conf[\"properties\"]:\n self.evaluated_keys = ['properties/attributes']\n if \"exp\" in conf[\"properties\"][\"attributes\"]:\n if conf[\"properties\"][\"attributes\"][\"exp\"]:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = SecretExpirationDate()\n"
},
{
"path": "checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SecurityCenterContactEmailAlert(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts\n name = \"Ensure that 'Send email notification for high severity alerts' is set to 'On'\"\n id = \"CKV_AZURE_21\"\n supported_resources = ('Microsoft.Security/securityContacts',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"alertNotifications\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"alertNotifications\"]).lower() == \"on\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/alertNotifications']\n\n\ncheck = SecurityCenterContactEmailAlert()\n"
},
{
"path": "checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SecurityCenterContactEmailAlertAdmins(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts\n name = \"Ensure that 'Send email notification for high severity alerts' is set to 'On'\"\n id = \"CKV_AZURE_22\"\n supported_resources = ('Microsoft.Security/securityContacts',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"alertsToAdmins\" in conf[\"properties\"]:\n if str(conf[\"properties\"][\"alertsToAdmins\"]).lower() == \"on\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/alertsToAdmins']\n\n\ncheck = SecurityCenterContactEmailAlertAdmins()\n"
},
{
"path": "checkov/arm/checks/resource/SecurityCenterContactPhone.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SecurityCenterContactPhone(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts\n name = \"Ensure that security contact 'Phone number' is set\"\n id = \"CKV_AZURE_20\"\n supported_resources = ('Microsoft.Security/securityContacts',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"phone\" in conf[\"properties\"]:\n if conf[\"properties\"][\"phone\"]:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties\", \"properties/phone\"]\n\n\ncheck = SecurityCenterContactPhone()\n"
},
{
"path": "checkov/arm/checks/resource/SecurityCenterStandardPricing.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SecurityCenterStandardPricing(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts\n name = \"Ensure that standard pricing tier is selected\"\n id = \"CKV_AZURE_19\"\n supported_resources = ('Microsoft.Security/pricings',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties\"]\n if \"properties\" in conf:\n if \"pricingTier\" in conf[\"properties\"]:\n self.evaluated_keys = [\"properties/pricingTier\"]\n if str(conf[\"properties\"][\"pricingTier\"]).lower() == \"standard\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = SecurityCenterStandardPricing()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts\nfrom checkov.common.util.type_forcers import force_int\n\n\nclass StorageAccountAzureServicesAccessEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # properties.networkAcls.bypass == \"AzureServices\"\n # Fail if apiVersion less than 2017 as this setting wasn't available\n name = \"Ensure 'Trusted Microsoft Services' is enabled for Storage Account access\"\n id = \"CKV_AZURE_36\"\n supported_resources = ('Microsoft.Storage/storageAccounts',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n # Fail if apiVersion < 2017 as you could not set networkAcls\n year = force_int(conf[\"apiVersion\"][0:4])\n\n if year is None:\n return CheckResult.UNKNOWN # Should be handled by variable rendering\n if year < 2017:\n self.evaluated_keys = [\"apiVersion\"]\n return CheckResult.FAILED\n\n self.evaluated_keys = [\"properties\"]\n if \"properties\" in conf:\n if \"networkAcls\" in conf[\"properties\"]:\n self.evaluated_keys = [\"properties/networkAcls\"]\n if \"defaultAction\" in conf[\"properties\"][\"networkAcls\"]:\n if not isinstance(conf[\"properties\"][\"networkAcls\"], dict):\n return CheckResult.UNKNOWN\n if conf[\"properties\"][\"networkAcls\"][\"defaultAction\"] == \"Allow\":\n return CheckResult.PASSED\n elif \"bypass\" in conf[\"properties\"][\"networkAcls\"] and \\\n conf[\"properties\"][\"networkAcls\"][\"bypass\"] == \"AzureServices\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = StorageAccountAzureServicesAccessEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_int\n\n\n# https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts\n\nclass StorageAccountDefaultNetworkAccessDeny(BaseResourceCheck):\n def __init__(self) -> None:\n # properties.networkAcls.bypass == \"AzureServices\"\n # Fail if apiVersion less than 2017 as this setting wasn't available\n name = \"Ensure default network access rule for Storage Accounts is set to deny\"\n id = \"CKV_AZURE_35\"\n supported_resources = ('Microsoft.Storage/storageAccounts',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"apiVersion\" in conf:\n # Fail if apiVersion < 2017 as you could not set networkAcls\n year = force_int(conf[\"apiVersion\"][0:4])\n\n if year is None:\n return CheckResult.UNKNOWN\n elif year < 2017:\n return CheckResult.FAILED\n\n if \"properties\" in conf:\n if \"networkAcls\" in conf[\"properties\"]:\n if not isinstance(conf[\"properties\"][\"networkAcls\"], dict):\n return CheckResult.UNKNOWN\n if \"defaultAction\" in conf[\"properties\"][\"networkAcls\"]:\n if conf[\"properties\"][\"networkAcls\"][\"defaultAction\"] == \"Deny\":\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"apiVersion\", \"properties\", \"properties/networkAcls\"]\n\n\ncheck = StorageAccountDefaultNetworkAccessDeny()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass StorageAccountDisablePublicAccess(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Storage accounts disallow public access\"\n id = \"CKV_AZURE_59\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/publicNetworkAccess\"\n\n def get_forbidden_values(self) -> list[Any]:\n return [\"Enabled\"]\n\n\ncheck = StorageAccountDisablePublicAccess()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass StorageAccountLoggingQueueServiceEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/queueservices\n # https://github.com/MicrosoftDocs/azure-docs/issues/13195\n # This check is only relevant for storageAccounts with Queue Service enabled\n\n # properties.networkAcls.bypass == \"AzureServices\"\n # Fail if apiVersion less than 2017 as this setting wasn't available\n name = \"Ensure Storage logging is enabled for Queue service for read, write and delete requests\"\n id = \"CKV_AZURE_33\"\n supported_resources = ('Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings',)\n categories = (CheckCategories.LOGGING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n if \"logs\" in conf[\"properties\"]:\n if conf[\"properties\"][\"logs\"]:\n storage = {}\n for log in conf[\"properties\"][\"logs\"]:\n if \"category\" in log and \"enabled\" in log:\n if str(log[\"enabled\"]).lower() == \"true\":\n storage[log[\"category\"]] = True\n if \"StorageRead\" in storage.keys() and \\\n \"StorageWrite\" in storage.keys() and \\\n \"StorageDelete\" in storage.keys():\n if storage[\"StorageRead\"] and storage[\"StorageWrite\"] and storage[\"StorageDelete\"]:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/logs']\n\n\ncheck = StorageAccountLoggingQueueServiceEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass StorageAccountMinimumTlsVersion(BaseResourceCheck):\n def __init__(self) -> None:\n \"\"\"\n Looks for min_tls_version configuration at azurerm_storage_account to be set to TLS1_2\n https://www.terraform.io/docs/providers/azurerm/r/storage_account.html#min_tls_version\n :param conf: azurerm_storage_account configuration\n :return: \n \"\"\"\n name = \"Ensure Storage Account is using the latest version of TLS encryption\"\n id = \"CKV_AZURE_44\"\n supported_resources = ('Microsoft.Storage/storageAccounts',)\n categories = (CheckCategories.NETWORKING,)\n\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf and \\\n \"minimumTlsVersion\" in conf[\"properties\"] and \\\n conf[\"properties\"][\"minimumTlsVersion\"] in ['TLS1_2']:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties', 'properties/minimumTlsVersion']\n\n\ncheck = StorageAccountMinimumTlsVersion()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountName.py",
"content": "from __future__ import annotations\n\nimport re\nimport typing\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nSTO_NAME_REGEX = re.compile(r\"^[a-z0-9]{3,24}$\")\nVARIABLE_REFS = (\"local.\", \"module.\", \"var.\", \"random_string.\", \"random_id.\", \"random_integer.\", \"random_pet.\",\n \"azurecaf_name\", \"each.\", \"substring\")\n\n\nclass StorageAccountName(BaseResourceCheck):\n def __init__(self) -> None:\n \"\"\"\n Initializes a check to ensure that Storage Accounts adhere to the naming rules.\n\n The naming reference for Storage Accounts can be found here:\n https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#naming-storage-accounts\n \"\"\"\n name = \"Ensure Storage Accounts adhere to the naming rules\"\n id = \"CKV_AZURE_43\"\n supported_resources = ['Microsoft.Storage/storageAccounts']\n categories = [CheckCategories.CONVENTION]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, typing.Any]) -> CheckResult:\n \"\"\"\n The Storage Account naming reference:\n https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#naming-storage-accounts\n :param conf: azurerm_storage_account configuration\n :return: \n \"\"\"\n if \"name\" in conf.keys():\n name = conf[\"name\"]\n if name:\n name = str(name)\n if any(x in name for x in VARIABLE_REFS):\n # in the case we couldn't evaluate the name, just ignore\n return CheckResult.UNKNOWN\n if re.findall(STO_NAME_REGEX, name):\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> typing.List[str]:\n return [\"name\"]\n\n\ncheck = StorageAccountName()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountsTransportEncryption.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_int\n\n\nclass StorageAccountsTransportEncryption(BaseResourceCheck):\n def __init__(self) -> None:\n # supportsHttpsTrafficOnly: Allows https traffic only to storage service if sets to true. The default value is\n # true since API version 2019-04-01.\n name = \"Ensure that 'supportsHttpsTrafficOnly' is set to 'true'\"\n id = \"CKV_AZURE_3\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties\"]\n properties = conf.get(\"properties\")\n if isinstance(properties, dict) and \"supportsHttpsTrafficOnly\" in properties:\n self.evaluated_keys = [\"properties/supportsHttpsTrafficOnly\"]\n https = str(properties[\"supportsHttpsTrafficOnly\"]).lower()\n return CheckResult.PASSED if https == \"true\" else CheckResult.FAILED\n\n # Use default if supportsHttpsTrafficOnly is not set\n if \"apiVersion\" in conf:\n # Default for apiVersion 2019 and newer is supportsHttpsTrafficOnly = True\n year = force_int(conf[\"apiVersion\"][0:4])\n\n if year is None:\n return CheckResult.UNKNOWN\n elif year < 2019:\n self.evaluated_keys = [\"apiVersion\"]\n return CheckResult.FAILED\n else:\n return CheckResult.PASSED\n return CheckResult.FAILED\n\n\ncheck = StorageAccountsTransportEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/StorageAccountsUseReplication.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\nfrom typing import Any, List\n\n\nclass StorageAccountsUseReplication(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Storage Accounts use replication\"\n id = \"CKV_AZURE_206\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.BACKUP_AND_RECOVERY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def get_inspected_key(self) -> str:\n return \"sku/name\"\n\n def get_expected_value(self) -> Any:\n return \"Standard_GRS\"\n\n def get_expected_values(self) -> List[Any]:\n return [\"Standard_GRS\", \"Standard_RAGRS\", \"Standard_GZRS\", \"Standard_RAGZRS\"]\n\n\ncheck = StorageAccountsUseReplication()\n"
},
{
"path": "checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass StorageBlobServiceContainerPrivateAccess(BaseResourceCheck):\n def __init__(self) -> None:\n # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers\n # publicAccess default is None\n name = \"Ensure that 'Public access level' is set to Private for blob containers\"\n id = \"CKV_AZURE_34\"\n supported_resources = (\n 'Microsoft.Storage/storageAccounts/blobServices/containers',\n 'containers',\n 'blobServices/containers',\n )\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if \"properties\" in conf:\n self.evaluated_keys = [\"properties\"]\n if \"publicAccess\" in conf[\"properties\"]:\n self.evaluated_keys = [\"properties/publicAccess\"]\n if str(conf[\"properties\"][\"publicAccess\"]).lower() == \"container\" or \\\n str(conf[\"properties\"][\"publicAccess\"]).lower() == \"blob\":\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = StorageBlobServiceContainerPrivateAccess()\n"
},
{
"path": "checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass NetworkInterfaceEnableIPForwarding(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure File Sync disables public network access\"\n id = \"CKV_AZURE_64\"\n supported_resources = ('Microsoft.StorageSync/storageSyncServices',)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.FAILED)\n\n def get_inspected_key(self) -> str:\n return 'properties/incomingTrafficPolicy'\n\n def get_expected_value(self) -> str:\n return 'AllowVirtualNetworksOnly'\n\n\ncheck = NetworkInterfaceEnableIPForwarding()\n"
},
{
"path": "checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, List\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Synapse Workspace administrator login password is not exposed\"\n id = \"CKV_AZURE_239\"\n supported_resources = ['Microsoft.Synapse/workspaces']\n categories = [CheckCategories.SECRETS]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n if conf.get(\"properties\", {}).get(\"sqlAdministratorLoginPassword\"):\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return ['properties/sqlAdministratorLoginPassword']\n\n\ncheck = SynapseWorkspaceAdministratorLoginPasswordHidden()\n"
},
{
"path": "checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py",
"content": "from __future__ import annotations\nfrom typing import Any\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass SynapseWorkspaceCMKEncryption(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure Azure Synapse Workspace is encrypted with a CMK\"\n id = \"CKV_AZURE_240\"\n supported_resources = ['Microsoft.Synapse/workspaces']\n categories = [CheckCategories.ENCRYPTION]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n encryption = conf.get(\"properties\", {}).get(\"encryption\", {})\n\n if \"cmk\" in encryption:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n def get_evaluated_keys(self) -> list[str]:\n return ['properties', 'properties/encryption']\n\n\ncheck = SynapseWorkspaceCMKEncryption()\n"
},
{
"path": "checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass SynapseWorkspaceEnablesDataExfilProtection(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Synapse workspace has data_exfiltration_protection_enabled\"\n id = \"CKV_AZURE_157\"\n supported_resources = [\"Microsoft.Synapse/workspaces\"]\n categories = [CheckCategories.GENERAL_SECURITY]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/dataExfiltrationProtectionEnabled'\n\n\ncheck = SynapseWorkspaceEnablesDataExfilProtection()\n"
},
{
"path": "checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck\n\n\nclass SynapseWorkspaceEnablesManagedVirtualNetworks(BaseResourceNegativeValueCheck):\n def __init__(self) -> None:\n name = \"Ensure that Azure Synapse workspaces enables managed virtual networks\"\n id = \"CKV_AZURE_58\"\n supported_resources = ['Microsoft.Synapse/workspaces']\n categories = [CheckCategories.NETWORKING]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return 'properties/managedVirtualNetwork'\n\n def get_forbidden_values(self) -> list[Any]:\n return [\"default\"]\n\n\ncheck = SynapseWorkspaceEnablesManagedVirtualNetworks()\n"
},
{
"path": "checkov/arm/checks/resource/VMCredsInCustomData.py",
"content": "from typing import List, Dict, Any\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.secrets import string_has_secrets, AZURE, GENERAL\nfrom checkov.arm.base_resource_value_check import BaseResourceCheck\n\n\nclass VMCredsInCustomData(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that no sensitive credentials are exposed in VM custom_data\"\n id = \"CKV_AZURE_45\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\",)\n categories = (CheckCategories.SECRETS,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n os_profile = properties.get(\"osProfile\")\n if isinstance(os_profile, dict):\n custom_data = os_profile.get(\"customData\")\n if isinstance(custom_data, str):\n if string_has_secrets(custom_data, AZURE, GENERAL):\n conf[f'{self.id}_secret'] = custom_data\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n def get_evaluated_keys(self) -> List[str]:\n return [\"properties/osProfile/customData\"]\n\n\ncheck = VMCredsInCustomData()\n"
},
{
"path": "checkov/arm/checks/resource/VMDisablePasswordAuthentication.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\n\nclass VMDisablePasswordAuthentication(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Virtual machine does not enable password authentication\"\n id = \"CKV_AZURE_149\"\n supported_resources = (\n \"Microsoft.Compute/virtualMachineScaleSets\",\n \"Microsoft.Compute/virtualMachines\",\n )\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n os_profile = None\n\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n self.evaluated_keys = [\"properties\"]\n if self.entity_type == \"Microsoft.Compute/virtualMachines\":\n tmp_os_profile = properties.get(\"osProfile\")\n if tmp_os_profile and isinstance(tmp_os_profile, dict):\n self.evaluated_keys = [\"properties/osProfile\"]\n os_profile = tmp_os_profile\n elif self.entity_type == \"Microsoft.Compute/virtualMachineScaleSets\":\n vm_profile = properties.get(\"virtualMachineProfile\")\n if vm_profile and isinstance(vm_profile, dict):\n tmp_os_profile = vm_profile.get(\"osProfile\")\n if tmp_os_profile and isinstance(tmp_os_profile, dict):\n self.evaluated_keys = [\"properties/virtualMachineProfile/osProfile\"]\n os_profile = tmp_os_profile\n\n if os_profile is None:\n return CheckResult.UNKNOWN\n\n linux_config = os_profile.get(\"linuxConfiguration\")\n if linux_config and isinstance(linux_config, dict):\n pass_auth = linux_config.get(\"disablePasswordAuthentication\")\n if pass_auth and isinstance(pass_auth, bool):\n return CheckResult.PASSED if pass_auth and isinstance(pass_auth, bool) else CheckResult.FAILED\n return CheckResult.FAILED\n\n return CheckResult.UNKNOWN\n\n return CheckResult.FAILED\n\n\ncheck = VMDisablePasswordAuthentication()\n"
},
{
"path": "checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py",
"content": "from __future__ import annotations\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\n\nfrom typing import Any\n\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass VMEncryptionAtHostEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Virtual machine scale sets have encryption at host enabled\"\n id = \"CKV_AZURE_97\"\n supported_resources = (\"Microsoft.Compute/virtualMachineScaleSets\", \"Microsoft.Compute/virtualMachines\")\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n encryption = \"\"\n\n if self.entity_type == \"Microsoft.Compute/virtualMachines\":\n self.evaluated_keys = [\"properties/securityProfile/encryptionAtHost\"]\n encryption = find_in_dict(input_dict=conf, key_path=\"properties/securityProfile/encryptionAtHost\")\n elif self.entity_type == \"Microsoft.Compute/virtualMachineScaleSets\":\n self.evaluated_keys = [\"properties/virtualMachineProfile/securityProfile/encryptionAtHost\"]\n encryption = find_in_dict(\n input_dict=conf, key_path=\"properties/virtualMachineProfile/securityProfile/encryptionAtHost\"\n )\n\n if str(encryption).lower() == \"true\":\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n\ncheck = VMEncryptionAtHostEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass VMScaleSetsAutoOSImagePatchingEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets\"\n id = \"CKV_AZURE_95\"\n supported_resources = (\"Microsoft.Compute/virtualMachineScaleSets\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n properties = conf.get(\"properties\")\n if properties and isinstance(properties, dict):\n if properties.get(\"orchestrationMode\") == \"Flexible\":\n self.evaluated_keys = [\"properties/orchestrationMode\"]\n return CheckResult.FAILED\n\n self.evaluated_keys = [\"properties/virtualMachineProfile/extensionProfile/extensions\"]\n extensions = find_in_dict(\n input_dict=properties,\n key_path=\"virtualMachineProfile/extensionProfile/extensions\",\n )\n if extensions:\n for extension in extensions:\n extension_properties = extension.get(\"properties\")\n if extension_properties and isinstance(extension_properties, dict):\n if extension_properties.get(\"enableAutomaticUpgrade\") is True:\n return CheckResult.PASSED\n\n return CheckResult.FAILED\n\n return CheckResult.UNKNOWN\n\n\ncheck = VMScaleSetsAutoOSImagePatchingEnabled()\n"
},
{
"path": "checkov/arm/checks/resource/VMStorageOsDisk.py",
"content": "from typing import Any, Dict\n\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceCheck\n\n\nclass VMStorageOsDisk(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that Virtual Machines use managed disks\"\n id = \"CKV_AZURE_92\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\",)\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:\n properties = conf.get('properties')\n if not properties or not isinstance(properties, dict):\n return CheckResult.PASSED\n storage_profile = properties.get('storageProfile')\n if not storage_profile or not isinstance(storage_profile, dict):\n return CheckResult.PASSED\n os_disk = storage_profile.get('osDisk')\n data_disks = list(storage_profile.get('dataDisks', []))\n if os_disk and isinstance(os_disk, dict) and \"vhd\" in os_disk:\n self.evaluated_keys = ['os_disk']\n return CheckResult.FAILED\n if data_disks and any(isinstance(data_disk, dict) and \"vhd\" in data_disk for data_disk in data_disks):\n self.evaluated_keys = ['data_disks']\n return CheckResult.FAILED\n self.evaluated_keys = ['os_disk'] if os_disk else []\n if data_disks:\n self.evaluated_keys.append('data_disks')\n return CheckResult.PASSED\n\n\ncheck = VMStorageOsDisk()\n"
},
{
"path": "checkov/arm/checks/resource/VnetLocalDNS.py",
"content": "from ipaddress import ip_network, ip_address\nfrom typing import Any, List, Dict\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass VnetLocalDNS(BaseResourceCheck):\n def __init__(self) -> None:\n \"\"\"Avoid taking a dependency on external DNS servers\n for local communication such as those deployed on-premises.\n Where possible consider deploying Azure Private DNS Zones,\n a platform-as-a-service (PaaS) DNS service for VNETs\"\"\"\n\n name = \"Ensure that VNET uses local DNS addresses\"\n id = \"CKV_AZURE_183\"\n supported_resources = (\"Microsoft.Network/virtualNetworks\",)\n categories = [CheckCategories.NETWORKING, ]\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:\n if \"properties\" in conf and \"dhcpOptions\" in conf[\"properties\"]:\n if \"dnsServers\" in conf[\"properties\"][\"dhcpOptions\"]:\n if isinstance(conf[\"properties\"][\"dhcpOptions\"][\"dnsServers\"], list):\n dns_servers = conf[\"properties\"][\"dhcpOptions\"][\"dnsServers\"]\n if dns_servers:\n for ip in dns_servers:\n if \"addressSpace\" in conf[\"properties\"] and conf[\"properties\"][\"addressSpace\"]:\n if \"addressPrefixes\" in conf[\"properties\"][\"addressSpace\"]:\n if isinstance(conf[\"properties\"][\"addressSpace\"][\"addressPrefixes\"], list):\n address_spaces = conf[\"properties\"][\"addressSpace\"][\"addressPrefixes\"]\n if isinstance(address_spaces, list):\n for address_range in address_spaces:\n if not isinstance(address_range, str):\n continue\n try:\n net = ip_network(address_range)\n ip_add = ip_address(ip) if isinstance(ip, str) else None\n except ValueError:\n return CheckResult.UNKNOWN\n if isinstance(ip, str) and ip_add in net:\n return CheckResult.PASSED\n self.evaluated_keys = [\"dnsServers\"]\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = VnetLocalDNS()\n"
},
{
"path": "checkov/arm/checks/resource/VnetSingleDNSServer.py",
"content": "from typing import Any, List, Dict\n\nfrom checkov.arm.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass VnetSingleDNSServer(BaseResourceCheck):\n\n def __init__(self) -> None:\n \"\"\"Using a single DNS server may indicate a single point of failure\n where the DNS IP address is not load balanced.\"\"\"\n name = \"Ensure that VNET has at least 2 connected DNS Endpoints\"\n id = \"CKV_AZURE_182\"\n supported_resources = (\"Microsoft.Network/networkInterfaces\", \"Microsoft.Network/virtualNetworks\")\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult:\n if \"properties\" in conf and \"dnsSettings\" in conf[\"properties\"]:\n if \"dnsServers\" in conf[\"properties\"][\"dnsSettings\"] and isinstance(\n conf[\"properties\"][\"dnsSettings\"][\"dnsServers\"], list):\n dns_servers = conf[\"properties\"][\"dnsSettings\"][\"dnsServers\"]\n if dns_servers and len(dns_servers) == 1:\n self.evaluated_keys = [\"dnsServers\"]\n return CheckResult.FAILED\n else:\n if \"properties\" in conf and \"dhcpOptions\" in conf[\"properties\"]:\n if \"dnsServers\" in conf[\"properties\"][\"dhcpOptions\"] and isinstance(\n conf[\"properties\"][\"dhcpOptions\"][\"dnsServers\"], list):\n dns_servers = conf[\"properties\"][\"dhcpOptions\"][\"dnsServers\"]\n if dns_servers and len(dns_servers) == 1:\n self.evaluated_keys = [\"dnsServers\"]\n return CheckResult.FAILED\n return CheckResult.PASSED\n\n\ncheck = VnetSingleDNSServer()\n"
},
{
"path": "checkov/arm/checks/resource/WinVMAutomaticUpdates.py",
"content": "from checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass WinVMAutomaticUpdates(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure Windows VM enables automatic updates\"\n id = \"CKV_AZURE_177\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\", \"Microsoft.Compute/virtualMachineScaleSets\")\n categories = (CheckCategories.GENERAL_SECURITY,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,\n missing_block_result=CheckResult.PASSED,)\n\n def get_inspected_key(self) -> str:\n if self.entity_type == \"Microsoft.Compute/virtualMachineScaleSets\":\n return \"properties/virtualMachineProfile/osProfile/windowsConfiguration/enableAutomaticUpdates\"\n return \"properties/osProfile/windowsConfiguration/enableAutomaticUpdates\"\n\n\ncheck = WinVMAutomaticUpdates()\n"
},
{
"path": "checkov/arm/checks/resource/WinVMEncryptionAtHost.py",
"content": "from checkov.common.models.enums import CheckCategories\nfrom checkov.arm.base_resource_value_check import BaseResourceValueCheck\n\n\nclass WinVMEncryptionAtHost(BaseResourceValueCheck):\n def __init__(self) -> None:\n \"\"\"\n If enabled, all the disks (including the temp disk) attached to this Virtual Machine will be encrypted\n\n If not enabled:\n https://learn.microsoft.com/en-gb/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites\n\n \"\"\"\n name = \"Ensure Windows VM enables encryption\"\n id = \"CKV_AZURE_151\"\n supported_resources = (\"Microsoft.Compute/virtualMachines\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/securityProfile/encryptionAtHost\"\n\n\ncheck = WinVMEncryptionAtHost()\n"
},
{
"path": "checkov/arm/checks/resource/__init__.py",
"content": "from os.path import dirname, basename, isfile, join\nimport glob\n\nmodules = glob.glob(join(dirname(__file__), \"*.py\"))\n__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith(\"__init__.py\")]\n"
},
{
"path": "checkov/arm/context_parser.py",
"content": "from __future__ import annotations\n\nimport logging\nimport operator\nimport re\nfrom functools import reduce\nfrom typing import Any, TYPE_CHECKING, Generator\n\nfrom checkov.arm.utils import ArmElements\nfrom checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import integration as metadata_integration\nfrom checkov.common.util.consts import LINE_FIELD_NAMES, START_LINE, END_LINE\nfrom checkov.common.util.type_forcers import force_list\n\nif TYPE_CHECKING:\n from checkov.common.typing import _SkippedCheck\n\nCOMMENT_REGEX = re.compile(r'([A-Z_\\d]+)(:[^\\n]+)?')\nPARAMETERS_PATTERN = re.compile(r\"\\[parameters\\('|'\\)]\")\nVARIABLES_PATTERN = re.compile(r\"\\[variables\\('|'\\)]\")\n\n\nclass ContextParser:\n \"\"\"\n ARM template context parser\n \"\"\"\n\n def __init__(self, arm_file: str, arm_template: dict[str, Any], arm_template_lines: list[tuple[int, str]]) -> None:\n self.arm_file = arm_file\n self.arm_template = arm_template\n self.arm_template_lines = arm_template_lines\n\n def evaluate_default_parameters(self) -> None:\n # Get parameter defaults and variable values\n parameter_defaults = {}\n if ArmElements.PARAMETERS in self.arm_template:\n for parameter, config in self.arm_template[ArmElements.PARAMETERS].items():\n if parameter in LINE_FIELD_NAMES:\n continue\n if \"defaultValue\" in config:\n parameter_defaults[parameter] = config[\"defaultValue\"]\n\n variable_values = {}\n if ArmElements.VARIABLES in self.arm_template:\n for var, config in self.arm_template[ArmElements.VARIABLES].items():\n if var in LINE_FIELD_NAMES:\n continue\n variable_values[var] = config.get('value') if config.get('value') else config\n\n # Find paths to substitute parameters and variables\n keys_w_params = self.search_deep_values('[parameters(', self.arm_template, [])\n keys_w_vars = self.search_deep_values('[variables(', self.arm_template, [])\n\n # Substitute Parameters and Variables\n for key_entry in keys_w_params:\n try:\n param = re.sub(\n PARAMETERS_PATTERN,\n \"\",\n self._get_from_dict(dict(self.arm_template), key_entry[:-1])[key_entry[-1]], # type:ignore[index] # this will be a str\n )\n if param in parameter_defaults:\n logging.debug(f\"Replacing parameter {param} in file {self.arm_file} with default value: {parameter_defaults[param]}\")\n self._set_in_dict(dict(self.arm_template), key_entry, parameter_defaults[param])\n except TypeError:\n logging.debug(f\"Failed to evaluate param in {self.arm_file}\", exc_info=True)\n\n for key_entry in keys_w_vars:\n try:\n param = re.sub(\n VARIABLES_PATTERN,\n \"\",\n self._get_from_dict(dict(self.arm_template), key_entry[:-1])[key_entry[-1]], # type:ignore[index] # this will be a str\n )\n if param in variable_values.keys():\n self._set_in_dict(dict(self.arm_template), key_entry, variable_values[param])\n logging.debug(\n \"Replacing variable {} in file {} with default value: {}\".format(param, self.arm_file,\n variable_values[param]))\n else:\n logging.debug(\"Variable {} not found in evaluated variables in file {}\".format(param, self.arm_file))\n except TypeError:\n logging.debug(f\"Failed to evaluate param in {self.arm_file}\", exc_info=True)\n\n @staticmethod\n def extract_arm_resource_id(arm_resource: dict[str, Any]) -> str | None:\n # if arm_resource_name == '__startline__' or arm_resource_name == '__endline__':\n # return\n if 'type' not in arm_resource:\n # This is not an ARM resource, skip\n return None\n if 'name' not in arm_resource:\n # This is not an ARM resource, skip\n return None\n return f\"{arm_resource['type']}.{arm_resource['name']}\"\n\n @staticmethod\n def extract_arm_resource_name(arm_resource: dict[str, Any]) -> str | None:\n # if arm_resource_name == '__startline__' or arm_resource_name == '__endline__':\n # return\n if 'name' not in arm_resource:\n # This is not an ARM resource, skip\n return None\n return f\"{arm_resource['name']}\"\n\n def extract_arm_resource_code_lines(\n self, arm_resource: dict[str, Any]\n ) -> tuple[list[int], list[tuple[int, str]]] | tuple[None, None]:\n find_lines_result_list = list(self.find_lines(arm_resource, START_LINE))\n if len(find_lines_result_list) >= 1:\n start_line = min(find_lines_result_list)\n end_line = max(list(self.find_lines(arm_resource, END_LINE)))\n\n entity_lines_range = [start_line, end_line]\n\n entity_code_lines = self.arm_template_lines[start_line - 1: end_line]\n return entity_lines_range, entity_code_lines\n return None, None\n\n @staticmethod\n def find_lines(node: dict[str, Any] | list[dict[str, Any]], kv: str) -> Generator[Any, None, None]:\n if isinstance(node, list):\n for i in node:\n for x in ContextParser.find_lines(i, kv):\n yield x\n elif isinstance(node, dict):\n if kv in node:\n yield node[kv]\n for j in node.values():\n for x in ContextParser.find_lines(j, kv):\n yield x\n\n @staticmethod\n def collect_skip_comments(resource: dict[str, Any]) -> list[_SkippedCheck]:\n skipped_checks = []\n bc_id_mapping = metadata_integration.bc_to_ckv_id_mapping\n if \"metadata\" in resource:\n if \"checkov\" in resource[\"metadata\"]:\n for item in force_list(resource[\"metadata\"][\"checkov\"]):\n skip_search = re.search(COMMENT_REGEX, str(item))\n if skip_search:\n skipped_check: \"_SkippedCheck\" = {\n 'id': skip_search.group(1),\n 'suppress_comment': skip_search.group(2)[1:] if skip_search.group(\n 2) else \"No comment provided\"\n }\n if bc_id_mapping and skipped_check[\"id\"] in bc_id_mapping:\n skipped_check[\"bc_id\"] = skipped_check[\"id\"]\n skipped_check[\"id\"] = bc_id_mapping[skipped_check[\"id\"]]\n elif metadata_integration.check_metadata:\n skipped_check[\"bc_id\"] = metadata_integration.get_bc_id(skipped_check[\"id\"])\n\n skipped_checks.append(skipped_check)\n\n return skipped_checks\n\n @staticmethod\n def search_deep_keys(search_text: str, arm_dict: dict[str, Any], path: list[str | int]) -> list[list[Any]]:\n \"\"\"Search deep for keys and get their values\"\"\"\n keys = []\n if isinstance(arm_dict, dict):\n for key in arm_dict:\n pathprop = path[:]\n pathprop.append(key)\n if key == search_text:\n pathprop.append(arm_dict[key])\n keys.append(pathprop)\n # pop the last element off for nesting of found elements for\n # dict and list checks\n pathprop = pathprop[:-1]\n if isinstance(arm_dict[key], dict):\n keys.extend(ContextParser.search_deep_keys(search_text, arm_dict[key], pathprop))\n elif isinstance(arm_dict[key], list):\n for index, item in enumerate(arm_dict[key]):\n pathproparr = pathprop[:]\n pathproparr.append(index)\n keys.extend(ContextParser.search_deep_keys(search_text, item, pathproparr))\n elif isinstance(arm_dict, list):\n for index, item in enumerate(arm_dict):\n pathprop = path[:]\n pathprop.append(index)\n keys.extend(ContextParser.search_deep_keys(search_text, item, pathprop))\n\n return keys\n\n @staticmethod\n def search_deep_values(search_text: str, arm_dict: dict[str, Any], path: list[str | int]) -> list[list[str | int]]:\n \"\"\"Search deep for keys with values matching search text\"\"\"\n keys: \"list[list[str | int]]\" = []\n if isinstance(arm_dict, dict):\n for key in arm_dict:\n pathprop = path[:]\n pathprop.append(key)\n\n if search_text in str(arm_dict[key]):\n pathprop.append(arm_dict[key])\n keys.append(pathprop)\n # pop the last element off for nesting of found elements for\n # dict and list checks\n pathprop = pathprop[:-1]\n if isinstance(arm_dict[key], dict):\n keys.extend(ContextParser.search_deep_values(search_text, arm_dict[key], pathprop))\n elif isinstance(arm_dict[key], list):\n for index, item in enumerate(arm_dict[key]):\n pathproparr = pathprop[:]\n pathproparr.append(index)\n keys.extend(ContextParser.search_deep_values(search_text, item, pathproparr))\n elif isinstance(arm_dict, list):\n for index, item in enumerate(arm_dict):\n pathprop = path[:]\n pathprop.append(index)\n keys.extend(ContextParser.search_deep_values(search_text, item, pathprop))\n\n for inner_keys in keys[:]:\n for i in inner_keys:\n if isinstance(i, list) or isinstance(i, dict):\n keys.remove(inner_keys)\n\n # Remove parameter\n if search_text in inner_keys[-1]: # type:ignore[operator] # this will be a str\n inner_keys.pop()\n\n return keys\n\n def _set_in_dict(self, data_dict: dict[str, Any], map_list: list[str | int], value: Any) -> None:\n self._get_from_dict(data_dict, map_list[:-1])[map_list[-1]] = value # type:ignore[index] # this will be a str\n\n @staticmethod\n def _get_from_dict(data_dict: dict[str, Any], map_list: list[str | int]) -> dict[str, Any]:\n return reduce(operator.getitem, map_list, data_dict) # type:ignore[arg-type] # this works, because of a deeper dict access\n"
},
{
"path": "checkov/arm/graph_builder/__init__.py",
"content": ""
},
{
"path": "checkov/arm/graph_builder/definition_context.py",
"content": "from __future__ import annotations\n\nfrom typing import cast, Dict, Any\n\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.common.util.suppression import collect_suppressions_for_report\n\n\nARM_COMMENT = \"//\"\nDEFINITIONS_KEYS = [\"parameters\", \"resources\"]\n\n\ndef build_definitions_context(definitions: dict[str, dict[str, Any]], definitions_raw: dict[str, list[tuple[int, str]]]\n ) -> Dict[str, Dict[str, Any]]:\n definitions_context: Dict[str, Dict[str, Any]] = {}\n for file_path_object, file_path_definitions in definitions.items():\n file_path = str(file_path_object)\n definitions_context[file_path] = {}\n for definition_attribute, resources in file_path_definitions.items():\n if definition_attribute not in DEFINITIONS_KEYS:\n continue\n definitions_context[file_path][definition_attribute] = {}\n if isinstance(resources, dict):\n for resource_key, resource_attributes in resources.items():\n if isinstance(resource_attributes, dict):\n add_resource_to_definitions_context(definitions_context, resource_key, resource_attributes,\n definition_attribute, definitions_raw, file_path)\n elif isinstance(resources, list):\n for resource in resources:\n if isinstance(resource, dict):\n add_resource_to_definitions_context(definitions_context, '', resource,\n definition_attribute, definitions_raw, file_path)\n return definitions_context\n\n\ndef add_resource_to_definitions_context(definitions_context: dict[str, dict[str, Any]], resource_key: str,\n resource_attributes: dict[str, Any], definition_attribute: str,\n definitions_raw: dict[str, Any], file_path: str) -> None:\n start_line = resource_attributes[START_LINE]\n end_line = resource_attributes[END_LINE]\n definition_resource = {\"start_line\": start_line, \"end_line\": end_line}\n\n if definition_attribute == \"resources\":\n resource_key = f\"{resource_attributes.get('type')}.{resource_attributes.get('name')}\"\n int_start_line = cast(int, definition_resource[\"start_line\"])\n int_end_line = cast(int, definition_resource[\"end_line\"])\n code_lines_for_suppressions_check = definitions_raw[file_path][int_start_line: int_end_line]\n definition_resource['skipped_checks'] = collect_suppressions_for_report(\n code_lines=code_lines_for_suppressions_check)\n else:\n definition_resource[\"type\"] = resource_attributes.get('type')\n\n definition_resource[\"code_lines\"] = definitions_raw[file_path][start_line - 1: end_line]\n definitions_context[file_path][definition_attribute][resource_key] = definition_resource\n"
},
{
"path": "checkov/arm/graph_builder/graph_components/__init__.py",
"content": ""
},
{
"path": "checkov/arm/graph_builder/graph_components/block_types.py",
"content": "from __future__ import annotations\n\nfrom dataclasses import dataclass\nfrom typing import Literal\n\nfrom checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType\n\n\n@dataclass\nclass BlockType(CommonBlockType):\n PARAMETER: Literal[\"parameters\"] = \"parameters\"\n VARIABLE: Literal[\"variables\"] = \"variables\"\n OUTPUT: Literal[\"outputs\"] = \"outputs\"\n"
},
{
"path": "checkov/arm/graph_builder/graph_components/blocks.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.graph.graph_builder.graph_components.blocks import Block\n\n\nclass ArmBlock(Block):\n def __init__(\n self,\n name: str,\n config: dict[str, Any],\n path: str,\n block_type: str,\n attributes: dict[str, Any],\n id: str = \"\",\n ) -> None:\n super().__init__(name, config, path, block_type, attributes, id, GraphSource.ARM)\n\n def should_run_get_inner_attributes(self, attribute_value: Any) -> bool:\n \"\"\"\n this function is triggered from _extract_inner_attributes to check whether we need to run the get_inner_attributes function.\n for ARM we want to get the inner_attributes also from list[str] and only for list[dict] like the rest of the frameworks,\n specific for the 'dependsOn' attribute in a resource\n \"\"\"\n return isinstance(attribute_value, dict) or (isinstance(attribute_value, list) and len(attribute_value) > 0)\n"
},
{
"path": "checkov/arm/graph_builder/graph_to_definitions.py",
"content": "from __future__ import annotations\n\nimport os\nfrom pathlib import Path\nfrom typing import Any, TYPE_CHECKING\n\nfrom checkov.arm.graph_builder.graph_components.block_types import BlockType\nfrom checkov.arm.utils import ArmElements\n\nif TYPE_CHECKING:\n from checkov.arm.graph_builder.graph_components.blocks import ArmBlock\n\n\ndef convert_graph_vertices_to_definitions(vertices: list[ArmBlock], root_folder: str | Path | None)\\\n -> tuple[dict[str, dict[str, Any]], dict[str, dict[str, Any]]]:\n arm_definitions: dict[str, dict[str, Any]] = {}\n breadcrumbs: dict[str, dict[str, Any]] = {}\n for vertex in vertices:\n block_path = vertex.path\n if vertex.block_type == BlockType.RESOURCE:\n arm_definitions.setdefault(block_path, {}).setdefault(ArmElements.RESOURCES, []).append(vertex.config)\n else:\n element_name = vertex.name.split('/')[-1]\n arm_definitions.setdefault(block_path, {}).setdefault(vertex.block_type, {})[element_name] = vertex.config\n\n if vertex.breadcrumbs:\n relative_block_path = f\"/{os.path.relpath(block_path, root_folder)}\"\n add_breadcrumbs(vertex, breadcrumbs, relative_block_path)\n return arm_definitions, breadcrumbs\n\n\ndef add_breadcrumbs(vertex: ArmBlock, breadcrumbs: dict[str, dict[str, Any]], relative_block_path: str) -> None:\n breadcrumbs.setdefault(relative_block_path, {})[vertex.name] = vertex.breadcrumbs\n"
},
{
"path": "checkov/arm/graph_builder/local_graph.py",
"content": "from __future__ import annotations\n\nimport logging\nimport re\nfrom typing import Any, TYPE_CHECKING\n\nfrom checkov.arm.graph_builder.graph_components.blocks import ArmBlock\nfrom checkov.arm.utils import ArmElements, extract_resource_name_from_resource_id_func, \\\n extract_resource_name_from_reference_func\nfrom checkov.arm.graph_builder.variable_rendering.renderer import ArmVariableRenderer\nfrom checkov.arm.graph_builder.graph_components.block_types import BlockType\nfrom checkov.common.graph.graph_builder import CustomAttributes, Edge\nfrom checkov.common.graph.graph_builder.local_graph import LocalGraph\nfrom checkov.common.graph.graph_builder.utils import filter_sub_keys, adjust_value\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\nfrom checkov.common.util.type_forcers import force_int\n\nif TYPE_CHECKING:\n from checkov.common.graph.graph_builder.local_graph import Block\n\nDEPENDS_ON_FIELD = 'dependsOn'\nRESOURCE_ID_FUNC = 'resourceId('\nREFERENCE_FUNC = 'reference('\nPARAMETER_FUNC = 'parameters('\nVARIABLE_FUNC = 'variables('\n\n\nclass ArmLocalGraph(LocalGraph[ArmBlock]):\n def __init__(self, definitions: dict[str, dict[str, Any]]) -> None:\n super().__init__()\n self.vertices: list[ArmBlock] = []\n self.definitions = definitions\n self.vertices_by_path_and_id: dict[tuple[str, str], int] = {}\n self.vertices_by_name: dict[str, int] = {}\n\n def build_graph(self, render_variables: bool = True) -> None:\n self._create_vertices()\n logging.debug(f\"[ArmLocalGraph] created {len(self.vertices)} vertices\")\n\n '''\n In order to resolve the resources names for the dependencies we need to render the variables first\n Examples: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency\n '''\n\n self._create_vars_and_parameters_edges()\n if render_variables:\n renderer = ArmVariableRenderer(self)\n renderer.render_variables_from_local_graph()\n self._update_resource_vertices_names()\n\n self._create_edges()\n logging.debug(f\"[ArmLocalGraph] created {len(self.edges)} edges\")\n\n def _create_vertices(self) -> None:\n for file_path, definition in self.definitions.items():\n self._create_parameter_vertices(file_path=file_path, parameters=definition.get(ArmElements.PARAMETERS))\n self._create_resource_vertices(file_path=file_path, resources=definition.get(ArmElements.RESOURCES))\n self._create_variables_vertices(file_path=file_path, variables=definition.get(ArmElements.VARIABLES))\n\n for i, vertex in enumerate(self.vertices):\n self.vertices_by_block_type[vertex.block_type].append(i)\n self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)\n self.vertices_by_path_and_id[(vertex.path, vertex.id)] = i\n self.vertices_by_name[vertex.name] = i\n\n self.in_edges[i] = []\n self.out_edges[i] = []\n\n def _create_variables_vertices(self, file_path: str, variables: dict[str, dict[str, Any]] | None) -> None:\n if not variables:\n return\n\n for name, conf in variables.items():\n if name in [START_LINE, END_LINE]:\n continue\n if not isinstance(conf, dict) or \"value\" not in conf:\n full_conf = {\"value\": pickle_deepcopy(conf)}\n else:\n full_conf = conf\n config = pickle_deepcopy(full_conf)\n attributes = pickle_deepcopy(full_conf)\n\n self.vertices.append(\n ArmBlock(\n name=f\"{file_path}/{name}\",\n config=config,\n path=file_path,\n block_type=BlockType.VARIABLE,\n attributes=attributes,\n id=f\"{ArmElements.VARIABLES}.{name}\",\n )\n )\n\n def _create_parameter_vertices(self, file_path: str, parameters: dict[str, dict[str, Any]] | None) -> None:\n if not parameters:\n return\n\n for name, config in parameters.items():\n if name in (START_LINE, END_LINE):\n continue\n if not isinstance(config, dict):\n logging.warning(f\"[ArmLocalGraph] parameter {name} has wrong type {type(config)}\")\n continue\n\n attributes = pickle_deepcopy(config)\n\n self.vertices.append(\n ArmBlock(\n name=f\"{file_path}/{name}\",\n config=config,\n path=file_path,\n block_type=BlockType.PARAMETER,\n attributes=attributes,\n id=f\"{ArmElements.PARAMETERS}.{name}\",\n )\n )\n\n def _create_resource_vertices(self, file_path: str, resources: list[dict[str, Any]] | None) -> None:\n if not resources:\n return\n\n for config in resources:\n if \"type\" not in config:\n # this can't be a real ARM resource without a \"type\" field\n return\n\n resource_name = config.get(\"name\") or \"unknown\"\n resource_type = config[\"type\"]\n\n attributes = pickle_deepcopy(config)\n attributes[CustomAttributes.RESOURCE_TYPE] = resource_type\n\n self.vertices.append(\n ArmBlock(\n name=resource_name,\n config=config,\n path=file_path,\n block_type=BlockType.RESOURCE,\n attributes=attributes,\n id=f\"{resource_type}.{resource_name}\"\n )\n )\n\n def _create_edges(self) -> None:\n for origin_vertex_index, vertex in enumerate(self.vertices):\n if DEPENDS_ON_FIELD in vertex.attributes:\n self._create_explicit_edge(origin_vertex_index, vertex.name, vertex.attributes['dependsOn'])\n self._create_implicit_edges(origin_vertex_index, vertex.name, vertex.attributes)\n\n def _create_explicit_edge(self, origin_vertex_index: int, resource_name: str, deps: list[str]) -> None:\n for dep in deps:\n if RESOURCE_ID_FUNC in dep:\n processed_dep = extract_resource_name_from_resource_id_func(dep)\n else:\n processed_dep = dep.split('/')[-1]\n # Check if the processed dependency exists in the map\n if processed_dep in self.vertices_by_name:\n self._create_edge(processed_dep, origin_vertex_index, f'{resource_name}->{processed_dep}')\n else:\n # Dependency not found\n logging.warning(f\"[ArmLocalGraph] resource dependency {processed_dep} defined in {dep} for resource\"\n f\" {resource_name} not found\")\n continue\n\n def _create_vars_and_parameters_edges(self) -> None:\n pattern = r\"(variables|parameters)\\('(\\w+)'\\)\"\n for origin_vertex_index, vertex in enumerate(self.vertices):\n for attr_key, attr_value in vertex.attributes.items():\n if not isinstance(attr_value, str):\n continue\n if ArmElements.VARIABLES in attr_value or ArmElements.PARAMETERS in attr_value:\n matches = re.findall(pattern, attr_value)\n for match in matches:\n var_name = match[1]\n self._create_edge(f\"{vertex.path}/{var_name}\", origin_vertex_index, attr_key)\n\n def _create_edge(self, element_name: str, origin_vertex_index: int, label: str) -> None:\n dest_vertex_index = self.vertices_by_name.get(element_name)\n if origin_vertex_index == dest_vertex_index or dest_vertex_index is None:\n return\n edge = Edge(origin_vertex_index, dest_vertex_index, label)\n self.edges.append(edge)\n self.out_edges[origin_vertex_index].append(edge)\n self.in_edges[dest_vertex_index].append(edge)\n\n def _create_implicit_edges(self, origin_vertex_index: int, resource_name: str, resource: dict[str, Any]) -> None:\n for value in resource.values():\n if isinstance(value, str):\n if REFERENCE_FUNC in value:\n self._create_implicit_edge(origin_vertex_index, resource_name, value)\n\n def _create_implicit_edge(self, origin_vertex_index: int, resource_name: str, reference_string: str) -> None:\n dep_name = extract_resource_name_from_reference_func(reference_string)\n self._create_edge(dep_name, origin_vertex_index, f'{resource_name}->{dep_name}')\n\n def _update_resource_vertices_names(self) -> None:\n for i, vertex in enumerate(self.vertices):\n if ((vertex.block_type != BlockType.RESOURCE or 'name' not in vertex.config or vertex.name == vertex.config['name'])\n or not isinstance(vertex.config['name'], str)):\n continue\n\n if PARAMETER_FUNC in vertex.name or VARIABLE_FUNC in vertex.name:\n if vertex.name in self.vertices_by_name:\n del self.vertices_by_name[vertex.name]\n\n vertex.name = vertex.config['name']\n self.vertices_by_name[vertex.name] = i\n\n def update_vertices_configs(self) -> None:\n for vertex in self.vertices:\n changed_attributes = list(vertex.changed_attributes.keys())\n changed_attributes = filter_sub_keys(changed_attributes)\n self.update_vertex_config(vertex, changed_attributes)\n\n @staticmethod\n def update_vertex_config(vertex: Block, changed_attributes: list[str] | dict[str, Any],\n dynamic_blocks: bool = False) -> None:\n if not changed_attributes:\n # skip, if there is no change\n return\n\n for attr in changed_attributes:\n new_value = vertex.attributes.get(attr, None)\n if vertex.block_type == BlockType.RESOURCE:\n ArmLocalGraph.update_config_attribute(\n config=vertex.config, key_to_update=attr, new_value=new_value\n )\n\n @staticmethod\n def update_config_attribute(config: list[Any] | dict[str, Any], key_to_update: str, new_value: Any) -> None:\n key_parts = key_to_update.split(\".\")\n\n if isinstance(config, dict):\n key = key_parts[0]\n if len(key_parts) == 1:\n ArmLocalGraph.update_config_value(config=config, key=key, new_value=new_value)\n return\n else:\n key, key_parts = ArmLocalGraph.adjust_key(config, key, key_parts)\n if len(key_parts) == 1:\n ArmLocalGraph.update_config_value(config=config, key=key, new_value=new_value)\n return\n\n ArmLocalGraph.update_config_attribute(config[key], \".\".join(key_parts[1:]), new_value)\n elif isinstance(config, list):\n key_idx = force_int(key_parts[0])\n if key_idx is None:\n return\n\n if len(key_parts) == 1:\n ArmLocalGraph.update_config_value(config=config, key=key_idx, new_value=new_value)\n return\n else:\n ArmLocalGraph.update_config_attribute(config[key_idx], \".\".join(key_parts[1:]), new_value)\n\n return\n\n @staticmethod\n def update_config_value(config: list[Any] | dict[str, Any], key: int | str, new_value: Any) -> None:\n new_value = adjust_value(config[key], new_value) # type:ignore[index]\n if new_value is None:\n # couldn't find key in in value object\n return\n\n config[key] = new_value # type:ignore[index]\n\n @staticmethod\n def adjust_key(config: dict[str, Any], key: str, key_parts: list[str]) -> tuple[str, list[str]]:\n \"\"\"Adjusts the key, if it consists of multiple dots\n\n Ex:\n config = {\"'container.registry'\": \"acrName\"}\n key = \"'container\"\n key_parts = [\"'container\", \"registry'\"]\n\n returns new_key = \"'container.registry'\"\n new_key_parts = [\"'container.registry'\"]\n \"\"\"\n\n if key not in config:\n if len(key_parts) >= 2:\n new_key = \".\".join(key_parts[:2])\n new_key_parts = [new_key] + key_parts[2:]\n\n return ArmLocalGraph.adjust_key(config, new_key, new_key_parts)\n\n return key, key_parts\n\n def get_resources_types_in_graph(self) -> list[str]:\n # not used\n return []\n"
},
{
"path": "checkov/arm/graph_builder/variable_rendering/__init__.py",
"content": ""
},
{
"path": "checkov/arm/graph_builder/variable_rendering/renderer.py",
"content": "from __future__ import annotations\n\nimport logging\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.arm.graph_builder.graph_components.block_types import BlockType\nfrom checkov.common.graph.graph_builder import Edge\nfrom checkov.common.graph.graph_builder.utils import adjust_value\nfrom checkov.common.graph.graph_builder.variable_rendering.renderer import VariableRenderer\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\n\nif TYPE_CHECKING:\n from checkov.arm.graph_builder.local_graph import ArmLocalGraph\n\n\nclass ArmVariableRenderer(VariableRenderer[\"ArmLocalGraph\"]):\n def __init__(self, local_graph: ArmLocalGraph) -> None:\n super().__init__(local_graph)\n\n def _render_variables_from_vertices(self) -> None:\n # need to add rendering to function like format, reference etc\n pass\n\n def evaluate_vertex_attribute_from_edge(self, edge_list: list[Edge]) -> None:\n origin_vertex_attributes = self.local_graph.vertices[edge_list[0].origin].attributes\n value_to_eval = pickle_deepcopy(origin_vertex_attributes.get(edge_list[0].label, \"\"))\n attr_path = None\n for edge in edge_list:\n attr_path, attr_value = self.extract_dest_attribute_path_and_value(dest_index=edge.dest,\n origin_value=value_to_eval)\n if not attr_value:\n continue\n\n '''if the arg start with '[parameters'/ '[variables' its mean we need to eval the all attribute\n like here - \"addressPrefix\": \"[parameters('subnetAddressPrefix')]\" '''\n if len(edge_list) == 1 and isinstance(value_to_eval, str) and value_to_eval.startswith((\"[parameters\", \"[variables\")):\n value_to_eval = attr_value\n continue\n '''\n if the value i need to eval is part of the full attribute like \"[format('{0}/{1}', parameters('vnetName'), variables('subnetName'))]\"\n or \"[resourceId('Microsoft.Network/networkProfiles', variables('networkProfileName'))]\".\n vertices[edge.dest].id = variables.networkProfileName -> variables('networkProfileName')\n '''\n val_to_replace = self.local_graph.vertices[edge.dest].id.replace(\".\", \"('\") + \"')\"\n if attr_value and isinstance(value_to_eval, str):\n value_to_eval = value_to_eval.replace(val_to_replace, str(attr_value))\n\n self.local_graph.update_vertex_attribute(\n vertex_index=edge_list[0].origin,\n attribute_key=edge_list[0].label,\n attribute_value=value_to_eval,\n change_origin_id=edge_list[0].dest,\n attribute_at_dest=attr_path,\n )\n\n def extract_dest_attribute_path_and_value(self, dest_index: int, origin_value: Any) -> tuple[str, Any] | tuple[None, None]:\n vertex = self.local_graph.vertices[dest_index]\n if vertex.block_type == BlockType.PARAMETER:\n new_value = vertex.attributes.get(\"defaultValue\")\n if new_value:\n new_value = adjust_value(element_name=origin_value, value=new_value)\n return \"defaultValue\", new_value\n else:\n logging.warning(f'No defaultValue for parameter id = {vertex.id}')\n return \"defaultValue\", None\n elif vertex.block_type == BlockType.VARIABLE:\n new_value = adjust_value(element_name=origin_value, value=vertex.attributes.get(\"value\"))\n return \"value\", new_value\n return None, None\n\n def evaluate_non_rendered_values(self) -> None:\n pass\n"
},
{
"path": "checkov/arm/graph_manager.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING, Any, Optional\n\nfrom checkov.arm.graph_builder.local_graph import ArmLocalGraph\nfrom checkov.arm.utils import get_scannable_file_paths, get_files_definitions\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.graph.graph_manager import GraphManager\n\nif TYPE_CHECKING:\n from checkov.common.typing import LibraryGraphConnector\n\n\nclass ArmGraphManager(GraphManager[ArmLocalGraph, \"dict[str, dict[str, Any]]\"]):\n def __init__(self, db_connector: LibraryGraphConnector, source: str = GraphSource.ARM) -> None:\n super().__init__(db_connector=db_connector, parser=None, source=source)\n\n def build_graph_from_source_directory(\n self,\n source_dir: str,\n local_graph_class: type[ArmLocalGraph] = ArmLocalGraph,\n render_variables: bool = False,\n parsing_errors: dict[str, Exception] | None = None,\n download_external_modules: Optional[bool] = False,\n excluded_paths: list[str] | None = None,\n **kwargs: Any,\n ) -> tuple[ArmLocalGraph, dict[str, dict[str, Any]]]:\n file_paths = get_scannable_file_paths(root_folder=source_dir, excluded_paths=excluded_paths)\n definitions, _, _ = get_files_definitions(files=file_paths)\n\n local_graph = self.build_graph_from_definitions(definitions=definitions)\n\n return local_graph, definitions\n\n def build_graph_from_definitions(\n self, definitions: dict[str, dict[str, Any]], render_variables: bool = True\n ) -> ArmLocalGraph:\n local_graph = ArmLocalGraph(definitions=definitions)\n local_graph.build_graph(render_variables=render_variables)\n\n return local_graph\n"
},
{
"path": "checkov/arm/parser/__init__.py",
"content": ""
},
{
"path": "checkov/arm/parser/parser.py",
"content": "from __future__ import annotations\n\nimport logging\nfrom pathlib import Path\nfrom typing import Any\n\nfrom yaml.scanner import ScannerError\nfrom yaml import YAMLError\n\nfrom checkov.common.parsers.json import parse as json_parse\nfrom checkov.common.parsers.yaml import loader\nfrom checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger\nfrom checkov.common.util.file_utils import read_file_with_any_encoding\n\nLOGGER = logging.getLogger(__name__)\nadd_resource_code_filter_to_logger(LOGGER)\n\n\ndef parse(filename: str) -> tuple[dict[str, Any], list[tuple[int, str]]] | tuple[None, None]:\n \"\"\"Decode filename into an object\"\"\"\n\n template = None\n template_lines = None\n try:\n template, template_lines = load(filename)\n except IOError as e:\n if e.errno == 2:\n LOGGER.error(f\"Template file not found: {filename}\")\n elif e.errno == 21:\n LOGGER.error(f\"Template references a directory, not a file: {filename}\")\n elif e.errno == 13:\n LOGGER.error(f\"Permission denied when accessing template file: {filename}\")\n except UnicodeDecodeError:\n LOGGER.error(f\"Cannot read file contents: {filename}\")\n except ScannerError as err:\n if err.problem in (\"found character '\\\\t' that cannot start any token\", \"found unknown escape character\"):\n try:\n result = json_parse(filename, allow_nulls=False)\n if result:\n template, template_lines = result # type:ignore[assignment] # this is handled by the next line\n if isinstance(template, list):\n # should not happen and is more relevant for type safety\n template = template[0]\n except Exception:\n LOGGER.error(f\"Template {filename} is malformed: {err.problem}\")\n LOGGER.error(f\"Tried to parse {filename} as JSON\", exc_info=True)\n except YAMLError:\n LOGGER.info(f\"Failed to parse {filename}\")\n LOGGER.debug(\"With Exception\", exc_info=True)\n\n if template is None or template_lines is None:\n return None, None\n\n return template, template_lines\n\n\ndef load(filename: Path | str) -> tuple[dict[str, Any], list[tuple[int, str]]]:\n \"\"\"\n Load the given JSON/YAML file\n \"\"\"\n\n content = read_file_with_any_encoding(file_path=filename)\n\n if not all(key in content for key in (\"$schema\", \"contentVersion\")):\n return {}, []\n\n file_lines = [(idx + 1, line) for idx, line in enumerate(content.splitlines(keepends=True))]\n\n template: \"dict[str, Any] | list[dict[str, Any]]\" = loader.loads(content=content)\n if not template:\n template = {}\n if isinstance(template, list):\n template = template[0]\n\n return template, file_lines\n"
},
{
"path": "checkov/arm/registry.py",
"content": "from checkov.arm.base_registry import Registry\n\narm_resource_registry = Registry()\narm_parameter_registry = Registry()\n"
},
{
"path": "checkov/arm/runner.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nfrom collections.abc import Iterable\nfrom pathlib import Path\nfrom typing import TYPE_CHECKING, Any, cast\nfrom typing_extensions import TypeAlias # noqa[TC002]\n\nfrom checkov.arm.graph_builder.definition_context import build_definitions_context\nfrom checkov.arm.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions\nfrom checkov.arm.graph_builder.local_graph import ArmLocalGraph\nfrom checkov.arm.graph_manager import ArmGraphManager\nfrom checkov.arm.registry import arm_resource_registry, arm_parameter_registry\nfrom checkov.arm.utils import get_scannable_file_paths, get_files_definitions, ARM_POSSIBLE_ENDINGS, ArmElements, \\\n clean_file_path, filter_failed_checks_with_unrendered_resources\nfrom checkov.common.checks_infra.registry import get_graph_checks_registry\nfrom checkov.common.graph.graph_builder import CustomAttributes\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.output.extra_resource import ExtraResource\nfrom checkov.common.output.graph_record import GraphRecord\nfrom checkov.common.output.record import Record\nfrom checkov.common.output.report import Report\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.common.runners.base_runner import BaseRunner\nfrom checkov.common.util.consts import START_LINE, END_LINE\nfrom checkov.common.util.secrets import omit_secret_value_from_checks\nfrom checkov.runner_filter import RunnerFilter\nfrom checkov.arm.context_parser import ContextParser\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check import BaseCheck\n from checkov.common.graph.checks_infra.base_check import BaseGraphCheck\n from checkov.common.graph.checks_infra.registry import BaseRegistry\n from checkov.common.typing import LibraryGraphConnector, _CheckResult\n\n_ArmContext: TypeAlias = \"dict[str, dict[str, Any]]\"\n_ArmDefinitions: TypeAlias = \"dict[str, dict[str, Any]]\"\n\n\nclass Runner(BaseRunner[_ArmDefinitions, _ArmContext, ArmGraphManager]):\n check_type = CheckType.ARM # noqa: CCE003 # a static attribute\n\n def __init__(\n self,\n db_connector: LibraryGraphConnector | None = None,\n source: str = GraphSource.ARM,\n graph_class: type[ArmLocalGraph] = ArmLocalGraph,\n graph_manager: ArmGraphManager | None = None,\n external_registries: list[BaseRegistry] | None = None,\n ) -> None:\n super().__init__(file_extensions=ARM_POSSIBLE_ENDINGS)\n\n db_connector = db_connector or self.db_connector\n self.external_registries = external_registries if external_registries else []\n self.graph_class = graph_class\n self.graph_manager: \"ArmGraphManager\" = (\n graph_manager if graph_manager else ArmGraphManager(source=source, db_connector=db_connector)\n )\n self.graph_registry = get_graph_checks_registry(self.check_type)\n\n # need to check, how to support subclass differences\n self.definitions: _ArmDefinitions = {}\n self.definitions_raw: \"dict[str, list[tuple[int, str]]]\" = {}\n self.context: _ArmContext | None = None\n self.root_folder: \"str | None\" = None\n\n def run(\n self,\n root_folder: str | None = None,\n external_checks_dir: list[str] | None = None,\n files: list[str] | None = None,\n runner_filter: RunnerFilter | None = None,\n collect_skip_comments: bool = True,\n ) -> Report | list[Report]:\n runner_filter = runner_filter or RunnerFilter()\n if not runner_filter.show_progress_bar:\n self.pbar.turn_off_progress_bar()\n\n report = Report(self.check_type)\n self.root_folder = root_folder\n\n if not self.context or not self.definitions:\n files_list: \"Iterable[str]\" = []\n if external_checks_dir:\n for directory in external_checks_dir:\n arm_resource_registry.load_external_checks(directory)\n\n if self.graph_registry:\n self.graph_registry.load_external_checks(directory)\n\n if files:\n files_list = files.copy()\n\n if self.root_folder:\n files_list = get_scannable_file_paths(root_folder=root_folder,\n excluded_paths=runner_filter.excluded_paths)\n\n self.definitions, self.definitions_raw, parsing_errors = get_files_definitions(files_list)\n self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw)\n report.add_parsing_errors(parsing_errors)\n\n if self.graph_registry and self.graph_manager:\n logging.info(\"Creating ARM graph\")\n local_graph = self.graph_manager.build_graph_from_definitions(definitions=self.definitions)\n logging.info(\"Successfully created ARM graph\")\n\n self.graph_manager.save_graph(local_graph)\n self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(\n vertices=local_graph.vertices,\n root_folder=root_folder,\n )\n\n self.pbar.initiate(len(self.definitions))\n\n # run Python checks\n self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder)\n\n # run graph checks\n if self.graph_registry:\n self.add_graph_check_results(report=report, runner_filter=runner_filter)\n\n # Filter failed checks on resources with unrendered string functions\n # Remove if we ever implement full variable rendering for arm\n report = filter_failed_checks_with_unrendered_resources(report)\n\n return report\n\n def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:\n self.definitions_raw = definitions_raw\n\n def add_python_check_results(self, report: Report, runner_filter: RunnerFilter, root_folder: str | None) -> None:\n \"\"\"Adds Python check results to given report\"\"\"\n\n for arm_file in self.definitions.keys():\n self.pbar.set_additional_data({\"Current File Scanned\": os.path.relpath(arm_file, root_folder)})\n\n file_abs_path = Path(arm_file).absolute()\n\n if isinstance(self.definitions[arm_file], dict):\n arm_context_parser = ContextParser(arm_file, self.definitions[arm_file], self.definitions_raw[arm_file])\n logging.debug(f\"Template Dump for {arm_file}: {self.definitions[arm_file]}\")\n\n if ArmElements.RESOURCES in self.definitions[arm_file]:\n arm_context_parser.evaluate_default_parameters()\n\n # Split out nested resources from base resource\n for resource in self.definitions[arm_file][ArmElements.RESOURCES]:\n if isinstance(resource, dict) and \"parent_name\" in resource.keys():\n continue\n nested_resources = arm_context_parser.search_deep_keys(ArmElements.RESOURCES, resource, [])\n if nested_resources:\n for nr in nested_resources:\n nr_element = nr.pop()\n if nr_element:\n for element in nr_element:\n new_resource = element\n if isinstance(new_resource, dict):\n new_resource[\"parent_name\"] = resource.get(\"name\", \"\")\n new_resource[\"parent_type\"] = resource.get(\"type\", \"\")\n self.definitions[arm_file][ArmElements.RESOURCES].append(new_resource)\n\n for resource in self.definitions[arm_file][ArmElements.RESOURCES]:\n resource_id = arm_context_parser.extract_arm_resource_id(resource)\n resource_name = arm_context_parser.extract_arm_resource_name(resource)\n if resource_id is None or resource_name is None:\n logging.debug(f\"Could not determine 'resource_id' of Resource {resource}\")\n continue\n\n cleaned_path = clean_file_path(Path(arm_file))\n\n report.add_resource(f\"{cleaned_path}:{resource_id}\")\n entity_lines_range, entity_code_lines = arm_context_parser.extract_arm_resource_code_lines(\n resource\n )\n if entity_lines_range and entity_code_lines:\n # TODO - Variable Eval Message!\n variable_evaluations: \"dict[str, Any]\" = {}\n\n skipped_checks = ContextParser.collect_skip_comments(resource)\n\n results = arm_resource_registry.scan(\n arm_file,\n {resource_name: resource},\n skipped_checks,\n runner_filter,\n report_type=CheckType.ARM,\n )\n\n if results:\n for check, check_result in results.items():\n record = Record(\n check_id=check.id,\n bc_check_id=check.bc_id,\n check_name=check.name,\n check_result=check_result,\n code_block=entity_code_lines,\n file_path=self.extract_file_path_from_abs_path(cleaned_path),\n file_line_range=entity_lines_range,\n resource=resource_id,\n evaluations=variable_evaluations,\n check_class=check.__class__.__module__,\n file_abs_path=str(file_abs_path),\n severity=check.severity,\n )\n record.set_guideline(check.guideline)\n report.add_record(record=record)\n else:\n # resources without checks, but not existing ones\n report.extra_resources.add(\n ExtraResource(\n file_abs_path=str(file_abs_path),\n file_path=self.extract_file_path_from_abs_path(cleaned_path),\n resource=resource_id,\n )\n )\n\n if ArmElements.PARAMETERS in self.definitions[arm_file]:\n parameters = self.definitions[arm_file][ArmElements.PARAMETERS]\n for parameter_name, parameter_details in parameters.items():\n # TODO - Variable Eval Message!\n variable_evaluations = {}\n\n resource_id = f\"parameter.{parameter_name}\"\n resource_name = cast(str, parameter_name)\n entity_lines_range, entity_code_lines = arm_context_parser.extract_arm_resource_code_lines(\n parameter_details\n )\n\n if entity_lines_range and entity_code_lines:\n skipped_checks = ContextParser.collect_skip_comments(parameter_details)\n results = arm_parameter_registry.scan(\n arm_file, {resource_name: parameter_details}, skipped_checks, runner_filter\n )\n for check, check_result in results.items():\n censored_code_lines = omit_secret_value_from_checks(\n check=check,\n check_result=check_result,\n entity_code_lines=entity_code_lines,\n entity_config=parameter_details,\n resource_attributes_to_omit=runner_filter.resource_attr_to_omit,\n )\n cleaned_path = clean_file_path(Path(arm_file))\n self.build_record(\n report=report,\n check=check,\n check_result=check_result,\n code_block=censored_code_lines,\n file_path=self.extract_file_path_from_abs_path(cleaned_path),\n file_abs_path=str(file_abs_path),\n file_line_range=entity_lines_range,\n resource_id=resource_id,\n evaluations=variable_evaluations,\n )\n\n self.pbar.update()\n self.pbar.close()\n\n def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -> None:\n \"\"\"Adds graph check results to given report\"\"\"\n\n graph_checks_results = self.run_graph_checks_results(runner_filter, self.check_type)\n\n for check, check_results in graph_checks_results.items():\n for check_result in check_results:\n entity = check_result[\"entity\"]\n entity_file_path = entity[CustomAttributes.FILE_PATH]\n file_abs_path = Path(entity_file_path).absolute()\n start_line = entity[START_LINE] - 1\n end_line = entity[END_LINE] - 1\n\n if CustomAttributes.RESOURCE_TYPE not in entity or CustomAttributes.BLOCK_NAME not in entity:\n logging.debug(f\"Could not determine 'resource_id' of Entity {entity_file_path}\")\n continue\n\n self.build_record(\n report=report,\n check=check,\n check_result=check_result,\n code_block=self.definitions_raw[entity_file_path][start_line:end_line],\n file_path=self.extract_file_path_from_abs_path(clean_file_path(Path(entity_file_path))),\n file_abs_path=str(file_abs_path),\n file_line_range=[start_line - 1, end_line - 1],\n resource_id=f'{entity[CustomAttributes.RESOURCE_TYPE]}.{entity[CustomAttributes.BLOCK_NAME]}',\n )\n\n def build_record(\n self,\n report: Report,\n check: BaseCheck | BaseGraphCheck,\n check_result: _CheckResult,\n code_block: list[tuple[int, str]],\n file_path: str,\n file_abs_path: str,\n file_line_range: list[int],\n resource_id: str,\n evaluations: dict[str, Any] | None = None,\n ) -> None:\n record = Record(\n check_id=check.id,\n bc_check_id=check.bc_id,\n check_name=check.name,\n check_result=check_result,\n code_block=code_block,\n file_path=file_path,\n file_line_range=file_line_range,\n resource=resource_id,\n evaluations=evaluations,\n check_class=check.__class__.__module__,\n file_abs_path=file_abs_path,\n severity=check.severity,\n )\n if self.breadcrumbs:\n breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource)\n if breadcrumb:\n record = GraphRecord(record, breadcrumb)\n record.set_guideline(check.guideline)\n report.add_record(record=record)\n\n def extract_file_path_from_abs_path(self, path: Path) -> str:\n return f\"{os.path.sep}{os.path.relpath(path, self.root_folder)}\"\n"
},
{
"path": "checkov/arm/utils.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nfrom enum import Enum\nfrom typing import Iterable, Callable, Any\nfrom collections.abc import Collection\nfrom pathlib import Path\n\nfrom checkov.arm.parser.parser import parse\nfrom checkov.common.output.report import Report\nfrom checkov.common.runners.base_runner import filter_ignored_paths\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\nfrom checkov.runner_filter import RunnerFilter\n\nARM_POSSIBLE_ENDINGS = [\".json\"]\n\n\nclass ArmElements(str, Enum):\n OUTPUTS = \"outputs\"\n PARAMETERS = \"parameters\"\n RESOURCES = \"resources\"\n VARIABLES = \"variables\"\n\n def __str__(self) -> str:\n # needed, because of a Python 3.11 change\n return self.value\n\n\ndef get_scannable_file_paths(root_folder: str | None = None, excluded_paths: list[str] | None = None) -> set[str]:\n \"\"\"Finds ARM files\"\"\"\n\n file_paths: \"set[str]\" = set()\n if not root_folder:\n return file_paths\n\n for root, d_names, f_names in os.walk(root_folder):\n filter_ignored_paths(root, d_names, excluded_paths)\n filter_ignored_paths(root, f_names, excluded_paths)\n for file in f_names:\n file_ending = os.path.splitext(file)[1]\n if file_ending in ARM_POSSIBLE_ENDINGS:\n file_paths.add(os.path.join(root, file))\n\n return file_paths\n\n\ndef create_definitions(\n root_folder: str,\n files: Collection[Path] | None = None,\n runner_filter: RunnerFilter | None = None,\n) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]]]:\n definitions: dict[str, dict[str, Any]] = {}\n definitions_raw: dict[str, list[tuple[int, str]]] = {}\n parsing_errors: list[str] = []\n runner_filter = runner_filter or RunnerFilter()\n\n if root_folder:\n file_paths = get_scannable_file_paths(root_folder, runner_filter.excluded_paths)\n definitions, definitions_raw, parsing_errors = get_files_definitions(files=file_paths)\n\n if parsing_errors:\n logging.warning(f\"[arm] found errors while parsing definitions: {parsing_errors}\")\n\n return definitions, definitions_raw\n\n\ndef get_files_definitions(\n files: Iterable[str],\n filepath_fn: Callable[[str], str] | None = None,\n) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]], list[str]]:\n \"\"\"Parses ARM files into its definitions and raw data\"\"\"\n\n definitions = {}\n definitions_raw = {}\n parsing_errors = []\n\n for file in files:\n result = parse(file)\n\n definition, definition_raw = result\n if definition is not None and definition_raw is not None: # this has to be a 'None' check\n path = filepath_fn(file) if filepath_fn else file\n definitions[path] = definition\n definitions_raw[path] = definition_raw\n else:\n parsing_errors.append(os.path.normpath(file))\n\n return definitions, definitions_raw, parsing_errors\n\n\ndef extract_resource_name_from_resource_id_func(resource_id: str) -> str:\n '''\n Examples:\n resourceId('Microsoft.Network/virtualNetworks/', virtualNetworkName) -> virtualNetworkName\n '''\n return clean_string(resource_id.split(',')[1].split(')')[0])\n\n\ndef extract_resource_name_from_reference_func(reference: str) -> str:\n '''\n Examples:\n reference('storageAccountName') -> storageAccountName\n reference('myStorage').primaryEndpoints -> myStorage\n reference('myStorage', '2022-09-01', 'Full').location -> myStorage\n reference(resourceId('storageResourceGroup', 'Microsoft.Storage/storageAccounts', 'storageAccountName')), '2022-09-01') -> storageAccountName\n reference(resourceId('Microsoft.Network/publicIPAddresses', 'ipAddressName')) -> ipAddressName\n '''\n resource_name = ')'.join(reference.split('reference(', 1)[1].split(')')[:-1])\n if 'resourceId' in resource_name:\n return clean_string(\n ''.join(resource_name.split('resourceId(', 1)[1].split(')')[0]).split(',')[-1])\n else:\n return clean_string(resource_name.split(',')[0].split('/')[-1])\n\n\ndef clean_string(input: str) -> str:\n return input.replace(\"'\", '').replace(\" \", \"\")\n\n\ndef clean_file_path(file_path: Path) -> Path:\n path_parts = [part for part in file_path.parts if part not in (\".\", \"..\")]\n\n return Path(*path_parts)\n\n\ndef filter_failed_checks_with_unrendered_resources(report: Report) -> Report:\n \"\"\"Returns a new report with filtered checks instead of modifying the original\"\"\"\n arm_function_patterns = ['toLower(', 'trim(', 'join(', 'split(', 'substring(']\n\n filtered_report = pickle_deepcopy(report)\n filtered_report.failed_checks = [\n check for check in report.failed_checks\n if not any(func in str(check.resource) for func in arm_function_patterns)\n ]\n\n return filtered_report\n"
},
{
"path": "checkov/azure_pipelines/__init__.py",
"content": "from checkov.azure_pipelines.checks import * # noqa\n"
},
{
"path": "checkov/azure_pipelines/checks/__init__.py",
"content": "from checkov.azure_pipelines.checks.job import * # noqa\n"
},
{
"path": "checkov/azure_pipelines/checks/base_azure_pipelines_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.azure_pipelines.checks.registry import registry\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass BaseAzurePipelinesCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_entities: Iterable[str],\n block_type: str,\n path: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_entities,\n block_type=block_type,\n )\n self.path = path\n registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:\n self.entity_type = entity_type\n\n return self.scan_conf(conf)\n\n @abstractmethod\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n pass\n"
},
{
"path": "checkov/azure_pipelines/checks/job/ContainerDigest.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass ContainerDigest(BaseAzurePipelinesCheck):\n def __init__(self) -> None:\n name = \"Ensure container job uses a version digest\"\n id = \"CKV_AZUREPIPELINES_2\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.SUPPLY_CHAIN,),\n supported_entities=(\"jobs\", \"stages[].jobs[]\"),\n block_type=BlockType.ARRAY,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n container = conf.get(\"container\")\n if container and isinstance(container, str):\n if \"@\" in container:\n return CheckResult.PASSED, conf\n\n return CheckResult.FAILED, conf\n\n return CheckResult.UNKNOWN, conf\n\n\ncheck = ContainerDigest()\n"
},
{
"path": "checkov/azure_pipelines/checks/job/ContainerLatestTag.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass ContainerLatestTag(BaseAzurePipelinesCheck):\n def __init__(self) -> None:\n name = \"Ensure container job uses a non latest version tag\"\n id = \"CKV_AZUREPIPELINES_1\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.SUPPLY_CHAIN,),\n supported_entities=(\"jobs\", \"stages[].jobs[]\"),\n block_type=BlockType.ARRAY,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n container = conf.get(\"container\")\n if container and isinstance(container, dict):\n container = container.get('image')\n if container and isinstance(container, str):\n if \":\" in container:\n # some image tag\n if container.split(\":\")[1] == \"latest\":\n # latest image tag\n return CheckResult.FAILED, conf\n elif \"@\" not in container:\n # no image tag\n return CheckResult.FAILED, conf\n\n # image tag is either not latest or a digest\n return CheckResult.PASSED, conf\n\n return CheckResult.UNKNOWN, conf\n\n\ncheck = ContainerLatestTag()\n"
},
{
"path": "checkov/azure_pipelines/checks/job/DetectImagesUsage.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass DetectImageUsage(BaseAzurePipelinesCheck):\n def __init__(self) -> None:\n name = \"Detecting image usages in azure pipelines workflows\"\n id = \"CKV_AZUREPIPELINES_5\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.SUPPLY_CHAIN,),\n supported_entities=(\"jobs[]\", \"stages[].jobs[]\", \"*.container[]\"),\n block_type=BlockType.ARRAY,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n return CheckResult.PASSED, conf\n\n\ncheck = DetectImageUsage()\n"
},
{
"path": "checkov/azure_pipelines/checks/job/SetSecretVariable.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.azure_pipelines.checks.base_azure_pipelines_check import BaseAzurePipelinesCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass SetSecretVariable(BaseAzurePipelinesCheck):\n def __init__(self) -> None:\n name = \"Ensure set variable is not marked as a secret\"\n id = \"CKV_AZUREPIPELINES_3\"\n super().__init__(\n name=name,\n id=id,\n categories=(CheckCategories.SUPPLY_CHAIN,),\n supported_entities=(\"jobs[].steps[]\", \"stages[].jobs[].steps[]\"),\n block_type=BlockType.ARRAY,\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n run_cmd = conf.get(\"bash\") or conf.get(\"powershell\")\n if run_cmd and isinstance(run_cmd, str):\n variable_found = False\n\n for line in run_cmd.splitlines():\n if \"task.setvariable\" in line:\n variable_found = True\n\n if \"issecret=true\" in line:\n return CheckResult.FAILED, conf\n\n if variable_found:\n # should only pass, if it really found a set variable, otherwise unknown\n return CheckResult.PASSED, conf\n\n return CheckResult.UNKNOWN, conf\n\n\ncheck = SetSecretVariable()\n"
},
{
"path": "checkov/azure_pipelines/checks/job/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/azure_pipelines/checks/registry.py",
"content": "from checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.yaml_doc.base_registry import Registry\n\nregistry = Registry(CheckType.AZURE_PIPELINES)\n"
},
{
"path": "checkov/azure_pipelines/common/__init__.py",
"content": ""
},
{
"path": "checkov/azure_pipelines/common/resource_id_utils.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, Dict, List\n\nfrom checkov.common.util.consts import START_LINE, END_LINE\n\n\ndef _get_resource_from_code_block(start_line: int, end_line: int, block_to_inspect: dict[str, Any], inspected_key: str | None) -> str | None:\n if block_to_inspect[START_LINE] <= start_line <= end_line <= block_to_inspect[END_LINE]:\n block_name = block_to_inspect.get('displayName',\n block_to_inspect.get('name',\n block_to_inspect.get('job',\n block_to_inspect.get('stage',\n False))))\n inspected_key = f'{inspected_key}({block_name})' if block_name else inspected_key\n if block_to_inspect[START_LINE] == start_line:\n return inspected_key\n return generate_resource_key_recursive(start_line, end_line, block_to_inspect, resource_key=inspected_key)\n return None\n\n\ndef generate_resource_key_recursive(start_line: int, end_line: int,\n file_conf: Dict[str, Any] | List[Dict[str, Any]], resource_key: str | None = None\n ) -> str | None:\n if not isinstance(file_conf, dict):\n return resource_key\n\n for code_block_name, code_block in file_conf.items():\n if isinstance(code_block, dict):\n new_key = f'{resource_key}.{code_block_name}' if resource_key else code_block_name\n resource = _get_resource_from_code_block(start_line, end_line, code_block, new_key)\n if resource:\n return resource\n elif isinstance(code_block, list):\n for index, item in enumerate(code_block):\n if isinstance(item, dict):\n resource_key_to_inspect = f'{resource_key}.{code_block_name}[{index}]' if resource_key else f'{code_block_name}[{index}]'\n resource = _get_resource_from_code_block(start_line, end_line, item, resource_key_to_inspect)\n if resource:\n return resource\n return resource_key\n"
},
{
"path": "checkov/azure_pipelines/runner.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING, Any, Optional\n\nfrom checkov.azure_pipelines.checks.registry import registry\nfrom checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive\nfrom checkov.common.output.report import CheckType, Report\nfrom checkov.runner_filter import RunnerFilter\nfrom checkov.yaml_doc.runner import Runner as YamlRunner\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n from collections.abc import Iterable\n\n\nclass Runner(YamlRunner):\n check_type = CheckType.AZURE_PIPELINES # noqa: CCE003 # a static attribute\n\n def require_external_checks(self) -> bool:\n return False\n\n def import_registry(self) -> BaseCheckRegistry:\n return registry\n\n @staticmethod\n def _parse_file(\n f: str, file_content: str | None = None\n ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:\n if Runner.is_workflow_file(f):\n return YamlRunner._parse_file(f=f)\n return None\n\n @staticmethod\n def is_workflow_file(file_path: str) -> bool:\n return file_path.endswith(('azure-pipelines.yml', 'azure-pipelines.yaml'))\n\n def get_resource(self, file_path: str, key: str, supported_entities: Iterable[str],\n start_line: int = -1, end_line: int = -1, graph_resource: bool = False) -> str:\n if not self.definitions or not isinstance(self.definitions, dict):\n return key\n resource_name: Optional[str] = generate_resource_key_recursive(start_line, end_line, self.definitions[file_path])\n return resource_name if resource_name else key\n\n def run(\n self,\n root_folder: str | None = None,\n external_checks_dir: list[str] | None = None,\n files: list[str] | None = None,\n runner_filter: RunnerFilter | None = None,\n collect_skip_comments: bool = True,\n ) -> Report | list[Report]:\n runner_filter = runner_filter or RunnerFilter()\n report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir,\n files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments)\n return report\n"
},
{
"path": "checkov/bicep/__init__.py",
"content": "from checkov.bicep.checks import * # noqa\n"
},
{
"path": "checkov/bicep/checks/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml",
"content": "metadata:\n id: \"CKV_AZURE_23\"\n name: \"Ensure that 'Auditing' is set to 'On' for SQL servers\"\n category: \"LOGGING\"\ndefinition:\n and:\n - cond_type: filter\n attribute: resource_type\n operator: within\n value:\n - Microsoft.Sql/servers\n - Microsoft.Sql/servers/databases\n - or:\n - and:\n - cond_type: connection\n resource_types:\n - Microsoft.Sql/servers\n connected_resource_types:\n - Microsoft.Sql/servers/auditingSettings\n operator: exists\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/auditingSettings\n attribute: properties.state\n operator: equals\n value: Enabled\n - and:\n - cond_type: connection\n resource_types:\n - Microsoft.Sql/servers/databases\n connected_resource_types:\n - Microsoft.Sql/servers/databases/auditingSettings\n operator: exists\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/databases/auditingSettings\n attribute: properties.state\n operator: equals\n value: Enabled\n"
},
{
"path": "checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml",
"content": "metadata:\n id: \"CKV_AZURE_24\"\n name: \"Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers\"\n category: \"LOGGING\"\ndefinition:\n and:\n - cond_type: \"filter\"\n attribute: \"resource_type\"\n value:\n - \"Microsoft.Sql/servers\"\n operator: \"within\"\n - cond_type: \"connection\"\n resource_types:\n - \"Microsoft.Sql/servers\"\n connected_resource_types:\n - \"Microsoft.Sql/servers/auditingSettings\"\n operator: \"exists\"\n - cond_type: \"attribute\"\n resource_types:\n - \"Microsoft.Sql/servers/auditingSettings\"\n attribute: \"properties.retentionDays\"\n operator: \"exists\"\n - cond_type: \"attribute\"\n resource_types:\n - \"Microsoft.Sql/servers/auditingSettings\"\n attribute: \"properties.retentionDays\"\n operator: \"greater_than_or_equal\"\n value: 90\n - cond_type: \"attribute\"\n resource_types:\n - \"Microsoft.Sql/servers/auditingSettings\"\n attribute: \"properties.state\"\n operator: \"equals\"\n value: Enabled\n"
},
{
"path": "checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml",
"content": "metadata:\n id: \"CKV_AZURE_25\"\n name: \"Azure SQL Server threat detection alerts are enabled for all threat types\"\n category: \"LOGGING\"\ndefinition:\n and:\n - cond_type: filter\n attribute: resource_type\n operator: within\n value:\n - Microsoft.Sql/servers\n - Microsoft.Sql/servers/databases\n - or:\n - and:\n - cond_type: connection\n resource_types:\n - Microsoft.Sql/servers\n connected_resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n operator: exists\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.state\n operator: equals\n value: Enabled\n - or:\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.disabledAlerts\n operator: is_empty\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/securityAlertPolicies\n attribute: properties.disabledAlerts\n operator: not_exists\n - and:\n - cond_type: connection\n resource_types:\n - Microsoft.Sql/servers/databases\n connected_resource_types:\n - Microsoft.Sql/servers/databases/securityAlertPolicies\n operator: exists\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/databases/securityAlertPolicies\n attribute: properties.state\n operator: equals\n value: Enabled\n - or:\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/databases/securityAlertPolicies\n attribute: properties.disabledAlerts\n operator: is_empty\n - cond_type: attribute\n resource_types:\n - Microsoft.Sql/servers/databases/securityAlertPolicies\n attribute: properties.disabledAlerts\n operator: not_exists\n"
},
{
"path": "checkov/bicep/checks/graph_checks/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/checks/param/__init__.py",
"content": "from checkov.bicep.checks.param.azure import * # noqa\n"
},
{
"path": "checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py",
"content": "from checkov.bicep.checks.param.base_param_check import BaseParamCheck, CheckovParameterAttributes\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n# https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default\n\n\nclass SecureStringParameterNoHardcodedValue(BaseParamCheck):\n def __init__(self) -> None:\n name = \"SecureString parameter should not have hardcoded default values\"\n id = \"CKV_AZURE_131\"\n supported_type = (\"string\",)\n categories = (CheckCategories.SECRETS,)\n super().__init__(name=name, id=id, categories=categories, supported_type=supported_type)\n\n def scan_param_conf(self, conf: CheckovParameterAttributes) -> CheckResult:\n if not any(decorator[\"type\"] == \"secure\" for decorator in conf[\"decorators\"]):\n # if the decorator '@secure()' is not set, then it is a normal string\n return CheckResult.UNKNOWN\n default_value = conf.get(\"default\")\n if default_value: # should be missing, or an empty string\n conf[\"CKV_AZURE_131_secret\"] = str(default_value)\n return CheckResult.FAILED\n else:\n return CheckResult.PASSED\n\n\ncheck = SecureStringParameterNoHardcodedValue()\n"
},
{
"path": "checkov/bicep/checks/param/azure/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/bicep/checks/param/base_param_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING\n\nfrom pycep.typing import ParameterAttributes\n\nfrom checkov.bicep.checks.param.registry import registry\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\nif TYPE_CHECKING:\n from typing_extensions import NotRequired\n\n\nclass CheckovParameterAttributes(ParameterAttributes):\n CKV_AZURE_131_secret: NotRequired[str] # noqa\n\n\nclass BaseParamCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: \"Iterable[CheckCategories]\",\n supported_type: \"Iterable[str]\",\n guideline: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_type,\n block_type=\"param\",\n guideline=guideline,\n )\n self.supported_type = supported_type\n registry.register(self)\n\n def scan_entity_conf(self, conf: CheckovParameterAttributes, entity_type: str) -> CheckResult: # type:ignore[override] # it's ok\n self.entity_type = entity_type\n\n return self.scan_param_conf(conf)\n\n @abstractmethod\n def scan_param_conf(self, conf: CheckovParameterAttributes) -> CheckResult:\n raise NotImplementedError()\n"
},
{
"path": "checkov/bicep/checks/param/base_registry.py",
"content": "from __future__ import annotations\n\nfrom collections import defaultdict\nfrom typing import TYPE_CHECKING\n\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.checks.base_check_registry import BaseCheckRegistry\nfrom checkov.runner_filter import RunnerFilter\n\nif TYPE_CHECKING:\n from pycep.typing import ParameterAttributes\n\n\nclass Registry(BaseCheckRegistry):\n def __init__(self) -> None:\n self.entity_to_check_map: dict[str, set[str]] = defaultdict(set)\n\n super().__init__(report_type=CheckType.BICEP)\n\n def register(self, check: BaseCheck) -> None:\n if self._BaseCheckRegistry__loading_external_checks: # type:ignore[attr-defined] # they exist\n RunnerFilter.notify_external_check(check.id)\n\n for entity in check.supported_entities:\n checks = self.wildcard_checks if self._is_wildcard(entity) else self.checks\n if check.id not in self.entity_to_check_map[entity]:\n checks[entity].append(check)\n self.entity_to_check_map[entity].add(check.id)\n\n self._BaseCheckRegistry__all_registered_checks.append(check) # type:ignore[attr-defined] # they exist\n\n def extract_entity_details(self, entity: dict[str, ParameterAttributes]) -> tuple[str, str, ParameterAttributes]: # type:ignore[override] # it's ok\n param_name, param = next(iter(entity.items()))\n param_type = param[\"type\"]\n return param_type, param_name, param\n"
},
{
"path": "checkov/bicep/checks/param/registry.py",
"content": "from checkov.bicep.checks.param.base_registry import Registry\n\nregistry = Registry()\n"
},
{
"path": "checkov/bicep/checks/resource/__init__.py",
"content": "from checkov.bicep.checks.resource.azure import * # noqa\n"
},
{
"path": "checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\n\n\nclass StorageAccountAzureServicesAccessEnabled(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure 'Trusted Microsoft Services' is enabled for Storage Account access\"\n id = \"CKV_AZURE_36\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties/networkAcls/defaultAction\"]\n properties = conf.get(\"properties\")\n if properties:\n if not isinstance(properties, dict):\n return CheckResult.UNKNOWN\n\n nacls = properties.get(\"networkAcls\")\n if nacls and isinstance(nacls, dict):\n default_action = nacls.get(\"defaultAction\")\n if default_action == \"Deny\":\n bypass = nacls.get(\"bypass\")\n if not bypass or bypass == \"None\":\n self.evaluated_keys.append(\"properties/networkAcls/bypass\")\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n\ncheck = StorageAccountAzureServicesAccessEnabled()\n"
},
{
"path": "checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.bicep.checks.resource.base_resource_value_check import BaseResourceValueCheck\nfrom checkov.common.models.enums import CheckCategories\n\n\nclass StorageAccountDefaultNetworkAccessDeny(BaseResourceValueCheck):\n def __init__(self) -> None:\n name = \"Ensure default network access rule for Storage Accounts is set to deny\"\n id = \"CKV_AZURE_35\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.NETWORKING,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def get_inspected_key(self) -> str:\n return \"properties/networkAcls/defaultAction\"\n\n def get_expected_value(self) -> Any:\n return \"Deny\"\n\n\ncheck = StorageAccountDefaultNetworkAccessDeny()\n"
},
{
"path": "checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.util.type_forcers import force_int\n\n\nclass StorageAccountsTransportEncryption(BaseResourceCheck):\n def __init__(self) -> None:\n name = \"Ensure that 'supportsHttpsTrafficOnly' is set to 'true'\"\n id = \"CKV_AZURE_3\"\n supported_resources = (\"Microsoft.Storage/storageAccounts\",)\n categories = (CheckCategories.ENCRYPTION,)\n super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n self.evaluated_keys = [\"properties/supportsHttpsTrafficOnly\"]\n properties = conf.get(\"properties\")\n if properties:\n if not isinstance(properties, dict):\n return CheckResult.UNKNOWN\n\n https_only = properties.get(\"supportsHttpsTrafficOnly\")\n if https_only is True:\n return CheckResult.PASSED\n elif https_only is False:\n return CheckResult.FAILED\n\n year = force_int(self.api_version[:4])\n if year is None:\n return CheckResult.UNKNOWN\n elif year < 2019:\n return CheckResult.FAILED\n\n return CheckResult.PASSED\n\n\ncheck = StorageAccountsTransportEncryption()\n"
},
{
"path": "checkov/bicep/checks/resource/azure/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/bicep/checks/resource/base_registry.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING\n\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.checks.base_check_registry import BaseCheckRegistry\nfrom checkov.common.checks_infra.registry import get_graph_checks_registry\nfrom checkov.common.output.report import CheckType\nfrom checkov.runner_filter import RunnerFilter\n\nif TYPE_CHECKING:\n from pycep.typing import ResourceAttributes\n\n\nclass Registry(BaseCheckRegistry):\n def __init__(self) -> None:\n self.check_id_to_enitity_map: dict[str, list[str]] = {}\n\n self.graph_registry = get_graph_checks_registry(CheckType.BICEP)\n self.graph_registry.load_checks()\n self.graph_check_ids = [check.id for check in self.graph_registry.checks]\n\n super().__init__(report_type=CheckType.BICEP)\n\n def register(self, check: BaseCheck) -> None:\n # a copy of the original method to be able to prioritize Bicep styled checks over the ARM equivalent\n if self._BaseCheckRegistry__loading_external_checks: # type:ignore[attr-defined] # they exist\n RunnerFilter.notify_external_check(check.id)\n\n # don't add an ARM check, if a Bicep graph check exists for it\n if check.id in self.graph_check_ids:\n return\n\n # remove the ARM check, if a Bicep check with the same check ID exists\n if check.id in self.check_id_to_enitity_map.keys():\n if check.__module__.split(\".\")[1] != \"bicep\":\n return\n\n entities = self.check_id_to_enitity_map[check.id]\n for entity in entities:\n checks = self.wildcard_checks if self._is_wildcard(entity) else self.checks\n check_idx = next((idx for idx, c in enumerate(checks[entity]) if c.id == check.id), None)\n if check_idx is not None:\n del checks[entity][check_idx]\n\n del self.check_id_to_enitity_map[check.id]\n\n for entity in check.supported_entities:\n checks = self.wildcard_checks if self._is_wildcard(entity) else self.checks\n checks[entity].append(check)\n self.check_id_to_enitity_map.setdefault(check.id, []).append(entity)\n\n self._BaseCheckRegistry__all_registered_checks.append(check) # type:ignore[attr-defined] # they exist\n\n def extract_entity_details(self, entity: dict[str, ResourceAttributes]) -> tuple[str, str, ResourceAttributes]: # type:ignore[override] # it's ok\n resource_name, resource = next(iter(entity.items()))\n resource_type = resource[\"type\"]\n return resource_type, resource_name, resource\n"
},
{
"path": "checkov/bicep/checks/resource/base_resource_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import Any, TYPE_CHECKING\n\nfrom checkov.bicep.checks.resource.registry import registry\nfrom checkov.common.checks.base_check import BaseCheck\nfrom checkov.common.models.enums import CheckCategories, CheckResult\n\nif TYPE_CHECKING:\n from pycep.typing import ResourceAttributes\n\n\nclass BaseResourceCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: \"Iterable[CheckCategories]\",\n supported_resources: \"Iterable[str]\",\n guideline: str | None = None,\n ) -> None:\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_resources,\n block_type=\"resource\",\n guideline=guideline,\n )\n self.supported_resources = supported_resources\n registry.register(self)\n\n def scan_entity_conf(self, conf: ResourceAttributes, entity_type: str) -> CheckResult: # type:ignore[override] # it's ok\n if conf[\"existing\"] is True:\n # the existing keyword is used to retrieve information about an already deployed resource\n return CheckResult.UNKNOWN\n\n self.entity_type = entity_type\n self.api_version = conf[\"api_version\"]\n\n return self.scan_resource_conf(conf[\"config\"])\n\n @abstractmethod\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n raise NotImplementedError()\n"
},
{
"path": "checkov/bicep/checks/resource/base_resource_value_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import Any\n\nfrom checkov.bicep.checks.resource.base_resource_check import BaseResourceCheck\nfrom checkov.common.models.enums import CheckResult, CheckCategories\nfrom checkov.common.models.consts import ANY_VALUE\nfrom checkov.common.util.data_structures_utils import find_in_dict\n\n\nclass BaseResourceValueCheck(BaseResourceCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: \"Iterable[CheckCategories]\",\n supported_resources: \"Iterable[str]\",\n guideline: str | None = None,\n missing_block_result: CheckResult = CheckResult.FAILED,\n ) -> None:\n super().__init__(\n name=name, id=id, categories=categories, supported_resources=supported_resources, guideline=guideline\n )\n self.missing_block_result = missing_block_result\n\n def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:\n inspected_key = self.get_inspected_key()\n expected_values = self.get_expected_values()\n\n value = find_in_dict(conf, inspected_key)\n\n if value is None:\n return self.missing_block_result\n if ANY_VALUE in expected_values:\n return CheckResult.PASSED\n if value in expected_values:\n return CheckResult.PASSED\n # quite often string values are case-insensitive\n if isinstance(value, str) and value.lower() in [exp.lower() for exp in expected_values if isinstance(exp, str)]:\n return CheckResult.PASSED\n\n return self.missing_block_result\n\n @abstractmethod\n def get_inspected_key(self) -> str:\n \"\"\"\n :return: JSONPath syntax path of the checked attribute\n \"\"\"\n raise NotImplementedError()\n\n def get_expected_values(self) -> list[Any]:\n \"\"\"\n Override the method with the list of acceptable values if the check has more than one possible expected value, given\n the inspected key\n :return: List of expected values, defaults to a list of the expected value\n \"\"\"\n return [self.get_expected_value()]\n\n def get_expected_value(self) -> Any:\n \"\"\"\n Returns the default expected value, governed by provider best practices\n \"\"\"\n return True\n\n def get_evaluated_keys(self) -> list[str]:\n return [self.get_inspected_key()]\n"
},
{
"path": "checkov/bicep/checks/resource/registry.py",
"content": "from checkov.bicep.checks.resource.base_registry import Registry\n\nregistry = Registry()\n"
},
{
"path": "checkov/bicep/graph_builder/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/graph_builder/context_definitions.py",
"content": "from __future__ import annotations\n\nfrom pathlib import Path\nfrom typing import cast, List, Tuple, Dict, Any, TYPE_CHECKING\n\nfrom checkov.common.util.suppression import collect_suppressions_for_report\n\nif TYPE_CHECKING:\n from pycep.typing import BicepJson\n\nBICEP_COMMENT = \"//\"\nDEFINITIONS_KEYS_TO_PARSE = {\"parameters\": \"parameters\", \"resources\": \"resources\"}\n\n\ndef build_definitions_context(definitions: Dict[Path, BicepJson], definitions_raw: Dict[Path, List[Tuple[int, str]]]\n ) -> Dict[str, Dict[str, Any]]:\n definitions_context: Dict[str, Dict[str, Any]] = {}\n for file_path_object, file_path_definitions in definitions.items():\n file_path = str(file_path_object)\n definitions_context[file_path] = {}\n for definition_attribute, resources in file_path_definitions.items():\n if definition_attribute not in DEFINITIONS_KEYS_TO_PARSE.values():\n continue\n definitions_context[file_path][definition_attribute] = {}\n # ignore mypy mismatched type warning since it can't resolve this type correctly\n for resource_key, resource_attributes in resources.items(): # type:ignore[attr-defined]\n definition_resource = {\"start_line\": resource_attributes[\"__start_line__\"], \"end_line\": resource_attributes[\"__end_line__\"]}\n\n if definition_attribute == DEFINITIONS_KEYS_TO_PARSE[\"resources\"]:\n definition_key = f\"{resource_attributes['type']}.{resource_key}\"\n int_start_line = cast(int, definition_resource[\"start_line\"])\n int_end_line = cast(int, definition_resource[\"end_line\"])\n code_lines_for_suppressions_check = definitions_raw[file_path_object][int_start_line: int_end_line]\n definition_resource['skipped_checks'] = collect_suppressions_for_report(code_lines=code_lines_for_suppressions_check)\n elif definition_attribute == DEFINITIONS_KEYS_TO_PARSE[\"parameters\"]:\n definition_key = resource_key\n definition_resource[\"type\"] = resource_attributes['type']\n\n start_line = resource_attributes[\"__start_line__\"]\n end_line = resource_attributes[\"__end_line__\"]\n\n # add resource comments to definition lines\n current_line = str.strip(definitions_raw[file_path_object][start_line - 1][1])\n while not current_line or current_line[0] == BICEP_COMMENT:\n start_line -= 1\n current_line = str.strip(definitions_raw[file_path_object][start_line - 1][1])\n\n # remove next resource comments from definition lines\n current_line = str.strip(definitions_raw[file_path_object][end_line - 1][1])\n while not current_line or current_line[0] == BICEP_COMMENT:\n end_line -= 1\n current_line = str.strip(definitions_raw[file_path_object][end_line - 1][1])\n\n definition_resource[\"code_lines\"] = definitions_raw[file_path_object][start_line - 1: end_line]\n definitions_context[file_path][definition_attribute][definition_key] = definition_resource\n\n return definitions_context\n"
},
{
"path": "checkov/bicep/graph_builder/graph_components/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/graph_builder/graph_components/block_types.py",
"content": "from dataclasses import dataclass\nfrom typing import Literal\n\nfrom typing_extensions import TypeAlias # noqa[TC002]\n\nfrom checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType\n\nBlockTypeAlias: TypeAlias = Literal[\"targetScope\", \"param\", \"var\", \"resource\", \"module\", \"output\"]\n\n\n@dataclass\nclass BlockType(CommonBlockType):\n TARGET_SCOPE: Literal[\"targetScope\"] = \"targetScope\"\n PARAM: Literal[\"param\"] = \"param\"\n VAR: Literal[\"var\"] = \"var\"\n MODULE: Literal[\"module\"] = \"module\"\n OUTPUT: Literal[\"output\"] = \"output\"\n"
},
{
"path": "checkov/bicep/graph_builder/graph_components/blocks.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.graph.graph_builder.graph_components.blocks import Block\n\n\nclass BicepBlock(Block):\n def __init__(\n self,\n name: str,\n config: dict[str, Any],\n path: str,\n block_type: str,\n attributes: dict[str, Any],\n id: str = \"\",\n ) -> None:\n super().__init__(name, config, path, block_type, attributes, id, GraphSource.BICEP)\n"
},
{
"path": "checkov/bicep/graph_builder/graph_to_tf_definitions.py",
"content": "from __future__ import annotations\n\nimport os\nfrom pathlib import Path\nfrom typing import Any, TYPE_CHECKING, cast\n\nfrom checkov.bicep.graph_builder.graph_components.block_types import BlockType, BlockTypeAlias\nfrom checkov.bicep.graph_builder.local_graph import BicepElements, BicepElementsAlias\n\nif TYPE_CHECKING:\n from checkov.bicep.graph_builder.graph_components.blocks import BicepBlock\n from pycep.typing import BicepJson\n\nBLOCK_TYPE_TO_BICEP_ELEMENTS_MAP = {\n BlockType.MODULE: BicepElements.MODULES,\n BlockType.OUTPUT: BicepElements.OUTPUTS,\n BlockType.PARAM: BicepElements.PARAMETERS,\n BlockType.RESOURCE: BicepElements.RESOURCES,\n BlockType.TARGET_SCOPE: BicepElements.GLOBALS,\n BlockType.VAR: BicepElements.VARIABLES,\n}\n\n\ndef convert_graph_vertices_to_tf_definitions(\n vertices: list[BicepBlock], root_folder: str | Path | None\n) -> tuple[dict[Path, BicepJson], dict[str, dict[str, Any]]]:\n tf_definitions: dict[Path, BicepJson] = {}\n breadcrumbs: dict[str, dict[str, Any]] = {}\n for vertex in vertices:\n block_path = Path(vertex.path)\n # in theory block_type could be any string, but not in a Bicep Graph\n block_type = cast(\"BlockTypeAlias\", vertex.block_type)\n bicep_element: BicepElementsAlias = BLOCK_TYPE_TO_BICEP_ELEMENTS_MAP[block_type].value\n element_name = vertex.name\n\n if block_type == BlockType.TARGET_SCOPE:\n element_name = \"scope\"\n\n tf_definitions.setdefault(block_path, {}).setdefault(bicep_element, {})[element_name] = vertex.config # type:ignore[typeddict-item]\n\n if vertex.breadcrumbs:\n relative_block_path = f\"/{os.path.relpath(block_path, root_folder)}\"\n add_breadcrumbs(vertex, breadcrumbs, relative_block_path)\n return tf_definitions, breadcrumbs\n\n\ndef add_breadcrumbs(vertex: BicepBlock, breadcrumbs: dict[str, dict[str, Any]], relative_block_path: str) -> None:\n breadcrumbs.setdefault(relative_block_path, {})[vertex.name] = vertex.breadcrumbs\n"
},
{
"path": "checkov/bicep/graph_builder/local_graph.py",
"content": "from __future__ import annotations\n\nimport logging\nfrom enum import Enum\nfrom pathlib import Path\nfrom typing import Any, TYPE_CHECKING, overload, Literal\n\nfrom pycep.transformer import BicepElement\nfrom typing_extensions import TypeAlias # noqa[TC002]\n\nfrom checkov.bicep.graph_builder.graph_components.block_types import BlockType\nfrom checkov.bicep.graph_builder.graph_components.blocks import BicepBlock\nfrom checkov.bicep.graph_builder.variable_rendering.renderer import BicepVariableRenderer\nfrom checkov.common.graph.graph_builder.graph_components.edge import Edge\nfrom checkov.common.graph.graph_builder.local_graph import LocalGraph\nfrom checkov.common.graph.graph_builder.utils import filter_sub_keys\nfrom checkov.common.graph.graph_builder.utils import adjust_value\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\nfrom checkov.common.util.type_forcers import force_int\n\nif TYPE_CHECKING:\n from checkov.common.graph.graph_builder.graph_components.blocks import Block\n from pycep.typing import (\n BicepJson,\n ResourceAttributes,\n GlobalsAttributes,\n ParameterAttributes,\n VariableAttributes,\n OutputAttributes,\n ModuleAttributes,\n )\n\n\nBicepElementsAlias: TypeAlias = Literal[\"globals\", \"parameters\", \"variables\", \"resources\", \"modules\", \"outputs\"]\n\n\n# mypy: disable-error-code=\"misc\"\nclass BicepElements(str, Enum):\n GLOBALS: Literal[\"globals\"] = \"globals\"\n PARAMETERS: Literal[\"parameters\"] = \"parameters\"\n VARIABLES: Literal[\"variables\"] = \"variables\"\n RESOURCES: Literal[\"resources\"] = \"resources\"\n MODULES: Literal[\"modules\"] = \"modules\"\n OUTPUTS: Literal[\"outputs\"] = \"outputs\"\n\n\nclass BicepLocalGraph(LocalGraph[BicepBlock]):\n def __init__(self, definitions: dict[Path, BicepJson]) -> None:\n super().__init__()\n self.vertices: list[BicepBlock] = []\n self.definitions = definitions\n self.vertices_by_name: dict[str, int] = {}\n\n def build_graph(self, render_variables: bool) -> None:\n self._create_vertices()\n logging.info(f\"[BicepLocalGraph] created {len(self.vertices)} vertices\")\n self._create_edges()\n logging.info(f\"[BicepLocalGraph] created {len(self.edges)} edges\")\n\n if render_variables:\n renderer = BicepVariableRenderer(self)\n renderer.render_variables_from_local_graph()\n\n def _create_vertices(self) -> None:\n for file_path, bicep_conf in self.definitions.items():\n self._create_global_vertices(file_path=file_path, globals_attrs=bicep_conf.get(BicepElements.GLOBALS.value))\n self._create_param_vertices(file_path=file_path, parameters=bicep_conf.get(BicepElements.PARAMETERS.value))\n self._create_var_vertices(file_path=file_path, variables=bicep_conf.get(BicepElements.VARIABLES.value))\n self._create_resource_vertices(file_path=file_path, resources=bicep_conf.get(BicepElements.RESOURCES.value))\n self._create_module_vertices(file_path=file_path, modules=bicep_conf.get(BicepElements.MODULES.value))\n self._create_output_vertices(file_path=file_path, outputs=bicep_conf.get(BicepElements.OUTPUTS.value))\n\n for i, vertex in enumerate(self.vertices):\n self.vertices_by_block_type[vertex.block_type].append(i)\n self.vertices_block_name_map[vertex.block_type][vertex.name].append(i)\n self.vertices_by_name[vertex.name] = i\n\n self.in_edges[i] = []\n self.out_edges[i] = []\n\n def _create_global_vertices(self, file_path: Path, globals_attrs: GlobalsAttributes | None) -> None:\n if not globals_attrs:\n return\n\n # there can only be one target scope per file\n config = pickle_deepcopy(globals_attrs[\"scope\"])\n attributes = pickle_deepcopy(config)\n\n self.vertices.append(\n BicepBlock(\n name=BlockType.TARGET_SCOPE,\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.TARGET_SCOPE,\n attributes=attributes, # type:ignore[arg-type]\n id=BlockType.TARGET_SCOPE,\n )\n )\n\n def _create_param_vertices(self, file_path: Path, parameters: dict[str, ParameterAttributes] | None) -> None:\n if not parameters:\n return\n\n for name, conf in parameters.items():\n config = pickle_deepcopy(conf)\n attributes = pickle_deepcopy(conf)\n\n self.vertices.append(\n BicepBlock(\n name=name,\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.PARAM,\n attributes=attributes, # type:ignore[arg-type]\n id=f\"{BlockType.PARAM}.{name}\",\n )\n )\n\n def _create_var_vertices(self, file_path: Path, variables: dict[str, VariableAttributes] | None) -> None:\n if not variables:\n return\n\n for name, conf in variables.items():\n config = pickle_deepcopy(conf)\n attributes = pickle_deepcopy(conf)\n\n self.vertices.append(\n BicepBlock(\n name=name,\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.VAR,\n attributes=attributes, # type:ignore[arg-type]\n id=f\"{BlockType.VAR}.{name}\",\n )\n )\n\n def _create_resource_vertices(self, file_path: Path, resources: dict[str, ResourceAttributes] | None) -> None:\n if not resources:\n return\n\n for name, conf in resources.items():\n config = pickle_deepcopy(conf)\n\n attributes: dict[str, Any] = {}\n attributes[\"decorators\"] = pickle_deepcopy(config[\"decorators\"])\n attributes[\"type_\"] = config[\"type\"]\n attributes[\"api_version_\"] = config[\"api_version\"]\n attributes[\"existing_\"] = config[\"existing\"]\n attributes.update(pickle_deepcopy(config[\"config\"]))\n\n attributes[\"resource_type\"] = config[\"type\"]\n attributes[\"__start_line__\"] = config[\"__start_line__\"]\n attributes[\"__end_line__\"] = config[\"__end_line__\"]\n\n self.vertices.append(\n BicepBlock(\n name=name,\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.RESOURCE,\n attributes=attributes,\n id=f\"{config['type']}.{name}\",\n )\n )\n\n def _create_module_vertices(self, file_path: Path, modules: dict[str, ModuleAttributes] | None) -> None:\n if not modules:\n return\n\n for name, conf in modules.items():\n config = pickle_deepcopy(conf)\n\n attributes: dict[str, Any] = {}\n attributes[\"decorators\"] = pickle_deepcopy(config[\"decorators\"])\n attributes[\"type_\"] = config[\"type\"]\n attributes[\"detail_\"] = config[\"detail\"]\n attributes.update(pickle_deepcopy(config[\"config\"]))\n\n attributes[\"resource_type\"] = config[\"type\"]\n attributes[\"__start_line__\"] = config[\"__start_line__\"]\n attributes[\"__end_line__\"] = config[\"__end_line__\"]\n\n self.vertices.append(\n BicepBlock(\n name=str(name), # this will be fixed in pycep with the next version, currently type Token\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.MODULE,\n attributes=attributes,\n id=f\"{config['type']}.{name}\",\n )\n )\n\n def _create_output_vertices(self, file_path: Path, outputs: dict[str, OutputAttributes] | None) -> None:\n if not outputs:\n return\n\n for name, conf in outputs.items():\n config = pickle_deepcopy(conf)\n attributes = pickle_deepcopy(conf)\n\n self.vertices.append(\n BicepBlock(\n name=name,\n config=config, # type:ignore[arg-type]\n path=str(file_path),\n block_type=BlockType.OUTPUT,\n attributes=attributes, # type:ignore[arg-type]\n id=f\"{BlockType.OUTPUT}.{name}\",\n )\n )\n\n def _create_edges(self) -> None:\n # TODO: support connections in interpolated strings\n for origin_vertex_index, vertex in enumerate(self.vertices):\n for attr_key, attr_value in vertex.attributes.items():\n if isinstance(attr_value, BicepElement):\n self._create_edge(\n element_name=attr_value,\n origin_vertex_index=origin_vertex_index,\n label=attr_key,\n )\n if isinstance(attr_value, list):\n for list_value in attr_value:\n if isinstance(list_value, BicepElement):\n self._create_edge(\n element_name=list_value,\n origin_vertex_index=origin_vertex_index,\n label=attr_key,\n )\n\n def _create_edge(self, element_name: str, origin_vertex_index: int, label: str) -> None:\n vertex_name = element_name\n if \".\" in vertex_name:\n # special case for`bicep elements, when properties are accessed\n vertex_name = vertex_name.split(\".\")[0]\n\n dest_vertex_index = self.vertices_by_name.get(vertex_name)\n if dest_vertex_index:\n if origin_vertex_index == dest_vertex_index:\n return\n edge = Edge(origin_vertex_index, dest_vertex_index, label)\n self.edges.append(edge)\n self.out_edges[origin_vertex_index].append(edge)\n self.in_edges[dest_vertex_index].append(edge)\n\n def update_vertices_configs(self) -> None:\n for vertex in self.vertices:\n changed_attributes = list(vertex.changed_attributes.keys())\n changed_attributes = filter_sub_keys(changed_attributes)\n self.update_vertex_config(vertex, changed_attributes)\n\n @staticmethod\n def update_vertex_config(vertex: Block, changed_attributes: list[str] | dict[str, Any], dynamic_blocks: bool = False) -> None:\n if not changed_attributes:\n # skip, if there is no change\n return\n\n for attr in changed_attributes:\n new_value = vertex.attributes.get(attr, None)\n if vertex.block_type == BlockType.RESOURCE:\n BicepLocalGraph.update_config_attribute(\n config=vertex.config[\"config\"], key_to_update=attr, new_value=new_value\n )\n\n @staticmethod\n def update_config_attribute(config: list[Any] | dict[str, Any], key_to_update: str, new_value: Any) -> None:\n key_parts = key_to_update.split(\".\")\n\n if isinstance(config, dict):\n key = key_parts[0]\n if len(key_parts) == 1:\n BicepLocalGraph.update_config_value(config=config, key=key, new_value=new_value)\n return\n else:\n key, key_parts = BicepLocalGraph.adjust_key(config, key, key_parts)\n if len(key_parts) == 1:\n BicepLocalGraph.update_config_value(config=config, key=key, new_value=new_value)\n return\n\n BicepLocalGraph.update_config_attribute(config[key], \".\".join(key_parts[1:]), new_value)\n elif isinstance(config, list):\n key_idx = force_int(key_parts[0])\n if key_idx is None:\n return\n\n if len(key_parts) == 1:\n BicepLocalGraph.update_config_value(config=config, key=key_idx, new_value=new_value)\n return\n else:\n BicepLocalGraph.update_config_attribute(config[key_idx], \".\".join(key_parts[1:]), new_value)\n\n return\n\n @overload\n @staticmethod\n def update_config_value(config: list[Any], key: int, new_value: Any) -> None:\n ...\n\n @overload\n @staticmethod\n def update_config_value(config: dict[str, Any], key: str, new_value: Any) -> None:\n ...\n\n @staticmethod\n def update_config_value(config: list[Any] | dict[str, Any], key: int | str, new_value: Any) -> None:\n new_value = adjust_value(config[key], new_value) # type:ignore[index]\n if new_value is None:\n # couldn't find key in in value object\n return\n\n config[key] = new_value # type:ignore[index]\n\n @staticmethod\n def adjust_key(config: dict[str, Any], key: str, key_parts: list[str]) -> tuple[str, list[str]]:\n \"\"\"Adjusts the key, if it consists of multiple dots\n\n Ex:\n config = {\"'container.registry'\": \"acrName\"}\n key = \"'container\"\n key_parts = [\"'container\", \"registry'\"]\n\n returns new_key = \"'container.registry'\"\n new_key_parts = [\"'container.registry'\"]\n \"\"\"\n\n if key not in config:\n if len(key_parts) >= 2:\n new_key = \".\".join(key_parts[:2])\n new_key_parts = [new_key] + key_parts[2:]\n\n return BicepLocalGraph.adjust_key(config, new_key, new_key_parts)\n\n return key, key_parts\n\n def get_resources_types_in_graph(self) -> list[str]:\n return []\n"
},
{
"path": "checkov/bicep/graph_builder/variable_rendering/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/graph_builder/variable_rendering/renderer.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING, Any\n\nfrom pycep.transformer import BicepElement\n\nfrom checkov.bicep.graph_builder.graph_components.block_types import BlockType\nfrom checkov.common.graph.graph_builder import Edge\nfrom checkov.common.graph.graph_builder.utils import adjust_value\nfrom checkov.common.graph.graph_builder.variable_rendering.renderer import VariableRenderer\nfrom checkov.common.util.data_structures_utils import pickle_deepcopy\n\nif TYPE_CHECKING:\n from checkov.bicep.graph_builder.local_graph import BicepLocalGraph\n\n\nclass BicepVariableRenderer(VariableRenderer[\"BicepLocalGraph\"]):\n def __init__(self, local_graph: BicepLocalGraph) -> None:\n super().__init__(local_graph)\n\n def _render_variables_from_vertices(self) -> None:\n pass\n\n def evaluate_vertex_attribute_from_edge(self, edge_list: list[Edge]) -> None:\n edge = edge_list[0]\n origin_vertex_attributes = self.local_graph.vertices[edge.origin].attributes\n val_to_eval = pickle_deepcopy(origin_vertex_attributes.get(edge.label, \"\"))\n\n attr_path, attr_value = self.extract_dest_attribute_path_and_value(dest_index=edge.dest, origin_value=val_to_eval)\n\n if attr_path:\n self.local_graph.update_vertex_attribute(\n vertex_index=edge.origin,\n attribute_key=edge.label,\n attribute_value=attr_value,\n change_origin_id=edge.dest,\n attribute_at_dest=attr_path,\n )\n\n def extract_dest_attribute_path_and_value(self, dest_index: int, origin_value: Any) -> tuple[str, Any] | tuple[None, None]:\n if isinstance(origin_value, BicepElement):\n vertex = self.local_graph.vertices[dest_index]\n\n if vertex.block_type == BlockType.PARAM:\n new_value = vertex.attributes.get(\"default\")\n if new_value:\n new_value = adjust_value(element_name=origin_value, value=new_value)\n return \"default\", new_value\n elif vertex.block_type == BlockType.VAR:\n new_value = adjust_value(element_name=origin_value, value=vertex.attributes[\"value\"])\n return \"value\", new_value\n\n return None, None\n\n def evaluate_non_rendered_values(self) -> None:\n # not used\n pass\n"
},
{
"path": "checkov/bicep/graph_manager.py",
"content": "from __future__ import annotations\n\nfrom pathlib import Path\nfrom typing import TYPE_CHECKING, Any, Optional\n\nfrom checkov.bicep.parser import Parser\nfrom checkov.bicep.utils import get_scannable_file_paths\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.graph.graph_manager import GraphManager\nfrom checkov.bicep.graph_builder.local_graph import BicepLocalGraph\n\nif TYPE_CHECKING:\n from checkov.common.typing import LibraryGraphConnector\n from pycep.typing import BicepJson\n\n\nclass BicepGraphManager(GraphManager[BicepLocalGraph, \"dict[Path, BicepJson]\"]):\n def __init__(self, db_connector: LibraryGraphConnector, source: str = GraphSource.BICEP) -> None:\n super().__init__(db_connector=db_connector, parser=None, source=source)\n\n def build_graph_from_source_directory(\n self,\n source_dir: str,\n local_graph_class: type[BicepLocalGraph] = BicepLocalGraph,\n render_variables: bool = True,\n parsing_errors: Optional[dict[str, Exception]] = None,\n download_external_modules: Optional[bool] = False,\n excluded_paths: Optional[list[str]] = None,\n **kwargs: Any,\n ) -> tuple[BicepLocalGraph, dict[Path, BicepJson]]:\n file_paths = get_scannable_file_paths(root_folder=source_dir)\n definitions, definitions_raw, parsing_errors = Parser().get_files_definitions(file_paths) # type:ignore[assignment]\n local_graph = self.build_graph_from_definitions(definitions)\n\n return local_graph, definitions\n\n def build_graph_from_definitions(\n self, definitions: dict[Path, BicepJson], render_variables: bool = True\n ) -> BicepLocalGraph:\n local_graph = BicepLocalGraph(definitions)\n local_graph.build_graph(render_variables)\n return local_graph\n"
},
{
"path": "checkov/bicep/image_referencer/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/image_referencer/base_provider.py",
"content": "from __future__ import annotations\n\nimport os\n\nfrom checkov.bicep.utils import BICEP_START_LINE, BICEP_END_LINE\nfrom checkov.common.graph.graph_builder import CustomAttributes\nfrom checkov.common.images.graph.image_referencer_provider import GraphImageReferencerProvider\nfrom checkov.common.images.image_referencer import Image\nfrom checkov.common.util.str_utils import removeprefix\n\n\nclass BaseBicepProvider(GraphImageReferencerProvider):\n\n def extract_images_from_resources(self) -> list[Image]:\n images = []\n\n supported_resources_graph = self.extract_nodes()\n\n for resource in self.extract_resource(supported_resources_graph):\n image_names: list[str] = []\n resource_type = resource[CustomAttributes.RESOURCE_TYPE]\n\n extract_images_func = self.supported_resource_types.get(resource_type)\n if extract_images_func:\n image_names.extend(extract_images_func(resource))\n\n for name in image_names:\n images.append(\n Image(\n file_path=resource[CustomAttributes.FILE_PATH],\n name=name,\n start_line=resource[BICEP_START_LINE],\n end_line=resource[BICEP_END_LINE],\n related_resource_id=f'{removeprefix(resource.get(\"file_path_\", \"\"), os.getenv(\"BC_ROOT_DIR\", \"\"))}:{resource.get(\"id_\")}',\n )\n )\n\n return images\n"
},
{
"path": "checkov/bicep/image_referencer/manager.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING\n\nfrom checkov.bicep.image_referencer.provider.azure import AzureBicepProvider\nfrom checkov.common.images.graph.image_referencer_manager import GraphImageReferencerManager\n\nif TYPE_CHECKING:\n from checkov.common.images.image_referencer import Image\n\n\nclass BicepImageReferencerManager(GraphImageReferencerManager):\n\n def extract_images_from_resources(self) -> list[Image]:\n bicep_provider = AzureBicepProvider(graph_connector=self.graph_connector)\n\n images = bicep_provider.extract_images_from_resources()\n\n return images\n"
},
{
"path": "checkov/bicep/image_referencer/provider/__init__.py",
"content": ""
},
{
"path": "checkov/bicep/image_referencer/provider/azure.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.bicep.image_referencer.base_provider import BaseBicepProvider\nfrom checkov.common.util.data_structures_utils import find_in_dict\nfrom checkov.common.util.type_forcers import force_list\n\nif TYPE_CHECKING:\n from networkx import DiGraph\n\n\nclass AzureBicepProvider(BaseBicepProvider):\n def __init__(self, graph_connector: DiGraph) -> None:\n super().__init__(\n graph_connector=graph_connector,\n supported_resource_types=SUPPORTED_AZURE_IMAGE_RESOURCE_TYPES,\n )\n\n\ndef extract_images_from_azurerm_batch_pool(resource: dict[str, Any]) -> list[str]:\n image_names: list[str] = []\n\n containers = find_in_dict(\n input_dict=resource,\n key_path=\"properties/virtualMachineConfiguration/containerConfiguration/containerImageNames\",\n )\n if isinstance(containers, list):\n image_names.extend(container for container in containers if isinstance(container, str))\n\n return image_names\n\n\ndef extract_images_from_azurerm_container_group(resource: dict[str, Any]) -> list[str]:\n image_names: list[str] = []\n\n properties = resource.get(\"properties\")\n if properties and isinstance(properties, dict):\n containers = properties.get(\"containers\")\n if containers:\n for container in force_list(containers):\n name = find_in_dict(input_dict=container, key_path=\"properties/image\")\n if name and isinstance(name, str):\n image_names.append(name)\n containers = properties.get(\"initContainers\")\n if containers:\n for container in force_list(containers):\n name = find_in_dict(input_dict=container, key_path=\"properties/image\")\n if name and isinstance(name, str):\n image_names.append(name)\n\n return image_names\n\n\ndef extract_images_from_azurerm_web_app(resource: dict[str, Any]) -> list[str]:\n image_names: list[str] = []\n\n containers = find_in_dict(input_dict=resource, key_path=\"properties/template/containers\")\n if containers:\n for container in force_list(containers):\n name = container.get(\"image\")\n if name and isinstance(name, str):\n image_names.append(name)\n\n return image_names\n\n\n# needs to be at the bottom to add the defined functions\nSUPPORTED_AZURE_IMAGE_RESOURCE_TYPES = {\n \"Microsoft.App/containerApps\": extract_images_from_azurerm_web_app,\n \"Microsoft.Batch/batchAccounts/pools\": extract_images_from_azurerm_batch_pool,\n \"Microsoft.ContainerInstance/containerGroups\": extract_images_from_azurerm_container_group,\n \"Microsoft.Web/containerApps\": extract_images_from_azurerm_web_app,\n}\n"
},
{
"path": "checkov/bicep/parser.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nfrom collections.abc import Collection\nfrom pathlib import Path\nfrom typing import TYPE_CHECKING\n\nfrom pycep import BicepParser\n\nfrom checkov.common.util.file_utils import read_file_with_any_encoding\n\nif TYPE_CHECKING:\n from pycep.typing import BicepJson\n\n\nclass Parser:\n def __init__(self) -> None:\n self.bicep_parser = BicepParser(add_line_numbers=True)\n\n def parse(self, file_path: Path) -> tuple[BicepJson, list[tuple[int, str]]] | tuple[None, None]:\n try:\n content = read_file_with_any_encoding(file_path=file_path)\n template = self.bicep_parser.parse(text=content)\n except Exception:\n logging.debug(f\"[bicep] Couldn't parse {file_path}\", exc_info=True)\n return None, None\n\n file_lines = [(idx + 1, line) for idx, line in enumerate(content.splitlines(keepends=True))]\n\n return template, file_lines\n\n def get_files_definitions(\n self, file_paths: \"Collection[Path]\"\n ) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]], list[str]]:\n logging.info(f\"[bicep] start to parse {len(file_paths)} files\")\n\n definitions: dict[Path, BicepJson] = {}\n definitions_raw: dict[Path, list[tuple[int, str]]] = {}\n parsing_errors: list[str] = []\n\n for file_path in file_paths:\n template, file_lines = self.parse(file_path)\n if template and file_lines:\n definitions[file_path] = template\n definitions_raw[file_path] = file_lines\n else:\n parsing_errors.append(os.path.normpath(file_path.absolute()))\n\n logging.info(f\"[bicep] successfully parsed {len(definitions)} files\")\n\n return definitions, definitions_raw, parsing_errors\n"
},
{
"path": "checkov/bicep/runner.py",
"content": "from __future__ import annotations\n\nimport os\nimport logging\nfrom pathlib import Path\nfrom typing import cast, Type, TYPE_CHECKING, Any, Literal\n\nfrom typing_extensions import TypeAlias # noqa[TC002]\n\nfrom checkov.bicep.graph_builder.context_definitions import build_definitions_context\nfrom checkov.bicep.checks.param.registry import registry as param_registry\nfrom checkov.bicep.checks.resource.registry import registry as resource_registry\nfrom checkov.bicep.graph_builder.graph_to_tf_definitions import convert_graph_vertices_to_tf_definitions\nfrom checkov.bicep.graph_builder.local_graph import BicepLocalGraph\nfrom checkov.bicep.graph_manager import BicepGraphManager\nfrom checkov.bicep.image_referencer.manager import BicepImageReferencerManager\nfrom checkov.bicep.parser import Parser\nfrom checkov.bicep.utils import clean_file_path, get_scannable_file_paths\nfrom checkov.common.checks_infra.registry import get_graph_checks_registry\n\nfrom checkov.common.typing import LibraryGraphConnector\nfrom checkov.common.graph.graph_builder import CustomAttributes\nfrom checkov.common.graph.graph_builder.consts import GraphSource\nfrom checkov.common.images.image_referencer import ImageReferencerMixin\nfrom checkov.common.output.extra_resource import ExtraResource\nfrom checkov.common.output.graph_record import GraphRecord\nfrom checkov.common.output.record import Record\nfrom checkov.common.output.report import Report\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.common.runners.base_runner import BaseRunner\nfrom checkov.common.typing import _CheckResult\nfrom checkov.common.util.secrets import omit_secret_value_from_checks\nfrom checkov.common.util.suppression import collect_suppressions_for_report\nfrom checkov.runner_filter import RunnerFilter\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n from checkov.common.checks_infra.registry import Registry\n from checkov.common.graph.checks_infra.registry import BaseRegistry\n from checkov.common.images.image_referencer import Image\n from networkx import DiGraph\n from pycep.typing import BicepJson\n\n_BicepContext: TypeAlias = \"dict[str, dict[str, Any]]\"\n_BicepDefinitions: TypeAlias = \"dict[Path, BicepJson]\"\n\n\nclass Runner(ImageReferencerMixin[None], BaseRunner[_BicepDefinitions, _BicepContext, BicepGraphManager]):\n check_type = CheckType.BICEP # noqa: CCE003 # a static attribute\n\n block_type_registries: 'dict[Literal[\"parameters\", \"resources\"], BaseCheckRegistry]' = { # noqa: CCE003 # a static attribute\n \"parameters\": param_registry,\n \"resources\": resource_registry,\n }\n\n def __init__(\n self,\n db_connector: LibraryGraphConnector | None = None,\n source: str = GraphSource.BICEP,\n graph_class: Type[BicepLocalGraph] = BicepLocalGraph,\n graph_manager: BicepGraphManager | None = None,\n external_registries: list[BaseRegistry] | None = None\n ) -> None:\n super().__init__(file_extensions=['.bicep'])\n db_connector = db_connector or self.db_connector\n self.external_registries = external_registries if external_registries else []\n self.graph_class = graph_class\n self.graph_manager: BicepGraphManager = (\n graph_manager if graph_manager else BicepGraphManager(source=source, db_connector=db_connector)\n )\n self.graph_registry: Registry = get_graph_checks_registry(self.check_type)\n\n self.context: _BicepContext = {}\n self.definitions: _BicepDefinitions = {}\n self.definitions_raw: dict[Path, list[tuple[int, str]]] = {} # type:ignore[assignment]\n self.root_folder: str | Path | None = None\n\n def run(\n self,\n root_folder: str | Path | None,\n external_checks_dir: list[str] | None = None,\n files: list[str] | None = None,\n runner_filter: RunnerFilter | None = None,\n collect_skip_comments: bool = True,\n ) -> Report | list[Report]:\n runner_filter = runner_filter or RunnerFilter()\n if not runner_filter.show_progress_bar:\n self.pbar.turn_off_progress_bar()\n\n report = Report(Runner.check_type)\n self.root_folder = root_folder\n\n if not self.context or not self.definitions:\n file_paths = get_scannable_file_paths(\n root_folder=root_folder, files=files, excluded_paths=runner_filter.excluded_paths\n )\n\n if not file_paths:\n return report\n\n self.definitions, self.definitions_raw, parsing_errors = Parser().get_files_definitions(file_paths)\n\n report.add_parsing_errors(parsing_errors)\n\n if external_checks_dir:\n for directory in external_checks_dir:\n resource_registry.load_external_checks(directory)\n self.graph_registry.load_external_checks(directory)\n\n self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw)\n\n logging.info(\"Creating Bicep graph\")\n local_graph = self.graph_manager.build_graph_from_definitions(self.definitions)\n logging.info(\"Successfully created Bicep graph\")\n\n self.graph_manager.save_graph(local_graph)\n self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions(\n vertices=local_graph.vertices, root_folder=root_folder\n )\n\n self.pbar.initiate(len(self.definitions))\n\n # run Python checks\n self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder)\n\n # run graph checks\n self.add_graph_check_results(report=report, runner_filter=runner_filter)\n\n if runner_filter.run_image_referencer:\n if files:\n # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form\n root_folder = os.path.split(os.path.commonprefix(files))[0]\n\n image_report = self.check_container_image_references(\n graph_connector=self.graph_manager.get_reader_endpoint(),\n root_path=root_folder,\n runner_filter=runner_filter,\n )\n\n if image_report:\n # due too many tests failing only return a list, if there is an image report\n return [report, image_report]\n\n return report\n\n def set_definitions_raw(self, definitions_raw: dict[Path, list[tuple[int, str]]]) -> None:\n self.definitions_raw = definitions_raw\n\n def add_python_check_results(\n self, report: Report, runner_filter: RunnerFilter, root_folder: str | Path | None\n ) -> None:\n \"\"\"Adds Python check results to given report\"\"\"\n\n for file_path, definition in self.definitions.items():\n self.pbar.set_additional_data({'Current File Scanned': os.path.relpath(file_path, root_folder)})\n for block_type, registry in Runner.block_type_registries.items():\n block_type_confs = definition.get(block_type)\n if block_type_confs:\n for name, conf in block_type_confs.items():\n results = registry.scan(\n scanned_file=str(file_path),\n entity={name: conf},\n skipped_checks=[],\n runner_filter=runner_filter\n )\n\n if results:\n file_code_lines = self.definitions_raw[file_path]\n start_line = conf[\"__start_line__\"]\n end_line = conf[\"__end_line__\"]\n\n cleaned_path = clean_file_path(file_path)\n resource_id = f\"{conf['type']}.{name}\"\n report.add_resource(f\"{cleaned_path}:{resource_id}\")\n\n suppressions = collect_suppressions_for_report(\n code_lines=file_code_lines[start_line - 1 : end_line]\n )\n\n for check, check_result in results.items():\n if check.id in suppressions.keys():\n check_result = suppressions[check.id]\n elif check.bc_id and check.bc_id in suppressions.keys():\n check_result = suppressions[check.bc_id]\n\n censored_code_lines = omit_secret_value_from_checks(\n check=check,\n check_result=check_result,\n entity_code_lines=file_code_lines[start_line - 1 : end_line],\n entity_config=conf,\n resource_attributes_to_omit=runner_filter.resource_attr_to_omit\n )\n\n record = Record(\n check_id=check.id,\n bc_check_id=check.bc_id,\n check_name=check.name,\n check_result=check_result,\n code_block=censored_code_lines,\n file_path=self.extract_file_path_from_abs_path(cleaned_path),\n file_line_range=[start_line, end_line],\n resource=resource_id,\n check_class=check.__class__.__module__,\n file_abs_path=str(file_path.absolute()),\n evaluations=None,\n severity=check.severity,\n )\n record.set_guideline(check.guideline)\n report.add_record(record=record)\n elif conf.get(\"existing\") is False:\n # resources without checks, but not existing ones\n\n cleaned_path = clean_file_path(file_path)\n resource_id = f\"{conf['type']}.{name}\"\n report.extra_resources.add(\n ExtraResource(\n file_abs_path=str(file_path.absolute()),\n file_path=self.extract_file_path_from_abs_path(cleaned_path),\n resource=resource_id,\n )\n )\n self.pbar.update()\n self.pbar.close()\n\n def extract_file_path_from_abs_path(self, path: Path) -> str:\n return f\"/{os.path.relpath(path, self.root_folder)}\"\n\n def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) -> None:\n \"\"\"Adds YAML check results to given report\"\"\"\n\n checks_results = self.run_graph_checks_results(runner_filter, self.check_type)\n\n for check, check_results in checks_results.items():\n for check_result in check_results:\n entity = check_result[\"entity\"]\n entity_file_path = Path(entity[CustomAttributes.FILE_PATH])\n\n clean_check_result: _CheckResult = {\n \"result\": check_result[\"result\"],\n \"evaluated_keys\": check_result[\"evaluated_keys\"],\n }\n\n file_code_lines = self.definitions_raw[entity_file_path]\n start_line = entity[\"__start_line__\"]\n end_line = cast(\"int\", entity[\"__end_line__\"])\n\n record = Record(\n check_id=check.id,\n bc_check_id=check.bc_id,\n check_name=check.name,\n check_result=clean_check_result,\n code_block=file_code_lines[start_line - 1 : end_line],\n file_path=self.extract_file_path_from_abs_path(clean_file_path(entity_file_path)),\n file_line_range=[start_line, end_line],\n resource=entity[CustomAttributes.ID],\n check_class=check.__class__.__module__,\n file_abs_path=str(entity_file_path.absolute()),\n evaluations=None,\n severity=check.severity,\n )\n if self.breadcrumbs:\n breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource)\n if breadcrumb:\n record = GraphRecord(record, breadcrumb)\n record.set_guideline(check.guideline)\n report.add_record(record=record)\n\n def extract_images(\n self,\n graph_connector: DiGraph | None = None,\n definitions: None = None,\n definitions_raw: dict[str, list[tuple[int, str]]] | None = None,\n ) -> list[Image]:\n if not graph_connector:\n # should not happen\n return []\n\n manager = BicepImageReferencerManager(graph_connector=graph_connector)\n images = manager.extract_images_from_resources()\n\n return images\n"
},
{
"path": "checkov/bicep/utils.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nimport re\nfrom collections.abc import Collection\nfrom pathlib import Path\nfrom typing import TYPE_CHECKING\n\nfrom checkov.common.runners.base_runner import filter_ignored_paths\nfrom checkov.runner_filter import RunnerFilter\nfrom checkov.bicep.parser import Parser\n\nif TYPE_CHECKING:\n from pycep.typing import BicepJson\n\n\nBICEP_POSSIBLE_ENDINGS = [\".bicep\"]\nBICEP_START_LINE = \"__start_line__\"\nBICEP_END_LINE = \"__end_line__\"\n\n\ndef get_scannable_file_paths(\n root_folder: str | Path | None = None, files: list[str] | None = None, excluded_paths: list[str] | None = None\n) -> set[Path]:\n \"\"\"Finds Bicep files\"\"\"\n\n file_paths: set[Path] = set()\n\n if root_folder:\n root_path = Path(root_folder)\n file_paths = {file_path for file_path in root_path.rglob(\"*.bicep\") if file_path.is_file()}\n\n if excluded_paths:\n compiled = [re.compile(p.replace(\".terraform\", r\"\\.terraform\")) for p in excluded_paths]\n file_paths = {\n file_path for file_path in file_paths if not any(pattern.search(str(file_path)) for pattern in compiled)\n }\n if files:\n for file in files:\n if file.endswith(\".bicep\"):\n file_paths.add(Path(file))\n\n return file_paths\n\n\ndef clean_file_path(file_path: Path) -> Path:\n path_parts = [part for part in file_path.parts if part not in (\".\", \"..\")]\n\n return Path(*path_parts)\n\n\ndef get_folder_definitions(\n root_folder: str, excluded_paths: list[str] | None\n) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]], list[str]]:\n files_list: set[Path] = set()\n for root, d_names, f_names in os.walk(root_folder):\n filter_ignored_paths(root, d_names, excluded_paths)\n filter_ignored_paths(root, f_names, excluded_paths)\n for file in f_names:\n file_ending = os.path.splitext(file)[1]\n if file_ending in BICEP_POSSIBLE_ENDINGS:\n full_path = os.path.join(root, file)\n files_list.add(Path(full_path))\n parser = Parser()\n\n return parser.get_files_definitions(files_list)\n\n\ndef create_definitions(\n root_folder: str,\n files: \"Collection[Path] | None\" = None,\n runner_filter: RunnerFilter | None = None,\n) -> tuple[dict[Path, BicepJson], dict[Path, list[tuple[int, str]]]]:\n definitions: dict[Path, BicepJson] = {}\n definitions_raw: dict[Path, list[tuple[int, str]]] = {}\n parsing_errors: list[str] = []\n runner_filter = runner_filter or RunnerFilter()\n\n if files:\n parser = Parser()\n definitions, definitions_raw, parsing_errors = parser.get_files_definitions(file_paths=files)\n\n if root_folder:\n definitions, definitions_raw, parsing_errors = get_folder_definitions(root_folder, runner_filter.excluded_paths)\n\n if parsing_errors:\n logging.warning(f\"[bicep] found errors while parsing definitions: {parsing_errors}\")\n\n return definitions, definitions_raw\n"
},
{
"path": "checkov/bitbucket/__init__.py",
"content": "from checkov.bitbucket.checks import * # noqa\n"
},
{
"path": "checkov/bitbucket/base_bitbucket_configuration_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.bitbucket.registry import registry\nfrom checkov.common.checks.base_check import BaseCheck\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckCategories, CheckResult\n\n\nclass BaseBitbucketCheck(BaseCheck):\n def __init__(\n self,\n name: str,\n id: str,\n categories: Iterable[CheckCategories],\n supported_entities: Iterable[str],\n block_type: str,\n path: str | None = None,\n guideline: str | None = None,\n ):\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_entities,\n block_type=block_type,\n guideline=guideline,\n )\n self.path = path\n registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]] | None: # type:ignore[override] # multi_signature decorator is problematic\n self.entity_type = entity_type\n\n return self.scan_conf(conf)\n\n @abstractmethod\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]] | None:\n pass\n"
},
{
"path": "checkov/bitbucket/checks/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/bitbucket/checks/merge_requests_approvals.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.bitbucket.base_bitbucket_configuration_check import BaseBitbucketCheck\nfrom checkov.bitbucket.schemas.branch_restrictions import schema as branch_restrictions_schema\nfrom checkov.common.models.enums import CheckCategories, CheckResult\nfrom checkov.json_doc.enums import BlockType\n\n\nclass MergeRequestRequiresApproval(BaseBitbucketCheck):\n def __init__(self) -> None:\n name = \"Merge requests should require at least 2 approvals\"\n id = \"CKV_BITBUCKET_1\"\n categories = (CheckCategories.SUPPLY_CHAIN,)\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=(\"*\",),\n block_type=BlockType.DOCUMENT\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]] | None:\n if branch_restrictions_schema.validate(conf):\n for value in conf.get(\"values\", []):\n if value.get('kind', '') == 'require_approvals_to_merge':\n if value.get('value', 0) >= 2:\n return CheckResult.PASSED, conf\n return CheckResult.FAILED, conf\n\n return None\n\n\ncheck = MergeRequestRequiresApproval()\n"
},
{
"path": "checkov/bitbucket/dal.py",
"content": "from __future__ import annotations\n\nimport logging\nimport os\nfrom typing import Any\n\nimport requests\n\nfrom checkov.common.runners.base_runner import strtobool\nfrom checkov.common.vcs.base_vcs_dal import BaseVCSDAL\n\n\nclass Bitbucket(BaseVCSDAL):\n def setup_conf_dir(self) -> None:\n \"\"\"\n discover parameters from execution context of checkov and determine the directory to save temporal files of vcs configuration\n \"\"\"\n bitbucket_conf_dir_name = os.getenv('CKV_BITBUCKET_CONF_DIR_NAME', 'bitbucket_conf')\n self.bitbucket_conf_dir_path = os.path.join(os.getcwd(), bitbucket_conf_dir_name)\n self.bitbucket_branch_restrictions_file_path = os.path.join(self.bitbucket_conf_dir_path,\n \"branch_restrictions.json\")\n\n def discover(self) -> None:\n \"\"\"\n discover parameters from execution context of checkov. usually from env variable\n \"\"\"\n server_host = os.getenv('CI_SERVER_URL', \"https://api.bitbucket.org/\")\n self.api_url = f'{server_host}2.0'\n self.graphql_api_url = f\"{server_host}api/graphql\"\n\n self.token = os.getenv('APP_PASSWORD', '')\n\n self.current_repository = os.getenv('BITBUCKET_REPO_FULL_NAME', '')\n self.current_branch = os.getenv('BITBUCKET_BRANCH', '')\n self.default_branch_cache = {}\n self.username = os.getenv('BITBUCKET_USERNAME', '')\n\n def _request(self, endpoint: str, allowed_status_codes: list[int]) -> dict[str, Any] | None:\n if not self.token:\n return None\n url_endpoint = f\"{self.api_url}/{endpoint}\"\n try:\n s = requests.Session()\n s.auth = (self.username, self.token)\n request = s.get(url_endpoint)\n if request.status_code in allowed_status_codes:\n data: \"dict[str, Any]\" = request.json()\n if isinstance(data, dict) and 'errors' in data.keys():\n return None\n return data\n else:\n request.raise_for_status()\n except Exception:\n logging.debug(f\"Query failed to run by returning code of {url_endpoint}\", exc_info=True)\n\n return None\n\n def _headers(self) -> dict[str, Any]:\n # not needed here\n return {}\n\n def get_branch_restrictions(self) -> dict[str, Any] | None:\n if self.current_repository:\n branch_restrictions = self._request(endpoint=f\"repositories/{self.current_repository}/branch-restrictions\",\n allowed_status_codes=[200])\n return branch_restrictions\n logging.debug(\"Environment variable BITBUCKET_REPO_FULL_NAME was not set. Cannot fetch branch restrictions.\")\n return None\n\n def persist_branch_restrictions(self) -> None:\n branch_restrictions = self.get_branch_restrictions()\n\n if branch_restrictions:\n BaseVCSDAL.persist(path=self.bitbucket_branch_restrictions_file_path, conf=branch_restrictions)\n\n def persist_all_confs(self) -> None:\n if strtobool(os.getenv(\"CKV_BITBUCKET_CONFIG_FETCH_DATA\", \"True\")):\n self.persist_branch_restrictions()\n"
},
{
"path": "checkov/bitbucket/registry.py",
"content": "from checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.json_doc.base_registry import Registry\n\nregistry = Registry(CheckType.BITBUCKET_CONFIGURATION)\n"
},
{
"path": "checkov/bitbucket/runner.py",
"content": "from __future__ import annotations\n\nfrom typing import TYPE_CHECKING\n\nfrom checkov.bitbucket.dal import Bitbucket\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.json_doc.runner import Runner as JsonRunner\nfrom checkov.runner_filter import RunnerFilter\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n from checkov.common.output.report import Report\n\n\nclass Runner(JsonRunner):\n check_type = CheckType.BITBUCKET_CONFIGURATION # noqa: CCE003 # a static attribute\n\n def __init__(self) -> None:\n self.bitbucket = Bitbucket()\n super().__init__()\n\n def run(\n self,\n root_folder: str | None = None,\n external_checks_dir: list[str] | None = None,\n files: list[str] | None = None,\n runner_filter: RunnerFilter | None = None,\n collect_skip_comments: bool = True\n ) -> Report | list[Report]:\n runner_filter = runner_filter or RunnerFilter()\n if not runner_filter.show_progress_bar:\n self.pbar.turn_off_progress_bar()\n\n self.prepare_data()\n\n report = super().run(\n root_folder=self.bitbucket.bitbucket_conf_dir_path,\n external_checks_dir=external_checks_dir,\n files=None, # ignore file scans\n runner_filter=runner_filter,\n collect_skip_comments=collect_skip_comments,\n )\n\n return report\n\n def prepare_data(self) -> None:\n self.bitbucket.persist_all_confs()\n\n def require_external_checks(self) -> bool:\n # default json runner require only external checks. Bitbucket runner brings build in checks\n return False\n\n def import_registry(self) -> BaseCheckRegistry:\n from checkov.bitbucket.registry import registry\n return registry\n"
},
{
"path": "checkov/bitbucket/schemas/__init__.py",
"content": ""
},
{
"path": "checkov/bitbucket/schemas/branch_restrictions.py",
"content": "from checkov.common.vcs.vcs_schema import VCSSchema\n\n\nclass BranchRestrictionsSchema(VCSSchema):\n def __init__(self) -> None:\n schema = \\\n {\n \"$schema\": \"http://json-schema.org/draft-04/schema#\",\n \"type\": \"object\",\n \"properties\": {\n \"pagelen\": {\n \"type\": \"integer\"\n },\n \"values\": {\n \"type\": \"array\",\n \"items\": [\n {\n \"type\": \"object\",\n \"properties\": {\n \"kind\": {\n \"type\": \"string\"\n },\n \"users\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"links\": {\n \"type\": \"object\",\n \"properties\": {\n \"self\": {\n \"type\": \"object\",\n \"properties\": {\n \"href\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"href\"\n ]\n }\n },\n \"required\": [\n \"self\"\n ]\n },\n \"pattern\": {\n \"type\": \"string\"\n },\n\n \"branch_match_kind\": {\n \"type\": \"string\"\n },\n \"groups\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"type\": {\n \"type\": \"string\"\n },\n \"id\": {\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"kind\",\n \"users\",\n \"links\",\n \"pattern\",\n \"branch_match_kind\",\n \"groups\",\n \"type\",\n \"id\"\n ]\n },\n {\n \"type\": \"object\",\n \"properties\": {\n \"kind\": {\n \"type\": \"string\"\n },\n \"users\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"links\": {\n \"type\": \"object\",\n \"properties\": {\n \"self\": {\n \"type\": \"object\",\n \"properties\": {\n \"href\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"href\"\n ]\n }\n },\n \"required\": [\n \"self\"\n ]\n },\n \"pattern\": {\n \"type\": \"string\"\n },\n\n \"branch_match_kind\": {\n \"type\": \"string\"\n },\n \"groups\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"type\": {\n \"type\": \"string\"\n },\n \"id\": {\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"kind\",\n \"users\",\n \"links\",\n \"pattern\",\n \"branch_match_kind\",\n \"groups\",\n \"type\",\n \"id\"\n ]\n },\n {\n \"type\": \"object\",\n \"properties\": {\n \"kind\": {\n \"type\": \"string\"\n },\n \"users\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"links\": {\n \"type\": \"object\",\n \"properties\": {\n \"self\": {\n \"type\": \"object\",\n \"properties\": {\n \"href\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"href\"\n ]\n }\n },\n \"required\": [\n \"self\"\n ]\n },\n \"pattern\": {\n \"type\": \"string\"\n },\n\n \"branch_match_kind\": {\n \"type\": \"string\"\n },\n \"groups\": {\n \"type\": \"array\",\n \"items\": {}\n },\n \"type\": {\n \"type\": \"string\"\n },\n \"id\": {\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"kind\",\n \"users\",\n \"links\",\n \"pattern\",\n \"branch_match_kind\",\n \"groups\",\n \"type\",\n \"id\"\n ]\n }\n ]\n },\n \"page\": {\n \"type\": \"integer\"\n },\n \"size\": {\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"pagelen\",\n \"values\",\n \"page\",\n \"size\"\n ]\n }\n super().__init__(schema=schema)\n\n\nschema = BranchRestrictionsSchema()\n"
},
{
"path": "checkov/bitbucket_pipelines/__init__.py",
"content": "from checkov.bitbucket_pipelines.checks import * # noqa\n"
},
{
"path": "checkov/bitbucket_pipelines/base_bitbucket_pipelines_check.py",
"content": "from __future__ import annotations\n\nfrom abc import abstractmethod\nfrom collections.abc import Iterable\nfrom typing import TYPE_CHECKING, Any\n\nfrom checkov.common.checks.base_check import BaseCheck\n\nfrom checkov.common.models.enums import CheckCategories\nfrom checkov.bitbucket_pipelines.registry import registry\n\nif TYPE_CHECKING:\n from checkov.common.models.enums import CheckResult\n\n\nclass BaseBitbucketPipelinesCheck(BaseCheck):\n def __init__(\n self, name: str, id: str, supported_entities: Iterable[str], block_type: str, path: str | None = None\n ) -> None:\n categories = (CheckCategories.SUPPLY_CHAIN,)\n\n super().__init__(\n name=name,\n id=id,\n categories=categories,\n supported_entities=supported_entities,\n block_type=block_type,\n )\n self.path = path\n registry.register(self)\n\n def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]:\n self.entity_type = entity_type\n\n return self.scan_conf(conf)\n\n @abstractmethod\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n pass\n"
},
{
"path": "checkov/bitbucket_pipelines/checks/__init__.py",
"content": "from pathlib import Path\n\nmodules = Path(__file__).parent.glob(\"*.py\")\n__all__ = [f.stem for f in modules if f.is_file() and not f.stem == \"__init__\"]\n"
},
{
"path": "checkov/bitbucket_pipelines/checks/latest_image.py",
"content": "from __future__ import annotations\n\nfrom typing import Any\n\nfrom checkov.bitbucket_pipelines.base_bitbucket_pipelines_check import BaseBitbucketPipelinesCheck\nfrom checkov.common.models.enums import CheckResult\nfrom checkov.yaml_doc.enums import BlockType\n\n\nclass ImageReferenceLatestTag(BaseBitbucketPipelinesCheck):\n def __init__(self) -> None:\n name = \"Ensure the pipeline image uses a non latest version tag\"\n id = \"CKV_BITBUCKETPIPELINES_1\"\n super().__init__(\n name=name,\n id=id,\n block_type=BlockType.ARRAY,\n supported_entities=(\n \"[{image:image,__startline__:__startline__,__endline__:__endline__}]\",\n \"pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__}\",\n \"pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__}\",\n ),\n )\n\n def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any]]:\n if not isinstance(conf, dict):\n return CheckResult.UNKNOWN, conf\n image = conf.get(\"image\")\n if not image:\n return CheckResult.UNKNOWN, conf\n if isinstance(image, str):\n if image.endswith(\":latest\"):\n return CheckResult.FAILED, conf\n\n return CheckResult.PASSED, conf\n\n\ncheck = ImageReferenceLatestTag()\n"
},
{
"path": "checkov/bitbucket_pipelines/registry.py",
"content": "from checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.yaml_doc.base_registry import Registry\n\nregistry = Registry(CheckType.BITBUCKET_PIPELINES)\n"
},
{
"path": "checkov/bitbucket_pipelines/runner.py",
"content": "from __future__ import annotations\n\nfrom typing import Any, TYPE_CHECKING\n\nfrom checkov.bitbucket_pipelines.registry import registry\nfrom checkov.common.bridgecrew.check_type import CheckType\nfrom checkov.yaml_doc.runner import Runner as YamlRunner\n\nif TYPE_CHECKING:\n from checkov.common.checks.base_check_registry import BaseCheckRegistry\n\n\nclass Runner(YamlRunner):\n check_type = CheckType.BITBUCKET_PIPELINES # noqa: CCE003 # a static attribute\n\n def __init__(self) -> None:\n super().__init__()\n\n def require_external_checks(self) -> bool:\n return False\n\n def import_registry(self) -> BaseCheckRegistry:\n return registry\n\n @staticmethod\n def is_workflow_file(file_path: str) -> bool:\n \"\"\"\n :return: True if the file mentioned is named bitbucket-pipelines.yml. Otherwise: False\n \"\"\"\n return file_path.endswith((\"bitbucket-pipelines.yml\", \"bitbucket-pipelines.yaml\"))\n\n @staticmethod\n def _parse_file(\n f: str, file_content: str | None = None\n ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None:\n if Runner.is_workflow_file(f):\n return YamlRunner._parse_file(f)\n\n return None\n"
},
{
"path": "checkov/cdk/__init__.py",
"content": ""
},
{
"path": "checkov/cdk/checks/__init__.py",
"content": ""
},
{
"path": "checkov/cdk/checks/python/ALBDropHttpHeaders.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_131\n name: Ensure that ALB drops HTTP headers\n category: NETWORKING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer()\n conditions:\n - not_pattern: |\n aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,)\n - not_pattern: |\n aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,)\n - not_pattern: |\n aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,, type='application' ,)\n - not_pattern: |\n aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,, type='application' ,)"
},
{
"path": "checkov/cdk/checks/python/ALBListenerHTTPS.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_2\n name: Ensure EFS is securely encrypted\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener()\n conditions:\n - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='HTTPS', )\n - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TLS', )\n - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP', )\n - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='UDP', )\n - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP_UDP', )\n - not_pattern: |\n aws_cdk.aws_elasticloadbalancingv2.CfnListener(, default_actions=[, {'type': 'redirect', 'redirectConfig':{'protocol': 'HTTPS'}} , ] , )"
},
{
"path": "checkov/cdk/checks/python/APIGatewayAccessLogging.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_76\n name: Ensure API Gateway has Access Logging enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: aws_cdk.aws_apigateway.CfnStage()\n conditions:\n - not_pattern: aws_cdk.aws_apigateway.CfnStage(, access_log_setting=aws_cdk.aws_apigateway.CfnStage.AccessLogSettingProperty(, destination_arn=$ARG , ) , )\n - not_pattern: |\n $P = aws_cdk.aws_apigateway.CfnStage.AccessLogSettingProperty(, destination_arn=$ARG , )\n \n aws_cdk.aws_apigateway.CfnStage(, access_log_setting=$P, )\n - pattern: aws_cdk.aws_serverless.Api()\n conditions:\n - not_pattern: |\n aws_cdk.aws_serverless.Api(, default_stage={, \"access_log_setting\": aws_cdk.aws_serverless.AccessLogSetting(, destination_arn=$ARG,), } , )\n - not_pattern: |\n $P = aws_cdk.aws_serverless.AccessLogSetting(, destination_arn=$ARG , )\n \n aws_cdk.aws_serverless.Api(, default_stage={, \"access_log_setting\": $P, }, )\n"
},
{
"path": "checkov/cdk/checks/python/APIGatewayAuthorization.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_59\n name: Ensure there is no open access to back-end resources through API\n category: GENERAL_SECURITY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: aws_cdk.aws_apigateway.Method(, http_method=$ARG, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , api_key_required=False, )\n - pattern: aws_cdk.aws_apigateway.Method(, http_method=$ARG, , api_key_required=False, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, )\n - pattern: aws_cdk.aws_apigateway.Method(, authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , http_method=$ARG, , api_key_required=False, )\n - pattern: aws_cdk.aws_apigateway.Method(, authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , api_key_required=False, , http_method=$ARG, )\n - pattern: aws_cdk.aws_apigateway.Method(, api_key_required=False, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, , http_method=$ARG, )\n - pattern: aws_cdk.aws_apigateway.Method(, api_key_required=False, , http_method=$ARG, , authorization_type=aws_cdk.aws_apigateway.AuthorizationType.NONE, )\n conditions:\n - metavariable: $ARG\n not_regex: OPTIONS"
},
{
"path": "checkov/cdk/checks/python/APIGatewayCacheEnable.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_120\n name: Ensure API Gateway caching is enabled\n category: BACKUP_AND_RECOVERY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: aws_cdk.aws_apigateway.Stage()\n conditions:\n - not_pattern: aws_cdk.aws_apigateway.Stage(, cache_cluster_enabled=True, )\n - pattern: aws_cdk.aws_sam.CfnApi()\n conditions:\n - not_pattern: aws_cdk.aws_sam.CfnApi(, cacheClusterEnabled=True , )"
},
{
"path": "checkov/cdk/checks/python/APIGatewayV2AccessLogging.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_95\n name: Ensure API Gateway V2 has Access Logging enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_apigatewayv2.$FUNC()\n conditions:\n - not_pattern: aws_cdk.aws_apigatewayv2.$FUNC(, access_log_settings=aws_cdk.aws_apigatewayv2.$FUNC.AccessLogSettingsProperty(, destination_arn=$ARG ,) ,)\n - metavariable: $FUNC\n regex: (CfnStage|CfnApi)\n"
},
{
"path": "checkov/cdk/checks/python/APIGatewayXray.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_73\n name: Ensure API Gateway has X-Ray Tracing enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.$MOD.CfnStage()\n conditions:\n - not_pattern: aws_cdk.$MOD.CfnStage(, tracing_enabled=True , )\n - metavariable: $MOD\n regex: (aws_apigateway|aws_apigateway2)"
},
{
"path": "checkov/cdk/checks/python/AmazonMQBrokerPublicAccess.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_69\n name: Ensure Amazon MQ Broker should not have public access\n category: GENERAL_SECURITY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_amazonmq.CfnBroker(, publicly_accessible=True , )"
},
{
"path": "checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_194\n name: Ensure AppSync has Field-Level logs enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_appsync.CfnGraphQLApi()\n conditions:\n - not_pattern:\n source: aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , )\n sink: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )\n - not_pattern: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , ) , )\n - not_pattern: |\n $LOG = aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, field_log_level=aws_cdk.aws_appsync.FieldLogLevel.$ARG , )\n \n aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )\n - metavariable: $ARG\n regex: (ERROR|ALL)"
},
{
"path": "checkov/cdk/checks/python/AppSyncLogging.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_193\n name: Ensure AppSync has Logging enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_appsync.CfnGraphQLApi()\n conditions:\n - not_pattern: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, cloud_watch_logs_role_arn=$ARG , ) , )\n - not_pattern: |\n $LOG = aws_cdk.aws_appsync.CfnGraphQLApi.LogConfigProperty(, cloud_watch_logs_role_arn=$ARG , )\n \n aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , )"
},
{
"path": "checkov/cdk/checks/python/AthenaWorkgroupConfiguration.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_82\n name: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption\n category: GENERAL_SECURITY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_athena.CfnWorkGroup()\n conditions:\n - not_pattern: aws_cdk.aws_athena.CfnWorkGroup(, work_group_configuration=aws_cdk.aws_athena.CfnWorkGroup.WorkGroupConfigurationProperty(, enforce_work_group_configuration=True , ) , )\n - not_pattern: |\n $ARG = aws_cdk.aws_athena.CfnWorkGroup.WorkGroupConfigurationProperty(, enforce_work_group_configuration=True , )\n \n aws_cdk.aws_athena.CfnWorkGroup(, work_group_configuration=$ARG , )"
},
{
"path": "checkov/cdk/checks/python/AuroraEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_96\n name: Ensure all data stored in Aurora is securely encrypted at rest\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_rds.CfnDBCluster()\n conditions:\n - not_pattern: aws_cdk.aws_rds.CfnDBCluster(, storage_encrypted=True ,)"
},
{
"path": "checkov/cdk/checks/python/BackupVaultEncrypted.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_166\n name: Ensure Backup Vault is encrypted at rest using KMS CMK\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_backup.CfnBackupVault()\n conditions:\n - not_pattern: aws_cdk.aws_backup.CfnBackupVault(, encryption_key_arn=$ARG, )"
},
{
"path": "checkov/cdk/checks/python/CloudFrontTLS12.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_174\n name: Verify CloudFront Distribution Viewer Certificate is using TLS v1.2\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_cloudfront.CfnDistribution()\n conditions:\n - not_pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, viewer_certificate=aws_cdk.aws_cloudfront.CfnDistribution.ViewerCertificateProperty(, minimum_protocol_version='TLSv1.2' ,) ,) ,)"
},
{
"path": "checkov/cdk/checks/python/CloudTrailLogValidation.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_36\n name: Ensure CloudTrail log file validation is enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_cloudtrail.CfnTrail()\n conditions:\n - not_pattern: aws_cdk.aws_cloudtrail.CfnTrail(, enable_log_file_validation=True , )"
},
{
"path": "checkov/cdk/checks/python/CloudWatchLogGroupKMSKey.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_158\n name: Ensure that CloudWatch Log Group is encrypted by KMS\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_logs.LogGroup()\n conditions:\n - not_pattern: aws_cdk.aws_logs.LogGroup(, kms_key=$KEY, )"
},
{
"path": "checkov/cdk/checks/python/CloudWatchLogGroupRetention.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_66\n name: Ensure that CloudWatch Log Group specifies retention days\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_logs.CfnLogGroup()\n conditions:\n - not_pattern: aws_cdk.aws_logs.CfnLogGroup(, retention_in_days=$NUM ,)"
},
{
"path": "checkov/cdk/checks/python/CloudfrontDistributionEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_34\n name: Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, default_cache_behavior=aws_cdk.aws_cloudfront.CfnDistribution.DefaultCacheBehaviorProperty(,viewer_protocol_policy='allow-all' ,) ,) , )\n - pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(,cache_behaviors=[,aws_cdk.aws_cloudfront.CfnDistribution.CacheBehaviorProperty(, viewer_protocol_policy='allow-all' ,) ,] ,) ,)"
},
{
"path": "checkov/cdk/checks/python/CloudfrontDistributionLogging.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_86\n name: Ensure CloudFront distribution has Access Logging enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_cloudfront.CfnDistribution()\n conditions:\n - not_pattern: aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config=aws_cdk.aws_cloudfront.CfnDistribution.DistributionConfigProperty(, logging=aws_cdk.aws_cloudfront.CfnDistribution.LoggingProperty(, bucket=$ARG ,) ,) ,)"
},
{
"path": "checkov/cdk/checks/python/CloudtrailEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_35\n name: Ensure CloudTrail logs are encrypted at rest using KMS CMKs\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_cloudtrail.CfnTrail()\n conditions:\n - not_pattern: aws_cdk.aws_cloudtrail.CfnTrail(, kms_key_id=$ARG ,)"
},
{
"path": "checkov/cdk/checks/python/CloudtrailMultiRegion.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_67\n name: Ensure CloudTrail is enabled in all Regions\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_cloudtrail.Trail()\n conditions:\n - not_pattern: aws_cdk.aws_cloudtrail.Trail(, is_multi_region_trail=True ,)"
},
{
"path": "checkov/cdk/checks/python/CodeBuildProjectEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_78\n name: Ensure that CodeBuild Project encryption is not disabled\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: aws_cdk.aws_codebuild.Project(, artifacts=aws_cdk.aws_codebuild.Artifacts(, type=aws_cdk.aws_codebuild.ArtifactsType.S3, , encryption_disabled=True, ) , )\n - pattern: aws_cdk.aws_codebuild.Project(, artifacts=aws_cdk.aws_codebuild.Artifacts(, encryption_disabled=True, , type=aws_cdk.aws_codebuild.ArtifactsType.S3, ) , )"
},
{
"path": "checkov/cdk/checks/python/DAXEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_47\n name: Ensure DAX is encrypted at rest (default is unencrypted)\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_dax.CfnCluster()\n conditions:\n - not_pattern: aws_cdk.aws_dax.CfnCluster(, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , ), )\n - not_pattern: |\n $P = aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , )\n \n aws_cdk.aws_dax.CfnCluster(sse_specification=$P)"
},
{
"path": "checkov/cdk/checks/python/DMSReplicationInstancePubliclyAccessible.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_89\n name: DMS replication instance should not be publicly accessible\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_dms.ReplicationInstance(, publicly_accessible=True, )"
},
{
"path": "checkov/cdk/checks/python/DocDBAuditLogs.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_104\n name: Ensure DocumentDB has audit logs enabled\n category: LOGGING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_docdb.CfnDBClusterParameterGroup()\n conditions:\n - not_pattern: 'aws_cdk.aws_docdb.CfnDBClusterParameterGroup(, parameters={, \"audit_logs\": \"enabled\" , } , )'"
},
{
"path": "checkov/cdk/checks/python/DocDBEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_74\n name: Ensure DocumentDB is encrypted at rest (default is unencrypted)\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_docdb.CfnDBCluster()\n conditions:\n - not_pattern: aws_cdk.aws_neptune.CfnDBCluster(, storage_encrypted=True , )"
},
{
"path": "checkov/cdk/checks/python/DocDBTLS.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_90\n name: Ensure DocumentDB TLS is not disabled\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: |\n aws_cdk.aws_docdb.CfnDBClusterParameterGroup(, parameters={'tls': 'disabled'} ,)"
},
{
"path": "checkov/cdk/checks/python/DynamodbGlobalTableRecovery.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_165\n name: Ensure DynamoDB global table point in time recovery (backup) is enabled\n category: BACKUP_AND_RECOVERY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_dynamodb.CfnGlobalTable()\n conditions:\n - not_pattern: aws_cdk.aws_dynamodb.CfnGlobalTable(, replicas=[, aws_cdk.aws_dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(, point_in_time_recovery_specification=aws_cdk.aws_dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(point_in_time_recovery_enabled=True) , ) , ], )"
},
{
"path": "checkov/cdk/checks/python/DynamodbRecovery.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_28\n name: Ensure DynamoDB point-in-time recovery (backup) is enabled\n category: BACKUP_AND_RECOVERY\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_dynamodb.Table()\n conditions:\n - not_pattern: aws_cdk.aws_dynamodb.Table(, point_in_time_recovery=True , )"
},
{
"path": "checkov/cdk/checks/python/EBSEncryption.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_3\n name: Ensure all data stored in the EBS is securely encrypted\n category: ENCRYPTION\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n pattern: aws_cdk.aws_ec2.Volume()\n conditions:\n - not_pattern: aws_cdk.aws_ec2.Volume(, encrypted=True , )"
},
{
"path": "checkov/cdk/checks/python/EC2PublicIP.yaml",
"content": "metadata:\n version: 0.2\n approach: define failing\n id: CKV_AWS_88\n name: EC2 instance should not have public IP\n category: NETWORKING\n framework: cdk\nscope:\n languages:\n - python\ndefinition:\n patterns:\n or:\n - pattern: | \n aws_cdk.aws_ec2.CfnInstance(, network_interfaces=[, {'associate_public_ip_address': True} ,] ,)\n - pattern: | \n aws_cdk.aws_ec2.CfnLaunchTemplate(, launch_template_data={'network_interfaces':[, {'associate_public_ip_address': True} ,]} ,