Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support for awscc provider secrets check #6647

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: add support for awscc provider secrets check #6647

wants to merge 4 commits into from

Conversation

quixoticmonk
Copy link
Contributor

@quixoticmonk quixoticmonk commented Aug 9, 2024
edited by baz-review bot
Loading

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

The PR intends to extend the CKV_AWS_41 to have an AWSCC variant to the support the provider. Since the IDs have to be unique, I have currently kept it to be CKV_AWSCC_41 with the assumption that the rules are based on the provider and not the target platform. Ideally this can be handled as an extension to CKV_AWS_41, but the tests and any additional resourced based rules would need AWS CC based resources which have a different resource attribute structure in many cases.

Though this PR doesn't fix #6410, the intention is to start contributing rules targeting AWSCC provider.

New/Edited policies (Delete if not relevant)

  • [NEW] : CKV_AWSCC_41 : "Ensure no hard coded AWS access key and secret key exists in provider"

Description

The rule maps back to the way a provider is configured to work with AWS.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Dear maintainer, below is a concise technical summary of the changes proposed in this PR:

Introduce a new security check CKV_AWSCC_41 to ensure no hard-coded AWS access keys and secret keys exist in the AWSCC provider configuration. This involves creating a new class AWSCCCredentials in credentials.py under the awscc provider directory. The class extends BaseProviderCheck and implements the scan_provider_conf method to detect hard-coded credentials using regex patterns. Additionally, the __init__.py files are updated to include the new provider and its checks. Corresponding unit tests are added in test_credentials.py to validate the functionality of the new check.

TopicDetails
AWSCC Security Check Add a new security check for AWSCC provider to detect hard-coded credentials.
Modified files (2)
  • tests/terraform/checks/provider/awscc/test_credentials.py
  • checkov/terraform/checks/provider/awscc/credentials.py
Latest Contributors(0)
EmailCommitDate
Provider Imports Update Update provider imports to include AWSCC checks.
Modified files (2)
  • checkov/terraform/checks/provider/__init__.py
  • checkov/terraform/checks/provider/awscc/__init__.py
Latest Contributors(2)
EmailCommitDate
jholland@paloaltonetwo...Initial-panos-terrafor...January 04, 2022
[email protected]add-pre-commit-flake8December 12, 2021
This pull request is reviewed by Baz. Join @quixoticmonk and the rest of your team on (Baz).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for AWSCC Terraform provider
1 participant
@quixoticmonk