Closed pimielowski closed 1 year ago
Modified the checkov hook to exclude certain checks
Fixed issues with a lot of other checks
The following checks have been fixed by modifying the code:
Checkov ID | Description | Status |
---|---|---|
CKV_AWS_79 | Instance Metadata Service version 1 is enabled | Fixed |
CKV_AWS_8 | Ensure Instances and Launch configurations use encrypted EBS volumes | Fixed |
CKV_AWS_50 | Ensure AWS Lambda functions with tracing are enabled | Fixed |
CKV_AWS_23 | Ensure every Security Group rule has a description | Fixed |
CKV_AWS_21 | Ensure AWS S3 object versioning is enabled | Fixed |
CKV_AWS_19 | Ensure data stored in the S3 bucket is securely encrypted at rest | Fixed |
CKV2_AWS_41 | Ensure an IAM role is attached to EC2 instance | Fixed |
CKV_AWS_115 | Ensure AWS Lambda function is configured for function-level concurrent execution limit | Fixed |
CKV_AWS_237 | Ensure Create before destroy for API GATEWAY | Fixed |
CKV_AWS_217 | Ensure Create before destroy for API deployments | Fixed |
CKV2_GHA_1 | Ensure GitHub ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | Fixed |
CKV_AWS_88 | Ensure AWS EC2 instances aren't automatically made public with a public IP | Fixed |
CKV_AWS_117 | Ensure that AWS Lambda function is configured inside a VPC | Fixed |
CKV_AWS_59 | Ensure there is no open access to back-end resources through API | Fixed |
CKV_AWS_91 | Ensure AWS ELB (Classic) with access log is enabled | Fixed |
CKV_AWS_57 | S3 Bucket has an ACL defined which allows public WRITE access. | Fixed |
CKV_AWS_20 | S3 Bucket has an ACL defined which allows public READ access. | Fixed |
CKV2_AWS_2 | Ensure that only encrypted EBS volumes are attached to EC2 instances | Fixed |
CKV_AWS_3 | Ensure all data stored in the EBS is securely encrypted | Fixed |
CKV2_AWS_6 | Ensure that S3 bucket has a Public Access block | Fixed |
CKV_AWS_55 | Ensure S3 bucket has ignore public ACLs enabled | Fixed |
CKV_AWS_56 | Ensure S3 bucket has 'restrict_public_bucket' enabled | Fixed |
CKV_AWS_145 | Ensure that S3 buckets are encrypted with KMS by default | Fixed |
CKV_AWS_355 | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Fixed |
CKV_AWS_186 | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Fixed |
Checkov ID | Description | Status |
---|---|---|
CKV_AWS_290 | Ensure IAM policies does not allow write access without constraints | Soft fail - while trying not to use "*" for resource, I have problems e.g. in asg module for Lambda, for which I haven't found a solution yet - do we really need to get rid of this resource? |
CKV_AWS_355 | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Soft fail - while trying not to use "*" for resource, I have problems e.g. in asg module for Lambda, for which I haven't found a solution yet - do we really need to get rid of this resource? |
Checkov ID | Description | Status |
---|---|---|
CKV_AWS_150 | Ensure load balancer has deletion protection enabled | Skipped - this would cause issues with IaC operations |
CKV_AWS_18 | Ensure AWS access logging is enabled on S3 buckets | Skipped - requires an additional bucket for logging... |
CKV_AWS_144 | Ensure that S3 bucket has cross-region replication enabled | Skipped |
CKV2_AWS_19 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Skipped - we are doing the associations with the NICs already? |
CKV_AWS_272 | Ensure AWS Lambda function is configured to validate code-signing | Skipped - too much complexity for little benefit |
CKV_AWS_116 | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Skipped - Too much complexity for little benefit |
CKV2_AWS_11 | Ensure VPC flow logging is enabled in all VPCs | Skipped - visibility is done by the vmseries itself |
CKV2_AWS_28 | Ensure public facing ALB are protected by WAF | Skipped - WAF functionality is not required |
CKV_AWS_173 | Check encryption settings for Lambda environmental variable | Skipped - Too much complexity for little benefit |
CKV2_AWS_5 | Ensure that Security Groups are attached to another resource | Skipped - does not make sense for me... |
CKV2_AWS_12 | Ensure the default security group of every VPC restricts all traffic | Skipped |
CKV2_AWS_1 | Ensure all NACL are attached to subnets | Skipped - we are attaching NACL using aws_network_acl_association in module subnet_set |
CKV_AWS_126 | Ensure detailed monitoring for EC2 instances is enabled | Skipped - we don't need detailed monitoring enabled by default e.g. for spoke VMs it's useless |
CKV_AWS_2 | Ensure ALB protocol is HTTPS | Skipped - for testing purposes we are using not only HTTPS, but also HTTP and SSH protocol (for NLB) |
CKV_AWS_103 | Ensure that load balancer is using at least TLS 1.2 | Skipped - for testing purposes we are using not only HTTPS, but also HTTP, so SSL policy is optional |
CKV_AWS_123 | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Skipped - in tests executed in GitHub actions we need automatic acceptance |
CKV2_AWS_62 | Ensure S3 buckets should have event notifications enabled | Skipped - not really needed for examples, where buckets are used mainly to bootstrap VM-Series |
CKV2_AWS_61 | Ensure that an S3 bucket has a lifecycle configuration | Skipped - not really needed for examples, where buckets are used mainly to bootstrap VM-Series |
CKV2_AWS_53 | Ensure AWS API gateway request is validated | Skipped - no example is using module crosszone_failover, so at this moment there is no need to build an API Gateway Request Validator |
CKV2_AWS_20 | Ensure that ALB redirects HTTP requests into HTTPS ones | Skipped - we need HTTP for testing purposes |
CKV_AWS_135 | Ensure that EC2 is EBS optimized | Skipped - for spoke VMs we have t2.micro instance type, for which EBS optimized is not supported |
Syntax for excluding checks one by one (the comment goes inside the block the skip applies to):

```hcl
#checkov:skip=<CHECK_ID>:<Exclusion comment>
```
I've updated the table created by @horiagunica while preparing fixes in #339
Changes are merged with #339
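As an added example (not part of this PR or the project's own code), the script below audits the `#checkov:skip=<CHECK_ID>:<comment>` suppressions in a Terraform file: it records which resource/data/module block each skip sits in, flags skips with no justification comment, with a check ID that does not look like `CKV_<PROVIDER>_<N>` or `CKV2_<PROVIDER>_<N>`, or placed outside any block, and builds a skip inventory you can compare against a table like the one above. The Terraform in `SAMPLE_TF` is constructed for the example; the function names and the assumption that checkov only honours an inline skip placed inside the block's body are mine.

```python
"""Audit inline checkov suppressions in a Terraform file (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Inline suppression syntax: #checkov:skip=<CHECK_ID>:<comment>   (comment is optional)
SKIP_RE = re.compile(r"^\s*#\s*checkov:skip=(?P<check>[^:\s]+)(?::(?P<reason>.*))?\s*$")
# CKV_<PROVIDER>_<N> for built-in checks, CKV2_<PROVIDER>_<N> for graph checks (assumed shape)
CHECK_ID_RE = re.compile(r"^CKV2?_[A-Z]+_\d+$")
# Opening line of a resource/data block or a module block
BLOCK_RE = re.compile(
    r'^\s*(?:(?P<kind>resource|data)\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"'
    r'|(?P<module>module)\s+"(?P<mname>[^"]+)")\s*\{'
)


@dataclass
class Skip:
    line: int
    check_id: str
    reason: str
    block: Optional[str]  # e.g. "aws_lb.this" or "module.vpc"; None when outside every block


def parse_skips(hcl: str) -> List[Skip]:
    """Collect every inline skip together with the block whose body contains it."""
    skips: List[Skip] = []
    block: Optional[str] = None
    depth = 0  # brace depth; 0 means we are at the top level of the file
    for lineno, raw in enumerate(hcl.splitlines(), start=1):
        m = SKIP_RE.match(raw)
        if m:
            skips.append(Skip(lineno, m["check"], (m["reason"] or "").strip(), block))
            continue
        if depth == 0:
            b = BLOCK_RE.match(raw)
            if b:
                if b["module"]:
                    block = f"module.{b['mname']}"
                elif b["kind"] == "data":
                    block = f"data.{b['type']}.{b['name']}"
                else:
                    block = f"{b['type']}.{b['name']}"
        # Blank out string literals (they may contain "${...}") and trailing comments
        # before counting braces, so interpolation syntax does not skew the depth.
        code = re.sub(r'"[^"]*"', '""', raw).split("#", 1)[0]
        depth += code.count("{") - code.count("}")
        if depth <= 0:
            depth, block = 0, None
    return skips


def audit(skips: List[Skip]) -> List[str]:
    """Return one finding per suppression a reviewer should push back on."""
    findings: List[str] = []
    for s in skips:
        where = f"line {s.line} ({s.check_id})"
        if not CHECK_ID_RE.match(s.check_id):
            findings.append(f"{where}: malformed check ID, will not match any checkov check")
        if not s.reason:
            findings.append(f"{where}: no justification comment")
        if s.block is None:
            findings.append(f"{where}: not inside a resource/data/module block, checkov will not apply it")
    return findings


def suppressed_checks(skips: List[Skip]) -> Dict[str, List[Optional[str]]]:
    """Map check ID -> blocks it is suppressed on (the inventory to reconcile with the PR table)."""
    inventory: Dict[str, List[Optional[str]]] = {}
    for s in skips:
        inventory.setdefault(s.check_id, []).append(s.block)
    return inventory


# Constructed sample input: one well-formed skip, one without a reason, one outside
# any block, and one with a lower-case (malformed) check ID.
SAMPLE_TF = '''\
resource "aws_lb" "this" {
  #checkov:skip=CKV_AWS_150:Deletion protection would block terraform destroy in CI
  #checkov:skip=CKV_AWS_2
  name               = "vmseries-test"
  load_balancer_type = "network"
}

resource "aws_s3_bucket" "bootstrap" {
  # checkov:skip=CKV_AWS_144:Replication not needed for a VM-Series bootstrap bucket
  bucket = "${var.name_prefix}-bootstrap"   # braces inside a string must not count
  tags   = { Name = "bootstrap" }
}

#checkov:skip=CKV_AWS_18:Logging bucket not provisioned in examples
module "vpc" {
  # checkov:skip=ckv2_aws_11:flow logs replaced by VM-Series visibility
  source = "../../modules/vpc"
}
'''

if __name__ == "__main__":
    found = parse_skips(SAMPLE_TF)
    for check, blocks in suppressed_checks(found).items():
        print(f"{check}: {', '.join(str(b) for b in blocks)}")
    for finding in audit(found):
        print("WARN", finding)
```

Run it against a module directory by reading each `*.tf` file into `parse_skips`; the inventory tells you which checks are silenced where, and the findings list is what to raise in review before accepting a skip.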
Is your feature request related to a problem?
Right now we don't specify which checks we want to run, and the result is that all the errors checkov reports are skipped because they touch something we don't need or don't want to check.
Describe the solution you'd like
We need to clarify which checks we want to run and configure them properly.