bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Check suppression in plan-file mode fails half the time #1286

Closed kevincantu closed 2 years ago

kevincantu commented 3 years ago

I'm on macOS Big Sur, running Python 3.9.5 and the pip install of Checkov v2.0.192 with some Terraform v0.12.31 compatible code.

My Terraform code defines a GKE cluster and four node groups. I've satisfied Checkov in directory mode by adding about a dozen skips for particular things in Terraform comments, so that this reports no failed checks:

aporeto-ci/terraform % checkov --quiet --directory .
...
Passed checks: 39, Failed checks: 0, Skipped checks: 13

After some initial success with https://github.com/bridgecrewio/checkov/pull/1221, I expected a run with the --file flag to be ok with that stuff but maybe show me an additional failed check... But actually this occurs:

aporeto-ci/terraform % terraform plan --out plan.tfplan                         
...
aporeto-ci/terraform % terraform show -json plan.tfplan | jq . > plan.tfplan.json
aporeto-ci/terraform % 
aporeto-ci/terraform % checkov --quiet --compact --file plan.tfplan.json --repo-root-for-plan-enrichment . 

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  

By bridgecrew.io | version: 2.0.192 

terraform_plan scan results:

Passed checks: 45, Failed checks: 6, Skipped checks: 6

Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    FAILED for resource: google_container_cluster.primary
    File: ci-cluster.tf:1-60
    Guide: https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility

Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    FAILED for resource: google_container_cluster.primary
    File: ci-cluster.tf:1-60
    Guide: https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled

Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    FAILED for resource: google_container_cluster.primary
    File: ci-cluster.tf:1-60
    Guide: https://docs.bridgecrew.io/docs/ensure-use-of-binary-authorization

Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    FAILED for resource: google_container_cluster.primary
    File: ci-cluster.tf:1-60
    Guide: https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_7

Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    FAILED for resource: google_container_node_pool.tools
    File: ci-nodes-tools.tf:1-38
    Guide: https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled

Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    FAILED for resource: google_container_node_pool.worker
    File: ci-nodes-worker.tf:1-41
    Guide: https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled

But this really doesn't add up!

I have nearly identical node pools here and here, but only one of the two showed up in the failures above! Why would that skip instruction work in one and not the other??

// ci-nodes-web.tf
resource "google_container_node_pool" "web" {
  name    = "web-node-pool"
  //...
  //checkov:skip=CKV_GCP_68: don't enable secure boot until we schedule an outage
}
// ci-nodes-worker.tf
resource "google_container_node_pool" "worker" {
  name    = "worker-node-pool"
  //...
  //checkov:skip=CKV_GCP_68: don't enable secure boot until we schedule an outage
}

And in this file I have had to add a bunch of skips to satisfy directory-mode, but only half of them appeared in the failures in plan-mode:

resource "google_container_cluster" "primary" {
  name = "ci-gke-cluster"
  //...
  remove_default_node_pool = true
  //...
  //checkov:skip=CKV_GCP_61: enable this (and turn on the check) if you want to expose pod-to-pod traffic to VPC flow logging and firewalls
  enable_intranode_visibility = false

  //checkov:skip=CKV_GCP_21: (checkov bug?) I've added labels right here:
  resource_labels = local.default_labels

  //checkov:skip=CKV_GCP_69: (checkov bug?) with disabled default node pool this should be satisfied
  //checkov:skip=CKV_GCP_71: we'll enable shielded node features for all our node groups _later_
  //checkov:skip=CKV_GCP_65: avoid using Google Groups to manage RBAC users (this sounds cool as hell, but not today)
  // https://docs.bridgecrew.io/docs/manage-kubernetes-rbac-users-with-google-groups-for-gke
  //checkov:skip=CKV_GCP_13: avoid forcing client certificates auth for now
  //checkov:skip=CKV_GCP_66: avoid forcing binary auth for now
  //checkov:skip=CKV_GCP_24: avoid the PodSecurityPolicy controller (a beta feature for soon-to-be-deprecated PSPs)
  //checkov:skip=CKV_GCP_12: avoid a Network Policy for now (our CI needs lots of egress)
  // sounds neat though! https://kubernetes.io/docs/concepts/services-networking/network-policies/
}

There's a parser bug in here or something!
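A quick way to pin down which side of the comparison is wrong is to compute, independently of Checkov, the suppressions that the source tree promises for each resource address in the plan, and then diff that against the plan-mode failures. The script below is an added example written for this report; it is not Checkov's own enrichment code. It assumes the `resource_changes[].address` layout of `terraform show -json` output, reads `//checkov:skip=ID: reason` (or `#`-prefixed) comments inside each `resource` block with a simple brace-depth scan, and uses constructed sample sources and a constructed failure list modelled on the snippets and output quoted above (the `aporeto-ci` file names and the plan content are illustrative, not the reporter's real files).

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample Terraform sources, modelled on the snippets in the issue (not the real files).
TF_SOURCES = {
    "ci-nodes-web.tf": '''
resource "google_container_node_pool" "web" {
  name    = "web-node-pool"
  //checkov:skip=CKV_GCP_68: don't enable secure boot until we schedule an outage
}
''',
    "ci-nodes-worker.tf": '''
resource "google_container_node_pool" "worker" {
  name    = "worker-node-pool"
  //checkov:skip=CKV_GCP_68: don't enable secure boot until we schedule an outage
}
''',
    "ci-cluster.tf": '''
resource "google_container_cluster" "primary" {
  name = "ci-gke-cluster"
  //checkov:skip=CKV_GCP_61: enable this if you want pod-to-pod traffic in VPC flow logs
  enable_intranode_visibility = false
  //checkov:skip=CKV_GCP_66: avoid forcing binary auth for now
  //checkov:skip=CKV_GCP_12: avoid a Network Policy for now
}
''',
}

# Constructed minimal plan in the shape of `terraform show -json`; only the fields used here.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "google_container_cluster.primary"},
        {"address": "google_container_node_pool.web"},
        {"address": "google_container_node_pool.worker"},
    ]
})

# Constructed failure list, transcribed from the plan-mode output quoted in the issue.
PLAN_MODE_FAILURES: List[Tuple[str, str]] = [
    ("CKV_GCP_61", "google_container_cluster.primary"),
    ("CKV_GCP_68", "google_container_cluster.primary"),
    ("CKV_GCP_66", "google_container_cluster.primary"),
    ("CKV_GCP_12", "google_container_cluster.primary"),
    ("CKV_GCP_68", "google_container_node_pool.tools"),
    ("CKV_GCP_68", "google_container_node_pool.worker"),
]

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
SKIP_RE = re.compile(r'(?://|#)\s*checkov:skip=([A-Z0-9_]+)(?::\s*(.*))?$')


def parse_skips(tf_text: str) -> Dict[str, Dict[str, str]]:
    """Map each resource address (type.name) to the skip comments found inside its block.

    Block boundaries are tracked by brace depth; this assumes no braces inside
    strings or comments, which holds for the HCL shown in the issue.
    """
    skips: Dict[str, Dict[str, str]] = {}
    address = None
    depth = 0
    for line in tf_text.splitlines():
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            address = f"{m.group(1)}.{m.group(2)}"
            skips.setdefault(address, {})
        s = SKIP_RE.search(line)
        if s and address is not None:
            skips[address][s.group(1)] = (s.group(2) or "").strip()
        depth += line.count("{") - line.count("}")
        if depth == 0:
            address = None  # left the resource block
    return skips


def skips_for_plan(plan_json: str, tf_sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """For every address in the plan, the check ids that source comments ask to skip.

    A planned resource with no matching source block gets an empty set, which is
    exactly the case worth noticing when enrichment silently misses a file.
    """
    by_address: Dict[str, Dict[str, str]] = {}
    for text in tf_sources.values():
        by_address.update(parse_skips(text))
    plan = json.loads(plan_json)
    return {rc["address"]: set(by_address.get(rc["address"], {}))
            for rc in plan.get("resource_changes", [])}


def unsuppressed_failures(failures: List[Tuple[str, str]],
                          expected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Failures that a skip comment in source should have suppressed but did not."""
    return [(check, addr) for check, addr in failures if check in expected.get(addr, set())]


if __name__ == "__main__":
    expected = skips_for_plan(PLAN_JSON, TF_SOURCES)
    for check, addr in unsuppressed_failures(PLAN_MODE_FAILURES, expected):
        print(f"{check} failed on {addr} despite a checkov:skip comment in source")
```

Run against the constructed data it reports the four findings the reporter objects to (three on `primary`, one on `worker`) and stays silent on `CKV_GCP_68` for `primary` and for `tools`, which carry no skip. Pointing `TF_SOURCES` at the real `.tf` files and `PLAN_JSON` at the real `plan.tfplan.json` turns it into a regression check for the enrichment path: any line it prints is a suppression that was written down but not honoured.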

ac-hibbert commented 3 years ago

I get similar issues to this, although with AWS resources.

stale[bot] commented 2 years ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] commented 2 years ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!