bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Custom YAML check for Cloudformation can't handle nested properties list #5220

Closed Lucas3oo closed 1 year ago

Lucas3oo commented 1 year ago

Describe the issue

I tried to create a custom check for the tags on any AWS resource using the YAML rule syntax, but I am not able to check the actual tags, like the names of the keys. I can check whether there are tags at all, but not the actual tags.

Examples

Rule:

metadata:
  name: "Check that all resources are tagged with the keys - env and owner"
  id: "SLRK_AWS_1"
  category: "GENERAL_SECURITY"
definition:
  and:
  - cond_type: "attribute"
    resource_types: "AWS::S3::Bucket"
    attribute: "Tags.Key.env"
    operator: "exists"
  - cond_type: "attribute"
    resource_types: "AWS::S3::Bucket"
    attribute: "Tags.Key.owner"
    operator: "exists"

The generated template (from CDK)

{
 "Resources": {
  "bucket1D4C77784": {
   "Type": "AWS::S3::Bucket",
   "Properties": {
    "BucketName": "slrk-my-bucket-for-stage14",
    "Tags": [
     {
      "Key": "env",
      "Value": "stage14"
     },
     {
      "Key": "owner",
      "Value": "lucas"
     }
    ],
    "VersioningConfiguration": {
     "Status": "Enabled"
    },
    "WebsiteConfiguration": {
     "RedirectAllRequestsTo": {
      "HostName": "aws.amazon.com"
     }
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "checkov": {
     "skip": [
      {
       "id": "CKV_AWS_18",
       "comment": "No need to ensure the S3 bucket has access logging enabled"
      }
     ]
    }
   }
  }
 }
}

Version (please complete the following information): checkov -v 2.3.270

Running like this

checkov --external-checks-dir checkov-checks -d cdk.out --check SLRK_AWS_1 --framework cloudformation

gruebel commented 1 year ago

hey @Lucas3oo thanks for reaching out.

This is possible with our jsonpath_ operators: you can prefix any of the current operators with it and then write a JSONPath query.

ex.

metadata:
  name: "Check that all resources are tagged with the keys - env and owner"
  id: "SLRK_AWS_1"
  category: "GENERAL_SECURITY"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
      - "AWS::S3::Bucket"
      attribute: "Tags[?(@.Key == env)].Value"
      operator: "jsonpath_within"
      value:
        - stage1
        - stage14
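An added illustration (not code from the checkov project or from either commenter) of why the dotted attribute "Tags.Key.env" matches nothing while a filter over the Tags list does. It re-implements the two lookups in plain Python against the CDK template from the issue, embedded here in trimmed form; the "within" behaviour is an assumed approximation of the jsonpath_within operator, and the last helper answers the original question of checking that the env and owner keys exist.

```python
from typing import Any

# Constructed from the CDK template posted above, trimmed to the relevant parts.
TEMPLATE = {
    "Resources": {
        "bucket1D4C77784": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "slrk-my-bucket-for-stage14",
                "Tags": [
                    {"Key": "env", "Value": "stage14"},
                    {"Key": "owner", "Value": "lucas"},
                ],
            },
        }
    }
}


def dotted_lookup(obj: Any, path: str) -> Any:
    """Walk a dotted attribute path such as 'Tags.Key.env' through nested dicts.
    Tags is a list, not a dict, so the walk stops at 'Key' and returns None."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def tag_values(props: dict, key: str) -> list:
    """Plain-Python equivalent of the JSONPath filter Tags[?(@.Key == <key>)].Value."""
    return [t.get("Value") for t in props.get("Tags", []) if t.get("Key") == key]


def missing_tag_keys(props: dict, required: list) -> list:
    """Keys from `required` that have no entry in the resource's Tags list."""
    present = {t.get("Key") for t in props.get("Tags", [])}
    return [k for k in required if k not in present]


def check_env_within(template: dict, allowed: set, rtype: str = "AWS::S3::Bucket") -> dict:
    """Assumed approximation of jsonpath_within: a resource passes when at least
    one env tag value is in `allowed`. Returns {logical_id: passed}."""
    results = {}
    for name, res in template["Resources"].items():
        if res.get("Type") == rtype:
            values = tag_values(res.get("Properties", {}), "env")
            results[name] = any(v in allowed for v in values)
    return results
```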

Lucas3oo commented 1 year ago

Thanks a lot!