Open jmcmillan1873 opened 6 months ago
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Describe the issue
Currently checkov skips checking an ingress rule if that rule contains `self = true`. This is true even if `cidr_blocks = ["0.0.0.0/0"]` or `ipv6_cidr_blocks = ["::/0"]` is present in the same rule, i.e. if an ingress contains both `self` and one of `cidr_blocks` or `ipv6_cidr_blocks`, the current checkov logic skips checking the ingress rule due to the presence of `self`. The result is that potentially insecure ingress rules are flagged as passed/OK, resulting in an apparent clean bill of health for the SG.

Known affected check IDs: CKV_AWS_24, CKV_AWS_25, CKV_AWS_260
Examples
Consider the security group below. I expect it to trigger various objections to the ingress rule, but it does not. This security group passes checkov tests. If you remove `self = true` from the code snippet below, checkov correctly identifies the insecure rules.

Version (please complete the following information):
Additional context
As far as I can tell the issue lies with the logic in `terraform/checks/resource/aws/AbsSecurityGroupUnrestrictedIngress.py`. If I comment out the `check_self` test from the evaluation logic in `AbsSecurityGroupUnrestrictedIngress.py`, a subsequent checkov run correctly highlights the insecure ingress rules in my SG definition. I understand the reason for skipping `self` and not flagging that as insecure, but could the `check_self` definition be modified to return False if `self` is paired with `cidr_blocks` or `ipv6_cidr_blocks`? (Sorry - I'd have a go myself, but I don't yet have the python knowledge to suggest a fix in a reasonable time frame.)
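The following Python block is an added illustration of the behaviour the issue describes and of the proposed fix; it is not Checkov's own code and none of its names (`self_exempts`, `failed_checks`, `PORT_CHECKS`) exist in the project. It models an `aws_security_group` as a plain dict, the way an HCL parser would hand it over, and runs the same evaluation twice: once with the reported logic, where `self = true` exempts a rule unconditionally, and once with the proposed logic, where `self` only exempts a rule that carries no `cidr_blocks` / `ipv6_cidr_blocks`. The port each check ID maps to is assumed here for the sake of the example (the issue lists the IDs only), and the security group is a constructed sample, not the reporter's snippet.

```python
"""Model of the self=true ingress-evaluation bug and its proposed fix.

Hypothetical re-implementation for illustration; not Checkov's own code.
"""
from typing import Any, Dict, List

UNRESTRICTED_V4 = "0.0.0.0/0"
UNRESTRICTED_V6 = "::/0"

# Check ID -> port. Assumed mapping for this example; the issue names the IDs only.
PORT_CHECKS = {"CKV_AWS_24": 22, "CKV_AWS_25": 3389, "CKV_AWS_260": 80}


def _as_list(value: Any) -> List[Any]:
    """Terraform attributes may arrive as scalars or lists; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def open_to_world(rule: Dict[str, Any]) -> bool:
    """True if the rule admits the whole IPv4 or IPv6 internet."""
    cidrs = _as_list(rule.get("cidr_blocks")) + _as_list(rule.get("ipv6_cidr_blocks"))
    return UNRESTRICTED_V4 in cidrs or UNRESTRICTED_V6 in cidrs


def covers_port(rule: Dict[str, Any], port: int) -> bool:
    """True if the rule's port range (or an all-traffic rule) includes `port`."""
    if str(rule.get("protocol", "tcp")) == "-1":
        return True  # protocol -1 is "all traffic" in AWS and covers every port
    try:
        lo, hi = int(rule.get("from_port")), int(rule.get("to_port"))
    except (TypeError, ValueError):
        return False
    return lo <= port <= hi


def self_exempts(rule: Dict[str, Any], proposed_logic: bool) -> bool:
    """Decide whether `self = true` takes the rule out of evaluation.

    Reported behaviour (proposed_logic=False): self=true exempts unconditionally,
    even when a world-open CIDR sits in the same rule.
    Proposed behaviour (proposed_logic=True): self=true exempts only when the
    rule carries neither cidr_blocks nor ipv6_cidr_blocks.
    """
    if rule.get("self") not in (True, "true"):
        return False
    if not proposed_logic:
        return True
    return "cidr_blocks" not in rule and "ipv6_cidr_blocks" not in rule


def failed_checks(security_group: Dict[str, Any], proposed_logic: bool) -> List[str]:
    """Return the check IDs that fail for this security group."""
    failed: List[str] = []
    for check_id, port in PORT_CHECKS.items():
        for rule in _as_list(security_group.get("ingress")):
            if self_exempts(rule, proposed_logic):
                continue
            if covers_port(rule, port) and open_to_world(rule):
                failed.append(check_id)
                break
    return failed


# Constructed sample security group (not the reporter's snippet).
SAMPLE_SG = {
    "name": "example",
    "ingress": [
        # self=true combined with a world-open IPv4 CIDR on port 22: should fail CKV_AWS_24
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "self": True, "cidr_blocks": ["0.0.0.0/0"]},
        # self=true alone: a legitimate intra-group rule, must never be flagged
        {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "self": True},
        # world-open IPv6 on port 80 without self: fails CKV_AWS_260 either way
        {"from_port": 80, "to_port": 80, "protocol": "tcp",
         "ipv6_cidr_blocks": ["::/0"]},
    ],
}

if __name__ == "__main__":
    print("reported logic :", failed_checks(SAMPLE_SG, proposed_logic=False))
    print("proposed logic :", failed_checks(SAMPLE_SG, proposed_logic=True))
```

With the reported logic the port-22 rule disappears from the result because `self` short-circuits evaluation before the `0.0.0.0/0` entry is ever looked at; with the proposed logic the same rule is evaluated and fails, while the rule that has only `self = true` is still left alone.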