From 74397bb177fd7e9bbcbe9e0f2a2a1d8c2075d5f2 Mon Sep 17 00:00:00 2001
From: Taylor
Date: Fri, 17 Jan 2025 13:46:28 -0800
Subject: [PATCH 1/4] Add action and example

---
 .github/workflows/pr-test.yml | 55 +++++++++++++++++++
 .../AzureMLWorkspacePrivateEndpoint.py | 1 +
 2 files changed, 56 insertions(+)

diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
index 7050e778db2..ed5074502b6 100644
--- a/.github/workflows/pr-test.yml
+++ b/.github/workflows/pr-test.yml
@@ -494,3 +494,58 @@ jobs: run: | pipenv run pytest working-directory: ${{ env.WORKING_DIRECTORY }} + + eval-keys-test: + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@v2 + + - name: Validate 'BaseResourceCheck' usage + run: | + # 1. Collect all changed files in this pull request + CHANGED_FILES=$(git diff --name-only ${{ github.base_ref }}..${{ github.head_ref }}) + + # Define an array of exceptions (files to skip). + EXCEPTIONS=( + "base_resource_check.py" + "VPCDefaultNetwork.py" + "IAMUserNotUsedForAccess.py" # Whole Resource type check + ) + + echo "Changed files:" + echo "$CHANGED_FILES" + + EXIT_CODE=0 + for file in $CHANGED_FILES; do + # Only examine Python files within the 'checkov/' directory + if [[ $file == checkov/**/*.py ]]; then + # Check if the file is in the list of exceptions + SKIP_FILE="false" + for exception in "${EXCEPTIONS[@]}"; do + # If the file ends with one of the exception file names, skip it + if [[ "$file" == *"$exception" ]]; then + echo "Skipping $file (allowed exception)" + SKIP_FILE="true" + break + fi + done + + # Only run checks if not in exceptions list + if [[ "$SKIP_FILE" == "false" ]]; then + # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys' + if grep -q "BaseResourceCheck" "$file"; then + if ! grep -q "get_inspected_key" "$file" && ! grep -q "evaluated_keys" "$file"; then + echo "ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'" + EXIT_CODE=1 + fi + fi + fi + fi + done + + # Fail the job if any file violated the rule + if [ "$EXIT_CODE" -ne 0 ]; then + echo "One or more files did not satisfy the requirement." + exit 1 + fi diff --git a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py index 3d212a3b09c..6d3596c9bb3 100644 --- a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py 
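Review bot: `git diff --name-only ${{ github.base_ref }}..${{ github.head_ref }}` in the new `eval-keys-test` step is expanded into the shell script before it runs, and `github.head_ref` is the pull-request author's branch name, so a crafted branch name executes arbitrary commands in the job — the standard GitHub Actions expression-injection case. Values that originate from a PR should be passed through `env:` (`BASE: ${{ github.base_ref }}` and `HEAD: ${{ github.head_ref }}` on the step) and referenced as `"$BASE".."$HEAD"` so they are data rather than script. Independently, `actions/checkout@v2` fetches only the merge commit at depth 1 by default, so neither ref exists locally and the `git diff` (and with it the job, under the runner's `bash -e`) would most likely error instead of validating anything; patch 2 of this series replaces this step, so this matters only if patch 1 lands alone. `@v2` is also a mutable tag — pin to a full commit SHA as patch 2 does.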
+++ b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py @@ -27,6 +27,7 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: continue if rule.get("type") == "PrivateEndpoint": return CheckResult.PASSED + # TODO: Add evaluated keys return CheckResult.FAILED From 902baa9344a3e6822a6cd0d9b4a2bfc6cef32dab Mon Sep 17 00:00:00 2001 From: Taylor Date: Fri, 17 Jan 2025 14:02:24 -0800 Subject: [PATCH 2/4] fix --- .github/workflows/pr-test.yml | 63 ++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index ed5074502b6..dec1e8f6553 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml 
@@ -499,51 +499,52 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + + - name: Get changed Python files + id: changed-files + uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44 + with: + files: checkov/**/*.py - name: Validate 'BaseResourceCheck' usage + if: steps.changed-files.outputs.any_changed == 'true' run: | - # 1. Collect all changed files in this pull request - CHANGED_FILES=$(git diff --name-only ${{ github.base_ref }}..${{ github.head_ref }}) - - # Define an array of exceptions (files to skip). + # Define an array of exceptions (files to skip) EXCEPTIONS=( "base_resource_check.py" "VPCDefaultNetwork.py" "IAMUserNotUsedForAccess.py" # Whole Resource type check ) - + echo "Changed files:" - echo "$CHANGED_FILES" - + echo "${{ steps.changed-files.outputs.all_changed_files }}" + EXIT_CODE=0 - for file in $CHANGED_FILES; do - # Only examine Python files within the 'checkov/' directory - if [[ $file == checkov/**/*.py ]]; then - # Check if the file is in the list of exceptions - SKIP_FILE="false" - for exception in "${EXCEPTIONS[@]}"; do - # If the file ends with one of the exception file names, skip it - if [[ "$file" == *"$exception" ]]; then - echo "Skipping $file (allowed exception)" - SKIP_FILE="true" - break - fi - done - - # Only run checks if not in exceptions list - if [[ "$SKIP_FILE" == "false" ]]; then - # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys' - if grep -q "BaseResourceCheck" "$file"; then - if ! grep -q "get_inspected_key" "$file" && ! 
grep -q "evaluated_keys" "$file"; then - echo "ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'" - EXIT_CODE=1 - fi + for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + # Check if the file is in the list of exceptions + SKIP_FILE="false" + for exception in "${EXCEPTIONS[@]}"; do + # If the file ends with one of the exception file names, skip it + if [[ "$file" == *"$exception" ]]; then + echo "Skipping $file (allowed exception)" + SKIP_FILE="true" + break + fi + done + + # Only run checks if not in exceptions list + if [[ "$SKIP_FILE" == "false" ]]; then + # If file contains 'BaseResourceCheck', check for 'get_inspected_key' or 'evaluated_keys' + if grep -q "BaseResourceCheck" "$file"; then + if ! grep -q "get_inspected_key" "$file" && ! grep -q "evaluated_keys" "$file"; then + echo "ERROR: $file has BaseResourceCheck but does NOT contain 'get_inspected_key' or 'evaluated_keys'" + EXIT_CODE=1 fi fi fi done - + # Fail the job if any file violated the rule if [ "$EXIT_CODE" -ne 0 ]; then echo "One or more files did not satisfy the requirement." From 5a44dc0aa87e7b5bbf0e691dc92748c6303444e6 Mon Sep 17 00:00:00 2001 From: Taylor Date: Fri, 17 Jan 2025 19:58:34 -0800 Subject: [PATCH 3/4] Fix lint and test case --- .github/workflows/pr-test.yml | 4 +++- .../arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index dec1e8f6553..5649c529d9c 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -507,7 +507,7 @@ jobs: with: files: checkov/**/*.py - - name: Validate 'BaseResourceCheck' usage + - name: Validate 'BaseResourceCheck' use contains eval keys if: steps.changed-files.outputs.any_changed == 'true' run: | # Define an array of exceptions (files to skip) 
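Review bot: The rewritten loop `for file in ${{ steps.changed-files.outputs.all_changed_files }}; do` (and the `echo` above it) still splices pull-request-controlled data into the script at template time: the list is made of file names from the PR, and a path containing `$(…)`, backticks or quotes becomes part of the script rather than an argument. tj-actions/changed-files has a `safe_output` option that escapes shell metacharacters — I believe it is on by default in v44, but confirm — and that is a second line of defence only; the reliable pattern is `env: CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` on the step and `for file in $CHANGED_FILES; do` in the script. Pinning both actions to full commit SHAs is the right call for a third-party action, but `b4ffde65f46336ab88eb53be808477a3936bae11` appears to be the actions/checkout v4.1.1 commit rather than v3, so the trailing `# v3` comment should be verified against the tag — a wrong version comment misleads reviewers and dependency-update bots, which is exactly what SHA pinning is meant to prevent.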
@@ -521,6 +521,7 @@ jobs: echo "${{ steps.changed-files.outputs.all_changed_files }}" EXIT_CODE=0 + IFS=$'\n' # Change Internal Field Separator to handle spaces in filenames too for file in ${{ steps.changed-files.outputs.all_changed_files }}; do # Check if the file is in the list of exceptions SKIP_FILE="false" @@ -544,6 +545,7 @@ jobs: fi fi done + unset IFS # Restore IFS to default # Fail the job if any file violated the rule if [ "$EXIT_CODE" -ne 0 ]; then diff --git a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py index 6d3596c9bb3..3500fe2630e 100644 --- a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py +++ b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py @@ -1,4 +1,4 @@ -from typing import Dict, Any +from typing import Dict, Any, List from checkov.common.models.enums import CheckCategories, CheckResult from checkov.arm.base_resource_check import BaseResourceCheck @@ -27,8 +27,10 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: continue if rule.get("type") == "PrivateEndpoint": return CheckResult.PASSED - # TODO: Add evaluated keys return CheckResult.FAILED + def get_evaluated_keys(self) -> List[str]: + return ["properties", "properties/[0]/managedNetwork", "properties/[0]/managedNetwork/[0]/outboundRules"] + check = AzureMLWorkspacePrivateEndpoint() From 19eda3daca5118276e858b9cf8039d39ffc8acff Mon Sep 17 00:00:00 2001 From: Taylor Date: Fri, 17 Jan 2025 20:08:16 -0800 Subject: [PATCH 4/4] fix lint --- .github/workflows/pr-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 5649c529d9c..6c6f9fd269d 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml 
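Review bot: `get_evaluated_keys` returns the same three static paths for every resource, but `scan_resource_conf` (whose start is outside the hunk) reaches its verdict on the `type` of an individual entry under `outboundRules`, so the reported keys stop one level above the field that actually decided the result. The workflow's own grep accepts `evaluated_keys` as the alternative marker, which suggests the more useful shape here is to set `self.evaluated_keys` inside the loop to the index and `type` of the matching rule, keeping the static list as the fallback on the `FAILED` path, so findings point at the specific rule. The `/[0]/` list-index segments are the Terraform-style path convention; I cannot see from here whether the ARM parser wraps `properties` and `managedNetwork` in single-element lists, so verify the path format against a sibling `checkov/arm` check before relying on it.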
@@ -522,7 +522,7 @@ jobs: EXIT_CODE=0 IFS=$'\n' # Change Internal Field Separator to handle spaces in filenames too - for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + for file in $(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ',' '\n'); do # Check if the file is in the list of exceptions SKIP_FILE="false" for exception in "${EXCEPTIONS[@]}"; do
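Review bot: `tr ',' '\n'` assumes the step output is comma-separated, but only `files:` is set on the changed-files step in the visible hunks and the action's default `separator` is a single space, so nothing is translated; with `IFS=$'\n'` set two lines above, the whole space-joined list then becomes one loop item, `grep -q` prints 'No such file' to stderr and returns non-zero, the `if` is false, `EXIT_CODE` stays 0 and the gate passes for every multi-file PR without checking anything. Unless `separator` is configured somewhere I cannot see, either drop the `IFS` change and keep default word splitting, or set `separator: "\n"` on the step so the `IFS=$'\n'` loop really iterates per file. Combined with moving the interpolation out of the script, the line becomes `for file in $CHANGED_FILES; do` with `env: CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` on the step. It is also worth failing loudly when the path does not exist — `[ -f "$file" ] || { echo "ERROR: $file not found"; EXIT_CODE=1; continue; }` — so a splitting mistake like this cannot pass silently again.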