Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unable to Load Custom V2 Yaml Checks with --external-checks-dir

See original GitHub issue

Hello Checkov Team,

checkov==2.0.107

I’m struggling to load a custom Checkov check in the new .yaml format with --external-checks-dir.

What I’ve done I’ve copied an existing check (just a POC for myself) and put it into a file mychecks/S3BucketPublicAccessBlock.yaml

metadata:
  name: "Ensure that S3 bucket has a Public Access block"
  category: "Networking"
  id: "CUSTOM_AWS_6"
definition:
  and:
    - resource_types:
        - aws_s3_bucket
      connected_resource_types:
        - aws_s3_bucket_public_access_block
      operator:  exists
      cond_type: connection
    - cond_type: filter
      attribute: resource_type
      value:
        - aws_s3_bucket
      operator: within
    - cond_type: attribute
      attribute: block_public_acls
      value: true
      operator: equals
      resource_types:
        - aws_s3_bucket_public_access_block
    - cond_type: attribute
      attribute: block_public_policy
      value: true
      operator: equals
      resource_types:
        - aws_s3_bucket_public_access_block

When I execute Checkov with checkov -d /tmp/project --external-checks-dir mychecks against some example terraform, I don’t see the check in my run output. I looked in the code and I think I see the issue:

https://github.com/bridgecrewio/checkov/blob/master/checkov/common/checks/base_check_registry.py#L165 looks for arguments passed to --external-checks-dir and loads only those with a .py.

What I expect I expect checkov to load both .py or .yaml checks in the specified --external-checks-dir directory. Or have the ability to load the .yaml files in a different way.

Is there a separate way to load external .yaml files, or does this logic need to be extended to include the new version checks?

Thanks for your help and guidance!

Issue Analytics

State:
Created 2 years ago
Reactions:2
Comments:8 (5 by maintainers)

Top GitHub Comments

1reaction

nimrodkorcommented, May 6, 2021

Thanks for all the help @gruebel ! @jmeredith16 - please update checkov version, and if you still do not see the CKV2 checks - let me know! @lvolta - Supporting graph for CloudFormation is on our roadmap, a dedicated issue with 👍 votes would definitely help push it!

Closing this issue as it is solved

1reaction

gruebelcommented, May 5, 2021

@lvolta sadly the YAML checks only work with Terraform at the moment.

Top Results From Across the Web

checkov custom policy working only with terraform code and ...

I created a Checkov custom YAML policy and noticed ...

Create Custom Policy - Python - Attribute Check - checkov

A Python-based Custom Policy for Checkov consists of sections for Metadata and Policy Definition. Read also how to create custom YAML Policies for...

SodaCL optional check configurations - Soda Documentation

The detailed documentation for metrics and individual check types indicate specifically which optional configurations are compatible. Customize check names. Add ...

bridgecrew/checkov - Docker Image

Supports Python format for attribute policies and YAML format for both ... Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0 Check: "Ensure...

Custom Agent Check - Datadog Docs

yaml . In this example, the custom check sends a value of 1 for the metric hello.world . The configuration file includes no ......