Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Usage of --external-checks-dir, custom checks do not get recognised

See original GitHub issue

Describe the bug: I created a basic yaml custom rules and I plan to create several new rules. Currently I don’t get why the custom rules does not get asserted as it should be.

My custom rule checkov-checks/chekov_custom_rule_tagging.yaml looks like that:

---
metadata:
 name: "Check that all resources are tagged with the key - InfoSecClass"
 id: "CKV_AWS_123"
 category: "GENERAL_SECURITY"
scope:
 provider: aws
definition:
       cond_type: "attribute"
       resource_types: "AWS::EC2::SecurityGroup"
       attribute: "tags.infosecclass"
       operator: "exists"

And I run it via checkov -f src/test/rds-cf-template.json --external-checks-dir ./checkov-checks

Is there something I am doing wrong or is the rule malformed/incorrect?

Currently I am using the Version 2.0.1079

Issue Analytics

State:
Created a year ago
Reactions:4
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

tsmithv11commented, Apr 27, 2022

This is a case where a Python check is likely better, but here are both options:

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceCheck

class BagTagging(BaseResourceCheck):
    def __init__(self):
        name = "Check that all resources are tagged with the key - InfoSecClass"
        id = "CKV_AWS_999"
        supported_resources = ['AWS::EC2::SecurityGroup']
        categories = (CheckCategories.GENERAL_SECURITY)
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        if 'Properties' in conf.keys():
            if 'Tags' in conf['Properties'].keys():
                for tag in conf['Properties']['Tags']:
                    if tag['Key'] == 'infosecclass':
                        return CheckResult.PASSED
        return CheckResult.FAILED

check = BagTagging()

or in YAML:

---
metadata:
 name: "Check that all resources are tagged with the key - InfoSecClass"
 id: "CKV_AWS_999"
 category: "GENERAL_SECURITY"
scope:
 provider: aws
definition:
       cond_type: "attribute"
       resource_types: "AWS::EC2::SecurityGroup"
       attribute: Tags.*.Key
       operator: "equals"
       value: "infosecclass"

0reactions

antoniorodriguezmorenocommented, May 31, 2022

Thank you for the help @tsmithv11 ! I was able to run it successfully.

Top Results From Across the Web

Scanning Infrastructure as Code for Security Issues

Typically, tools scanning the HCL code take no more than a few seconds to run and can be used without network connectivity.

Replacement Check Instructions | U.S. Customs and Border ...

Replacement of an original check mailed to a U.S. address that is deemed to be outstanding/not negotiated at the time of a FOIA...

CLI Command Reference - checkov

CLI Command Reference ; --add-check, Generate a new check via CLI prompt ; -f, --file FILE, File to scan (can not be used...

Create custom checks for the Splunk AppInspect CLI

You can create your own custom checks for Splunk AppInspect validation. ... If the word "bad" is not detected in the Splunk app,...

How to Order New Checks: Business and Personal Accounts

One risk of online check printers is that you provide checking account information to somebody you don't know. Most printers are trustworthy and ......