feat(terraform): add CKV NCP rules about Network ACL. #3668

merged 42 commits into from
Oct 27, 2022
5afbd24
[22.09.27][추가] CKV_NCP_1
pj991207 Sep 27, 2022
4d48fe1
[22.09.27][추가] CKV_NCP_2
Floodnut Sep 27, 2022
9011d54
[22.09.27][Merge]
Floodnut Sep 27, 2022
ea829d9
Apply suggestions from code review
pj991207 Sep 27, 2022
0e76a1f
Apply suggestions from code review
pj991207 Sep 27, 2022
5150177
Apply suggestions from code review
pj991207 Sep 27, 2022
d2b322f
Create main.yml
pj991207 Sep 28, 2022
a7e3000
[22.09.28][수정] Lint test
Floodnut Sep 28, 2022
2f7dcdf
Merge branch 'master' of https://github.com/init-cloud/checkov
Floodnut Sep 28, 2022
f8e7357
Delete main.yml
pj991207 Sep 28, 2022
52cb35d
[22.09.29][수정]testcode 수정
pj991207 Sep 28, 2022
b1555cb
[22.09.29][수정] 테스트 코드 수정
Floodnut Sep 28, 2022
e77773d
[22.09.29][수정] 테스트코드 수정
Floodnut Sep 29, 2022
51d2b71
Merge branch 'master' into master
pj991207 Sep 29, 2022
1ccffed
[22.09.29][수정] add test resource for 'ncloud_access_control_group_rule'
Floodnut Sep 29, 2022
49fb76a
Merge branch 'master' of https://github.com/init-cloud/checkov
Floodnut Sep 29, 2022
a8ef4c5
Merge branch 'bridgecrewio:master' into master
Floodnut Oct 3, 2022
281c4dc
Merge branch 'bridgecrewio:master' into master
Floodnut Oct 3, 2022
ad93303
Merge branch 'bridgecrewio:master' into master
pj991207 Oct 3, 2022
5d8360b
[22.10.03][add]CKV_AWS_3 RULE
pj991207 Oct 3, 2022
b21c1f4
Merge branch 'bridgecrewio:master' into master
pj991207 Oct 3, 2022
3b28b37
[22.10.04][add]CKV_NCP_4, CKV_NCP_5 RULE
pj991207 Oct 4, 2022
87ecf3d
[22.10.04][add] NCP ACG Inbound for port 22, 3389
Floodnut Oct 4, 2022
53cd21b
[22.10.04][add] NCP NACL for port 20, 21, 22, 3389
taeng0204 Oct 4, 2022
8867513
[22.10.05][modify] LBSecureProtocols.py
taeng0204 Oct 5, 2022
ab60ab0
[22.10.05][add] NCP ACGIngress & Egress Check
taeng0204 Oct 5, 2022
f8be0ae
[22.10.06][add] NCP rules about ACG, LB, NACL, Encrpytion
Floodnut Oct 5, 2022
edfeef9
[22.10.06][refactor] rename rules
Floodnut Oct 5, 2022
0a66496
[22.10.07][add] NCP NACLPortCheck
Oct 7, 2022
740fc95
[22.10.08][refactor] modify rule id 77 to 14
Floodnut Oct 8, 2022
77e210a
Merge branch 'bridgecrewio:master' into master
Floodnut Oct 11, 2022
9533ea3
[22.10.14][add] add NCP rule about Network ACL
Floodnut Oct 14, 2022
0c8e0d7
[22.10.03][add]CKV_AWS_3 RULE
Floodnut Oct 17, 2022
ff158f0
Merge branch 'ncp/rule-12' of https://github.com/init-cloud/checkov i…
Floodnut Oct 17, 2022
a0dac77
[22.10.18][test] commit test
Floodnut Oct 17, 2022
fbe491d
Merge branch 'bridgecrewio:master' into ncp/rule-12
Floodnut Oct 19, 2022
42d1cca
[22.10.19][refactor] adjust ncp rule 12
Floodnut Oct 19, 2022
2d130cd
Merge branch 'bridgecrewio:master' into ncp/rule-12
Floodnut Oct 20, 2022
31605f1
[22.10.25][fix] delete guideline
Floodnut Oct 25, 2022
155a60c
Merge branch 'bridgecrewio:master' into ncp/rule-12
Floodnut Oct 25, 2022
3490d7b
Merge branch 'bridgecrewio:master' into ncp/rule-12
Floodnut Oct 26, 2022
5d941e2
Merge branch 'bridgecrewio:master' into ncp/rule-12
Floodnut Oct 27, 2022
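--- a/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
+++ b/checkov/terraform/checks/resource/ncp/NACLPortCheck.py
@@ -0,0 +1,24 @@
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckResult, CheckCategories
+
+
+class NACLPortCheck(BaseResourceCheck):
+def __init__(self):
+name = "An inbound Network ACL rule should not allow ALL ports."
+id = "CKV_NCP_12"
+supported_resources = ('ncloud_network_acl_rule',)
+categories = (CheckCategories.NETWORKING,)
+super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+def scan_resource_conf(self, conf):
+if 'inbound' in conf.keys():
+for inbound in conf['inbound']:
+if 'port_range' in inbound.keys():
+for port_range in inbound['port_range']:
+if port_range == "1-65535":
+return CheckResult.FAILED
+return CheckResult.PASSED
+return CheckResult.FAILED
+
+
+check = NACLPortCheck()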
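Review bot: scan_resource_conf returns as soon as the first `inbound` block carrying a `port_range` has been scanned — the `return CheckResult.PASSED` sits inside the `if 'port_range'` branch as far as the flattened indentation lets me tell, and the fixture expectations require it — so a resource with several inbound blocks is judged on its first block only and a later all-ports block passes unseen. The comparison is also the literal string `"1-65535"`, so an equivalent span spelled differently (`0-65535`, or with spaces) is not recognised, and `rule_action` is never consulted, so a rule that denies the whole range is reported as FAILED just like one that allows it. I'd walk every inbound block, fail on any block that lacks `port_range` or opens the full range, and pass only once all blocks are clean, keeping the existing fixtures green; a docstring such as `"""Fail when any inbound rule omits port_range or opens the whole 1-65535 range."""` would make the intended contract explicit.
```python
def scan_resource_conf(self, conf):
    """Fail when any inbound rule omits port_range or opens the whole 1-65535 range."""
    inbound_blocks = conf.get('inbound')
    if not inbound_blocks:
        return CheckResult.FAILED
    for inbound in inbound_blocks:
        # A block without port_range is treated as unrestricted, matching the existing fixtures.
        if 'port_range' not in inbound:
            return CheckResult.FAILED
        if any(port_range == "1-65535" for port_range in inbound['port_range']):
            return CheckResult.FAILED
    return CheckResult.PASSED
```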
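--- a/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf
+++ b/tests/terraform/checks/resource/ncp/example_NACLPortCheck/main.tf
@@ -0,0 +1,46 @@
+resource "ncloud_network_acl_rule" "pass" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+port_range = "22"
+}
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+port_range = "1-43"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+}
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+deny_allow_group_no = ncloud_network_acl_deny_allow_group.deny_allow_group.id
+port_range = "1-65535"
+}
+}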
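Review bot: Every fixture here has exactly one `inbound` block and uses `rule_action = "ALLOW"`, so the check's behaviour on a resource with several inbound blocks, or on a non-ALLOW rule over the full range, is not exercised by the test. A resource such as `ncloud_network_acl_rule.fail2` with two inbound blocks where only the second carries `port_range = "1-65535"` would pin down whether later blocks are evaluated. Any fixture added here also needs the expected resource sets and counts in test_NACLPortCheck.py updated to match.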
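--- a/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py
+++ b/tests/terraform/checks/resource/ncp/test_NACLPortCheck.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.ncp.NACLPortCheck import check
+from checkov.terraform.runner import Runner
+
+
+class TestNACLPortCheck(unittest.TestCase):
+def test(self):
+# given
+test_files_dir = Path(__file__).parent / "example_NACLPortCheck"
+
+# when
+report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+# then
+summary = report.get_summary()
+
+passing_resources = {
+"ncloud_network_acl_rule.pass",
+"ncloud_network_acl_rule.pass1"
+}
+failing_resources = {
+"ncloud_network_acl_rule.fail",
+"ncloud_network_acl_rule.fail1"
+}
+
+passed_check_resources = {c.resource for c in report.passed_checks}
+failed_check_resources = {c.resource for c in report.failed_checks}
+
+self.assertEqual(summary["passed"], 2)
+self.assertEqual(summary["failed"], 2)
+self.assertEqual(summary["skipped"], 0)
+self.assertEqual(summary["parsing_errors"], 0)
+
+self.assertEqual(passing_resources, passed_check_resources)
+self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+unittest.main()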