Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(gitlab): Modify gitlab ci resource id #3706

Merged
merged 12 commits into from
Oct 24, 2022
Merged

fix(gitlab): Modify gitlab ci resource id #3706

merged 12 commits into from
Oct 24, 2022

Conversation

Eliran-Turgeman
Copy link
Contributor

@Eliran-Turgeman Eliran-Turgeman commented Oct 20, 2022
edited
Loading

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

  • Fixed SuspectCurlInScript check not having lines and code block via definitions_raw object
  • Changed resource id to better reflect the resource, for example:
    *.rules.*.rules.CKV_GITLABCI_2[7:9] -> planOnlySubset
    For the following source code:
planOnlySubset:
  script: echo "This job creates double pipelines!"
  rules:
    - changes:
        - $DOCKERFILES_DIR/*
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

...
  • Added matching resource ids for images in gitlab ci

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

gruebel
gruebel reviewed Oct 23, 2022
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice work, left a couple of comments

checkov/common/checks/base_check_registry.py Outdated Show resolved Hide resolved
checkov/common/runners/object_runner.py Outdated
Comment on lines 104 to 105
if registry.report_type == CheckType.GITLAB_CI:
registry.set_definitions_raw(self.definitions_raw[file_path])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any reason, why limit it to just GitLab CI?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't sure if that's needed for all frameworks, I added it because some gitlab ci check names were missing the resource lines and code blocks and I needed the definitions to resolve them.
I think we should gradually apply it to more frameworks as we find issues with their resource ids, WDYT?

Copy link
Contributor

@gruebel gruebel Oct 23, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gotcha, gotcha. let's leave it for now as it is. if we need it for something else, then lets add it for all check types

checkov/gitlab_ci/common/resource_id_utils.py Show resolved Hide resolved
checkov/gitlab_ci/common/resource_id_utils.py Outdated Show resolved Hide resolved
checkov/gitlab_ci/image_referencer/provider.py Outdated Show resolved Hide resolved
checkov/gitlab_ci/runner.py Outdated Show resolved Hide resolved
checkov/gitlab_ci/runner.py Outdated Show resolved Hide resolved
checkov/gitlab_ci/runner.py Outdated Show resolved Hide resolved
checkov/yaml_doc/base_registry.py Outdated Show resolved Hide resolved
checkov/yaml_doc/base_registry.py Outdated Show resolved Hide resolved
@Eliran-Turgeman
Copy link
Contributor Author

@gruebel Addressed all your comments, thanks! 😄

gruebel
gruebel approved these changes Oct 23, 2022
View reviewed changes
Copy link
Contributor

@gruebel gruebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

last one 😄

checkov/yaml_doc/base_registry.py Show resolved Hide resolved
@Eliran-Turgeman Eliran-Turgeman merged commit b87bdc3 into master Oct 24, 2022
@Eliran-Turgeman Eliran-Turgeman deleted the change_gitlab_ci_resource_id branch October 24, 2022 08:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gruebel gruebel gruebel approved these changes

@lirshindalman lirshindalman lirshindalman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Eliran-Turgeman @gruebel @lirshindalman