From 031757c7df0ace66d275c8fb746112fe14a48011 Mon Sep 17 00:00:00 2001
From: gruebel
Date: Sun, 2 Oct 2022 21:15:19 +0200
Subject: [PATCH 1/2] add support for guideline to graph checks

---
 checkov/common/checks_infra/checks_parser.py | 1 +
 .../runner/extra_yaml_checks/bucket_versioned_owned.yaml | 1 +
 tests/terraform/runner/test_runner.py | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/checkov/common/checks_infra/checks_parser.py b/checkov/common/checks_infra/checks_parser.py
index 7327d43a681..0dca7ddaf87 100644
--- a/checkov/common/checks_infra/checks_parser.py
+++ b/checkov/common/checks_infra/checks_parser.py
@@ -134,6 +134,7 @@ def parse_raw_check(self, raw_check: Dict[str, Dict[str, Any]], **kwargs: Any) -
 check.name = raw_check.get("metadata", {}).get("name", "")
 check.category = raw_check.get("metadata", {}).get("category", "")
 check.frameworks = raw_check.get("metadata", {}).get("frameworks", [])
+ check.guideline = raw_check.get("metadata", {}).get("guideline")
 solver = self.get_check_solver(check)
 check.set_solver(solver)
diff --git a/tests/terraform/runner/extra_yaml_checks/bucket_versioned_owned.yaml b/tests/terraform/runner/extra_yaml_checks/bucket_versioned_owned.yaml
index 5c76828bea2..9d7c0bb713f 100644
--- a/tests/terraform/runner/extra_yaml_checks/bucket_versioned_owned.yaml
+++ b/tests/terraform/runner/extra_yaml_checks/bucket_versioned_owned.yaml
@@ -2,6 +2,7 @@ metadata:
 id: "CKV2_CUSTOM_1"
 name: "Ensure bucket has versioning and owner tag"
 category: "BACKUP_AND_RECOVERY"
+ guideline: "https://docs.bridgecrew.io/docs/ckv2_custom_1"
 definition:
 and:
 - cond_type: "attribute"
diff --git a/tests/terraform/runner/test_runner.py b/tests/terraform/runner/test_runner.py
index e878d428b98..06e6a0984c9 100644
--- a/tests/terraform/runner/test_runner.py
+++ b/tests/terraform/runner/test_runner.py
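Review bot: The added `check.guideline = raw_check.get("metadata", {}).get("guideline")` stores whatever the YAML carried without any type check, so a `guideline:` that is a list, mapping or number is kept as-is and only fails later when the value is rendered; the sibling `name`/`category`/`frameworks` lines at least fix a type through their defaults. Custom policies come from external check directories, so I would normalise here: `guideline = metadata.get("guideline")` followed by `check.guideline = guideline if isinstance(guideline, str) else None`, with `metadata = raw_check.get("metadata", {})` hoisted once above the four repeated lookups in this hunk. The value presumably ends up in report output unchanged (the new test reads it back from a failed-check record), so if it is meant to be a link, a comment stating that no URL validation happens at parse time would help the next maintainer. parse_raw_check starts and ends outside the hunk.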
@@ -182,6 +182,10 @@ def test_runner_extra_yaml_check(self):
 self.assertEqual(passing_custom, 0)
 self.assertEqual(failed_custom, 3)
+
+ graph_record = next(record for record in report.failed_checks if record.check_id == "CKV2_CUSTOM_1")
+ self.assertEqual(graph_record.guideline, "https://docs.bridgecrew.io/docs/ckv2_custom_1")
+
 # Remove external checks from registry.
 runner.graph_registry.checks[:] = [check for check in runner.graph_registry.checks if "CUSTOM" not in check.id]

From d943b5418ccc98c2b0762c7f0af1ce1682d68ce7 Mon Sep 17 00:00:00 2001
From: gruebel
Date: Sun, 2 Oct 2022 21:28:46 +0200
Subject: [PATCH 2/2] add docs

---
 docs/3.Custom Policies/YAML Custom Policies.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/docs/3.Custom Policies/YAML Custom Policies.md b/docs/3.Custom Policies/YAML Custom Policies.md
index 03a9ba46aba..0a2e0e4f663 100644
--- a/docs/3.Custom Policies/YAML Custom Policies.md
+++ b/docs/3.Custom Policies/YAML Custom Policies.md
@@ -20,6 +20,7 @@ The Metadata includes:
 * Policy Name
 * ID - `CKV2__`
 * Category
+* Guideline (optional)
 The possible values for category are:
@@ -32,6 +33,17 @@ The possible values for category are:
 * CONVENTION
 * SECRETS
 * KUBERNETES
+* APPLICATION_SECURITY
+* SUPPLY_CHAIN
+* API_SECURITY
+
+```yaml
+metadata:
+ id: "CKV2_CUSTOM_1"
+ name: "Ensure bucket has versioning and owner tag"
+ category: "BACKUP_AND_RECOVERY"
+ guideline: "https://docs.bridgecrew.io/docs/ckv2_custom_1"
+```
 ## Policy Definition
@@ -39,7 +51,7 @@ The policy definition consists of:
 * **Definition Block(s)** - either *Attribute Block(s)* or *Connection State Block(s)* or both
 * **Logical Operator(s)** (optional)
-* **Filter**(optional)
+* **Filter** (optional)
 The top level object under `definition` must be a single object (not a list). It can be an attribute block, a connection block, or a logical operator (`and`, `or`, `not`).
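Review bot: The new `graph_record = next(record for record in report.failed_checks if record.check_id == "CKV2_CUSTOM_1")` has no default, so when no such failed record exists the test aborts with a bare StopIteration instead of an assertion message; `graph_record = next((record for record in report.failed_checks if record.check_id == "CKV2_CUSTOM_1"), None)` followed by `self.assertIsNotNone(graph_record)` fails readably. The assertion also covers only the populated case; since the parser reads the key with a plain `.get("guideline")`, a record produced from a YAML check without that key should be asserted to come back as `None`, so a missing guideline can never surface as an empty string or a KeyError in reporting. test_runner_extra_yaml_check starts before the hunk.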