add ckv_azure_40

Azure · Mar 7, 2025 · a78faf9 · a78faf9
1 parent 8130f90
commit a78faf9
Show file tree

Hide file tree

Showing 6 changed files with 236 additions and 118 deletions.
diff --git a/policy/checkov/KeyExpirationDate.mock.json b/policy/checkov/KeyExpirationDate.mock.json
@@ -0,0 +1,60 @@
+{
+  "mock": {
+    "default": {
+      "resource_changes": [
+        {
+          "address": "azurerm_key_vault_key.generated",
+          "mode": "managed",
+          "type": "azurerm_key_vault_key",
+          "name": "generated",
+          "provider_name": "registry.terraform.io/hashicorp/azurerm",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {
+              "expiration_date": "2024-12-31T00:00:00Z"
+            }
+          }
+        }
+      ]
+    },
+    "known_after_apply": {
+      "resource_changes": [
+        {
+          "address": "azurerm_key_vault_key.generated",
+          "mode": "managed",
+          "type": "azurerm_key_vault_key",
+          "name": "generated",
+          "provider_name": "registry.terraform.io/hashicorp/azurerm",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {},
+            "after_unknown": {
+                "expiration_date": true
+            }
+          }
+        }
+      ]
+    },
+    "invalid_omitted": {
+      "resource_changes": [
+        {
+          "address": "azurerm_key_vault_key.generated",
+          "mode": "managed",
+          "type": "azurerm_key_vault_key",
+          "name": "generated",
+          "provider_name": "registry.terraform.io/hashicorp/azurerm",
+          "change": {
+            "actions": [
+              "create"
+            ],
+            "after": {}
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/policy/checkov/KeyExpirationDate.rego b/policy/checkov/KeyExpirationDate.rego
@@ -0,0 +1,18 @@
+package checkov
+
+import rego.v1
+
+valid_azurerm_key_vault_key_has_expiration_date(resource) if {
+    resource.values.expiration_date == resource.values.expiration_date
+}
+
+valid_azurerm_key_vault_key_has_expiration_date(resource) if {
+    resource.after_unknown.expiration_date == resource.after_unknown.expiration_date
+}
+
+deny_CKV_AZURE_40 contains reason if {
+    resource := data.utils.resource(input, "azurerm_key_vault_key")[_]
+    not valid_azurerm_key_vault_key_has_expiration_date(resource)
+
+    reason := sprintf("checkov/CKV_AZURE_40: Ensure that the expiration date is set on all keys %s. https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py", [resource.address])
+}
diff --git a/policy/checkov/azurerm/KeyExpirationDate.py.bak b/policy/checkov/azurerm/KeyExpirationDate.py.bak
diff --git a/policy/checkov/azurerm/KeyExpirationDate.rego.bak b/policy/checkov/azurerm/KeyExpirationDate.rego.bak
diff --git a/policy/checkov/azurerm/KeyExpirationDate.tf.bak b/policy/checkov/azurerm/KeyExpirationDate.tf.bak
diff --git a/policy/checkov/severity.rego b/policy/checkov/severity.rego
@@ -0,0 +1,158 @@
+package checkov
+
+import rego.v1
+
+high_severity_rules := [
+	"CKV_AZURE_40",
+	"CKV_AZURE_49",
+	"CKV_AZURE_86",
+	"CKV_AZURE_85",
+	"CKV_AZURE_26",
+	"CKV_AZURE_25",
+	"CKV_AZURE_215",
+	"CKV_AZURE_223",
+	"CKV_AZURE_178",
+	"CKV2_AZURE_1",
+]
+
+medium_severity_rules := [
+	"CKV_AZURE_172",
+	"CKV_AZURE_173",
+	"CKV_AZURE_186",
+	"CKV_AZURE_187",
+	"CKV2_AZURE_28",
+	"CKV_AZURE_72",
+	"CKV_AZURE_217",
+	"CKV2_AZURE_24",
+	"CKV_AZURE_166",
+	"CKV_AZURE_164",
+	"CKV2_AZURE_43",
+	"CKV2_AZURE_44",
+	"CKV_AZURE_234",
+	"CKV2_AZURE_26",
+	"CKV2_AZURE_42",
+	"CKV_AZURE_201",
+	"CKV_AZURE_199",
+	"CKV2_AZURE_45",
+	"CKV2_AZURE_33",
+	"CKV2_AZURE_46",
+	"CKV_AZURE_52",
+	"CKV_AZURE_54",
+	"CKV_AZURE_105",
+	"CKV_AZURE_50",
+	"CKV_AZURE_163",
+	"CKV_AZURE_177",
+]
+
+low_severity_rules := [
+	"CKV_AZURE_125",
+	"CKV_AZURE_170",
+	"CKV_AZURE_188",
+	"CKV_AZURE_88",
+	"CKV_AZURE_95",
+	"CKV_AZURE_212",
+	"CKV_AZURE_214",
+	"CKV_AZURE_211",
+	"CKV_AZURE_13",
+	"CKV_AZURE_83",
+	"CKV_AZURE_81",
+	"CKV_AZURE_82",
+	"CKV_AZURE_80",
+	"CKV_AZURE_78",
+	"CKV_AZURE_218",
+	"CKV_AZURE_73",
+	"CKV_AZURE_76",
+	"CKV_AZURE_159",
+	"CKV_AZURE_152",
+	"CKV_AZURE_209",
+	"CKV_AZURE_208",
+	"CKV2_AZURE_22",
+	"CKV_AZURE_235",
+	"CKV_AZURE_167",
+	"CKV_AZURE_233",
+	"CKV_AZURE_237",
+	"CKV_AZURE_157",
+	"CKV2_AZURE_11",
+	"CKV_AZURE_180",
+	"CKV2_AZURE_15",
+	"CKV_AZURE_103",
+	"CKV2_AZURE_48",
+	"CKV_AZURE_56",
+	"CKV2_AZURE_32",
+	"CKV_AZURE_92",
+	"CKV_AZURE_150",
+	"CKV2_AZURE_37",
+	"CKV_AZURE_21",
+	"CKV_AZURE_136",
+	"CKV_AZURE_126",
+	"CKV_AZURE_196",
+	"CKV2_AZURE_25",
+	"CKV_AZURE_149",
+	"CKV2_AZURE_5",
+	"CKV2_AZURE_4",
+	"CKV2_AZURE_3",
+	"CKV_AZURE_156",
+	"CKV2_AZURE_7",
+	"CKV2_AZURE_18",
+	"CKV2_AZURE_38",
+	"CKV_AZURE_3",
+	"CKV_AZURE_206",
+	"CKV_AZURE_241",
+	"CKV_AZURE_240",
+	"CKV2_AZURE_9",
+	"CKV2_AZURE_31",
+	"CKV_AZURE_57",
+	"CKV_AZURE_62",
+	"CKV_AZURE_100",
+	"CKV_AZURE_111",
+	"CKV_AZURE_112",
+	"CKV_AZURE_114",
+	"CKV_AZURE_244",
+	"CKV_AZURE_93",
+	"CKV_AZURE_129",
+	"CKV2_AZURE_10",
+	"CKV_AZURE_94",
+	"CKV_AZURE_127",
+	"CKV_AZURE_96",
+	"CKV2_AZURE_16",
+	"CKV2_AZURE_17",
+	"CKV_AZURE_130",
+	"CKV_AZURE_128",
+	"CKV_AZURE_102",
+	"CKV_AZURE_43",
+	"CKV2_AZURE_14",
+	"CKV_AZURE_97",
+	"CKV2_AZURE_12",
+	"CKV_AZURE_179",
+	"CKV_AZURE_175",
+]
+
+info_severity_rules := [
+	"CKV2_AZURE_29",
+	"CKV_AZURE_71",
+	"CKV2_AZURE_30",
+	"CKV_AZURE_74",
+	"CKV_AZURE_75",
+	"CKV_AZURE_67",
+	"CKV_AZURE_42",
+	"CKV_AZURE_110",
+	"CKV_AZURE_19",
+	"CKV_AZURE_22",
+	"CKV_AZURE_61",
+	"CKV_AZURE_69",
+	"CKV_AZURE_87",
+	"CKV_AZURE_55",
+	"CKV_AZURE_79",
+	"CKV_AZURE_84",
+	"CKV_AZURE_131",
+	"CKV_AZURE_20",
+	"CKV2_AZURE_6",
+	"CKV_AZURE_27",
+	"CKV2_AZURE_2",
+	"CKV2_AZURE_13",
+	"CKV2_AZURE_27",
+	"CKV_AZURE_242",
+	"CKV2_AZURE_51",
+	"CKV2_AZURE_52",
+	"CKV_AZURE_2",
+]