new rule for CKV_AZURE_138
lonegunmanb committed Mar 6, 2025
1 parent a034653 commit bf1a7f7
Showing 94 changed files with 213 additions and 2,080 deletions.
File renamed without changes.
File renamed without changes.
File renamed without changes.
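--- a/policy/checkov/ACRAnonymousPullDisabled.azapi.mock.json
+++ b/policy/checkov/ACRAnonymousPullDisabled.azapi.mock.json
@@ -0,0 +1,119 @@
+{
+"mock": {
+"basic": {
+"resource_changes": [{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerRegistry/registries@2023-11-01-preview",
+"body": {
+"properties": {
+"anonymousPullEnabled": false
+},
+"sku": {
+"name": "Basic"
+}
+}
+}
+}
+}]
+},
+"standard_without_anonymous_pull_enabled": {
+"resource_changes": [{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerRegistry/registries@2023-11-01-preview",
+"body": {
+"properties": {
+"anonymousPullEnabled": false
+},
+"sku": {
+"name": "Standard"
+}
+}
+}
+}
+}]
+},
+"premium_without_anonymous_pull_enabled_false": {
+"resource_changes": [{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerRegistry/registries@2023-11-01-preview",
+"body": {
+"properties": {
+"anonymousPullEnabled": false
+},
+"sku": {
+"name": "Premium"
+}
+}
+}
+}
+}]
+},
+"invalid_standard": {
+"resource_changes": [{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerRegistry/registries@2023-11-01-preview",
+"body": {
+"properties": {
+"anonymousPullEnabled": true
+},
+"sku": {
+"name": "Standard"
+}
+}
+}
+}
+}]
+},
+"invalid_premium": {
+"resource_changes": [{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azapi_resource",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"type": "Microsoft.ContainerRegistry/registries@2023-11-01-preview",
+"body": {
+"properties": {
+"anonymousPullEnabled": true
+},
+"sku": {
+"name": "Premium"
+}
+}
+}
+}
+}]
+}
+}
+}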
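Review bot: Every valid case in this mock sets `anonymousPullEnabled` to `false` explicitly, including the ones named `standard_without_anonymous_pull_enabled` and `premium_without_anonymous_pull_enabled_false`, so the path where the property is omitted from `body.properties` is never exercised. As far as the helper body visible in the rego section of this commit goes, only an explicit `false` is accepted, so a registry that leaves the property out would presumably be denied; a case with an empty `"properties": {}` object would pin whichever outcome is intended. The `address` values read `azurerm_container_registry.example` although `type` is `azapi_resource`, which looks like a carry-over from the azurerm mock; `azapi_resource.example` would be clearer. The case name `premium_without_anonymous_pull_enabled_false` in `ACRAnonymousPullDisabled.mock.json` has the same mismatch, since that case does set the attribute to `false`.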
Expand Up @@ -16,9 +16,9 @@ valid_azapi_container_registry_anonymous_pull_disabled(resource) if {
resource.body.properties.anonymousPullEnabled == false
}

deny_CKV_AZURE_138_azapi contains reason if {
deny_CKV_AZURE_138 contains reason if {
resource := data.utils.resource(input, "azapi_resource")[_]
resource.type == "Microsoft.ContainerRegistry/registries"
data.utils.is_azure_type(resource.values, "Microsoft.ContainerRegistry/registries")
not valid_azapi_container_registry_anonymous_pull_disabled(resource)
reason := sprintf("checkov/CKV_AZURE_138: Ensures that ACR disables anonymous pulling of images. https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py")
}
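Review bot: The new type check reads `resource.values`, while the helper just above reads `resource.body.properties.anonymousPullEnabled` directly off `resource`, so the two conditions appear to look at different levels of the same object. `data.utils.resource` and `data.utils.is_azure_type` are defined outside this page, so which level is correct cannot be confirmed from here; if `resource.values` is undefined the rule body never matches and the check passes silently, and if `resource.body` is undefined every registry is denied, compliant or not. It is worth confirming that the `invalid_standard` and `invalid_premium` mock cases actually produce a deny and the three valid cases do not. Separately, the `reason` string carries no resource address, so several offending registries would collapse into a single set member and the finding would not say which one to fix. The helper's body starts above the hunk.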
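--- a/policy/checkov/ACRAnonymousPullDisabled.mock.json
+++ b/policy/checkov/ACRAnonymousPullDisabled.mock.json
@@ -0,0 +1,92 @@
+{
+"mock" : {
+"basic": {
+"resource_changes": [
+{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azurerm_container_registry",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"sku": "Basic"
+}
+}
+}
+]
+},
+"standard_without_anonymous_pull_enabled": {
+"resource_changes": [
+{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azurerm_container_registry",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"sku": "Standard"
+}
+}
+}
+]
+},
+"premium_without_anonymous_pull_enabled_false": {
+"resource_changes": [
+{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azurerm_container_registry",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"anonymous_pull_enabled": false,
+"sku": "Premium"
+}
+}
+}
+]
+},
+"invalid_standard": {
+"resource_changes": [
+{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azurerm_container_registry",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"anonymous_pull_enabled": true,
+"sku": "Standard"
+}
+}
+}
+]
+},
+"invalid_premium": {
+"resource_changes": [
+{
+"address": "azurerm_container_registry.example",
+"mode": "managed",
+"type": "azurerm_container_registry",
+"change": {
+"actions": [
+"create"
+],
+"after": {
+"anonymous_pull_enabled": true,
+"sku": "Premium"
+}
+}
+}
+]
+}
+}
+}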
File renamed without changes.
File renamed without changes.

This file was deleted.

32 changes: 0 additions & 32 deletions policy/checkov/azurerm/ACRAnonymousPullDisabled.mock.json.bak

This file was deleted.

This file was deleted.

This file was deleted.

24 changes: 0 additions & 24 deletions policy/checkov/azurerm/AKSDashboardDisabled.azapi.mock.json.bak

This file was deleted.

This file was deleted.
