From fe2631d24e3580f7a649011cd63fa0471cf2dda5 Mon Sep 17 00:00:00 2001
From: nacho <49342621+iheanachochukwu@users.noreply.github.com>
Date: Wed, 11 Sep 2024 18:20:30 +0100
Subject: [PATCH 1/5] Issue-6536: An example of implementing Checkovignore file to skip test on Azure DevOps
---
 checkovignore/.checkovignore | 17 +++++++ checkovignore/checkov_ignore.py | 37 +++++++++++++++ .../azure-pipelines-checkov-ignore.yml | 46 +++++++++++++++++++ tests/bicep/examples/checkovignore.bicep | 18 ++++++++ 4 files changed, 118 insertions(+)
 create mode 100644 checkovignore/.checkovignore
 create mode 100644 checkovignore/checkov_ignore.py
 create mode 100644 tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
 create mode 100644 tests/bicep/examples/checkovignore.bicep
diff --git a/checkovignore/.checkovignore b/checkovignore/.checkovignore
new file mode 100644
index 00000000000..d4f19a9662b
--- /dev/null
+++ b/checkovignore/.checkovignore
@@ -0,0 +1,17 @@
+# listed ruleIDs will be ignored from the scan results
+ignore:
+ - id: "CKV_AZURE_151"
+ expiry: "2025-07-09"
+ created: "2024-07-09"
+ reason: "Not Required"
+ guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption
+ - id: "CKV_AZURE_50"
+ expiry: "2025-07-09"
+ created: "2024-07-09"
+ reason: "No Extensions are Installed on VM"
+ guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-14
+ - id: "CKV_AZURE_97"
+ expiry: "2025-07-09"
+ created: "2024-07-09"
+ reason: "Resource is not a VMSS"
+ guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled
diff --git a/checkovignore/checkov_ignore.py b/checkovignore/checkov_ignore.py
new file mode 100644
index 00000000000..c39c503796e
--- /dev/null
+++ b/checkovignore/checkov_ignore.py
@@ -0,0 +1,37 @@
+import yaml
+from datetime import datetime
+
+def is_expired(expiry_date):
+ current_date = datetime.now().date()
+ expiry_date = datetime.strptime(expiry_date, "%Y-%m-%d").date()
+ return current_date > expiry_date
+
+try:
+ # Load the YAML content from the file
+ with open('.checkovignore', 'r') as file:
+ data = yaml.safe_load(file)
+
+ # Extract the 'id' values from the ignore list that are not expired
+ ids = [rule['id'] for rule in data['ignore'] if not is_expired(rule['expiry'])]
+
+ if ids:
+ # Join the ids into a comma-separated string
+ skip_checks = ','.join(ids)
+ else:
+ skip_checks = "null"
+
+ # Get the total number of ids
+ total_ids = len(ids)
+
+ # Print the results in a way that can be captured by the shell script
+ print(f"SKIP_CHECKS: {skip_checks}")
+ print(f"TOTAL_SKIPPED: {total_ids}")
+
+ # Set the pipeline variable for other tasks
+ print(f"##vso[task.setvariable variable=SKIP_CHECKS]{skip_checks}")
+
+except FileNotFoundError:
+ # Handle the case where the file is not found
+ skip_checks = "null"
+ print("[INFO], Checkov ignore file not found, assign SKIP_CHECKS as null, for error handling when running checkov scan...")
+ print(f"##vso[task.setvariable variable=SKIP_CHECKS]{skip_checks}")
diff --git a/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml b/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
new file mode 100644
index 00000000000..1a53748b8fa
--- /dev/null
+++ b/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
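Review bot: The check ids read from `.checkovignore` reach `print(f"##vso[task.setvariable variable=SKIP_CHECKS]{skip_checks}")` unvalidated, and the Run_Checkov_Scan step in the pipeline file added by this same patch expands `$(SKIP_CHECKS)` by macro substitution into an inline bash script, so the ignore file's contents become part of the command text rather than a plain argument; a check-id pattern applied before the value is emitted (and, on the pipeline side, reading the variable as `"$SKIP_CHECKS"` from the environment instead of the `$(...)` macro) confines it to a safe character set. Separately, `rule['expiry']` raises `KeyError` for an entry with no expiry and `strptime` raises `ValueError` on a malformed date (or `TypeError` when the date is left unquoted, since `yaml.safe_load` then yields a `date`), none of which the `except FileNotFoundError` covers, so the task dies with a traceback instead of a message. An entry without an expiry should be rejected rather than treated as a permanent suppression. The sketch below adds a per-rule validator covering both points; it needs `re` imported alongside `yaml`.

```python
CHECK_ID = re.compile(r"^CKV2?_[A-Z0-9]+_[0-9]+$")  # constructed pattern: widen if custom check ids are in use

def is_expired(expiry_date):
    """True when the quoted YYYY-MM-DD expiry is in the past; rejects anything that is not a string."""
    if not isinstance(expiry_date, str):
        raise ValueError(f"expiry must be a quoted YYYY-MM-DD string, got {expiry_date!r}")
    return datetime.now().date() > datetime.strptime(expiry_date, "%Y-%m-%d").date()

def active_id(rule):
    """Return the rule's check id, or None once it has expired; malformed entries raise."""
    rule_id = str(rule.get("id", ""))
    if not CHECK_ID.match(rule_id):
        raise ValueError(f"rejecting non check-id value in .checkovignore: {rule_id!r}")
    if "expiry" not in rule:
        raise ValueError(f"{rule_id}: every ignore entry must carry an expiry date")
    return None if is_expired(rule["expiry"]) else rule_id

# … unchanged: open('.checkovignore') / yaml.safe_load …
    ids = [i for i in map(active_id, (data or {}).get("ignore") or []) if i]
# … unchanged: join, print and setvariable lines …
```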
@@ -0,0 +1,46 @@
+variables:
+ templateFile: '$(Build.Repository.LocalPath)/tests/bicep/examples/checkovignore.bicep'
+ templateFileDir: '$(Build.Repository.LocalPath)/tests/bicep/examples'
+ iacReportScriptFolder: '$(Build.Repository.LocalPath)/checkovignore'
+
+name: 'CheckovIgnore-$(SourceBranchName)-$(Date:yyyyMMdd)$(Rev:r)'
+
+pool: 'linux-agent-pool'
+
+stages:
+- stage: checkov_scan
+ displayName: checkov scan
+ jobs:
+ - job: checkov_scan
+ displayName: checkov scan
+ steps:
+ # Checkov Ignore Checks
+ - task: Bash@3
+ name: Checkov_Ignore_Checks
+ inputs:
+ targetType: 'inline'
+ script: |
+ python3 checkov_ignore.py
+ workingDirectory: '$(iacReportScriptFolder)'
+ displayName: "Checkov Ignore Checks"
+
+ # Run Checkov Scan
+ - task: Bash@3
+ name: Run_Checkov_Scan
+ inputs:
+ targetType: 'inline'
+ script: |
+ echo "[INFO], Running Checkov scan..."
+ checkov --directory $(templateFileDir) --file $(templateFile) --framework bicep --soft-fail --quiet --compact --output junitxml \
+ --output-file-path $(System.DefaultWorkingDirectory)/ --skip-check $(SKIP_CHECKS) > results_checkov.xml
+ displayName: "Run Checkov for Compliance check"
+
+ # Publish Scan Result
+ - task: PublishTestResults@2
+ inputs:
+ testRunTitle: "Checkov Results"
+ failTaskOnFailedTests: true
+ testResultsFormat: "JUnit"
+ testResultsFiles: "results_checkov.xml"
+ searchFolder: "$(System.DefaultWorkingDirectory)"
+ displayName: "Publish Test results"
\ No newline at end of file
diff --git a/tests/bicep/examples/checkovignore.bicep b/tests/bicep/examples/checkovignore.bicep
new file mode 100644
index 00000000000..b24597f7a8b
--- /dev/null
+++ b/tests/bicep/examples/checkovignore.bicep
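Review bot: The Run_Checkov_Scan step always passes `--skip-check $(SKIP_CHECKS)`, so when the ignore script found nothing checkov is handed `--skip-check null` and the example depends on an unknown check id being silently tolerated; building the option only when the variable holds ids, e.g. `SKIP_OPT=""; [ "$SKIP_CHECKS" != "null" ] && SKIP_OPT="--skip-check $SKIP_CHECKS"` followed by `$SKIP_OPT` in the command, drops the sentinel and keeps the script honest. The same line both redirects stdout to `results_checkov.xml` and sets `--output-file-path`, so it looks as if two result files are produced and only the redirected one is published; if the file checkov writes is the intended artifact, the redirect should go. Nothing in the file says where `SKIP_CHECKS` comes from, so a comment on the `variables:` block such as `# SKIP_CHECKS is set at runtime by the Checkov_Ignore_Checks step via ##vso[task.setvariable]` would save the next reader a search.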
@@ -0,0 +1,18 @@
+param storageAccountName string
+param location string = resourceGroup().location
+param tags object
+
+resource storageAccountResource 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+ name: storageAccountName
+ location: location
+ kind: 'StorageV2'
+ sku: {
+ name: 'Standard_GRS'
+ }
+ properties: {
+ allowBlobPublicAccess: false
+ minimumTlsVersion: 'TLS1_2'
+ supportsHttpsTrafficOnly: true
+ }
+ tags: tags
+}
From bb9b1f64674af2f725a22f25400a1ca13b3d40a0 Mon Sep 17 00:00:00 2001
From: nacho <49342621+iheanachochukwu@users.noreply.github.com>
Date: Wed, 11 Sep 2024 18:27:11 +0100
Subject: [PATCH 2/5] Issue-6536: update checks to a file
---
 .../azure_pipelines/examples/azure-pipelines-checkov-ignore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml b/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
index 1a53748b8fa..fbcff355b6f 100644
--- a/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
+++ b/tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml
@@ -31,7 +31,7 @@ stages:
 targetType: 'inline'
 script: |
 echo "[INFO], Running Checkov scan..."
- checkov --directory $(templateFileDir) --file $(templateFile) --framework bicep --soft-fail --quiet --compact --output junitxml \
+ checkov --file $(templateFile) --framework bicep --soft-fail --quiet --compact --output junitxml \
 --output-file-path $(System.DefaultWorkingDirectory)/ --skip-check $(SKIP_CHECKS) > results_checkov.xml
 displayName: "Run Checkov for Compliance check"
From 77299af0f2e6b4100ce70771a1757958c9e70a28 Mon Sep 17 00:00:00 2001
From: nacho <49342621+iheanachochukwu@users.noreply.github.com>
Date: Wed, 11 Sep 2024 18:35:45 +0100
Subject: [PATCH 3/5] Issue-6536: skip checks for CKV_AZURE_35 and CKV_AZURE_50 using .checkovignore file
---
 checkovignore/.checkovignore | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-)
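Review bot: The fixture does not say which checks it is meant to trip, so a reader cannot tell whether the absence of a `networkAcls` default-deny rule (the subject of CKV_AZURE_35, which a later patch in this series adds to `.checkovignore`) is an oversight or the point of the example. A header comment such as `// Test fixture: networkAcls is intentionally left unset so CKV_AZURE_35 fires and the .checkovignore skip can be exercised` would settle that, and would also tell a future editor not to "fix" the resource. The TLS, HTTPS-only and public-access settings are already set to the hardened values, so the fixture is presumably meant to fail only the skipped checks; confirm that matches the pipeline's `failTaskOnFailedTests: true` expectation.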
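Review bot: With `--directory $(templateFileDir)` removed from the Run_Checkov_Scan command, the `templateFileDir` entry in the `variables:` block (outside this hunk, near the top of the file) is no longer referenced anywhere in the pipeline. Either drop that variable or add a comment stating what it is kept for, so the next reader does not assume a directory scan still happens alongside the single-file one.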
diff --git a/checkovignore/.checkovignore b/checkovignore/.checkovignore index d4f19a9662b..99fd6b4f02c 100644 --- a/checkovignore/.checkovignore +++ b/checkovignore/.checkovignore @@ -1,17 +1,12 @@ -# listed ruleIDs will be ignored from the scan results +# listed ruleIDs will be ignored from the scan results, if expiry date is in the future ignore: - - id: "CKV_AZURE_151" + - id: "CKV_AZURE_35" expiry: "2025-07-09" created: "2024-07-09" - reason: "Not Required" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption + reason: "Testing Skip Checks using checkovignore file" + guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny - id: "CKV_AZURE_50" expiry: "2025-07-09" created: "2024-07-09" - reason: "No Extensions are Installed on VM" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-14 - - id: "CKV_AZURE_97" - expiry: "2025-07-09" - created: "2024-07-09" - reason: "Resource is not a VMSS" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled + reason: "Testing Skip Checks using checkovignore file" + guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled From 2334fa60b4e9dfb5bb211813aacd0a08a1e9ede0 Mon Sep 17 00:00:00 2001 
From: nacho <49342621+iheanachochukwu@users.noreply.github.com> Date: Wed, 11 Sep 2024 18:39:53 +0100 Subject: [PATCH 4/5] Issue-6536: skip checks for CKV_AZURE_35 and CKV_AZURE_43 using .checkovignore file --- checkovignore/.checkovignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checkovignore/.checkovignore b/checkovignore/.checkovignore index 99fd6b4f02c..6de7cb9aebc 100644 --- a/checkovignore/.checkovignore +++ b/checkovignore/.checkovignore @@ -5,8 +5,8 @@ ignore: created: "2024-07-09" reason: "Testing Skip Checks using checkovignore file" guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny - - id: "CKV_AZURE_50" + - id: "CKV_AZURE_43" expiry: "2025-07-09" created: "2024-07-09" reason: "Testing Skip Checks using checkovignore file" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled + guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled \ No newline at end of file From 59bb2c55d5fe189085798601d221359a42aea5a6 Mon Sep 17 00:00:00 2001 From: nacho <49342621+iheanachochukwu@users.noreply.github.com> Date: Wed, 11 Sep 2024 18:51:02 +0100 Subject: [PATCH 5/5] Issue-6536: skip checks for CKV_AZURE_35 and CKV_AZURE_43 using .checkovignore file --- checkovignore/.checkovignore | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/checkovignore/.checkovignore b/checkovignore/.checkovignore index 6de7cb9aebc..07d93244bee 100644 --- a/checkovignore/.checkovignore +++ b/checkovignore/.checkovignore 
@@ -3,10 +3,6 @@ ignore: - id: "CKV_AZURE_35" expiry: "2025-07-09" created: "2024-07-09" - reason: "Testing Skip Checks using checkovignore file" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny - id: "CKV_AZURE_43" expiry: "2025-07-09" - created: "2024-07-09" - reason: "Testing Skip Checks using checkovignore file" - guideline: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled \ No newline at end of file + created: "2024-07-09" \ No newline at end of file
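Review bot: Removing `reason` (and `guideline`) from both entries leaves each suppression with only an id and two dates, so the file no longer records why a check is skipped, which is the one field anyone auditing a suppressed finding needs. Keeping `reason` in the example, even with a placeholder such as `reason: "<why this check does not apply>"`, models the practice for everyone who copies the template. The script in `checkovignore/checkov_ignore.py` only reads `id` and `expiry`, so nothing breaks either way; the example is simply the only documentation of the expected schema.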