feat(terraform): Adding YAML based build time policies for corresponding PC runtime policies #5714
Conversation
@praveen-panw Thanks for the new checks 🏅 Do let me know if you need any assistance with the tests 🙂
Hello @Saarett, Just fixed them. Thank you for reaching out. 🙌🏻
Nice work, just some small comments
Review comments (since resolved) on:
- checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml
- checkov/terraform/checks/graph_checks/ibm/IBM_AppLBforVPCisPrivate.yaml (two comments)
great work as always 🍻
Thank you @gruebel! 🍻
🥇
…ing PC runtime policies (bridgecrewio#5714)
* Added 5 Azure and 2 IBM policies
* Updated the 'test_yaml_policies.py' file with new policies
* Updated Terraform files with skip secrets comments
* Added comments to skip secrets validation
* Fixed expected.yaml of AzureSynapseWorkspaceVAisEnabled policy
* Updated title for CKV2_IBM_1 and modified it to work for any type of load balancer
* Updated title of CKV2_AZURE_45 as per request
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
This PR has 7 YAML-based checks, with detailed descriptions below.
1. Checkov Title - Ensure Azure PostgreSQL server is configured with private endpoint
PC Policy ID - d670580e-266a-44bb-9f31-6d3dd548eb68
PC Policy Title - Azure PostgreSQL servers not configured with private endpoint
PC Policy Description - This policy identifies Azure PostgreSQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure PostgreSQL database.
Compliance standards -
NA
Remediation:
Refer to the link below for the step-by-step process:
https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-privatelink-portal
2. Checkov Title - Ensure Azure MariaDB server is configured with private endpoint
PC Policy ID - 4c9e653c-2110-4719-b333-be3d8d078b71
PC Policy Title - Azure Database for MariaDB not configured with private endpoint
PC Policy Description - This policy identifies Azure MariaDB database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure MariaDB database.
Compliance standards -
NA
Remediation:
To configure a private endpoint for MariaDB, follow the URL below:
https://learn.microsoft.com/en-us/azure/mariadb/howto-configure-privatelink-portal
3. Checkov Title - Ensure Azure MySQL server is configured with private endpoint
PC Policy ID - 19c4d9f1-a1fd-4e53-a3ca-4eedc720ec36
PC Policy Title - Azure Database for MySQL server not configured with private endpoint
PC Policy Description - This policy identifies Azure MySQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure MySQL database.
Compliance standards -
NA
Remediation:
Refer to the link below for the step-by-step process:
https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-private-link-cli
4. Checkov Title - Ensure that Azure Synapse Workspace vulnerability assessment is enabled
PC Policy ID - f0f026d1-72ee-47dd-9543-53fe130f2471
PC Policy Title - Azure Synapse Workspace vulnerability assessment is disabled
PC Policy Description - This policy identifies Azure Synapse workspaces which have the Vulnerability Assessment setting disabled. The Vulnerability Assessment service scans Synapse workspaces for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. It is recommended to enable Vulnerability Assessment on Synapse workspaces.
Compliance standards -
NA
Remediation:
To configure vulnerability assessment for your existing Azure Synapse workspace, follow the steps below:
5 To configure vulnerability assessments to automatically run periodic scans, set Periodic recurring scans to On.
5. Checkov Title - Ensure Azure SQL server is configured with private endpoint
PC Policy ID - 857ef0a9-b6e1-4a2a-9ac5-6de2ef0052ec
PC Policy Title - Azure SQL Database server not configured with private endpoint
PC Policy Description - This policy identifies Azure SQL database servers that are not configured with private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for SQL. Configuring a private endpoint enables access to traffic coming from only known networks and prevents access from malicious or unknown IP addresses which includes IP addresses within Azure. It is recommended to create private endpoint for secure communication for your Azure SQL database.
Compliance standards -
NA
Remediation:
Refer to the link below for the step-by-step process:
https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal
6. Checkov Title - Ensure application load balancer for VPC is private (disable public access)
PC Policy ID - 585fd941-88ca-4c5d-b79b-961ca61fd2ea
PC Policy Title - IBM Cloud Application Load Balancer for VPC has public access enabled
PC Policy Description - This policy identifies IBM Cloud Application Load Balancer for VPC which has public access enabled. Creating a load balancer with public access will lead to unexpected malicious requests getting sent to the public DNS address assigned. A private load balancer is only accessible from within a specific virtual private cloud (VPC). It is highly recommended to use load balancers of type private to protect from unauthorized access.
Compliance standards -
NA
Remediation:
A load balancer can be made private only at the time of creation. To create a private application load balancer, follow the URL below:
https://cloud.ibm.com/docs/vpc?topic=vpc-load-balancer&interface=ui
Make sure to select 'Private' for the load balancer 'Type' under the 'details' section.
Note: Please make sure to create the new load balancer in accordance with the alerted resource. Also update the load balancer reference at all clients/places of usage with the newly created load balancer.
7. Checkov Title - Ensure VPC classic access is disabled
PC Policy ID - e712ade9-87d3-4937-854d-604fa5c23cd6
PC Policy Title - IBM Cloud Virtual Private Cloud (VPC) classic access is enabled
PC Policy Description - This policy identifies IBM Virtual Private Clouds where access to classic resources is enabled. If classic access is enabled, one can access and communicate with IBM Cloud classic infrastructure and network from the VPC. Classic access should be disabled initially.
Compliance standards -
NA
Remediation:
Refer to https://cloud.ibm.com/docs/vpc?topic=vpc-deleting-vpc-resources&interface=ui to safely delete the affected VPC. Note: A VPC must be set up for classic access when it is created, and it cannot be updated to add or remove classic access.
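As an added illustration of the YAML graph-check format these build-time policies use (this is not one of the PR's own check files; the check id is a placeholder and the `azurerm_postgresql_server` / `azurerm_private_endpoint` resource type names are assumed from the azurerm Terraform provider), a check for policy 1 that flags a PostgreSQL server with no private endpoint connected to it in the Terraform graph:

```yaml
# Added example, not part of this PR. The id is a placeholder; the resource
# type names are the azurerm provider's and are assumed here.
metadata:
  id: "CKV2_AZURE_PLACEHOLDER"
  name: "Ensure Azure PostgreSQL server is configured with private endpoint"
  category: "NETWORKING"
definition:
  and:
    # The graph edge comes from an azurerm_private_endpoint whose
    # private_service_connection.private_connection_resource_id references
    # azurerm_postgresql_server.<name>.id. A server with no such edge fails.
    - cond_type: "connection"
      resource_types:
        - "azurerm_postgresql_server"
      connected_resource_types:
        - "azurerm_private_endpoint"
      operator: "exists"
    # Report only the PostgreSQL servers, not the private endpoint resources
    # that took part in the connection check.
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "azurerm_postgresql_server"
      operator: "within"
```

The same connection-plus-filter shape, with the resource types swapped, covers the MariaDB, MySQL and SQL server private endpoint policies above; the IBM checks are plain attribute checks on the load balancer type and the VPC classic-access flag.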