Skip to content

fix(terraform): Update CKV_AZURE_167 to correct check on retention policy #15102

fix(terraform): Update CKV_AZURE_167 to correct check on retention policy

fix(terraform): Update CKV_AZURE_167 to correct check on retention policy #15102

Workflow file for this run

name: PR Test
on: pull_request
permissions:
contents: read
jobs:
lint:
uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main
with:
python-version: "3.9"
danger-check:
runs-on: [ self-hosted, public, linux, x64 ]
permissions:
contents: read
pull-requests: read
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: Install Node.js
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
with:
node-version: "16"
- name: Install and run DangerJS
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npm install -g danger
danger ci --verbose --failOnErrors
cfn-lint:
runs-on: ubuntu-latest
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Get changed CFN test files
id: changed-files-specific
uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44
with:
files: tests/cloudformation/checks/resource/aws/**/*
- name: Filter YAML and JSON files
if: steps.changed-files-specific.outputs.any_changed == 'true'
id: filter-files
run: |
YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} | tr ' ' '\n' | grep -E '\.ya?ml$|\.json$' | tr '\n' ' ')
if [ -n "$YAML_JSON_FILES" ]; then
echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV"
fi
- name: Install cfn-lint & Lint Cloudformation templates
if: env.YAML_JSON_FILES != ''
run: |
pip install -U cfn-lint
for file in $YAML_JSON_FILES; do
cfn-lint "$file" -i W
done
mypy:
uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main
with:
python-version: "3.8"
unit-tests:
strategy:
fail-fast: true
matrix:
python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
if [ '${{ matrix.python }}' == '3.12' ]; then
# needed for numpy
python -m pip install --no-cache-dir --upgrade pipenv==2024.0.3
else
python -m pip install --no-cache-dir --upgrade pipenv
fi
- name: Install dependencies
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
if [ '${{ matrix.python }}' == '3.12' ]; then
# needed for numpy
pipenv install --skip-lock --dev -v
else
pipenv install --dev -v
fi
# list all dependencies to get a better view about installed package versions
pipenv run pip list
- name: Unit tests
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: pipenv run python -m pytest tests
integration-tests:
strategy:
fail-fast: true
matrix:
python: ["3.10", "3.11", "3.12"]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
if: ${{ runner.os != 'windows' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
shell: bash
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone Terragoat - vulnerable terraform
run: git clone https://github.com/bridgecrewio/terragoat
- name: Clone Cfngoat - vulnerable cloudformation
run: git clone https://github.com/bridgecrewio/cfngoat
- name: Clone Kubernetes-goat - vulnerable kubernetes
run: git clone https://github.com/madhuakula/kubernetes-goat
- name: Clone kustomize-goat - vulnerable kustomize
run: git clone https://github.com/bridgecrewio/kustomizegoat
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
run: |
# Just making sure the API key tests don't run on PRs
bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8'
- name: Run integration tests
run: |
pipenv run pytest integration_tests -k 'not api_key'
integration-tests-old-python:
strategy:
fail-fast: true
matrix:
python: ["3.8", "3.9"]
os: [ubuntu-latest, macos-12, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
if: ${{ runner.os != 'windows' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
shell: bash
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone Terragoat - vulnerable terraform
run: git clone https://github.com/bridgecrewio/terragoat
- name: Clone Cfngoat - vulnerable cloudformation
run: git clone https://github.com/bridgecrewio/cfngoat
- name: Clone Kubernetes-goat - vulnerable kubernetes
run: git clone https://github.com/madhuakula/kubernetes-goat
- name: Clone kustomize-goat - vulnerable kustomize
run: git clone https://github.com/bridgecrewio/kustomizegoat
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
run: |
# Just making sure the API key tests don't run on PRs
bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8'
- name: Run integration tests
run: |
pipenv run pytest integration_tests -k 'not api_key'
sast-integration-tests:
strategy:
fail-fast: true
matrix:
python: ["3.12"]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone flask - Python repo for SAST
run: git clone https://github.com/pallets/flask
- name: Clone WebGoat - Java repo for SAST
run: git clone https://github.com/WebGoat/WebGoat
- name: Clone axios - JavaScript repo for SAST
run: git clone https://github.com/axios/axios
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: bash -c './sast_integration_tests/prepare_data.sh'
- name: Run integration tests
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: |
pipenv run pytest sast_integration_tests
sast-integration-tests-old-python:
strategy:
fail-fast: true
matrix:
python: ["3.8"]
os: [ubuntu-latest, macos-12]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone flask - Python repo for SAST
run: git clone https://github.com/pallets/flask
- name: Clone WebGoat - Java repo for SAST
run: git clone https://github.com/WebGoat/WebGoat
- name: Clone axios - JavaScript repo for SAST
run: git clone https://github.com/axios/axios
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: bash -c './sast_integration_tests/prepare_data.sh'
- name: Run integration tests
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: |
pipenv run pytest sast_integration_tests
cdk-integration-tests:
strategy:
fail-fast: true
matrix:
python: ["3.12"]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: bash -c './cdk_integration_tests/prepare_data.sh'
- name: Run integration tests
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: |
pipenv run pytest cdk_integration_tests
cdk-integration-tests-old-python:
strategy:
fail-fast: true
matrix:
python: ["3.8"]
os: [ubuntu-latest, macos-12]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ matrix.python }}
allow-prereleases: true
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist setuptools wheel
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: bash -c './cdk_integration_tests/prepare_data.sh'
- name: Run integration tests
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
if: env.BC_API_KEY != null
run: |
pipenv run pytest cdk_integration_tests
performance-tests:
env:
PYTHON_VERSION: "3.8"
working-directory: ./performance_tests
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ env.PYTHON_VERSION }}
# 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version
pipenv run pip install pytest pytest-benchmark py
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone terraform-aws-components
run: git clone --branch 0.182.0 https://github.com/cloudposse/terraform-aws-components.git
working-directory: ${{ env.working-directory }}
- name: Clone aws-cloudformation-templates
run: git clone --branch 0.0.1 https://github.com/awslabs/aws-cloudformation-templates.git
working-directory: ${{ env.working-directory }}
- name: Clone kubernetes-yaml-templates
run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git
working-directory: ${{ env.working-directory }}
# TODO: migrate to separate performance tests
# - name: Clone Python-Mini-Projects
# run: git clone https://github.com/alimoustafa2000/Python-Mini-Projects.git
# working-directory: ${{ env.working-directory }}
# - name: Clone NodeJs
# run: git clone https://github.com/harshitbansal373/NodeJs.git
# working-directory: ${{ env.working-directory }}
# - name: Clone Mini-Project-using-Java
# run: git clone https://github.com/ikanurfitriani/Mini-Project-using-Java.git
# working-directory: ${{ env.working-directory }}
- name: Run performance tests
run: |
pipenv run pytest
working-directory: ${{ env.working-directory }}
dogfood-tests:
runs-on: ubuntu-latest
env:
PYTHON_VERSION: "3.8"
WORKING_DIRECTORY: ./dogfood_tests
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "pipenv"
cache-dependency-path: "Pipfile.lock"
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv run pip install pytest pytest-xdist
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Run dogfood tests
run: |
pipenv run pytest
working-directory: ${{ env.WORKING_DIRECTORY }}