Contributing a new Provider

In this example we’ll add support for a new Terraform Provider, the Linode Cloud platform.

Add resource checks for a new provider

This check is going to examine resources of the type: linode_instance, to ensure they have the property authorised_keys set.

Add a test

First create a new folder tests/terraform/checks/resource/linode/ and add test_authorised_keys.py with this:

import unittest

import hcl2
from checkov.terraform.checks.resource.linode.authorized_keys import check
from checkov.common.models.enums import CheckResult


class Testauthorized_keys(unittest.TestCase):

    def test_success(self):
        hcl_res = hcl2.loads("""
        resource "linode_instance" "test" {
        authorized_keys="1234355-12345-12-1213123"
        }
        """)
        resource_conf = hcl_res['resource'][0]['linode_instance']['test']
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.PASSED, scan_result)

    def test_failure(self):
        hcl_res = hcl2.loads("""
        resource "linode_instance" "test" {
        }
        """)
        resource_conf = hcl_res['resource'][0]['linode_instance']['test']
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)

if __name__ == '__main__':
    unittest.main()

Add a placeholder file at tests/terraform/checks/resource/linode/__init__.py

Add the check

Create the folder checkov/checkov/terraform/checks/resource/linode and add authorized_keys.py with:

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceCheck

class authorized_keys(BaseResourceCheck):
    def __init__(self):
        name = "Ensure SSH key set in authorized_keys"
        id = "CKV_LIN_2"
        supported_resources = ['linode_instance']
        categories = [CheckCategories.GENERAL_SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        if 'authorized_keys' in conf:
            if conf['authorized_keys']:
                return CheckResult.PASSED
        return CheckResult.FAILED


check = authorized_keys() 

And also add checkov/terraform/checks/resource/linode/__init__.py with:

from os.path import dirname, basename, isfile, join
import glob
modules = glob.glob(join(dirname(__file__), "*.py"))
__all__ = [ basename(f)[:-3] for f in modules if isfile(f) and not f.endswith('__init__.py')]

Include the checks

In checkov/terraform/checks/resource/__init__.py, update include Linode resources with the entry “from checkov.terraform.checks.resource.linode import * “.

This will ensure that this and any future Linode resource test are included in Checkov runs:

from checkov.terraform.checks.resource.gcp import *
from checkov.terraform.checks.resource.azure import *
from checkov.terraform.checks.resource.github import *
from checkov.terraform.checks.resource.linode import * 

Add new Provider checks

This Provider check verifies that the user hasn’t added their Linode token secret to their file. Adding that to a Public repository, well that would be bad, very bad.

Adding a test

Create the folder tests/terraform/checks/provider/linode/ and test_credentials.py

import unittest

from checkov.terraform.checks.provider.linode.credentials import check
from checkov.common.models.enums import CheckResult


class TestCredentials(unittest.TestCase):

    def test_success(self):
        provider_conf = {}

        scan_result = check.scan_provider_conf(conf=provider_conf)
        self.assertEqual(CheckResult.PASSED, scan_result)

    def test_failure(self):
        provider_conf = {'token' :['AKIAIOSFODNN7EXAMPLE']}
        scan_result = check.scan_provider_conf(conf=provider_conf)
        self.assertEqual(CheckResult.FAILED, scan_result)

if __name__ == '__main__':
    unittest.main()

Then add the placeholder tests/terraform/checks/provider/linode/__init__.py

Add the Provider check

Create a directory checkov/terraform/checks/provider/linode and add credentials.py

import re
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.provider.base_check import BaseProviderCheck
from checkov.common.models.consts import linode_token_pattern


class LinodeCredentials(BaseProviderCheck):

    def __init__(self):
        name = "Ensure no hard coded Linode tokens exist in provider"
        id = "CKV_LIN_1"
        supported_provider = ['linode']
        categories = [CheckCategories.SECRETS]
        super().__init__(name=name, id=id, categories=categories, supported_provider=supported_provider)

    def scan_provider_conf(self, conf):
        if self.secret_found(conf, "token", linode_token_pattern):
            return CheckResult.FAILED
        return CheckResult.PASSED

    @staticmethod
    def secret_found(conf, field, pattern):
        if field in conf.keys():
            value = conf[field][0]
            if re.match(pattern, value) is not None:
                return True
        return False


check = LinodeCredentials()

And also checkov/terraform/checks/provider/linode/__init__.py

Update the security constants checkov/common/models/consts.py with the new pattern.

SUPPORTED_FILE_EXTENSIONS = [".tf", ".yml", ".yaml", ".json", ".template"]
ANY_VALUE = "CKV_ANY"
DOCKER_IMAGE_REGEX = r'(?:[^\s\/]+/)?([^\s:]+):?([^\s]*)'
access_key_pattern = "(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])" # nosec
secret_key_pattern = "(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])" # nosec
linode_token_pattern ="(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{64}(?![A-Za-z0-9/+=])" # nosec

from os.path import dirname, basename, isfile, join
import glob

modules = glob.glob(join(dirname(__file__), "*.py"))
__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith('__init__.py')]

Include the Provider checks

Update checkov/terraform/checks/provider/__init__.py with “from checkov.terraform.checks.provider.linode import *” making it:

from checkov.terraform.checks.provider.aws import *
from checkov.terraform.checks.provider.linode import *

So there you have it, 2 new checks, one for the provider, one for your resource and a newly supported Terraform Provider.