Bridgecrew.io
  • About Bridgecrew by Prisma Cloud
Checkov home
  • Docs
    • Quick start
    • Overview
    • Integrations
  • Download
  • Try Bridgecrew
  • Docs
    • Quick start
    • Overview
    • Integrations

Checkov Documentation

  • 1.Welcome
    • What is Checkov?
    • Terms and Concepts
    • Quick Start
    • Feature Descriptions
  • 2.Basics
    • Installing Checkov
    • CLI Command Reference
    • Suppressing and Skipping Policies
    • Hard and soft fail
    • Scanning Credentials and Secrets
    • Reviewing Scan Results
    • Visualizing Checkov Output
    • Handling Variables
  • 3.Custom Policies
    • Custom Policies Overview
    • Python Custom Policies
    • YAML Custom Policies
    • Custom YAML Policies Examples
    • Sharing Custom Policies
  • 4.Integrations
    • Jenkins
    • Bitbucket Cloud Pipelines
    • GitHub Actions
    • GitLab CI
    • Kubernetes
    • Pre-Commit
    • Docker
  • 5.Policy Index
    • all resource scans
    • ansible resource scans
    • argo_workflows resource scans
    • arm resource scans
    • azure_pipelines resource scans
    • bicep resource scans
    • bitbucket_configuration resource scans
    • bitbucket_pipelines resource scans
    • circleci_pipelines resource scans
    • cloudformation resource scans
    • dockerfile resource scans
    • github_actions resource scans
    • github_configuration resource scans
    • gitlab_ci resource scans
    • gitlab_configuration resource scans
    • kubernetes resource scans
    • openapi resource scans
    • secrets resource scans
    • serverless resource scans
    • terraform resource scans
  • 6.Contribution
    • Checkov Runner Contribution Guide
    • Implementing CI Metadata extractor
    • Implementing ImageReferencer
    • Contribution Overview
    • Contribute Python-Based Policies
    • Contribute YAML-based Policies
    • Contribute New Terraform Provider
    • Contribute New Argo Workflows configuration policy
    • Contribute New Azure Pipelines configuration policy
    • Contribute New Bitbucket configuration policy
    • Contribute New GitHub configuration policy
      • Add new API call to fetch data from GitHub
        • Add an API call
        • Add a Check
        • Adding a Test
    • Contribute New Gitlab configuration policy
  • 7.Scan Examples
    • Terraform Plan Scanning
    • Terraform Scanning
    • Helm
    • Kustomize
    • AWS SAM configuration scanning
    • Ansible configuration scanning
    • Argo Workflows configuration scanning
    • Azure ARM templates configuration scanning
    • Azure Pipelines configuration scanning
    • Azure Bicep configuration scanning
    • Bitbucket configuration scanning
    • AWS CDK configuration scanning
    • Cloudformation configuration scanning
    • Dockerfile configuration scanning
    • GitHub configuration scanning
    • Gitlab configuration scanning
    • Kubernetes configuration scanning
    • OpenAPI configuration scanning
    • SCA scanning
    • Serverless framework configuration scanning
  • 8.Outputs
    • CSV
    • CycloneDX BOM
    • GitLab SAST
    • JUnit XML
    • SARIF
  • 9.Level up
    • Upgrade from Checkov to Bridgecrew
  • Docs
  • 6.contribution
  • Contribute New GitHub configuration policy
Edit on GitHub

Contribute New GitHub configuration policy

In this example, we’ll add support for a new GitHub configuration check.

Add new API call to fetch data from GitHub

We are going to add a new check that will examine how branch protection rules are configured and validate we enforce protection rules on admin users too.

Add an API call

First, we will validate if the GitHub API call that GETs the branch protection current state exists in checkov/github/dal.py. If not it can be added to that file like the following example:


class GitHub(BaseVCSDAL):
    ...
    ...
    def setup_conf_dir(self) -> None:
        ...
        self.github_conf_file_paths = {
            "branch_protection_rules": [Path(self.github_conf_dir_path) / "branch_protection_rules.json"],
            ...
        }
        
    def get_branch_protection_rules(self):
        if self.current_branch and self.current_repository:
            branch_protection_rules = self._request(
                endpoint="repos/{}/branches/{}/protection".format(self.current_repository, self.current_branch))
            return branch_protection_rules
        return None
    
    def persist_branch_protection_rules(self):
        data = self.get_branch_protection_rules()
        if data:
            BaseVCSDAL.persist(path=self.github_conf_file_paths["branch_protection_rules"][0], conf=data)        
    
    def persist_all_confs(self):
        if strtobool(os.getenv("CKV_GITHUB_CONFIG_FETCH_DATA", "True")):
            self.persist_organization_security()
            self.persist_branch_protection_rules()

Add a Check

Go to checkov/github/checks and add enforce_branch_protection_on_admins.py:

from checkov.github.base_github_branch_security import BranchSecurity


class GithubBranchEnforceAdmins(BranchSecurity):
    def __init__(self):
        name = "Ensure GitHub branch protection rules is enforced on admins"
        id = "CKV_GITHUB_8"
        super().__init__(
            name=name,
            id=id
        )

    def get_evaluated_keys(self):
        return ['enforce_admins/enabled']


check = GithubBranchEnforceAdmins()

And also add the JSON schema to validate the GitHub API response /checkov/github/schemas/branch_protection.py:

from checkov.github.schemas.base_schema import GithubConfSchema


class BranchProtectionSchema(GithubConfSchema):
    def __init__(self):
        schema = {
            "$schema": "http://json-schema.org/draft-04/schema#",
            "type": "object",
            "properties": {
                "url": {
                    "type": "string"
                },
                "required_signatures": {
                    "type": "object",
                    "properties": {
                        "url": {
                            "type": "string"
                        },
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "url",
                        "enabled"
                    ]
                },
                "enforce_admins": {
                    "type": "object",
                    "properties": {
                        "url": {
                            "type": "string"
                        },
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "url",
                        "enabled"
                    ]
                },
                "required_linear_history": {
                    "type": "object",
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "enabled"
                    ]
                },
                "allow_force_pushes": {
                    "type": "object",
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "enabled"
                    ]
                },
                "allow_deletions": {
                    "type": "object",
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "enabled"
                    ]
                },
                "required_conversation_resolution": {
                    "type": "object",
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        }
                    },
                    "required": [
                        "enabled"
                    ]
                }
            },
            "required": [
                "url",
                "enforce_admins",
                "required_linear_history",
                "allow_force_pushes",
                "allow_deletions",
            ]
        }
        super().__init__(schema=schema)


schema = BranchProtectionSchema()

Adding a Test

follow the examples in tests/github/test_runner.py and add a test to the new check

So there you have it! A new check will be scanned once your contribution is merged!

Powered By

  • Slack Community
  • About Bridgecrew
  • Platform
  • Terms of use
  • GitHub
  • Docs
  • Contact Us
  • Privacy policy