
Contribute New Gitlab configuration policy

In this example, we’ll add support for a new Gitlab configuration check.

Add new API call to fetch data from Gitlab

We are going to add a new check that examines how merge request protection rules are configured and verifies that at least 2 approvals are required before a merge.

Add an API call

First, check whether the Gitlab API call that GETs the current branch protection state already exists in checkov/gitlab/dal.py. If it does not, add it to that file as in the following example:

import os
from distutils.util import strtobool  # note: distutils is deprecated and removed in Python 3.12

from checkov.common.vcs.base_vcs_dal import BaseVCSDAL


class Gitlab(BaseVCSDAL):
    ...

    def get_project_approvals(self):
        # GET projects/:id/approvals returns the project-level approval settings
        if self.project_id:
            project_approvals = self._request(
                endpoint=f"projects/{self.project_id}/approvals")
            return project_approvals
        return None

    def persist_project_approvals(self):
        project_approvals = self.get_project_approvals()

        if project_approvals:
            # write the raw API response as a JSON document for the runner to scan
            BaseVCSDAL.persist(path=self.gitlab_project_approvals_file_path, conf=project_approvals)

    def persist_all_confs(self):
        # fetching can be switched off with CKV_GITLAB_CONFIG_FETCH_DATA=False
        if strtobool(os.getenv("CKV_GITLAB_CONFIG_FETCH_DATA", "True")):
            self.persist_project_approvals()
            self.persist_groups()
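The snippet above cannot run outside Checkov, so here is an added stand-alone example (not Checkov's own code) of the same fetch-then-persist pattern and its environment-variable gate. `FakeGitlabDAL`, `run_demo`, the constructed `FAKE_API_RESPONSE` and the local `str_to_bool` are all assumptions of this example: the HTTP call is replaced by constructed data, the file is written to a temporary directory, and `str_to_bool` stands in for `distutils.util.strtobool`, which is no longer available on Python 3.12.

```python
from __future__ import annotations

import json
import os
import tempfile
from pathlib import Path
from typing import Any


def str_to_bool(value: str) -> bool:
    # Local equivalent of distutils.util.strtobool (distutils is gone in Python 3.12):
    # accepts the same spellings and raises on anything else, exactly like the original.
    v = value.strip().lower()
    if v in ("y", "yes", "t", "true", "on", "1"):
        return True
    if v in ("n", "no", "f", "false", "off", "0"):
        return False
    raise ValueError(f"invalid truth value {value!r}")


# Constructed sample of a GET projects/<id>/approvals response (not real project data).
FAKE_API_RESPONSE: dict[str, Any] = {
    "approvals_before_merge": 1,
    "reset_approvals_on_push": True,
    "disable_overriding_approvers_per_merge_request": False,
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
    "require_password_to_approve": False,
}


class FakeGitlabDAL:
    """Hypothetical stand-in for the DAL above: same fetch-then-persist shape, no network."""

    def __init__(self, project_id: str | None, out_dir: str) -> None:
        self.project_id = project_id
        self.gitlab_project_approvals_file_path = os.path.join(out_dir, "project_approvals.json")

    def _request(self, endpoint: str) -> dict[str, Any]:
        # Replaces the HTTP call with constructed data; the endpoint is checked, not fetched.
        assert endpoint == f"projects/{self.project_id}/approvals"
        return dict(FAKE_API_RESPONSE)

    def get_project_approvals(self) -> dict[str, Any] | None:
        if self.project_id:
            return self._request(endpoint=f"projects/{self.project_id}/approvals")
        return None

    @staticmethod
    def persist(path: str, conf: dict[str, Any]) -> None:
        # The runner later reads this JSON document back and hands it to the checks.
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        Path(path).write_text(json.dumps(conf, indent=2))

    def persist_project_approvals(self) -> str | None:
        conf = self.get_project_approvals()
        if conf:
            self.persist(self.gitlab_project_approvals_file_path, conf)
            return self.gitlab_project_approvals_file_path
        return None

    def persist_all_confs(self) -> str | None:
        # Same CKV_GITLAB_CONFIG_FETCH_DATA gate as the snippet above; returns the written path.
        if str_to_bool(os.getenv("CKV_GITLAB_CONFIG_FETCH_DATA", "True")):
            return self.persist_project_approvals()
        return None


def run_demo(env_value: str | None, project_id: str | None = "123") -> dict[str, Any] | None:
    """Run one fetch-and-persist pass in a temp dir and return the persisted JSON (or None)."""
    if env_value is None:
        os.environ.pop("CKV_GITLAB_CONFIG_FETCH_DATA", None)
    else:
        os.environ["CKV_GITLAB_CONFIG_FETCH_DATA"] = env_value
    out_dir = tempfile.mkdtemp()
    written = FakeGitlabDAL(project_id, out_dir).persist_all_confs()
    if written is None:
        return None
    return json.loads(Path(written).read_text())


if __name__ == "__main__":
    print("fetch disabled:", run_demo("False"))
    print("fetch enabled: ", run_demo("True"))
```

Two behaviours are worth noticing: with no project id nothing is persisted at all (and so the check later has nothing to evaluate), and an unrecognised value such as `CKV_GITLAB_CONFIG_FETCH_DATA=maybe` raises rather than silently defaulting, which matches how `strtobool` behaves.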

Add a Check

Go to checkov/gitlab/checks and add enforce_branch_protection_on_admins.py:

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.gitlab.base_gitlab_configuration_check import BaseGitlabCheck
from checkov.gitlab.schemas.project_approvals import schema as project_aprovals_schema
from checkov.json_doc.enums import BlockType


class MergeRequestRequiresApproval(BaseGitlabCheck):
    def __init__(self):
        name = "Merge requests should require at least 2 approvals"
        id = "CKV_GITLAB_1"
        categories = [CheckCategories.SUPPLY_CHAIN]
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_entities=["*"],
            block_type=BlockType.DOCUMENT
        )

    def scan_entity_conf(self, conf):
        # only evaluate documents that match the project approvals schema;
        # any other Gitlab document persisted by the DAL produces no result
        if project_aprovals_schema.validate(conf):
            if conf.get("approvals_before_merge", 0) < 2:
                return CheckResult.FAILED, conf
            return CheckResult.PASSED, conf


check = MergeRequestRequiresApproval()

Then add the JSON schema used to validate the Gitlab API response in checkov/gitlab/schemas/project_approvals.py:

from checkov.common.vcs.vcs_schema import VCSSchema


class ProjectApprovalsSchema(VCSSchema):
    def __init__(self):
        schema = {
            "$schema": "http://json-schema.org/draft-04/schema#",
            "type": "object",
            "properties": {
                "approvals_before_merge": {
                    "type": "integer"
                },
                "reset_approvals_on_push": {
                    "type": "boolean"
                },
                "disable_overriding_approvers_per_merge_request": {
                    "type": "boolean"
                },
                "merge_requests_author_approval": {
                    "type": "boolean"
                },
                "merge_requests_disable_committers_approval": {
                    "type": "boolean"
                },
                "require_password_to_approve": {
                    "type": "boolean"
                }
            },
            "required": [
                "approvals_before_merge",
                "reset_approvals_on_push",
                "disable_overriding_approvers_per_merge_request",
                "merge_requests_author_approval",
                "merge_requests_disable_committers_approval",
                "require_password_to_approve"
            ]
        }
        super().__init__(schema=schema)


schema = ProjectApprovalsSchema()

Adding a Test

Follow the examples in tests/gitlab/test_runner.py and add a test for the new check.
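To see the check and its test together, here is an added stand-alone example (not Checkov's own code, and it does not import Checkov) that reproduces the decision logic of `scan_entity_conf` above and runs it over constructed fixtures for each outcome, the way a test placed beside tests/gitlab/test_runner.py would. The `validate` function is a hypothetical minimal validator over a copy of the page's schema dict, standing in for `VCSSchema.validate`; the fixtures `COMPLIANT`, `WEAK`, `NOT_APPROVALS_DOC` and `WRONG_TYPE` are constructed, not captured from a real project.

```python
from __future__ import annotations

from typing import Any

# Constructed copy of the project_approvals schema above, so the example runs
# without jsonschema or Checkov installed.
PROJECT_APPROVALS_SCHEMA: dict[str, Any] = {
    "type": "object",
    "properties": {
        "approvals_before_merge": {"type": "integer"},
        "reset_approvals_on_push": {"type": "boolean"},
        "disable_overriding_approvers_per_merge_request": {"type": "boolean"},
        "merge_requests_author_approval": {"type": "boolean"},
        "merge_requests_disable_committers_approval": {"type": "boolean"},
        "require_password_to_approve": {"type": "boolean"},
    },
    "required": [
        "approvals_before_merge",
        "reset_approvals_on_push",
        "disable_overriding_approvers_per_merge_request",
        "merge_requests_author_approval",
        "merge_requests_disable_committers_approval",
        "require_password_to_approve",
    ],
}

# JSON Schema treats booleans as distinct from integers, so True must not count as 1.
_TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}


def validate(conf: Any, schema: dict[str, Any] = PROJECT_APPROVALS_SCHEMA) -> bool:
    """Minimal stand-in for VCSSchema.validate(): required keys present, declared types match."""
    if not isinstance(conf, dict):
        return False
    if any(key not in conf for key in schema["required"]):
        return False
    for key, spec in schema["properties"].items():
        if key in conf and not _TYPE_CHECKS[spec["type"]](conf[key]):
            return False
    return True


def scan_entity_conf(conf: Any) -> tuple[str, Any] | None:
    """Same decision logic as MergeRequestRequiresApproval.scan_entity_conf above.

    Returns ("FAILED", conf) or ("PASSED", conf) for a project approvals document and
    None for any other document the DAL persisted. Validation has to run first: without
    it, the `< 2` comparison would run on the wrong document or on a non-integer value.
    """
    if validate(conf):
        if conf.get("approvals_before_merge", 0) < 2:
            return "FAILED", conf
        return "PASSED", conf
    return None


# Constructed fixtures, one per outcome (not captured from a real project).
COMPLIANT: dict[str, Any] = {
    "approvals_before_merge": 2,
    "reset_approvals_on_push": True,
    "disable_overriding_approvers_per_merge_request": True,
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
    "require_password_to_approve": True,
}
WEAK: dict[str, Any] = {**COMPLIANT, "approvals_before_merge": 1}
NOT_APPROVALS_DOC: dict[str, Any] = {"name": "group-a", "visibility": "private"}
WRONG_TYPE: dict[str, Any] = {**COMPLIANT, "approvals_before_merge": "2"}  # string, not integer


def run_tests() -> dict[str, str | None]:
    """What a tests/gitlab/test_runner.py style case would assert for this check."""
    results = {
        "compliant": scan_entity_conf(COMPLIANT)[0],
        "weak": scan_entity_conf(WEAK)[0],
        "not_approvals": scan_entity_conf(NOT_APPROVALS_DOC),
        "wrong_type": scan_entity_conf(WRONG_TYPE),
    }
    expected = {"compliant": "PASSED", "weak": "FAILED", "not_approvals": None, "wrong_type": None}
    assert results == expected, results
    return results


if __name__ == "__main__":
    print(run_tests())
```

The two "no result" fixtures are the ones a real test most often forgets: a document that is not an approvals response at all, and an approvals response whose field has the wrong type. Both must yield no result rather than a FAILED, otherwise every unrelated Gitlab document persisted by the DAL would be reported as a missing approval rule.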

So there you have it! Once your contribution is merged, the new check runs in every Gitlab configuration scan!
