Checkov Documentation

Contributing YAML-based Custom Policies

  1. Define the policy as described in the YAML Custom Policies documentation.
  2. Create a branch under the checkov2 fork (the fork name and the URLs below will change after the merge) - https://github.com/bridgecrewio/checkov
  3. Add a <policy_name>.yaml file under https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/graph_checks, inside the provider folder that matches your policy (aws for the example below).

Example

checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml

metadata:
  name: "Ensure that EBS are added in the backup plans of AWS Backup"
  id: "CKV2_AWS_9"
  category: "BACKUP_AND_RECOVERY"
definition:
  and:
    - cond_type: connection
      resource_types:
        - aws_backup_selection
      connected_resource_types:
        - aws_ebs_volume
      operator: exists
    - cond_type: filter
      attribute: resource_type
      value:
        - aws_ebs_volume
      operator: within

YAML Format Testing

1 - Under https://github.com/bridgecrewio/checkov/tree/main/tests/terraform/graph/checks/resources, create a folder with the same name as your custom policy. In this folder, add the Terraform file(s) that serve as test resources for the policy, and an expected.yaml listing every resource that should pass and every resource that should fail. The test compares the policy's full result with these lists, so a resource the policy does not report must not appear in either list.

Terraform Files Example

tests/terraform/graph/checks/resources/EBSAddedBackup/main.tf

resource "aws_ebs_volume" "ebs_good" {
  availability_zone = "us-west-2a"
  size              = 40
 
  tags = {
    Name = "HelloWorld"
  }
}
 
resource "aws_ebs_volume" "ebs_bad" {
  availability_zone = "us-west-2a"
  size              = 40
 
  tags = {
    Name = "HelloWorld"
  }
}
 
resource "aws_backup_selection" "backup_good" {
  iam_role_arn = "arn"
  name         = "tf_example_backup_selection"
  plan_id      = "123456"
 
  resources = [
    aws_ebs_volume.ebs_good.arn
  ]
}
 
resource "aws_backup_selection" "backup_bad" {
  iam_role_arn = "arn"
  name         = "tf_example_backup_selection"
  plan_id      = "123456"
 
  resources = [
  ]
}

‘expected.yaml’ File Example

tests/terraform/graph/checks/resources/EBSAddedBackup/expected.yaml

pass:
  - "aws_ebs_volume.ebs_good"
fail:
  - "aws_ebs_volume.ebs_bad"

2 - Add a test method for the policy to tests/terraform/graph/checks/test_yaml_policies.py; the method name is the policy name prefixed with test_, and go() receives the name of the resources folder created in step 1.

Example

...
    def test_EBSAddedBackup(self):
        self.go("EBSAddedBackup")
...
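To make the two halves of the procedure concrete, here is an added, self-contained model of what the policy above evaluates and what the expected.yaml comparison in test_yaml_policies.py checks. It is example code written for this page, not Checkov's graph engine or its test harness, and it simplifies both: the policy YAML, the four resources from main.tf and expected.yaml are embedded as constructed Python dicts (so no YAML or HCL parser is needed), only the connection and filter condition types are implemented, and a connection is modelled as one resource's attributes referencing another resource's address. The point it shows is why expected.yaml lists only aws_ebs_volume addresses: the filter condition narrows the report to that resource type, so the aws_backup_selection resources are never reported as pass or fail, and listing one of them in expected.yaml would make the test fail.

```python
# Added example (not Checkov's own code): a simplified model of how the
# EBSAddedBackup graph policy is evaluated and how expected.yaml is checked.
import re
from typing import Dict, Set, Tuple

# Constructed stand-in for yaml.safe_load("EBSAddedBackup.yaml").
POLICY = {
    "metadata": {"id": "CKV2_AWS_9", "category": "BACKUP_AND_RECOVERY",
                 "name": "Ensure that EBS are added in the backup plans of AWS Backup"},
    "definition": {"and": [
        {"cond_type": "connection", "operator": "exists",
         "resource_types": ["aws_backup_selection"],
         "connected_resource_types": ["aws_ebs_volume"]},
        {"cond_type": "filter", "attribute": "resource_type",
         "operator": "within", "value": ["aws_ebs_volume"]},
    ]},
}

# Constructed: the four resources main.tf declares, keyed by Terraform
# address, as a parser would hand them to the graph builder.
RESOURCES = {
    "aws_ebs_volume.ebs_good": {"availability_zone": "us-west-2a", "size": 40},
    "aws_ebs_volume.ebs_bad": {"availability_zone": "us-west-2a", "size": 40},
    "aws_backup_selection.backup_good": {"iam_role_arn": "arn", "plan_id": "123456",
                                         "resources": ["aws_ebs_volume.ebs_good.arn"]},
    "aws_backup_selection.backup_bad": {"iam_role_arn": "arn", "plan_id": "123456",
                                        "resources": []},
}

# Constructed stand-in for expected.yaml.
EXPECTED = {"pass": ["aws_ebs_volume.ebs_good"], "fail": ["aws_ebs_volume.ebs_bad"]}

# A Terraform reference such as aws_ebs_volume.ebs_good.arn: capture "type.name".
REF = re.compile(r"\b([a-z][a-z0-9_]*\.[A-Za-z0-9_-]+)\.[A-Za-z0-9_]+\b")


def resource_type(address: str) -> str:
    return address.split(".", 1)[0]


def build_edges(resources: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Undirected graph: a resource whose attributes reference another resource
    is connected to it (this is what a 'connection' condition looks for)."""
    def refs(value):
        if isinstance(value, str):
            yield from REF.findall(value)
        elif isinstance(value, list):
            for item in value:
                yield from refs(item)
        elif isinstance(value, dict):
            for item in value.values():
                yield from refs(item)

    edges = {addr: set() for addr in resources}
    for addr, attrs in resources.items():
        for target in refs(attrs):
            if target in resources and target != addr:
                edges[addr].add(target)
                edges[target].add(addr)
    return edges


def connection_exists(cond: dict, addr: str, edges: Dict[str, Set[str]]) -> bool:
    """'connection' with operator 'exists': the resource is on one side of the
    condition and has at least one neighbour on the other side."""
    left = set(cond["resource_types"])
    right = set(cond["connected_resource_types"])
    this = resource_type(addr)
    wanted = right if this in left else left if this in right else set()
    return any(resource_type(n) in wanted for n in edges[addr])


def evaluate(policy: dict, resources: Dict[str, dict]) -> Tuple[Set[str], Set[str]]:
    """Return (passed, failed). 'filter' conditions narrow which resources are
    reported at all; every 'connection' condition in the 'and' must hold to pass.
    Other condition types are out of scope for this simplified model."""
    conds = policy["definition"]["and"]
    edges = build_edges(resources)
    scope = set(resources)
    for cond in conds:
        if cond["cond_type"] == "filter":
            assert cond["attribute"] == "resource_type" and cond["operator"] == "within"
            scope = {a for a in scope if resource_type(a) in cond["value"]}
    passed, failed = set(), set()
    for addr in scope:
        ok = all(connection_exists(c, addr, edges)
                 for c in conds if c["cond_type"] == "connection")
        (passed if ok else failed).add(addr)
    return passed, failed


def matches_expected(policy: dict, resources: Dict[str, dict], expected: dict) -> bool:
    """What the harness behind self.go("EBSAddedBackup") checks: the reported
    pass and fail sets must equal expected.yaml exactly."""
    passed, failed = evaluate(policy, resources)
    return passed == set(expected["pass"]) and failed == set(expected["fail"])


if __name__ == "__main__":
    print(evaluate(POLICY, RESOURCES))
    print(matches_expected(POLICY, RESOURCES, EXPECTED))
```

Running the module reports ebs_good as passing (it is referenced from backup_good's resources list) and ebs_bad as failing (nothing references it; backup_bad's empty list creates no edge), and neither aws_backup_selection resource appears in the result, which is exactly the shape expected.yaml must have.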