
bridgecrewio / checkov

6.5K 58.0 1.0K 82.75 MB

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

Home Page: https://www.checkov.io/

License: Apache License 2.0

Python 75.60% HCL 22.01% Shell 0.37% Dockerfile 0.24% Batchfile 0.01% Jinja 0.04% Bicep 0.53% Smarty 0.02% TypeScript 1.13% JavaScript 0.01% Perl 0.04% Java 0.01%
terraform static-analysis aws gcp azure aws-security cloudformation scans compliance kubernetes

checkov's People

Contributors

achiar99, actions-user, arielkru, ayajbara, bo156, chanochshayner, dependabot[bot], drfaust92, eliran-turgeman, gruebel, itai1357, jameswoolfenden, kartikp10, lirshindalman, marynakk, maxamel, metahertz, mikeurbanski1, nimrodkor, njgibbon, noaazoulay, omrymen, pelegli, robeden, rotemavni, saarett, schosterbarak, tronxd, tsmithv11, yaaraverner

checkov's Issues

GCP cloudSQL check failing even though it should pass - rule bug???

Describe the bug
Check fails even though the configuration is correct for GCP cloudSQL
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
FAILED for resource: google_sql_database_instance.db-instance
File: /:29-41

	29 | resource "google_sql_database_instance" "db-instance" {
	30 |   name             = var.instance_name
	31 |   database_version = var.database_version
	32 |
	33 |   settings {
	34 |     # Second-generation instance tiers are based on the machine
	35 |     # type. See argument reference below.
	36 |     tier            = var.instance_tier
	37 |     ip_configuration {
	38 |       require_ssl = true
	39 |     }
	40 |   }
	41 | }

To Reproduce
Create the resource as in the output

Expected behavior
Check PASS

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: MacOSX
  • Checkov Version 1.0.173

Additional context
Add any other context about the problem here (e.g. code snippets).

Add --version flag

Is your feature request related to a problem? Please describe.
It's a bit unusual that one needs to run the tool with no arguments to get the version; it took me a bit to get it.

Describe the solution you'd like
--version flag printing the current version of the app

Additional context
If you ever get dependent modules, etc. in the future it may help with support tickets as you can print not only the core package version, but the version of the OS, dependencies, etc.

EDIT: I accidentally a word

Docker command in README.md is wrong

Describe the bug
The docker run command in the readme is incorrect and does not work. It should be:
docker run -v /user/tf:/tf bridgecrew/checkov -d /tf

Document reasoning behind rule checks

Is your feature request related to a problem? Please describe.
When running checkov, you get pointed to rule violations with a one line explanation of what is wrong, ex. Ensure Amazon EKS public endpoint disabled. However, there's no deeper explanation on why that's something to be concerned about, only that it's suggested that you fix it. Also, fixing it with respect to making checkov happy is one thing, but supporting external steps to make it work may be bigger than the one line configuration change. Tooling like this is a great opportunity to educate users on good practices, common problems, and solutions.

Describe the solution you'd like
I would like to see documentation that explains why each rule is there (ie. what exactly is the problem?) and suggestions on how to fix it (ie. what configuration to change/add/update, as well as external changes to support it). Since each rule is supposed to be based on 'best practices', there should be a valid explanation of what the problem the rule identifies actually is. Likewise, if these are 'best practices', then well known solution patterns should be available easily and conveniently. Similarly, examples, when applicable, of when this violation might safely be ignored/disabled should be discussed.

Describe alternatives you've considered
The alternative is to internet search phrases around the one line suggestion in the output to try to find help on why it's a problem, and what to do about it.

Additional context
TFLint does a decent job of this: https://github.com/terraform-linters/tflint/blob/v0.14.0/docs/rules/aws_db_instance_default_parameter_group.md, and Rubocop at least links out to an external explanation: https://docs.rubocop.org/en/stable/cops_lint/

Error in password complexity check

Describe the bug
When running checkov against the following resource:

resource "aws_iam_account_password_policy" "password-policy" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
}

I get the following error:

Traceback (most recent call last):
  File "/Users/arkadiyt/.pyenv/versions/3.6.0/bin/checkov", line 24, in <module>
    report = Runner().run(root_folder)
  File "/Users/arkadiyt/.pyenv/versions/3.6.0/lib/python3.6/site-packages/checkov/terraform/runner.py", line 34, in run
    results = resource_registry.scan(resource, scanned_file, skipped_checks)
  File "/Users/arkadiyt/.pyenv/versions/3.6.0/lib/python3.6/site-packages/checkov/terraform/checks/resource/registry.py", line 34, in scan
    resource_name=resource_name, resource_type=resource, skip_info=skip_info)
  File "/Users/arkadiyt/.pyenv/versions/3.6.0/lib/python3.6/site-packages/checkov/terraform/checks/resource/base_check.py", line 31, in run
    check_result['result'] = self.scan_resource_conf(resource_configuration)
  File "/Users/arkadiyt/.pyenv/versions/3.6.0/lib/python3.6/site-packages/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py", line 22, in scan_resource_conf
    if conf[key] >= 14:
TypeError: '>=' not supported between instances of 'list' and 'int'

Implement user-defined loadable checks

Is your feature request related to a problem? Please describe.
Having integrated checks is cool. But it would be even better if (as users) we could load our own checks. Like I have a policy saying that my RDS must be highly-available when deployed in our "production" environment. Such a policy shouldn't belong to the core checks.

Describe the solution you'd like
Some parameter to provide a directory where checkov can find Python files to load.

I already implemented it in my own fork. Thus would you consider a PR?

security_groups in aws_security_group rule not supported

Describe the bug
Referencing a security_group instead of cidr_block in a security group rule causes an exception.

To Reproduce
Steps to reproduce the behavior:

  1. try to run checkov on the following resource:
resource "aws_security_group" "bar-sg" {
  name        = "sg-bar"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    security_groups = [aws_security_group.foo-sg.id]
    description = "foo"
  }

  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }

}

result:

Traceback (most recent call last):
  File "/path/tf-checks/bin/checkov", line 34, in <module>
    report = Runner().run(root_folder, external_checks_dir=args.external_checks_dir)
  File "/path/tf-checks/lib/python3.7/site-packages/checkov/terraform/runner.py", line 38, in run
    results = resource_registry.scan(resource, scanned_file, skipped_checks)
  File "/pathtf-checks/lib/python3.7/site-packages/checkov/terraform/checks/resource/registry.py", line 38, in scan
    resource_name=resource_name, resource_type=resource, skip_info=skip_info)
  File "/path/tf-checks/lib/python3.7/site-packages/checkov/terraform/checks/resource/base_check.py", line 31, in run
    check_result['result'] = self.scan_resource_conf(resource_configuration)
  File "/path/tf-checks/lib/python3.7/site-packages/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py", line 25, in scan_resource_conf
    if rule['from_port'] == [PORT] and rule['to_port'] == [PORT] and rule['cidr_blocks'] == [[
KeyError: 'cidr_blocks'

Expected behavior
Such a resource definition is perfectly valid.

Desktop (please complete the following information):

  • OS: Ubuntu 19.10
  • Python: 3.7.5
  • Checkov Version 1.0.99

Rule check suppression comments do not work

Describe the bug
When attempting to use a comment to suppress a rule check, it does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Create a terraform file containing this minimal, stripped down example:
  resource "aws_eks_cluster" "main" {
    #checkov.skip=CKV_AWS_38:Testing suppression
    #checkov.skip=CKV_AWS_39:Testing suppression
    vpc_config {
      subnet_ids = [for value in aws_subnet.public : value.id]
    }

    enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  }
  2. Run checkov via checkov --directory . -o cli
  3. Observe that the output does not have 2 skipped checks, and instead lists failures:

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

version: 1.0.167

Passed checks: 1, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
        PASSED for resource: aws_eks_cluster.main
        File: /eks:1-9


Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
        FAILED for resource: aws_eks_cluster.main
        File: /eks:1-9

                1 | resource "aws_eks_cluster" "main" {
                2 |   #checkov.skip=CKV_AWS_38:Testing suppression
                3 |   #checkov.skip=CKV_AWS_39:Testing suppression
                4 |   vpc_config {
                5 |     subnet_ids = [for value in aws_subnet.public : value.id]
                6 |   }
                7 | 
                8 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
                9 | }


Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
        FAILED for resource: aws_eks_cluster.main
        File: /eks:1-9

                1 | resource "aws_eks_cluster" "main" {
                2 |   #checkov.skip=CKV_AWS_38:Testing suppression
                3 |   #checkov.skip=CKV_AWS_39:Testing suppression
                4 |   vpc_config {
                5 |     subnet_ids = [for value in aws_subnet.public : value.id]
                6 |   }
                7 | 
                8 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
                9 | }

Expected behavior
I expected the output to list 2 skipped checks, and list both CKV_AWS_38 and CKV_AWS_39 as skipped and not failed.

Screenshots
The examples above should describe things sufficiently.

Desktop (please complete the following information):

  • OS: Ubuntu 18.04.4 LTS
  • Checkov Version: 1.0.167

Additional context
The example above is the most stripped down example I could make from my original Terraform code that produced the error. It's not intended to be a complete, sensible Terraform file, it's intended to illustrate the bug.
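
Added example (written for this page; not checkov's code and not the reporter's): how an inline suppression comment is matched before a check runs. Checkov's README documents the suppression comment as `#checkov:skip=<CHECK_ID>:<comment>`, with a colon between `checkov` and `skip`; the snippet in the report uses `#checkov.skip=` with a dot, and the output above, which shows both checks still failing, is consistent with that form not being recognised. The regex below is this example's own, written to the documented form, and the EKS text is the reporter's snippet embedded as constructed input. The near-miss detector is an addition: a comment that was clearly meant as a suppression but does not match gets reported instead of being silently ignored.

```python
import re

# Documented form (assumed from checkov's README): "#checkov:skip=CKV_AWS_38:reason".
SKIP_RE = re.compile(r"#\s*checkov:skip=\s*([A-Z_\d]+)(?::(.*))?$")
# Looks like an attempted suppression but is not in the documented form.
NEAR_MISS_RE = re.compile(r"#.*checkov\W*skip", re.IGNORECASE)


def parse_suppressions(hcl_text):
    """Return (skips, near_misses): skips maps check id -> reason for every
    well-formed comment line; near_misses lists comment lines that mention
    checkov and skip but do not match, so a typo is reported, not ignored."""
    skips, near_misses = {}, []
    for line in hcl_text.splitlines():
        stripped = line.strip()
        m = SKIP_RE.match(stripped)
        if m:
            skips[m.group(1)] = (m.group(2) or "").strip()
        elif NEAR_MISS_RE.search(stripped):
            near_misses.append(stripped)
    return skips, near_misses


def apply_suppressions(results, skips):
    """Reproduce the summary semantics: a check named in a valid skip is
    reported as SKIPPED instead of its PASSED/FAILED result."""
    return {cid: ("SKIPPED" if cid in skips else res) for cid, res in results.items()}


# Constructed input: the resource from the report, once with the dotted form
# it used and once with the documented colon form.
EKS_DOTTED = """
resource "aws_eks_cluster" "main" {
  #checkov.skip=CKV_AWS_38:Testing suppression
  #checkov.skip=CKV_AWS_39:Testing suppression
  vpc_config {
    subnet_ids = [for value in aws_subnet.public : value.id]
  }
}
"""
EKS_COLON = EKS_DOTTED.replace("#checkov.skip=", "#checkov:skip=")

# The per-check results the report shows before any suppression is applied.
RESULTS = {"CKV_AWS_37": "PASSED", "CKV_AWS_38": "FAILED", "CKV_AWS_39": "FAILED"}
```

With the dotted text `parse_suppressions` returns no skips and two near-misses, so `apply_suppressions` leaves both checks FAILED, which is what the report's output shows; with the colon form both checks become SKIPPED. Keeping the matcher strict is deliberate: a suppression that is too permissive hides findings, whereas a typo that fails loudly costs one CI run.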

Add new check: Check if CloudFront distributions are set to HTTPS

Is your feature request related to a problem? Please describe.
Enable checking cloudfront distribution ViewerProtocolPolicy and verify that viewer_protocol_policy=https-only or viewer_protocol_policy=redirect-to-https

Describe the solution you'd like
Create a new policy that checks for viewer_protocol_policy for cloudfront resources.
The following resource block should have a CheckResult.Passed:

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = "${aws_s3_bucket.b.bucket_regional_domain_name}"
    origin_id   = "${local.s3_origin_id}"

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Some comment"
  default_root_object = "index.html"

  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }

  aliases = ["mysite.example.com", "yoursite.example.com"]

  ordered_cache_behavior {
    path_pattern     = "/content/immutable/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "${local.s3_origin_id}"

    forwarded_values {
      query_string = false
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # Cache behavior with precedence 1
  ordered_cache_behavior {
    path_pattern     = "/content/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${local.s3_origin_id}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = "PriceClass_200"

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  tags = {
    Environment = "production"
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Additional context
Terraform resource:
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#viewer_protocol_policy

Checkov fails to start in Windows environments

Describe the bug
After you install Checkov on Windows, running Checkov does nothing.

To Reproduce
Steps to reproduce the behavior:

  1. Open Powershell/cmd
  2. Run cli command 'checkov'
  3. Does nothing

Expected behavior
The tool running. Magic.

Screenshots
I'm not sure showing nothing would help.

Desktop (please complete the following information):

  • OS: Windows 10
  • Checkov Version 1.0.173

Additional context
I know Windows! Like who cares and tbh I've got WSL2 and it works a dream but customers, customers and their awful locked down... anyway.
I'm using Python37, where I've installed it.
If you look in your c:/Python37/scripts folder there is a "checkov" bash script. This is the nub of it: this doesn't run! However if you add a batch file "checkov-scan.bat" (or call it whatever) with this content:

C:\Python37\python C:\Python37\Lib\site-packages\checkov\main.py %1 %2

Then when you run "checkov-scan" at your shell, it works! So is there anyway you could package up something similar in a release? please?
Also I made a python based pre-commit for checkov called checkov-scan - here https://github.com/JamesWoolfenden/pre-commit

Ability to run Checkov with 'quiet mode'

Is your feature request related to a problem? Please describe.
The default cli output is very noisy on a clean, successful run. For example, I have 11 checks that run on my current project, and if it is successful, with no problems at all, I get:

  • 8 lines of output displaying Checkov in fancy branding and the version
  • 2 lines of output displaying how many checks passed, failed or were skipped
  • 4+ lines of output for each successful check, showing the line, the name of the check, the fact that it passed, and the evaluation of every variable evaluated in an expression in that check, which adds an extra line each (which could be a lot if it's checking a complex object)
  • 5+ lines of output for each skipped check, showing the same as a successful check, but also with the skipped comment

This means running the tool, on a repo with no issues, scrolls by about 2 pages of noise, which I have to scroll back up to check on the actual status, which is printed at the top of the output.

Describe the solution you'd like
I would like the tool to behave like a standard CLI utility, with respect to default output. If there are no errors, don't print out anything and return code 0. If there are problems, just show the problems, and not a full report of everything possible, and return a code greater than 0. I still believe the default cli output has value, for when you need to validate that rule is running or you are investigating a possible problem, but that giant report is unnecessary 90% of the time when you're just iterating through changes, making sure you didn't introduce something foolish. IMO, the default cli output should be what I've just described, and if you want a full report on all checks, version, summary, etc, you should explicitly supply --output report.

Describe alternatives you've considered
One could pipe the output from Checkov into a few chained together CLI utilities, to filter down the unnecessary noise, but that definitely feels like hacking into place something that should be more or less the default.

Additional context
None

Add new check: Ensure CloudTrail log file validation is enabled

Is your feature request related to a problem? Please describe.
Enable checking cloudtrail log file integrity by verifying that in a cloudtrail definition block enable_log_file_validation=true

Describe the solution you'd like
Create a new policy that checks for log validation for cloudtrail resources.
The following resource block should have a CheckResult.Passed:

resource "aws_cloudtrail" "good_cloudtrail" {
  enable_logging                = true
  s3_bucket_name                = "foo"
  enable_log_file_validation    = true
  is_multi_region_trail         = true
  include_global_service_events = true
}

The following resource block should have a CheckResult.Failed:

resource "aws_cloudtrail" "bad_cloudtrail" {
  enable_logging                = true
  s3_bucket_name                = "foo"
  is_multi_region_trail         = true
  include_global_service_events = true
}

Additional context
Terraform cloudtrail resource page: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html
How to write a new checkov policy: https://bridgecrewio.github.io/checkov/1.Introduction/Policies.html
CIS check description: https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf#page=64

Versioned Rulesets

Is your feature request related to a problem? Please describe.
Currently it is impossible to update to a new version of checkov to get bug-fixes without also getting potentially new rules. This would result in a number of quick changes to get a repo to lint clean again. While the new rules should be fixed and deficiencies should be corrected, it shouldn't be in the same change to update software.

Describe the solution you'd like
Each rule should be part of a rule set and these sets should be enabled or disabled independently of the version of checkov running. New rulesets should default to disabled.

Describe alternatives you've considered
I've considered pinning checkov to a specific version, but this means I won't get bug-fixes anymore.

Please add a CONTRIBUTING.md file

Is your feature request related to a problem? Please describe.
I would like to contribute, but between the lack of code documentation and the lack of "how to start contributing", it's pretty hard to start. I know it's not the first thing you think about when you publish a project, but it would be very nice to see that kind of documentation 😃

Describe the solution you'd like
It could mention:

  • coding and commit style
  • how to get started: pipenv, dependencies, etc.
  • Should I commit Pipfile and Pipfile.lock?
  • etc.

Thanks in advance !

Check rationale

Thanks for sharing Checkov with the community. I've tried it out briefly on a few of our Terraform projects and found it easy enough to work with. I found some of the checks a little hard to understand the reasoning behind however.

Would it be reasonable to add a rationale to each check where it's explained what kind of issues are being avoided by enforcing the check and why it is considered a best practice to follow a particular configuration?

GoogleComputeFirewallUnrestrictedIngress - KeyError on parsing

Describe the bug
Checkov traces back on checking some of my GCP manifests.

To Reproduce
Managed to get a reproducible scenario:

temikus λ checkov
...
version: 1.0.131
...

λ mkdir test && cd test
λ wget https://gist.githubusercontent.com/Temikus/6be1f3e408d84f609a739718a42e3cf5/raw/971c5834234d32b3ddf4614defd6a641249d935c/checkov_fail.tf

λ checkov -d .
ERROR:checkov.terraform.checks.resource.gcp.GoogleComputeFirewallUnrestrictedIngress3389:Failed to run check Ensure Google compute firewall ingress does not allow unrestricted rdp access for configuration {'description': ['allow Google health checks and network load balancers access'], 'name': ['my-firewall'], 'network': ['default'], 'allow': [{'protocol': ['icmp']}, {'protocol': ['tcp'], 'ports': [['8080', '443']]}], 'source_ranges': [['130.211.0.0/22', '35.191.0.0/16']], 'target_tags': [['my-tag']]}
Traceback (most recent call last):
  File "/Users/temikus/.homebrew/bin/checkov", line 5, in <module>
    run()
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/main.py", line 37, in run
    report = Runner().run(root_folder, external_checks_dir=args.external_checks_dir, files=file)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/runner.py", line 29, in run
    self.check_tf_definition(report, root_folder, tf_definitions)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/runner.py", line 52, in check_tf_definition
    block_type)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/runner.py", line 66, in run_block
    results = registry.scan(entity, scanned_file, skipped_checks)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/checks/utilities/base_registry.py", line 39, in scan
    entity_name=entity_name, entity_type=entity, skip_info=skip_info)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/checks/utilities/base_check.py", line 44, in run
    raise e
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/checks/utilities/base_check.py", line 33, in run
    check_result['result'] = self.scan_entity_conf(entity_configuration)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/checks/resource/base_check.py", line 20, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "/Users/temikus/.homebrew/lib/python3.7/site-packages/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py", line 22, in scan_resource_conf
    if PORT in conf['allow'][0]['ports'][0]:
KeyError: 'ports'

Expected behavior
Not erroring out.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: OSX Mojave 10.14.6
  • Checkov Version: 1.0.131
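
Added example (written for this page; not checkov's code and not any reporter's) covering the three crash reports above: the password-policy check (`TypeError` comparing a list to an int), the security-group check (`KeyError: 'cidr_blocks'` when a rule uses `security_groups`), and the GCP firewall check (`KeyError: 'ports'` on an icmp allow block). The assumption, taken from the tracebacks and from the configuration logged in the GCP report, is that checkov's HCL parser hands `scan_resource_conf` a dict in which every attribute value is wrapped in a one-element list and nested blocks are lists of dicts. `CheckResult` is a stand-in for checkov's enum so the block runs without checkov installed; the check functions follow the intent of the files named in the tracebacks but are written here, and the port-range handling goes beyond the exact-port match those files used. The form of the `security_groups` reference in the sample is assumed.

```python
import enum


class CheckResult(enum.Enum):  # stand-in for checkov's enum of the same name
    PASSED = "PASSED"
    FAILED = "FAILED"


def scalar(conf, key, default=None):
    """Attribute values arrive as [value]; a missing key must not raise."""
    value = conf.get(key)
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    return default if value is None else value


def items(conf, key):
    """List attributes arrive as [[a, b]] and nested blocks as [{...}, {...}];
    return the inner list either way, and [] when the key is absent."""
    value = conf.get(key) or []
    if len(value) == 1 and isinstance(value[0], list):
        return value[0]
    return value


def password_policy_length(conf, minimum=14):
    """Same intent as PasswordPolicyLength.py: minimum_password_length >= 14.
    An absent attribute or an unresolved expression (a string) fails closed."""
    length = scalar(conf, "minimum_password_length")
    if isinstance(length, bool) or not isinstance(length, int):
        return CheckResult.FAILED
    return CheckResult.PASSED if length >= minimum else CheckResult.FAILED


def _aws_rule_covers(rule, port):
    if str(scalar(rule, "protocol", "tcp")) == "-1":
        return True  # all protocols and ports
    lo, hi = scalar(rule, "from_port"), scalar(rule, "to_port")
    return isinstance(lo, int) and isinstance(hi, int) and lo <= port <= hi


def security_group_unrestricted_ingress(conf, port):
    """Same intent as SecurityGroupUnrestrictedIngress22.py, generalised to
    port ranges. A rule that uses security_groups instead of cidr_blocks has
    no CIDR that could be world-open, so it is neither a failure nor a crash."""
    for rule in items(conf, "ingress"):
        if _aws_rule_covers(rule, port) and "0.0.0.0/0" in items(rule, "cidr_blocks"):
            return CheckResult.FAILED
    return CheckResult.PASSED


def _gcp_allow_covers(allow, port):
    protocol = str(scalar(allow, "protocol", "")).lower()
    if protocol == "all":
        return True
    if protocol not in ("tcp", "udp"):
        return False  # icmp and friends carry no ports
    ports = items(allow, "ports")
    if not ports:
        return True  # GCP semantics: tcp/udp with no ports means every port
    for spec in ports:  # "443" or "3000-4000"
        low, _, high = str(spec).partition("-")
        high = high or low
        if not (low.isdigit() and high.isdigit()):
            return True  # unresolved expression: fail closed rather than crash
        if int(low) <= port <= int(high):
            return True
    return False


def gcp_firewall_unrestricted_ingress(conf, port):
    """Same intent as GoogleComputeFirewallUnrestrictedIngress3389.py, without
    the KeyError when an allow block (e.g. icmp) has no 'ports'."""
    if scalar(conf, "direction", "INGRESS") != "INGRESS":
        return CheckResult.PASSED
    if "0.0.0.0/0" not in items(conf, "source_ranges"):
        return CheckResult.PASSED
    for allow in items(conf, "allow"):
        if _gcp_allow_covers(allow, port):
            return CheckResult.FAILED
    return CheckResult.PASSED


# Constructed samples in the parsed shape described above.
PASSWORD_POLICY = {"minimum_password_length": [15], "require_symbols": [True]}
SG_BAR = {  # the bar-sg resource from the report above (reference form assumed)
    "ingress": [{"from_port": [22], "to_port": [22], "protocol": ["tcp"],
                 "security_groups": [["${aws_security_group.foo-sg.id}"]]}],
    "egress": [{"from_port": [0], "to_port": [0], "protocol": ["-1"],
                "cidr_blocks": [["0.0.0.0/0"]]}],
}
SG_OPEN = {"ingress": [{"from_port": [0], "to_port": [65535], "protocol": ["tcp"],
                        "cidr_blocks": [["0.0.0.0/0"]]}]}
GCP_HEALTHCHECK = {  # the configuration logged in the traceback above
    "allow": [{"protocol": ["icmp"]}, {"protocol": ["tcp"], "ports": [["8080", "443"]]}],
    "source_ranges": [["130.211.0.0/22", "35.191.0.0/16"]],
}
GCP_OPEN = {"allow": [{"protocol": ["tcp"]}], "source_ranges": [["0.0.0.0/0"]]}
```

The two accessors carry the whole fix: every check reads the conf through `scalar` or `items`, so a list-wrapped int compares correctly, an absent key yields a default instead of a `KeyError`, and a value that is still an expression string fails closed rather than passing by accident.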

Ability to disable some rules globally

Is your feature request related to a problem? Please describe.
Some default policies might be troublesome in some environments like production. We want to be able to disable globally some default checks e.g. CKV_GCP_10: "Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters" which might not be ideal for production environments.

Describe the solution you'd like
Have a CLI option where you specify a list of excluded default checks

Describe alternatives you've considered
Forcing people to use skip checks is against the main motivation of the tool, which should define what the standard is, and is a fight against what the best practice is

Additional context
Add any other context or screenshots about the feature request here.

Check fails if you have different objects with the same name

Describe the bug
The checkov CLI has an exception if two objects share the same object and name.
For some unknown reason we have a data and resource with the same names - one checking if an object exists, the other to make it.

data "aws_sns_topic" "this" {
  count = "${(1 - var.create_sns_topic) * var.create}"
  name  = var.sns_topic_name
}

resource "aws_sns_topic" "this" {
  count = var.create_sns_topic * var.create
  name  = var.sns_topic_name
}

checkov -d .
Traceback (most recent call last):
  File "C:\Python37\Lib\site-packages\checkov\main.py", line 55, in <module>
    run()
  File "C:\Python37\Lib\site-packages\checkov\main.py", line 43, in run
    report = Runner().run(root_folder, external_checks_dir=args.external_checks_dir, files=file)
  File "C:\Python37\lib\site-packages\checkov\terraform\runner.py", line 32, in run
    self.check_tf_definition(report, root_folder, tf_definitions)
  File "C:\Python37\lib\site-packages\checkov\terraform\runner.py", line 60, in check_tf_definition
    block_type)
  File "C:\Python37\lib\site-packages\checkov\terraform\runner.py", line 68, in run_block
    entity_context = dpath.get(definition_context[full_file_path], f'*/{entity_type}/{entity_name}')
  File "C:\Python37\lib\site-packages\dpath\util.py", line 124, in get
    raise ValueError("dpath.util.get() globs must match only one leaf : %s" % glob)
ValueError: dpath.util.get() globs must match only one leaf : */aws_sns_topic/this

To Reproduce
Steps to reproduce the behavior:

  0. Add code like above.
  1. Go to 'CLI'
  2. Run cli command '.checkov -d .'
  3. See error

Expected behavior
Checkov should be able to tell if they are data or resource and not throw an exception.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Win10
  • Checkov Version 1.0.173

Additional context
I'm just going to rename the data source but it is a bug, if minor.

Add CKV_AWS_## number in CLI output

Is your feature request related to a problem? Please describe.
I would like to be able to more easily add suppressions based on CLI output

Describe the solution you'd like
Add the check number in the output. Something like:

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
        FAILED for resource: aws_security_group_rule.my_rule
        File: /ec2_security_rules.tf:211-218

                211 | resource "aws_security_group_rule" "my_rule" {
                212 |   type              = "ingress"
                ...
                218 | }

Describe alternatives you've considered
Look at the docs and compare the text to the provided table

Python error IndexError: list index out of range

Describe the bug
I get this error for any of my terraform modules. Could it be due to tfvars files? Is there some way to specify a var file to use?

$ checkov -d /path/to/module
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 24, in <module>
    report = Runner().run(root_folder)
  File "/usr/local/lib/python3.8/site-packages/checkov/terraform/runner.py", line 22, in run
    scanned_file = definition[0].split(root_folder)[1]
IndexError: list index out of range

My terraform module is formatted as follows:

├── apis.tf
├── dataflow.tf
├── env
│   ├── backend
│   │   ├── development.tfvars
│   │   ├── production.tfvars
│   │   └── staging.tfvars
│   ├── development.tfvars
│   ├── production.tfvars
│   └── staging.tfvars
├── main.tf
├── variables.tf
└── versions.tf

To Reproduce
Steps to reproduce the behavior:

  1. run checkov -d /path/to/module
  2. See error

Expected behavior
Output

Desktop (please complete the following information):

  • OS: python:alpine docker image
  • Checkov Version: 1.0.78

Integrate with tf-parliament

Is your feature request related to a problem? Please describe.
Terraform lets us create and manage IAM policies. To keep them orderly and updated is a daunting task, which requires a lot of knowledge around IAM. https://github.com/rdkls/tf-parliament can help us manage that - we should think about integrating with it.

Describe the solution you'd like
Have a "check" which runs this python script on the policies in the dir.

Additional context
https://github.com/rdkls/tf-parliament

Support multi files scanner

Today Checkov supports scanning one file using the command:
checkov -f /user/tf/example.tf

I'd love Checkov to support multi-file scans, instead of running Checkov multiple times with different file paths.

For example:
checkov -f [/user/tf/example.tf, /user/tf/example/main.tf]

Add new check: Check if all Elasticache Replication Group encryption parameters are enabled and set

It would be nice to validate if all encryption features for AWS Elasticache Replication Group are enabled.

From https://www.terraform.io/docs/providers/aws/r/elasticache_replication_group.html:

- at_rest_encryption_enabled - (Optional) Whether to enable encryption at rest.
- transit_encryption_enabled - (Optional) Whether to enable encryption in transit.
- auth_token - (Optional) The password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
- kms_key_id - (Optional) The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. Can be specified only if at_rest_encryption_enabled = true. 

Checkov doesn't seem to support variables for aws_ebs_volume / encrypted

Describe the bug
Checkov doesn't seem to support variables for aws_ebs_volume / encrypted.

Perhaps this was by design, but please explain if otherwise.

i.e.

resource "aws_ebs_volume" "default" {
  availability_zone = var.volume_az
  size              = var.volume_size
  type              = var.volume_type
  encrypted         = var.volume_encryption
}

variable "volume_encryption" {
  type        = bool
  description = "Volume encryption enabled or disabled."
  default     = true
}

To Reproduce
Steps to reproduce the behavior:

  1. Run checkov -d ./terraform-code.tf
  2. You get:
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted "
	FAILED for resource: aws_ebs_volume.default

Expected behavior
It should interpret the variable and pass, as it's set to true by default and nothing is overriding that.

Desktop (please complete the following information):

  • OS: MacOS
  • Checkov Version checkov==1.0.102

Allow checks to run globally across all resources

Is your feature request related to a problem? Please describe.
I would like to define global checks, e.g. a Naming Convention check, that can apply globally to all resources, without me having to write out all the supported resources.

Describe the solution you'd like
I would like to write something like:

from checkov.common.models.enums import CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck

class NamingCheck(BaseResourceCheck):
    def __init__(self):
        name = "Ensure naming convention is correct"
        id = "MY_GLOBAL_001"
        supported_resources = ['*']
        # BaseResourceCheck also requires a category list
        categories = [CheckCategories.GENERAL_SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
        # ...

The registry's get_checks could also look at the * resource, de-duplicating as necessary (maybe it could be a set?)

Describe alternatives you've considered
Get a list of all terraform resources and put that in the list

Additional context
It could also be neat to do, for example, supported_resources = ["aws_*"], or more advanced matching, but that is not necessary for my purposes right now.

"Resource names must start with a letter or underscore, and may contain only letters, digits, underscores, and dashes" (source) so anything else should be fair game for matching
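Added example, not checkov's own code: a minimal registry that resolves wildcard supported_resources such as ['*'] or ['aws_*'] the way this request proposes, returning each matching check once, plus a global naming check that uses it. The Registry and NamingCheck classes are stand-ins for checkov's, and the lowercase snake_case convention and the "__name__" conf key are assumptions made for this example.

```python
# Added example, not checkov's own code: a minimal registry that resolves the
# wildcard supported_resources proposed above (['*'], ['aws_*']) and returns
# each matching check once, plus a global naming check that uses it. The
# Registry/NamingCheck classes are stand-ins for checkov's; the lowercase
# snake_case convention and the "__name__" conf key are assumptions.
import re
from fnmatch import fnmatchcase

PASSED, FAILED = "PASSED", "FAILED"


class Registry:
    def __init__(self):
        self._checks = []

    def register(self, check):
        self._checks.append(check)

    def get_checks(self, resource_type):
        """Checks whose patterns match resource_type, de-duplicated by check id."""
        matched, seen = [], set()
        for check in self._checks:
            if check.id in seen:
                continue
            if any(fnmatchcase(resource_type, pat) for pat in check.supported_resources):
                seen.add(check.id)
                matched.append(check)
        return matched


class NamingCheck:
    """Global check: the '*' pattern makes it apply to every resource type."""
    NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")  # assumed convention

    def __init__(self, supported_resources=("*",)):
        self.id = "MY_GLOBAL_001"
        self.name = "Ensure naming convention is correct"
        self.supported_resources = list(supported_resources)

    def scan_resource_conf(self, conf):
        # The resource block's own name arrives under an assumed "__name__" key.
        return PASSED if self.NAME_RE.match(conf.get("__name__", "")) else FAILED


def evaluate(registry, resource_type, name):
    """Run every applicable check on one resource; returns {check id: result}."""
    conf = {"__name__": name}
    return {c.id: c.scan_resource_conf(conf) for c in registry.get_checks(resource_type)}
```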

checkov directory switch not repeatable

Describe the bug
When running checkov -h, the directory switch claims it is repeatable but when you repeat it, only the last directory listed is scanned

  -d DIRECTORY, --directory DIRECTORY
                        Terraform root directory (can not be used together with --file). Can be repeated

To Reproduce
Steps to reproduce the behavior:

  1. Create two directories (directory1, directory2) containing valid terraform files
  2. Run cli command checkov -d ./directory1 -d ./directory2
  3. Only directory2 is scanned

Expected behavior
Both directory1 and directory2 are scanned

Desktop (please complete the following information):

  • Checkov Version: 1.0.180

Additional context
I would actually prefer a recursive switch; using the -d directive multiple times is a workaround.

Checkov Docker Image

Is your feature request related to a problem? Please describe.
We are using Gitlab CI. It would be easier/faster to integrate checkov if we had a docker image of it.

Describe the solution you'd like
Create a docker image and publish it to docker hub.

Describe alternatives you've considered
We are just getting started with checkov and just install it manually at build time. This works ok. We could build a docker image ourselves, but it'd be nice if it was official.

Additional context
Forgive me if this does not mesh with your vision for the tool or an image already exists. I couldn't find one on Docker Hub.

Add new check: Ensure CloudTrail logs are encrypted at rest using KMS CMKs

Is your feature request related to a problem? Please describe.
Enable checking cloudtrail encryption by verifying that in a cloudtrail definition block kms_key_id =foo

Describe the solution you'd like
Create a new policy that checks for KMS encryption on cloudtrail resources.
The following resource block should have a CheckResult.Passed:

resource "aws_cloudtrail" "good_cloudtrail" {
  enable_logging                = true
  s3_bucket_name                = "foo"
  enable_log_file_validation    = true
  is_multi_region_trail         = true
  include_global_service_events = true
  kms_key_id                    = "foo"
}

The following resource block should have a CheckResult.Failed:

resource "aws_cloudtrail" "bad_cloudtrail" {
  enable_logging                = true
  s3_bucket_name                = "foo"
  enable_log_file_validation    = true
  is_multi_region_trail         = true
  include_global_service_events = true
}

Additional context
Terraform cloudtrail resource page: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html
How to write a new checkov policy: https://bridgecrewio.github.io/checkov/1.Introduction/Policies.html
CIS check description: https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf#page=78
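Added example, not checkov's own code: the evaluation logic for the two checks requested on this page (CloudTrail KMS encryption here, and the Elasticache replication group encryption check requested earlier), written against the dict shape checkov's Terraform parser hands to scan_resource_conf, where every attribute value is wrapped in a list. The sample confs are constructed for this example.

```python
# Added example, not checkov's own code: pass/fail logic for the CloudTrail
# KMS check and the Elasticache replication group encryption check requested
# on this page, against the dict shape checkov's Terraform parser hands to
# scan_resource_conf: each attribute value is wrapped in a list.
PASSED, FAILED = "PASSED", "FAILED"


def attr(conf, key):
    """Unwrap a parsed HCL attribute; a missing or empty attribute yields None."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def is_enabled(value):
    # HCL `true` parses to a bool; tolerate the quoted form "true" as well.
    return value is True or str(value).lower() == "true"


def cloudtrail_kms_encrypted(conf):
    """aws_cloudtrail must reference a KMS key: kms_key_id set and non-empty."""
    return PASSED if attr(conf, "kms_key_id") else FAILED


def elasticache_encryption_complete(conf):
    """aws_elasticache_replication_group: both encryption flags enabled, plus the
    auth_token (needs transit encryption) and kms_key_id (needs at-rest) set."""
    if not is_enabled(attr(conf, "at_rest_encryption_enabled")):
        return FAILED
    if not is_enabled(attr(conf, "transit_encryption_enabled")):
        return FAILED
    if not attr(conf, "auth_token") or not attr(conf, "kms_key_id"):
        return FAILED
    return PASSED


# Constructed sample confs in checkov's parsed shape (placeholder values).
GOOD_TRAIL = {"enable_logging": [True], "s3_bucket_name": ["foo"],
              "kms_key_id": ["foo"]}
BAD_TRAIL = {"enable_logging": [True], "s3_bucket_name": ["foo"]}
GOOD_GROUP = {"at_rest_encryption_enabled": [True],
              "transit_encryption_enabled": [True],
              "auth_token": ["placeholder-token"],
              "kms_key_id": ["arn:placeholder"]}
```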

Option to display parsing errors

When checkov reports parsing errors there's no way to see the error or even the file which caused it. I'm testing this in a project which passes terraform validate.

$ checkov -f main.tf 

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
version: 1.0.181 

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1

Add cli switch to inspect a file

Is your feature request related to a problem? Please describe.
We would like to use checkov in conjunction with pre-commit so that infra engineers can be notified of misconfigurations locally (and before checkov is executed in CI).

However, it seems checkov can only be run on directories. That means we cannot adopt this workflow without running static analysis on every terraform file in the repo every time we make a commit with any terraform changes -- or, at best, every terraform file that shares a path with any terraform file being committed.

Describe the solution you'd like
A command-line switch such as -f or --file that accepts a path to an individual file to be analyzed.

Describe alternatives you've considered
N/A

Additional context
N/A

The releases of checkov since 1.0.188 are broken

Describe the bug
When you run checkov at the cli (windows or bash) in either python 3.6 or 3.7 it throws an exception in checkov/cloudformation/runner.py

09:17 $ checkov -d .
Traceback (most recent call last):
  File "/home/jim/.local/bin/checkov", line 5, in <module>
    run()
  File "/home/jim/.local/lib/python3.6/site-packages/checkov/main.py", line 42, in run
    scan_reports = runner_registry.run(root_folder, external_checks_dir=args.external_checks_dir, files=file)
  File "/home/jim/.local/lib/python3.6/site-packages/checkov/common/runners/runner_registry.py", line 24, in run
    scan_report = runner().run(root_folder, external_checks_dir=external_checks_dir, files=files)
  File "/home/jim/.local/lib/python3.6/site-packages/checkov/cloudformation/runner.py", line 71, in run
    for resource_name, resource in definitions[cf_file]['Resources'].items():
KeyError: 'Resources'
To Reproduce
Install latest checkov- [greater than 10.188]

Steps to reproduce the behavior:
1. Go to 'a folder with terraform init'
2. Run cli command  checkov -d .
3. See error

Expected behavior
Checkov scan results.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):
 - OS: [windows and ubuntu]
 - Checkov Version [gt 1.0.188]

Additional context
Add any other context about the problem here (e.g. code snippets).

Dynamic blocks handling is partial

Describe the bug
An S3 bucket with a dynamic logging block is considered a violation, even if a value was set for the variable externally.

To Reproduce
Steps to reproduce the behavior:
S3 configuration:

resource "aws_s3_bucket" "bridgecrew_cws_bucket" {
  count = var.existing_bucket_name == null ? 1 : 0

  bucket = local.bucket_name
  acl    = "private"

  versioning {
    enabled = true
  }

  lifecycle_rule {
    id      = "Delete old log files"
    enabled = true

    noncurrent_version_expiration {
      days = var.log_file_expiration
    }

    expiration {
      days = var.log_file_expiration
    }
  }

  dynamic "logging" {
    for_each = var.logs_bucket_id != null ? [var.logs_bucket_id] : []

    content {
      target_bucket = logging.value
      target_prefix = "/${local.bucket_name}"
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = local.kms_key
        sse_algorithm     = "aws:kms"
      }
    }
  }

  tags = {
    Name = "BridgecrewCWSBucket"
  }
}

Expected behavior
The check should not fail

Desktop (please complete the following information):

  • OS: mac OSX Catalina
  • Checkov Version 1.0.167

Checkov should not exit success (0) on parsing errors

Describe the bug
Checkov exits 0 on success and 1 on any failed checks.

It also returns 0 on parsing errors. It should probably return something else, to cause CI pipelines to fail instead of quietly succeeding.

To Reproduce
Steps to reproduce the behavior:

  1. echo "hello" > ./bad.tf
  2. checkov -d .
  3. See that there is a parsing error, but checkov exits 0.
$ checkov -d .
       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
version: 1.0.98 

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1

$ echo $?
0

Expected behavior
Checkov should return something non-zero (maybe 2?)

$ checkov -d .
       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
version: 1.0.98 

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1

$ echo $?
2

Desktop (please complete the following information):

  • OS: Linux
  • Checkov Version: 1.0.98

Four checks, three empty?

Description
I've just attached Checkov to our pre-commit config, and when I run pre-commit --all-files it seems that Checkov is run 4 times - the first three are blanks, with just the ASCII logo and "Passed checks: 0, Failed checks: 0, Skipped checks: 0", and the 4th time is when the tests are done.

To Reproduce
Steps to reproduce the behavior:

  1. Add Checkov to .pre-commit-config.yaml
  2. Run pre-commit --all-files
  3. See error

Expected behavior
I was pretty sure it would just run once, including all .tf files found in all directories, recursively, and print the results once.

Desktop

  • OS: Linux Debian 10, Python 3.7.3
  • Checkov rev: 1.0.170

Additional context
It doesn't seem a really large issue - but, as it prints quite a lot of lines, it does punch the rest of the pre-commit run results pretty far away.

Allow Global Suppression

It would be ideal to globally suppress a check rather than needing to suppress each resource. For instance, if all security groups don't have a description, it would be preferable to raise a global suppression until the issue can be addressed.
