Skip to content

Commit

Permalink
feat(misconf): add ability to disable checks by ID (aquasecurity#7536)
Browse files Browse the repository at this point in the history
Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: Simar <[email protected]>
  • Loading branch information
2 people authored and fhielpos committed Dec 20, 2024
1 parent dd06360 commit fa1805b
Show file tree
Hide file tree
Showing 4 changed files with 110 additions and 6 deletions.
6 changes: 6 additions & 0 deletions pkg/iac/rego/load.go
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,12 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
continue
}

if IsBuiltinNamespace(getModuleNamespace(module)) {
if _, disabled := s.disabledCheckIDs[meta.ID]; disabled { // ignore builtin disabled checks
continue
}
}

if len(meta.InputOptions.Selectors) == 0 {
s.logger.Warn(
"Module has no input selectors - it will be loaded for all inputs!",
Expand Down
11 changes: 11 additions & 0 deletions pkg/iac/rego/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,3 +106,14 @@ func WithCustomSchemas(schemas map[string][]byte) options.ScannerOption {
}
}
}

// WithDisabledCheckIDs disables checks by their ID (ID field in metadata)
func WithDisabledCheckIDs(ids ...string) options.ScannerOption {
return func(s options.ConfigurableScanner) {
if ss, ok := s.(*Scanner); ok {
for _, id := range ids {
ss.disabledCheckIDs[id] = struct{}{}
}
}
}
}
15 changes: 9 additions & 6 deletions pkg/iac/rego/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ type Scanner struct {
embeddedLibs map[string]*ast.Module
embeddedChecks map[string]*ast.Module
customSchemas map[string][]byte

disabledCheckIDs map[string]struct{}
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
Expand Down Expand Up @@ -109,12 +111,13 @@ func NewScanner(source types.Source, opts ...options.ScannerOption) *Scanner {
}

s := &Scanner{
regoErrorLimit: ast.CompileErrorLimitDefault,
sourceType: source,
ruleNamespaces: make(map[string]struct{}),
runtimeValues: addRuntimeValues(),
logger: log.WithPrefix("rego"),
customSchemas: make(map[string][]byte),
regoErrorLimit: ast.CompileErrorLimitDefault,
sourceType: source,
ruleNamespaces: make(map[string]struct{}),
runtimeValues: addRuntimeValues(),
logger: log.WithPrefix("rego"),
customSchemas: make(map[string][]byte),
disabledCheckIDs: make(map[string]struct{}),
}

maps.Copy(s.ruleNamespaces, builtinNamespaces)
Expand Down
84 changes: 84 additions & 0 deletions pkg/iac/rego/scanner_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1153,3 +1153,87 @@ deny {
})
}
}

func Test_RegoScanner_WithDisabledCheckIDs(t *testing.T) {

check := `# METADATA
# custom:
# id: TEST-001
# avd_id: AVD-TEST-001
# severity: LOW
# provider: aws
# service: s3
# short_code: test
package builtin.test
deny {
true
}
`

tests := []struct {
name string
disabledChecks []string
inputCheck string
expected bool
}{
{
name: "no disabled checks",
expected: true,
inputCheck: check,
},
{
name: "disable check by ID",
disabledChecks: []string{"TEST-001"},
inputCheck: check,
},
{
name: "disabling a non-existent check",
disabledChecks: []string{"FOO"},
expected: true,
inputCheck: check,
},
{
name: "one of the identifiers does not exist",
disabledChecks: []string{"FOO", "TEST-001"},
inputCheck: check,
},
{
name: "do not disable user checks with builtin IDs",
inputCheck: `# METADATA
# custom:
# id: TEST-001
# avd_id: AVD-TEST-001
# severity: LOW
# provider: aws
# service: s3
# short_code: test
package user.test
deny {
true
}
`,
disabledChecks: []string{"TEST-001"},
expected: true,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

scanner := rego.NewScanner(
types.SourceYAML,
rego.WithPolicyReader(strings.NewReader(tt.inputCheck)),
rego.WithDisabledCheckIDs(tt.disabledChecks...),
rego.WithPolicyNamespaces("user"),
)

require.NoError(t, scanner.LoadPolicies(nil))
results, err := scanner.ScanInput(context.TODO(), rego.Input{})
require.NoError(t, err)

require.Equal(t, tt.expected, len(results.GetFailed()) > 0)
})
}
}

0 comments on commit fa1805b

Please sign in to comment.