
Custom Policies aren't showing in the Azure DevOps Test Results #6750

Open
DerekTheBrave opened this issue Oct 3, 2024 · 1 comment
Labels
checks Check additions or changes

Comments

@DerekTheBrave

Describe the issue
I've been writing some Custom Policies, and I've tried both YAML and Python. These are scanning Terraform AKS clusters; there's not a huge amount of code being scanned. However, the built-in scans are showing up in the results, not the custom ones.

Examples
Here's an example of one of them:

`__init__.py`

```python
from .kubernetes_no_privilege_escalation_check import KubernetesNoPrivilegeEscalationCheck
```

`kubernetes_no_privilege_escalation_check.py`

```python
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.kubernetes.checks.resource.base_container_check import BaseK8sContainerCheck


class KubernetesNoPrivilegeEscalationCheck(BaseK8sContainerCheck):
    def __init__(self):
        name = "Ensure Kubernetes containers do not allow privilege escalation"
        id = "CUSTOM_K8S_6"
        supported_resources = [
            "kubernetes_pod",
            "kubernetes_deployment",
            "kubernetes_stateful_set",
            "kubernetes_daemonset",
            "kubernetes_replica_set",
        ]
        categories = [CheckCategories.KUBERNETES]
        # Registering with the base class is what makes checkov pick the check up.
        super().__init__(name=name, id=id, categories=categories, supported_entities=supported_resources)

    def scan_container_conf(self, conf, metadata):
        # Fail if any container leaves allowPrivilegeEscalation unset or true.
        if "spec" in conf:
            containers = conf["spec"].get("containers", [])
            for container in containers:
                security_context = container.get("securityContext", {})
                if security_context.get("allowPrivilegeEscalation", True):
                    return CheckResult.FAILED
            return CheckResult.PASSED
        return CheckResult.PASSED


scanner = KubernetesNoPrivilegeEscalationCheck()
```

Version (please complete the following information):

  • Checkov Version v3.2.256

Additional context
I'm downloading them in the Azure DevOps pipeline, and I've been checking they're all there. Originally there was a syntax error which failed the scan; I fixed that, and it all runs clean, but the custom policies aren't in the Tests (Pass, Fail, not impacted, etc.).

Any ideas?

@DerekTheBrave DerekTheBrave added the checks Check additions or changes label Oct 3, 2024
@bo156
Contributor

bo156 commented Nov 10, 2024

@DerekTheBrave can you provide info on how you ran your scan?
If you are adding a custom policy in a specific location, please remember to use --external-checks-dir to support it.
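As an added example (not the issue's or checkov's own code), a pipeline step that first verifies the layout shown in the issue, i.e. that every check module in the directory is imported by its `__init__.py`, and then runs checkov with `--external-checks-dir` and `-o junitxml` so the custom check IDs land in the file Azure DevOps publishes as test results; the paths `./custom_checks` and `./results` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the issue: gate the pipeline step on the custom
# check directory being wired up, then run checkov with --external-checks-dir
# and JUnit output so Azure DevOps can publish the results as tests.
set -eu

# A check module that __init__.py does not import is never loaded by
# checkov, so its ID never reaches the results. Assumes explicit
# "from .module import Class" lines, as in the issue's __init__.py.
# Returns 0 when every module is imported, 1 otherwise.
check_init_imports() {
  dir="$1"
  init="$dir/__init__.py"
  [ -f "$init" ] || { echo "missing $init" >&2; return 1; }
  rc=0
  for f in "$dir"/*.py; do
    mod=$(basename "$f" .py)
    [ "$mod" = "__init__" ] && continue
    if ! grep -q "^from \\.${mod} import " "$init"; then
      echo "$mod is not imported in $init" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Pipeline step (constructed paths): fail fast on a broken layout, then scan.
# The junitxml file written under ./results is what a PublishTestResults
# task picks up, so custom IDs appear next to the built-in ones.
if [ "${1:-}" = "run" ]; then
  check_init_imports ./custom_checks
  checkov -d . --external-checks-dir ./custom_checks \
    -o cli -o junitxml --output-file-path ./results
fi
```

Invoke the script with `run` in the pipeline; without an argument it only defines the helper so it can be sourced and reused.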
