@@ -1,6 +1,9 @@
from __future__ import annotations

from typing import Any
from checkov.common.models.consts import ANY_VALUE
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories
from checkov.common.models.enums import CheckCategories, CheckResult


class LambdaCodeSigningConfigured(BaseResourceValueCheck):
Expand All @@ -11,6 +14,12 @@ def __init__(self):
categories = [CheckCategories.SUPPLY_CHAIN]
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: dict[str, Any], entity_type: str = None):
# Code signing only applies to Zip package type, not Image (container)
if conf.get("package_type") == "Image":
return CheckResult.PASSED
return super().scan_resource_conf(conf, entity_type)

def get_inspected_key(self):
return "code_signing_config_arn"

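Review bot: The guard `if conf.get("package_type") == "Image":` in the new `scan_resource_conf` compares against a bare string, while Terraform attribute values in a checkov `conf` dict are normally delivered wrapped in a single-element list (`["Image"]`); if that is the case here, the branch never fires and Image-packaged functions fall through to the ARN lookup and fail. The form used by sibling Terraform checks is `if conf.get("package_type") == ["Image"]:`, or unwrap defensively: `package_type = conf.get("package_type")` / `if isinstance(package_type, list): package_type = package_type[0]` — the companion test's passing count will show which shape the runner actually delivers, so verify rather than assume. Returning PASSED for a container-image function is consistent with how checkov handles not-applicable resources, but a reader can mistake it for "image is signed"; extend the comment to `# Code signing only applies to Zip package type; container images rely on ECR-side controls that this check does not evaluate`. Minor: with `from __future__ import annotations` already at the top of the file, `entity_type: str = None` should be `entity_type: str | None = None`. The enclosing class starts above the hunk.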
Expand Up @@ -14,3 +14,12 @@ resource "aws_lambda_function" "fail" {
role = ""
runtime = "python3.9"
}

# pass (Image package type - code signing not applicable)

resource "aws_lambda_function" "image_pass" {
function_name = "test-image"
role = ""
package_type = "Image"
image_uri = "123456789012.dkr.ecr.us-east-1.amazonaws.com/myimage:latest"
}
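Review bot: The new fixture exercises the Image exemption but not an explicit `package_type = "Zip"` without a signing config, so a regression that treats any set `package_type` as exempt, or compares against the wrong literal, would not be caught by this example file; add a `zip_fail` resource and the matching entry in the test's `failing_resources`. The `image_uri` account and region are placeholders, which is fine for a fixture, but a short comment such as `# placeholder account/region, not a real repository` keeps them from being copied as real identifiers. The `fail` resource this hunk continues starts above the hunk.
```hcl
# fail (explicit Zip package type without a code signing config)

resource "aws_lambda_function" "zip_fail" {
  function_name = "test-zip"
  role          = ""
  runtime       = "python3.9"
  package_type  = "Zip"
}
```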
Expand Up @@ -6,7 +6,7 @@
from checkov.terraform.runner import Runner


class TestWafHasAnyRules(unittest.TestCase):
class TestLambdaCodeSigningConfigured(unittest.TestCase):
def test(self):
# given
test_files_dir = Path(__file__).parent / "example_LambdaCodeSigningConfigured"
Expand All @@ -17,18 +17,21 @@ def test(self):
# then
summary = report.get_summary()

# pass: has code_signing_config_arn; image_pass: package_type=Image (check skipped, passes)
passing_resources = {
"aws_lambda_function.pass"
"aws_lambda_function.pass",
"aws_lambda_function.image_pass",
}

# fail: Zip package type (default) without code_signing_config_arn
failing_resources = {
"aws_lambda_function.fail"
}

passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}

self.assertEqual(summary["passed"], 1)
self.assertEqual(summary["passed"], 2)
self.assertEqual(summary["failed"], 1)
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)
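Review bot: The new comment above `passing_resources` describes `image_pass` as "check skipped, passes", but checkov reports skips as a distinct status that this very test pins to zero with `summary["skipped"]`, so the wording contradicts the assertion a few lines down; reword it to `# pass: has code_signing_config_arn; image_pass: package_type=Image (not applicable, reported as PASSED)`. The comparisons of `passing_resources`/`failing_resources` against the collected `passed_check_resources`/`failed_check_resources` sets are not visible in this hunk, so I cannot confirm from here that the per-resource outcome, and not only the count of 2, is asserted; if they are missing, add `self.assertEqual(passing_resources, passed_check_resources)` and the matching failing comparison. `def test` continues past the end of the hunk.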