fix(allowlist): allowlist file default value (#1425)

Co-authored-by: sergargar <sergio@verica.io>
2026-02-10 14:55:00 +00:00 · 2022-10-24 09:29:24 +02:00
parent e77486f771
commit 2d86254549
4 changed files with 30 additions and 17 deletions
--- a/config/config.py
+++ b/config/config.py
@@ -21,7 +21,6 @@ csv_file_suffix = ".csv"
 json_file_suffix = ".json"
 json_asff_file_suffix = ".asff.json"
 config_yaml = "providers/aws/config.yaml"
-allowlist_yaml = "providers/aws/allowlist.yaml"


 def change_config_var(variable, value):
--- a/lib/outputs/outputs.py
+++ b/lib/outputs/outputs.py
@@ -47,14 +47,15 @@ def report(check_findings, output_options, audit_info):
    if check_findings:
        for finding in check_findings:
            # Check if finding is allowlisted
-            if is_allowlisted(
-                output_options.allowlist_file,
-                audit_info.audited_account,
-                finding.check_metadata.CheckID,
-                finding.region,
-                finding.resource_id,
-            ):
-                finding.status = "WARNING"
+            if output_options.allowlist_file:
+                if is_allowlisted(
+                    output_options.allowlist_file,
+                    audit_info.audited_account,
+                    finding.check_metadata.CheckID,
+                    finding.region,
+                    finding.resource_id,
+                ):
+                    finding.status = "WARNING"
            # Print findings by stdout
            color = set_report_color(finding.status)
            if output_options.is_quiet and "FAIL" in finding.status:
--- a/providers/aws/lib/allowlist/allowlist.py
+++ b/providers/aws/lib/allowlist/allowlist.py
@@ -56,7 +56,6 @@ def parse_allowlist_file(audit_info, allowlist_file):
        else:
            with open(allowlist_file) as f:
                allowlist = yaml.safe_load(f)["Allowlist"]
-                print(allowlist)
        return allowlist
    except Exception as error:
        logger.critical(f"{error.__class__.__name__} -- {error}")
@@ -66,12 +65,16 @@ def parse_allowlist_file(audit_info, allowlist_file):
 def is_allowlisted(allowlist, audited_account, check, region, resource):
    try:
        if audited_account in allowlist["Accounts"]:
-            if is_allowlisted_in_check(allowlist, audited_account, check, region, resource):
+            if is_allowlisted_in_check(
+                allowlist, audited_account, check, region, resource
+            ):
                return True
        # If there is a *, it affects to all accounts
        if "*" in allowlist["Accounts"]:
            audited_account = "*"
-            if is_allowlisted_in_check(allowlist, audited_account, check, region, resource):
+            if is_allowlisted_in_check(
+                allowlist, audited_account, check, region, resource
+            ):
                return True
        return False
    except Exception as error:
@@ -83,11 +86,15 @@ def is_allowlisted_in_check(allowlist, audited_account, check, region, resource)
    # If there is a *, it affects to all checks
    if "*" in allowlist["Accounts"][audited_account]["Checks"]:
        check = "*"
-        if is_allowlisted_in_region(allowlist, audited_account, check, region, resource):
+        if is_allowlisted_in_region(
+            allowlist, audited_account, check, region, resource
+        ):
            return True
    # Check if there is the specific check
    if check in allowlist["Accounts"][audited_account]["Checks"]:
-        if is_allowlisted_in_region(allowlist, audited_account, check, region, resource):
+        if is_allowlisted_in_region(
+            allowlist, audited_account, check, region, resource
+        ):
            return True
    return False

@@ -95,11 +102,15 @@ def is_allowlisted_in_check(allowlist, audited_account, check, region, resource)
 def is_allowlisted_in_region(allowlist, audited_account, check, region, resource):
    # If there is a *, it affects to all regions
    if "*" in allowlist["Accounts"][audited_account]["Checks"][check]["Regions"]:
-        for elem in allowlist["Accounts"][audited_account]["Checks"][check]["Resources"]:
+        for elem in allowlist["Accounts"][audited_account]["Checks"][check][
+            "Resources"
+        ]:
            if re.search(elem, resource):
                return True
    # Check if there is the specific region
    if region in allowlist["Accounts"][audited_account]["Checks"][check]["Regions"]:
-        for elem in allowlist["Accounts"][audited_account]["Checks"][check]["Resources"]:
+        for elem in allowlist["Accounts"][audited_account]["Checks"][check][
+            "Resources"
+        ]:
            if re.search(elem, resource):
                return True
--- a/4
+++ b/4
@@ -7,7 +7,6 @@ from os import mkdir
 from os.path import isdir

 from config.config import (
-    allowlist_yaml,
    change_config_var,
    default_output_directory,
    output_file_timestamp,
@@ -192,6 +191,7 @@ if __name__ == "__main__":
        "-w",
        "--allowlist-file",
        nargs="?",
+        default=None,
        help="Path for allowlist yaml file, by default is 'providers/aws/allowlist.yaml'. See default yaml for reference and format.",
    )
    # Parse Arguments
@@ -310,6 +310,8 @@ if __name__ == "__main__":
    # Parse content from Allowlist file and get it, if necessary, from S3
    if args.allowlist_file:
        allowlist_file = parse_allowlist_file(audit_info, args.allowlist_file)
+    else:
+        allowlist_file = None

    # Setting output options
    audit_output_options = set_output_options(