feat(check): new check ecr_registry_scan_images_on_push_enabled (#2237)

This commit is contained in:
Sergio Garcia
2023-04-18 15:45:21 +02:00
committed by GitHub
parent 05d866e6b3
commit 4536780a19
7 changed files with 259 additions and 3 deletions


@@ -0,0 +1,123 @@
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import Registry, ScanningRule
# Mock Test Region
AWS_REGION = "eu-west-1"
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_ecr_registry_scan_images_on_push_enabled:
def test_no_registries(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_registry_scan_images_on_push_enabled.ecr_registry_scan_images_on_push_enabled import (
ecr_registry_scan_images_on_push_enabled,
)
check = ecr_registry_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 0
def test_scan_on_push_enabled(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "*", "filterType": "WILDCARD"}],
)
],
)
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_registry_scan_images_on_push_enabled.ecr_registry_scan_images_on_push_enabled import (
ecr_registry_scan_images_on_push_enabled,
)
check = ecr_registry_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("with scan on push", result[0].status_extended)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].region == AWS_REGION
def test_scan_on_push_enabled_with_filters(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "test", "filterType": "WILDCARD"}],
)
],
)
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_registry_scan_images_on_push_enabled.ecr_registry_scan_images_on_push_enabled import (
ecr_registry_scan_images_on_push_enabled,
)
check = ecr_registry_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"scanning with scan on push but with repository filters",
result[0].status_extended,
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].region == AWS_REGION
def test_scan_on_push_disabled(self):
ecr_client = mock.MagicMock
ecr_client.registries = []
ecr_client.registries.append(
Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
rules=[],
)
)
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_registry_scan_images_on_push_enabled.ecr_registry_scan_images_on_push_enabled import (
ecr_registry_scan_images_on_push_enabled,
)
check = ecr_registry_scan_images_on_push_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("scanning without scan on push", result[0].status_extended)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].region == AWS_REGION
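Review bot: `ecr_client = mock.MagicMock` in test_no_registries (and the same line in the other three tests) binds the MagicMock class rather than an instance, so `ecr_client.registries = []` sets an attribute on the shared class object and `mock.patch` substitutes that class for ECR; each test happens to reset the list, which hides the sharing, but any later test that forgets to will read another test's registries. Use `ecr_client = mock.MagicMock()` in all four tests so the state is per test. The four cases also only exercise `scan_type="BASIC"` with at most one rule; the check body is not in this commit page, so it may already be handled, but a case with several rules (a SCAN_ON_PUSH wildcard rule next to a filtered one) would pin whether the check looks at any rule or only the first.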


@@ -5,7 +5,7 @@ from boto3 import client, session
from moto import mock_ecr
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.ecr.ecr_service import ECR
from prowler.providers.aws.services.ecr.ecr_service import ECR, ScanningRule
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "eu-west-1"
@@ -53,6 +53,21 @@ def mock_make_api_call(self, operation_name, kwarg):
"repositoryName": "string",
"lifecyclePolicyText": "test-policy",
}
if operation_name == "GetRegistryScanningConfiguration":
return {
"registryId": AWS_ACCOUNT_NUMBER,
"scanningConfiguration": {
"scanType": "BASIC",
"rules": [
{
"scanFrequency": "SCAN_ON_PUSH",
"repositoryFilters": [
{"filter": "*", "filterType": "WILDCARD"},
],
},
],
},
}
return make_api_call(self, operation_name, kwarg)
@@ -218,3 +233,18 @@ class Test_ECR_Service:
)
assert not ecr.repositories[0].images_details[1].scan_findings_status
assert not ecr.repositories[0].images_details[1].scan_findings_severity_count
# Test get ECR Registries
@mock_ecr
def test__get_registry_scanning_configuration__(self):
audit_info = self.set_mocked_audit_info()
ecr = ECR(audit_info)
assert len(ecr.registries) == 1
assert ecr.registries[0].id == AWS_ACCOUNT_NUMBER
assert ecr.registries[0].scan_type == "BASIC"
assert ecr.registries[0].rules == [
ScanningRule(
scan_frequency="SCAN_ON_PUSH",
scan_filters=[{"filter": "*", "filterType": "WILDCARD"}],
)
]
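Review bot: test__get_registry_scanning_configuration__ asserts id, scan_type and rules of the registry but never its region, and the GetRegistryScanningConfiguration stub added in the earlier hunk of this file returns the same payload regardless of which regional client calls it, so a registry stored under the wrong region would still pass. Add `assert ecr.registries[0].region == AWS_REGION` next to the id assertion. The enclosing class Test_ECR_Service starts outside the hunk. The stub only ever answers with the BASIC/SCAN_ON_PUSH/wildcard shape, so presumably nothing yet drives an empty rule list or a filtered rule through the service model; a second stub variant would cover the branches the new check's tests rely on.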