feat(compliance): Loader and Execute (#1465)

2026-02-10 06:45:08 +00:00 · 2022-11-23 15:53:53 +01:00
parent 1a70a45805
commit b3e57ca3e5
515 changed files with 6018 additions and 5614 deletions
--- a/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json
+++ b/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json
@@ -1,35 +1,37 @@
 {
-    "Provider": "aws",
-    "CheckID": "ecr_repositories_lifecycle_policy_enabled",
-    "CheckTitle": "Check if ECR repositories have lifecycle policies enabled",
-    "CheckType": ["Identify", "Resource configuration"],
-    "ServiceName": "ecr",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "low",
-    "ResourceType": "AwsEcrRepository",
-    "Description": "Check if ECR repositories have lifecycle policies enabled",
-    "Risk": "Amazon ECR repositories run the risk of retaining huge volumes of images, increasing unnecessary cost.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Open the Amazon ECR console. Create an ECR lifecycle policy.",
-        "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html"
-      }
+  "Provider": "aws",
+  "CheckID": "ecr_repositories_lifecycle_policy_enabled",
+  "CheckTitle": "Check if ECR repositories have lifecycle policies enabled",
+  "CheckType": [
+    "Identify",
+    "Resource configuration"
+  ],
+  "ServiceName": "ecr",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "low",
+  "ResourceType": "AwsEcrRepository",
+  "Description": "Check if ECR repositories have lifecycle policies enabled",
+  "Risk": "Amazon ECR repositories run the risk of retaining huge volumes of images, increasing unnecessary cost.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ECR/lifecycle-policy-in-use.html",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
    },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Open the Amazon ECR console. Create an ECR lifecycle policy.",
+      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py
+++ b/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py
@@ -6,7 +6,7 @@ class ecr_repositories_lifecycle_policy_enabled(Check):
    def execute(self):
        findings = []
        for repository in ecr_client.repositories:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
            report.region = repository.region
            report.resource_id = repository.name
            report.resource_arn = repository.arn
--- a/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json
+++ b/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json
@@ -1,35 +1,37 @@
 {
-    "Provider": "aws",
-    "CheckID": "ecr_repositories_not_publicly_accessible",
-    "CheckTitle": "Ensure there are no ECR repositories set as Public",
-    "CheckType": ["Protect", "Secure Access Management"],
-    "ServiceName": "ecr",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "critical",
-    "ResourceType": "AwsEcrRepository",
-    "Description": "Ensure there are no ECR repositories set as Public",
-    "Risk": "A repository policy that allows anonymous access may allow anonymous users to perform actions.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "https://docs.bridgecrew.io/docs/public_1-ecr-repositories-not-public#cloudformation",
-        "Other": "https://docs.bridgecrew.io/docs/public_1-ecr-repositories-not-public#aws-console",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Ensure the repository and its contents are not publicly accessible",
-        "Url": "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
-      }
+  "Provider": "aws",
+  "CheckID": "ecr_repositories_not_publicly_accessible",
+  "CheckTitle": "Ensure there are no ECR repositories set as Public",
+  "CheckType": [
+    "Protect",
+    "Secure Access Management"
+  ],
+  "ServiceName": "ecr",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "critical",
+  "ResourceType": "AwsEcrRepository",
+  "Description": "Ensure there are no ECR repositories set as Public",
+  "Risk": "A repository policy that allows anonymous access may allow anonymous users to perform actions.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/public_1-ecr-repositories-not-public#cloudformation",
+      "Other": "https://docs.bridgecrew.io/docs/public_1-ecr-repositories-not-public#aws-console",
+      "Terraform": ""
    },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Ensure the repository and its contents are not publicly accessible",
+      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/public/security_iam_service-with-iam.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
+++ b/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
@@ -6,7 +6,7 @@ class ecr_repositories_not_publicly_accessible(Check):
    def execute(self):
        findings = []
        for repository in ecr_client.repositories:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
            report.region = repository.region
            report.resource_id = repository.name
            report.resource_arn = repository.arn
--- a/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json
+++ b/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json
@@ -1,35 +1,37 @@
 {
-    "Provider": "aws",
-    "CheckID": "ecr_repositories_scan_images_on_push_enabled",
-    "CheckTitle": "Check if ECR image scan on push is enabled",
-    "CheckType": ["Identify", "Vulnerability, patch, and version management"],
-    "ServiceName": "ecr",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "medium",
-    "ResourceType": "AwsEcrRepository",
-    "Description": "Check if ECR image scan on push is enabled",
-    "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "aws ecr create-repository --repository-name <repo_name> --image-scanning-configuration scanOnPush=true--region <region_name>",
-        "NativeIaC": "https://docs.bridgecrew.io/docs/general_8#cli-command",
-        "Other": "",
-        "Terraform": "https://docs.bridgecrew.io/docs/general_8#fix---buildtime"
-      },
-      "Recommendation": {
-        "Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
-        "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
-      }
+  "Provider": "aws",
+  "CheckID": "ecr_repositories_scan_images_on_push_enabled",
+  "CheckTitle": "Check if ECR image scan on push is enabled",
+  "CheckType": [
+    "Identify",
+    "Vulnerability, patch, and version management"
+  ],
+  "ServiceName": "ecr",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEcrRepository",
+  "Description": "Check if ECR image scan on push is enabled",
+  "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. ",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws ecr create-repository --repository-name <repo_name> --image-scanning-configuration scanOnPush=true--region <region_name>",
+      "NativeIaC": "https://docs.bridgecrew.io/docs/general_8#cli-command",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/general_8#fix---buildtime"
    },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.",
+      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
+++ b/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
@@ -6,7 +6,7 @@ class ecr_repositories_scan_images_on_push_enabled(Check):
    def execute(self):
        findings = []
        for repository in ecr_client.repositories:
-            report = Check_Report(self.metadata)
+            report = Check_Report(self.metadata())
            report.region = repository.region
            report.resource_id = repository.name
            report.resource_arn = repository.arn
--- a/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json
+++ b/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json
@@ -1,35 +1,37 @@
 {
-    "Provider": "aws",
-    "CheckID": "ecr_repositories_scan_vulnerabilities_in_latest_image",
-    "CheckTitle": "Check if ECR image scan found vulnerabilities in the newest image version",
-    "CheckType": ["Identify", "Vulnerability, patch, and version management"],
-    "ServiceName": "ecr",
-    "SubServiceName": "",
-    "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
-    "Severity": "medium",
-    "ResourceType": "AwsEcrRepository",
-    "Description": "Check if ECR image scan found vulnerabilities in the newest image version",
-    "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.",
-    "RelatedUrl": "",
-    "Remediation": {
-      "Code": {
-        "CLI": "",
-        "NativeIaC": "",
-        "Other": "",
-        "Terraform": ""
-      },
-      "Recommendation": {
-        "Text": "Open the Amazon ECR console. Then look for vulnerabilities and fix them.",
-        "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings"
-      }
+  "Provider": "aws",
+  "CheckID": "ecr_repositories_scan_vulnerabilities_in_latest_image",
+  "CheckTitle": "Check if ECR image scan found vulnerabilities in the newest image version",
+  "CheckType": [
+    "Identify",
+    "Vulnerability, patch, and version management"
+  ],
+  "ServiceName": "ecr",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsEcrRepository",
+  "Description": "Check if ECR image scan found vulnerabilities in the newest image version",
+  "Risk": "Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
    },
-    "Categories": [],
-    "Tags": {
-      "Tag1Key": "value",
-      "Tag2Key": "value"
-    },
-    "DependsOn": [],
-    "RelatedTo": [],
-    "Notes": "",
-    "Compliance": []
-  }
+    "Recommendation": {
+      "Text": "Open the Amazon ECR console. Then look for vulnerabilities and fix them.",
+      "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
+++ b/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
@@ -7,7 +7,7 @@ class ecr_repositories_scan_vulnerabilities_in_latest_image(Check):
        findings = []
        for repository in ecr_client.repositories:
            for image in repository.images_details:
-                report = Check_Report(self.metadata)
+                report = Check_Report(self.metadata())
                report.region = repository.region
                report.resource_id = repository.name
                report.resource_arn = repository.arn