Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/Docusaurus/docs/modules/engine_sast/engine_iac.md
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -294,14 +294,52 @@ Defines exclusion rules for repositories and specific security checks.
"hu": "4338704"
}
]
},
"BY_PATTERN_SEARCH": {
".*_Repository_Test": {
"THRESHOLD": {
"VULNERABILITY": {
"Critical": 1,
"High": 4,
"Medium": 10,
"Low": 15
},
"COMPLIANCE": {
"Critical": 1
},
"PRIORITY": {
"Very Critical": 1,
"Critical": 4,
"High": 10,
"Medium Low": 15
}
},
"SKIP_TOOL": {
"create_date": "24012024",
"expired_date": "30012024",
"hu": "3423213"
},
"CHECKOV": [
{
"id": "CKV_K8S_24",
"where": "all",
"create_date": "18112023",
"expired_date": "18032024",
"severity": "HIGH",
"hu": "4338704"
}
]
}
}
}
```

#### Exclusion Types
- **All**: Global exclusions applied to all repositories
- **Repository-specific**: Exclusions for specific repositories
- **BY_PATTERN_SEARCH**: Regex-based exclusions for matching multiple pipeline names
- **SKIP_TOOL**: Complete tool bypass for a repository
- **THRESHOLD**: Optional threshold override by repository or pattern (VULNERABILITY, COMPLIANCE, PRIORITY)
- **Rule-specific**: Exclusions for specific security rules with:
- `id`: Security rule identifier
- `where`: File or location scope ("all" for global)
Expand Down
36 changes: 36 additions & 0 deletions example_remote_config_local/engine_sast/engine_iac/Exclusions.json
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,41 @@
"hu": "4338704"
}
]
},
"BY_PATTERN_SEARCH": {
".*_Repository_Test": {
"THRESHOLD": {
"VULNERABILITY": {
"Critical": 1,
"High": 4,
"Medium": 10,
"Low": 15
},
"COMPLIANCE": {
"Critical": 1
},
"PRIORITY": {
"Very Critical": 1,
"Critical": 4,
"High": 10,
"Medium Low": 15
}
},
"SKIP_TOOL": {
"create_date": "24012024",
"expired_date": "30012024",
"hu": "3423213"
},
"CHECKOV": [
{
"id": "CKV_K8S_24",
"where": "all",
"create_date": "18112023",
"expired_date": "18032024",
"severity": "HIGH",
"hu": "4338704"
}
]
}
}
}
20 changes: 13 additions & 7 deletions tools/devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@

return findings_list, input_core

def _complete_config_tool(self, data_file_tool, exclusions, tool, dict_args):

Check failure on line 92 in tools/devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Refactor this function to reduce its Cognitive Complexity from 21 to the 15 allowed.

See more on https://sonarcloud.io/project/issues?id=bancolombia_devsecops-engine-tools&issues=AZ5LDNdP5Jxk9XZaKmaM&open=AZ5LDNdP5Jxk9XZaKmaM&pullRequest=658
config_tool = ConfigTool(json_data=data_file_tool)

config_tool.exclusions = exclusions
Expand All @@ -111,13 +111,19 @@

if config_tool.exclusions.get("All") is not None:
config_tool.exclusions_all = config_tool.exclusions.get("All").get(tool)
if config_tool.exclusions.get(config_tool.scope_pipeline) is not None:
config_tool.exclusions_scope = config_tool.exclusions.get(
config_tool.scope_pipeline
).get(tool)
skip_tool = bool(
config_tool.exclusions.get(config_tool.scope_pipeline).get("SKIP_TOOL")
)

exclusions_scope = config_tool.exclusions.get(config_tool.scope_pipeline)
if exclusions_scope is None:
for pattern, values in config_tool.exclusions.get(
"BY_PATTERN_SEARCH", {}
).items():
if re.match(pattern, config_tool.scope_pipeline, re.IGNORECASE):
exclusions_scope = values
break

if exclusions_scope is not None:
config_tool.exclusions_scope = exclusions_scope.get(tool)
skip_tool = bool(exclusions_scope.get("SKIP_TOOL"))

if dict_args["folder_path"]:
if (
Expand Down
108 changes: 108 additions & 0 deletions tools/devsecops_engine_tools/engine_sast/engine_iac/test/domain/usecases/test_iac_scan.py
100644 → 100755
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ def test_process_skip_search_folder(self):
"folder_path": "example_folder",
"environment": "test",
"platform": "eks",
"token_external_checks": "token",
}
secret_tool = "example_secret"
tool = "CHECKOV"
Expand Down Expand Up @@ -173,3 +174,110 @@ def test_process_skip_search_folder(self):
# Assert the expected return values
self.assertEqual(findings_list, [])
self.assertIsNotNone(input_core)

def test_process_skip_search_folder_by_pattern_search(self):
dict_args = {
"remote_config_repo": "example_repo",
"remote_config_branch": "",
"folder_path": "example_folder",
"environment": "test",
"platform": "eks",
"token_external_checks": "token",
}
secret_tool = "example_secret"
tool = "CHECKOV"

self.remote_config_source_gateway.get_remote_config.side_effect = [
{
"SEARCH_PATTERN": ["AW", "NU"],
"IGNORE_SEARCH_PATTERN": "(.*_test)",
"EXCLUSIONS_PATH": "Exclusions.json",
"MESSAGE_INFO_ENGINE_IAC": "message test",
"UPDATE_SERVICE_WITH_FILE_NAME_CFT": "false",
"THRESHOLD": {
"VULNERABILITY": {
"Critical": 10,
"High": 3,
"Medium": 20,
"Low": 30,
},
"COMPLIANCE": {"Critical": 4},
"PRIORITY": {
"Very Critical": 1,
"Critical": 3,
"High": 5,
"Medium Low": 15,
},
},
"CHECKOV": {
"VERSION": "2.3.296",
"USE_EXTERNAL_CHECKS_GIT": "True",
"EXTERNAL_CHECKS_GIT": "rules",
"EXTERNAL_GIT_SSH_HOST": "github",
"EXTERNAL_GIT_PUBLIC_KEY_FINGERPRINT": "fingerprint",
"USE_EXTERNAL_CHECKS_DIR": "False",
"EXTERNAL_DIR_OWNER": "test",
"EXTERNAL_DIR_REPOSITORY": "repository",
"RULES": "",
},
},
{
"All": {
"CHECKOV": [
{
"id": "CKV_K8S_8",
"where": "all",
"create_date": "18112023",
"expired_date": "18032024",
"severity": "HIGH",
"hu": "4338704",
}
]
},
"BY_PATTERN_SEARCH": {
".*example_pipeline": {
"THRESHOLD": {
"VULNERABILITY": {
"Critical": 1,
"High": 2,
"Medium": 3,
"Low": 4,
},
"COMPLIANCE": {"Critical": 1},
"PRIORITY": {
"Very Critical": 1,
"Critical": 1,
"High": 1,
"Medium Low": 1,
},
},
"SKIP_TOOL": {
"create_date": "24012024",
"expired_date": "30012024",
"hu": "3423213",
},
"CHECKOV": [
{
"id": "CKV_K8S_9",
"where": "deployment-configmap.yaml",
"create_date": "18112023",
"expired_date": "18032024",
"severity": "HIGH",
"hu": "4338704",
}
],
}
},
},
]

self.devops_platform_gateway.get_variable.return_value = "example_pipeline"
self.tool_gateway.run_tool.return_value = ([], None)

findings_list, input_core = self.iac_scan.process(dict_args, secret_tool, tool, "qa")

self.assertEqual(findings_list, [])
self.assertEqual(len(input_core.totalized_exclusions), 2)
self.assertEqual(input_core.totalized_exclusions[0].id, "CKV_K8S_8")
self.assertEqual(input_core.totalized_exclusions[1].id, "CKV_K8S_9")
self.tool_gateway.run_tool.assert_not_called()
Loading