Checkov #111

Open
wants to merge 2 commits into
base: main
105 changes: 105 additions & 0 deletions sampleTerraformFile.tf
@@ -0,0 +1,105 @@
## This is a sample Terraform file to check CHECKOV with intentional vulnerabilities.
## Run checkov:
## checkov --directory /user/path/to/iac/code
## checkov --file /user/tf/example.tf
## checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml
##
## Refer: https://www.checkov.io/2.Basics/Installing%20Checkov.html

locals {
sg_name = "checkov-test"
aws_vpc_id = "vpc-#####" #enter vpc id here
cidr_block = ["0.0.0.0/0"]
from_port = "80"
to_port = "80"
}
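Review bot: `aws_vpc_id = "vpc-#####"` is a placeholder rather than a value, so the configuration cannot be applied as written; Checkov does not care, because it never calls the provider, but anyone who tries `terraform plan` after reading the header will hit the two security groups first. If the id has to come from the user, declare it as `variable "aws_vpc_id" {}` with no default so Terraform prompts for it, instead of a local that must be edited in place. Note also that only the `#enter vpc id here` tail is a comment; the `#####` inside the quotes is part of the string.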
Comment on lines +9 to +15
🛠️ Refactor suggestion

Incorrect variable types and insecure defaults in locals.
Defining cidr_block as ["0.0.0.0/0"] opens all traffic, contradicting the intended VPC-only access. Also, from_port and to_port are strings rather than numbers, which may cause type mismatches. Suggest using a data source to retrieve the VPC CIDR and defining ports as numeric values:

 locals {
-  cidr_block = ["0.0.0.0/0"]
-  from_port  = "80"
-  to_port    = "80"
+  cidr_block = [data.aws_vpc.selected.cidr_block]
+  from_port  = 80
+  to_port    = 80
 }

And add:

data "aws_vpc" "selected" {
  id = local.aws_vpc_id
}


##################################################################
# we do this in production
# do the lalalalalala
##################################################################
provider "aws" {
region = "us-east-1"
access_key = "AKIA123456789EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
Comment on lines +21 to +25
⚠️ Potential issue

Remove hard‑coded AWS credentials from source
Storing access_key and secret_key in your Terraform code risks leaking sensitive credentials. Use environment variables (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), shared credentials files, or a secrets manager.

Proposed refactor:

- provider "aws" {
-   region     = "us-east-1"
-   access_key = "AKIA123456789EXAMPLE"
-   secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
- }
+ provider "aws" {
+   region = var.aws_region
+   # credentials supplied via environment variables or shared credentials file
+ }

Let me know if you’d like sample variable definitions and documentation.

🧰 Tools
🪛 GitHub Actions: Security Checks

[error] 24-24: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked. Use environment variables or secure vaults instead.

🪛 CircleCI: semgrep

[error] 24-24: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials: Hard-coded credential detected. Storing credentials in source code risks secrets being leaked. Use environment variables or secure vaults to provide credentials.


##################################################################
# A security group with minimal restrictions in the first resource.
##################################################################
resource "aws_security_group" "this" {
name = local.sg_name
description = "Security group "
vpc_id = local.aws_vpc_id

ingress {
description = "Ingress from VPC"
from_port = local.from_port
to_port = local.to_port
protocol = "tcp"
cidr_blocks = local.cidr_block
}
Comment on lines +35 to +41
⚠️ Potential issue

Ingress rule allows traffic from any IP despite the description
The cidr_blocks = local.cidr_block default of ["0.0.0.0/0"] contradicts the "Ingress from VPC" description and opens port 80 globally. Restrict this to your VPC CIDR or specific IP ranges.

Example using a data source:

data "aws_vpc" "selected" {
  id = var.aws_vpc_id
}

resource "aws_security_group" "this" {
  ingress {
    from_port   = local.from_port
    to_port     = local.to_port
    protocol    = "tcp"
-   cidr_blocks = local.cidr_block
+   cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
  # ...
}


egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
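Review bot: the egress block that closes `aws_security_group.this` allows every protocol (`protocol = "-1"`, ports `0` to `0`) to `0.0.0.0/0`, and the identical block is repeated in `aws_security_group.insecure` below, yet the file's own comments describe only the ingress side as insecure. Unrestricted egress is what lets a compromised instance reach arbitrary hosts, so either scope it to the destinations the workload needs (the VPC CIDR, a prefix list for AWS endpoints) or, if it is meant as one more deliberate finding, say so in the header comment so a later reader does not copy it as a sane default.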

##################################################################
# An additional security group with an overly permissive rule.
# This rule allows ALL TCP ports (0-65535) from ANY source.
##################################################################
resource "aws_security_group" "insecure" {
name = "insecure-sg"
description = "Insecure SG exposing all TCP ports to the world"
vpc_id = local.aws_vpc_id

ingress {
description = "Allow all TCP traffic"
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
Comment on lines +60 to +66
alexcrtestapp (bot), Apr 18, 2025
⚠️ Potential issue

Critical: Insecure security group permitting all TCP ports from the internet
This aws_security_group.insecure resource opens ports 0–65535 to 0.0.0.0/0, undermining network security. Unless strictly required for testing, remove or narrow this rule to specific ports and trusted CIDRs.


egress {
description = "Allow all outbound traffic"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

##################################################################
# A public S3 bucket configuration with unsafe ACL and disabled block public access.
##################################################################
resource "aws_s3_bucket" "public" {
bucket = "checkov-public-bucket-demo-12345"
acl = "public-read" # Vulnerability: Bucket is publicly readable

versioning {
enabled = false
}

# Intentionally not configuring block public access to expose potential risk
website {
index_document = "index.html"
}
}
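Review bot: the comment `Intentionally not configuring block public access` reads as if block public access were an argument of this resource that was left out, but in the AWS provider it is a separate resource, `aws_s3_bucket_public_access_block`, which takes `bucket = aws_s3_bucket.public.id` plus the `block_public_acls`, `block_public_policy`, `ignore_public_acls` and `restrict_public_buckets` flags; a nested `public_access_block {}` inside `aws_s3_bucket` is an unsupported block and will not plan. Separately, with the `hashicorp/aws ~> 4.20.0` pin at the bottom of this file the inline `acl`, `versioning` and `website` arguments are deprecated in favour of `aws_s3_bucket_acl`, `aws_s3_bucket_versioning` and `aws_s3_bucket_website_configuration`, so a fix written in the inline style shown here will emit deprecation warnings on every plan. If the bucket is meant as a deliberate finding, keep it, but reword the comment so it does not teach the wrong resource model.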
Comment on lines +80 to +92
⚠️ Potential issue

Public S3 bucket with public‑read ACL and no public access block
This configuration exposes bucket contents publicly and disables protective controls. For production, set acl = "private", enable public_access_block, and turn on versioning.

Proposed diff:

 resource "aws_s3_bucket" "public" {
   bucket = "checkov-public-bucket-demo-12345"
-  acl    = "public-read"
+  acl    = "private"
+  public_access_block {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }

   versioning {
-    enabled = false
+    enabled = true
   }

   # website configuration (only enable if hosting a static site via CloudFront)
   website {
     index_document = "index.html"
   }
 }

Let me know if you’d like a full refactor for private hosting behind CloudFront.

Committable suggestion skipped: line range outside the PR's diff.
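To make concrete what a scanner such as Checkov or the semgrep rule quoted above is doing over this file, here is a toy scanner added to this page as an example; it is not Checkov's code, not the semgrep rule, and not part of the PR. It parses only the line-oriented HCL subset this file uses (one attribute per line, no heredocs or multi-line expressions), resolves `local.*` references one level deep, and reports the finding classes raised in the credential, security-group and S3 comments above. The `DEMO_*` finding IDs, the helper names and the `SAMPLE_TF` input are all made up for the example; the input is constructed to mirror the flagged parts of `sampleTerraformFile.tf`.

```python
"""Toy IaC scanner added to this page as an example; it is not Checkov's code and not the PR
author's. It parses the HCL subset sampleTerraformFile.tf uses, resolves one level of local.*
references, and reports the finding classes the review comments raise (DEMO_* IDs are made up)."""
import re

COMMENT = re.compile(r'#(?=(?:[^"]*"[^"]*")*[^"]*$).*')   # a # that is not inside double quotes
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY = "0.0.0.0/0"

def parse_value(v):
    if v.startswith("[") and v.endswith("]"):
        return [parse_value(x.strip()) for x in v[1:-1].split(",") if x.strip()]
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return v[1:-1]
    if v in ("true", "false"):
        return v == "true"
    return int(v) if v.isdigit() else ("ref", v)   # local.x, var.x, data.x stay unresolved tokens

def parse_hcl(text):   # line-oriented parse into nested {kind, labels, attrs, children} dicts
    root = {"kind": "root", "labels": [], "attrs": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            parts = [p.strip('"') for p in line[:-1].replace("=", " ").split()]
            block = {"kind": parts[0], "labels": parts[1:], "attrs": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1]["attrs"][key.strip()] = parse_value(val.strip())
    return root

def deref(v, locals_):   # resolve a local.NAME token one level deep (all this file needs)
    if isinstance(v, list):
        return [deref(x, locals_) for x in v]
    return locals_.get(v[1][6:], v) if isinstance(v, tuple) and v[1].startswith("local.") else v

def scan(text):
    """Return [(finding_id, address, message), ...] for the text of one .tf file."""
    root = parse_hcl(text)
    locals_ = {k: v for b in root["children"] if b["kind"] == "locals" for k, v in b["attrs"].items()}
    has_pab = any(b["labels"][:1] == ["aws_s3_bucket_public_access_block"] for b in root["children"])
    out = []
    for b in root["children"]:
        addr, rtype = ".".join([b["kind"]] + b["labels"]), b["labels"][:1]
        a = {k: deref(v, locals_) for k, v in b["attrs"].items()}
        if b["kind"] == "provider" and rtype == ["aws"]:
            for key in ("access_key", "secret_key"):
                if isinstance(a.get(key), str):   # a literal, not a var./local./profile lookup
                    out.append(("DEMO_STATIC_CREDS", addr, f"{key} is a hard-coded credential"))
        elif b["kind"] == "resource" and rtype == ["aws_security_group"]:
            for rule in b["children"]:
                r = {k: deref(v, locals_) for k, v in rule["attrs"].items()}
                if ANY not in r.get("cidr_blocks", []):
                    continue
                if rule["kind"] == "egress":
                    out.append(("DEMO_SG_EGRESS_ANY", addr, f"egress to {ANY}"))
                    continue
                lo, hi, proto = [int(x) if str(x).isdigit() else x for x in (r.get("from_port"), r.get("to_port"), r.get("protocol"))]
                sev = "ALL_PORTS" if proto == "-1" or (lo, hi) == (0, 65535) else "WORLD"
                out.append((f"DEMO_SG_INGRESS_{sev}", addr, f"ingress {proto} {lo}-{hi} from {ANY}"))
        elif b["kind"] == "resource" and rtype == ["aws_s3_bucket"]:
            if a.get("acl") in PUBLIC_ACLS:
                out.append(("DEMO_S3_PUBLIC_ACL", addr, f"acl = {a['acl']}"))
            if not has_pab:   # block public access is a separate resource, not a bucket argument
                out.append(("DEMO_S3_NO_PUBLIC_ACCESS_BLOCK", addr, "no aws_s3_bucket_public_access_block in file"))
    return out

# Constructed input mirroring the flagged parts of the PR's sampleTerraformFile.tf.
SAMPLE_TF = """
locals {
  cidr_block = ["0.0.0.0/0"]
  from_port  = "80"
  to_port    = "80"
}
provider "aws" {
  access_key = "AKIA123456789EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_security_group" "this" {
  ingress {
    from_port   = local.from_port
    to_port     = local.to_port
    protocol    = "tcp"
    cidr_blocks = local.cidr_block
  }
}
resource "aws_s3_bucket" "public" {
  acl = "public-read"  # Vulnerability: Bucket is publicly readable
}
"""

if __name__ == "__main__":
    for fid, addr, msg in scan(SAMPLE_TF):
        print(f"{fid:<30} {addr:<35} {msg}")
```

Run as a script it prints five findings for `SAMPLE_TF`: two hard-coded credentials, one ingress rule open to the world (found only because `cidr_blocks = local.cidr_block` is resolved through the `locals` block, which is why the first review comment above targets the locals rather than the rule), the public-read ACL, and the absent `aws_s3_bucket_public_access_block`. The parser is deliberately narrow: anything it does not understand (variables, data sources, expressions) stays an unresolved token and produces no finding, which is the main way a toy like this misses things; a real scanner resolves variables and data sources across the whole module before judging a rule.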


##################################################################
# Terraform configuration, with required versions and providers.
##################################################################
terraform {
required_version = "~> 1.2.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.20.0"
}
}
}
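Review bot: `required_version = "~> 1.2.0"` admits only 1.2.x and `version = "~> 4.20.0"` admits only 4.20.x, so the sample refuses to run on any newer Terraform and never picks up provider fixes past 4.20; for a file other people are meant to run, pin to the minor (`~> 1.2`, `~> 4.20`) and commit the `.terraform.lock.hcl` that `terraform init` produces if exact versions matter. Also, the header comment mixes `--file` and `-f` for the same Checkov flag across consecutive lines; pick one form.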