Checkov项目中支持AzApi资源自定义YAML策略的实践指南

2025-05-30 03:10:41作者：晏闻田Solitary

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

项目地址：https://gitcode.com/GitHub_Trending/ch/checkov

背景与挑战

在Azure云环境中，AzApi资源(azapi_resource)是一种特殊的资源类型，它允许用户创建和管理Azure中任何类型的资源。这种灵活性带来了一个显著挑战：如何在Checkov这类基础设施即代码(IaC)安全扫描工具中，为不同类型的AzApi资源定义和执行针对性的安全策略。

AzApi资源检查的基本原理

Checkov通过资源类型和属性匹配机制来执行安全检查。对于AzApi资源，关键在于如何准确识别资源类型并应用相应的策略规则。AzApi资源在Terraform配置中通常表现为：

resource "azapi_resource" "example" {
  type      = "Microsoft.ContainerRegistry/registries@2021-06-01-preview"
  name      = "example"
  location  = "eastus"
  parent_id = azurerm_resource_group.example.id
  # 其他配置...
}

实现策略检查的两种方法

方法一：YAML策略定义

Checkov支持通过YAML格式定义自定义策略。针对AzApi资源，可以利用条件组合来实现精确控制：

definition:
  or:
    - cond_type: attribute
      resource_types:
      - azapi_resource
      attribute: type
      operator: not_regex_match
      value: Microsoft\.ContainerRegistry/registries@[^/]+
    - cond_type: attribute
      resource_types:
      - azapi_resource
      attribute: identity.type
      operator: not_contains
      value: "UserAssigned"

这种方法的优势在于：

无需编写代码即可快速实现策略
支持复杂的逻辑组合
易于维护和共享

但需要注意，这种方法可能会产生较多的"通过"结果，因为第一个条件会放过所有非目标资源类型。

方法二：Python自定义检查

对于更复杂的检查逻辑，可以开发Python检查插件：

from __future__ import annotations
from typing import Any
import re
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

resource_regex = r'Microsoft\.ContainerRegistry/registries@[^/]+'

class CustomAzApiCheck(BaseResourceCheck):
    def __init__(self) -> None:
        name = "AzAPI资源身份验证检查"
        id = "CKV_AZURE_CUSTOM_001"
        supported_resources = ("azapi_resource",)
        categories = (CheckCategories.IAM,)
        super().__init__(name=name, id=id, categories=categories, 
                        supported_resources=supported_resources)

    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
        resource_type = conf.get("type")
        if not resource_type or re.match(resource_regex, resource_type[0]) is None:
            return CheckResult.UNKNOWN
        
        identity = conf.get("identity")
        if not identity:
            return CheckResult.FAILED
            
        identity_type = identity[0].get("type")
        if not identity_type:
            return CheckResult.FAILED
            
        if isinstance(identity_type, list):
            identity_types = [s.replace(" ", "") for s in identity_type[0].split(',')]
        else:
            identity_types = [identity_type.replace(" ", "")]
            
        return CheckResult.PASSED if "UserAssigned" in identity_types else CheckResult.FAILED

check = CustomAzApiCheck()