fix(terraform): CKV_GCP_13 pass when client_certificate_config is omitted#7569
Open
arpitjain099 wants to merge 2 commits into
Conversation
…tted

CKV_GCP_13 failed any google_container_cluster that did not explicitly set master_auth.client_certificate_config.issue_client_certificate = false. The google provider defaults that field to false, so omitting the block already leaves client certificate authentication disabled. Treating the omission as a failure is a false positive that punishes the secure default.

Pass missing_block_result=CheckResult.PASSED so an omitted block passes, while an explicit issue_client_certificate = true still fails.

Fixes bridgecrewio#7558

Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
Fixes #7558
Problem
CKV_GCP_13 ("Ensure client certificate authentication to Kubernetes Engine Clusters is disabled") fails on any google_container_cluster that does not explicitly set master_auth.client_certificate_config.issue_client_certificate = false.

That is a false positive. The google provider defaults issue_client_certificate to false, so a cluster that omits the block entirely already has client certificate authentication disabled. The check was penalizing the safer pattern (rely on the secure default) and rewarding boilerplate (declare an empty block just to satisfy the scanner).

Provider default evidence

master_auth.client_certificate_config.issue_client_certificate: "Whether client certificate authorization is enabled for this cluster ... Defaults to false." https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#issue_client_certificate

MasterAuth.clientCertificateConfig.issueClientCertificate defaults to disabled: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters#masterauth

Root cause

GKEClientCertificateDisabled extends BaseResourceValueCheck without setting missing_block_result, which defaults to CheckResult.FAILED. When the inspected key is absent, scan_resource_conf returns missing_block_result, so an omitted-but-secure block is reported as a failure.

Fix

Pass missing_block_result=CheckResult.PASSED. An omitted block now passes (matching the provider default), while an explicit issue_client_certificate = true still fails.

Repro / before and after

Before:
FAILED for resource: google_container_cluster.implicit

After:
PASSED for resource: google_container_cluster.implicit

An explicit issue_client_certificate = true remains FAILED (existing test_failure is unchanged).

Tests

Added test_success_omitted_block asserting an omitted block passes. Verified the new test fails against the unpatched check and passes with the fix; the existing pass/fail cases are unchanged.
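As an added example (not checkov's own code and not part of this PR), the following Python models the dispatch the description attributes to BaseResourceValueCheck: scan_resource_conf walks the inspected key path, returns missing_block_result when that path is absent, and otherwise compares the leaf value with the expected value. It runs the check in its unpatched shape (missing_block_result left at FAILED) and its patched shape (PASSED) over constructed resource configs written in the list-wrapped form checkov's Terraform parser produces. The stand-in classes, the lookup helper and the sample configs are assumptions for illustration; only the check id, name, key path and the PASSED/FAILED outcomes come from the page.

```python
"""Toy model of the missing_block_result behaviour discussed in the PR.

Added example: the classes below are simplified stand-ins, not checkov's
BaseResourceValueCheck, and nothing here imports checkov.
"""
from enum import Enum
from typing import Any, Dict, List


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


_MISSING = object()  # sentinel: "key absent" must not be confused with a literal False


def lookup(conf: Dict[str, Any], key: str) -> Any:
    """Resolve a checkov-style key path such as
    'master_auth/[0]/client_certificate_config/[0]/issue_client_certificate'.

    Assumption: checkov's Terraform parser wraps every block and attribute value
    in a list, so '[N]' segments index those lists. Any failed hop yields _MISSING.
    """
    node: Any = conf
    for part in key.split("/"):
        if part.startswith("[") and part.endswith("]"):
            idx = int(part[1:-1])
            if not isinstance(node, list) or idx >= len(node):
                return _MISSING
            node = node[idx]
        else:
            if not isinstance(node, dict) or part not in node:
                return _MISSING
            node = node[part]
    if isinstance(node, list) and len(node) == 1:  # unwrap a leaf attribute value
        node = node[0]
    return node


class BaseResourceValueCheck:
    """Simplified stand-in (assumption) for checkov's BaseResourceValueCheck."""

    def __init__(self, name: str, id: str, supported_resources: List[str],
                 missing_block_result: CheckResult = CheckResult.FAILED) -> None:
        self.name = name
        self.id = id
        self.supported_resources = supported_resources
        self.missing_block_result = missing_block_result

    def get_inspected_key(self) -> str:
        raise NotImplementedError

    def get_expected_value(self) -> Any:
        return True

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        value = lookup(conf, self.get_inspected_key())
        if value is _MISSING:
            # This is the branch the PR changes: absent key -> missing_block_result.
            return self.missing_block_result
        return CheckResult.PASSED if value == self.get_expected_value() else CheckResult.FAILED


class GKEClientCertificateDisabled(BaseResourceValueCheck):
    """CKV_GCP_13 as modelled here; the constructor argument selects the
    unpatched (FAILED default) or patched (PASSED) missing_block_result."""

    def __init__(self, missing_block_result: CheckResult = CheckResult.FAILED) -> None:
        super().__init__(
            name="Ensure client certificate authentication to Kubernetes Engine Clusters is disabled",
            id="CKV_GCP_13",
            supported_resources=["google_container_cluster"],
            missing_block_result=missing_block_result,
        )

    def get_inspected_key(self) -> str:
        return "master_auth/[0]/client_certificate_config/[0]/issue_client_certificate"

    def get_expected_value(self) -> Any:
        return False


# Constructed sample resources (not from the PR) in checkov's list-wrapped conf shape.
RESOURCES: Dict[str, Dict[str, Any]] = {
    # master_auth omitted entirely: relies on the provider default of false
    "google_container_cluster.implicit": {"name": ["implicit"]},
    # block present but attribute omitted: the key path is still absent
    "google_container_cluster.empty_block": {
        "name": ["empty_block"],
        "master_auth": [{"client_certificate_config": [{}]}],
    },
    "google_container_cluster.explicit_false": {
        "name": ["explicit_false"],
        "master_auth": [{"client_certificate_config": [{"issue_client_certificate": [False]}]}],
    },
    # insecure setting: must fail before and after the change
    "google_container_cluster.explicit_true": {
        "name": ["explicit_true"],
        "master_auth": [{"client_certificate_config": [{"issue_client_certificate": [True]}]}],
    },
}


def run(check: BaseResourceValueCheck) -> Dict[str, str]:
    """Map each sample resource address to the check's result name."""
    return {addr: check.scan_resource_conf(conf).value for addr, conf in RESOURCES.items()}


if __name__ == "__main__":
    before = GKEClientCertificateDisabled()
    after = GKEClientCertificateDisabled(missing_block_result=CheckResult.PASSED)
    for label, check in (("before", before), ("after", after)):
        for addr, result in run(check).items():
            print(f"{label}: {result} for resource: {addr}")
```

Running the block prints the before/after table; the implicit and empty-block resources flip from FAILED to PASSED while explicit_true stays FAILED, which is the behaviour test_success_omitted_block and the unchanged test_failure pin down. The sentinel in lookup matters for this check specifically: the expected value is False, so a naive "falsy means absent" lookup would misclassify an explicit issue_client_certificate = false as a missing block.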