From 47a50bcd4cf8c6cb0418bd047ed93686697117f4 Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Thu, 4 Jun 2026 15:25:15 +0900
Subject: [PATCH] fix(terraform): CKV_GCP_13 pass when client_certificate_config is omitted
CKV_GCP_13 failed any google_container_cluster that did not explicitly set master_auth.client_certificate_config.issue_client_certificate = false. The google provider defaults that field to false, so omitting the block already leaves client certificate authentication disabled. Treating the omission as a failure is a false positive that punishes the secure default. Pass missing_block_result=CheckResult.PASSED so an omitted block passes, while an explicit issue_client_certificate = true still fails.
Fixes #7558
Signed-off-by: arpitjain099
---
 .../checks/resource/gcp/GKEClientCertificateDisabled.py | 8 ++++++--
 .../resource/gcp/test_GKEClientCertificateDisabled.py | 7 +++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py b/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
index fa1ee855c0..b824af3e26 100644
--- a/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
+++ b/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py
@@ -1,5 +1,5 @@
 from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-from checkov.common.models.enums import CheckCategories
+from checkov.common.models.enums import CheckCategories, CheckResult
 
 
 class GKEClientCertificateDisabled(BaseResourceValueCheck):
@@ -8,7 +8,11 @@ def __init__(self):
         id = "CKV_GCP_13"
         supported_resources = ['google_container_cluster']
         categories = [CheckCategories.KUBERNETES]
-        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+        # The google provider defaults issue_client_certificate to false, which is exactly the
+        # desired state. Omitting master_auth/client_certificate_config therefore leaves client
+        # certificate auth disabled, so a missing block should pass rather than fail.
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.PASSED)
 
     def get_inspected_key(self):
         """
diff --git a/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py b/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
index fd06b95381..686ed71b4c 100644
--- a/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
+++ b/tests/terraform/checks/resource/gcp/test_GKEClientCertificateDisabled.py
@@ -12,6 +12,13 @@ def test_success(self):
         scan_result = check.scan_resource_conf(conf=resource_conf)
         self.assertEqual(CheckResult.PASSED, scan_result)
 
+    def test_success_omitted_block(self):
+        # The google provider defaults issue_client_certificate to false, so a cluster that omits
+        # master_auth/client_certificate_config still has client certificate auth disabled.
+        resource_conf = {'name': ['google_cluster'], 'location': ['us-central1']}
+        scan_result = check.scan_resource_conf(conf=resource_conf)
+        self.assertEqual(CheckResult.PASSED, scan_result)
+
     def test_failure(self):
         resource_conf = {'name': ['google_cluster'], 'master_auth': [{'client_certificate_config': [{'issue_client_certificate': [True]}]}]}
         scan_result = check.scan_resource_conf(conf=resource_conf)
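Review bot: Passing `missing_block_result=CheckResult.PASSED` makes the verdict depend entirely on the google provider's default for `issue_client_certificate`, and neither the check nor the new comment records which provider versions that default is assumed to hold for; the comment above the `super().__init__` call should carry that assumption explicitly, e.g. `# Relies on the google provider default issue_client_certificate = false; revisit if that default or the supported provider floor changes.` A second, more practical caveat is that the key path can also be "missing" when checkov did not render it — a `dynamic "master_auth"` block, or a value sourced from a variable or module the evaluator could not resolve — and such resources now pass silently where they previously failed; if `BaseResourceValueCheck` already separates unresolved values (UNKNOWN) from an absent key that is fine, but it is worth confirming against the base class rather than assumed. The `__init__` body begins before the hunk (the `name =` assignment) and the body of `get_inspected_key` continues past it.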
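Review bot: `test_success_omitted_block` only exercises a resource with no `master_auth` at all, while the shape the commit message argues about — `master_auth` present with `client_certificate_config` omitted — is not asserted anywhere visible here, so a regression in the nested lookup would go unnoticed. Add a sibling case with `resource_conf = {'name': ['google_cluster'], 'master_auth': [{}]}` (or whatever minimal `master_auth` body the provider accepts) and assert `CheckResult.PASSED`, so the missing-block path is hit one level down rather than only at the top level. The `check` instance these methods call is defined outside the hunk.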