
I created a Checkov custom YAML policy and noticed that only terraform files are getting scanned with the custom policy. Did not find any documentation that confirms this as the expected behavior. How can I scan cloudformation code with custom policy?

Here is the custom policy I used (Basic query) - https://www.checkov.io/3.Custom%20Policies/Examples.html

Below are the commands

# cd to cfn folder
# my custom policy is in my_extra_checks folder
checkov -d . --external-checks-dir my_extra_checks

The output has the other scans but not the custom scan.

cloudformation scan results:
Passed checks: 1, Failed checks: 1, Skipped checks: 0
user

2 Answers


It all depends on how you define your resources; I had a similar problem. I removed the scope and also set my attributes to Tags.

shearn89

Most of the graph check/YAML policy examples on the docs page are Terraform examples; the giveaway is how they refer to the resources: AWS::AppSync::GraphQLApi would be a CloudFormation resource and aws_appsync_graphql_api the Terraform equivalent. If you want a fuller YAML graph example see here: https://github.com/bridgecrewio/checkov/blob/master/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml

James Woolfenden