fix(serverless): Enhance yaml parsing, better support for file expansion #7115

thentenaar · 2025-04-21T06:19:26Z

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Although the issue reported in #7006 doesn't cause a /crash/ per se, checkov was failing to process the file() expansion on the resources SequenceNode; thus not scanning the file at all.

The serverless parser expands file() expansions by way of yaml.safe_load which is fine for scalar values, but for SequenceNodes of resources, this needs to be handled in cfn_yaml otherwise the resources don't get added to
the graph (they lack the marking attributes, and so the graph creation fails.)

This PR also adds a 'file' attribute to the yaml nodes for use in diagnostics, extends the serverless runner to use it, and enriches yaml parse error handling, adding a logging.error() tell with specifics. I've also replaced the IOError exceptions groked by errno with thier more descriptive equivalents in the serverless and cfn parsers.

Additional tests have been added to test that the file() expansion handling works as it should, and that a check passes when run on yaml containing an expansion; and that an CfnParseError gets raised on attempts at circular inclusions.

For the yaml provided in #7006, after correcting a syntax error in the yaml itself, I get the following results with these changes applied:

serverless scan results:

Passed checks: 4, Failed checks: 0, Skipped checks: 0

Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
        PASSED for resource: AWS::Lambda::Permission.CustomFunctionInvokePermission
        File: /serverless.yml:4-9
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364
Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
        PASSED for resource: Alerts
        File: /Alerts.yml:1-10
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5
Check: CKV_AWS_1: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
        PASSED for resource: Alerts
        File: /Alerts.yml:1-10
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-23
Check: CKV_AWS_49: "Ensure no IAM policies documents allow "*" as a statement's actions"
        PASSED for resource: Alerts
        File: /Alerts.yml:1-10
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-43

Checklist:

I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have added tests that prove my feature, policy, or fix is effective and works
New and existing tests pass locally with my changes

…ions - Improve yaml parsing wrt file() expansion - Add tests for file() expansion - Add a '__file__' marker attribute to yaml nodes - Utilize the '__file__' marker when generating reports for serverless - Raise CfnParseError on circular inclusions - Added a ``logger.error`` that logs specifics on pyyaml parse errors - Updated the serverless graph builder to cope with file() expansion Fixes bridgecrewio#7006

thentenaar had a problem deploying to scan-security April 21, 2025 06:19 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 119a31b to 65304c2 Compare April 21, 2025 12:22

thentenaar had a problem deploying to scan-security April 21, 2025 12:22 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 65304c2 to 7b5bc41 Compare April 22, 2025 14:15

thentenaar had a problem deploying to scan-security April 22, 2025 14:15 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 7b5bc41 to d5f53c0 Compare April 24, 2025 12:14

thentenaar had a problem deploying to scan-security April 24, 2025 12:14 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from d5f53c0 to d987230 Compare April 24, 2025 23:07

thentenaar had a problem deploying to scan-security April 24, 2025 23:07 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from d987230 to eb96929 Compare April 26, 2025 03:08

thentenaar had a problem deploying to scan-security April 26, 2025 03:08 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from eb96929 to 2e78162 Compare April 28, 2025 05:41

thentenaar had a problem deploying to scan-security April 28, 2025 05:41 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 2e78162 to a394af1 Compare April 28, 2025 12:10

thentenaar had a problem deploying to scan-security April 28, 2025 12:10 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from a394af1 to 8acb06f Compare April 28, 2025 23:34

thentenaar had a problem deploying to scan-security April 28, 2025 23:34 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 8acb06f to c623529 Compare April 29, 2025 15:43

thentenaar had a problem deploying to scan-security April 29, 2025 15:43 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from c623529 to a087313 Compare April 29, 2025 16:33

thentenaar had a problem deploying to scan-security April 29, 2025 16:33 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from a087313 to 884259d Compare April 29, 2025 23:06

thentenaar had a problem deploying to scan-security April 29, 2025 23:06 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 884259d to 9d2935d Compare May 1, 2025 16:32

thentenaar had a problem deploying to scan-security May 1, 2025 16:32 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 9d2935d to 47173b1 Compare May 1, 2025 23:02

thentenaar had a problem deploying to scan-security May 1, 2025 23:02 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 47173b1 to b827283 Compare May 5, 2025 17:57

thentenaar had a problem deploying to scan-security May 5, 2025 17:57 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from b827283 to 5cbf81f Compare May 6, 2025 02:07

thentenaar had a problem deploying to scan-security May 19, 2025 14:43 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 55e3210 to a4ee4e1 Compare May 19, 2025 18:30

thentenaar had a problem deploying to scan-security May 19, 2025 18:30 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from a4ee4e1 to 6a99a94 Compare May 19, 2025 23:04

thentenaar had a problem deploying to scan-security May 19, 2025 23:04 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 6a99a94 to 44ee98b Compare May 20, 2025 11:02

thentenaar had a problem deploying to scan-security May 20, 2025 11:02 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 44ee98b to 5daa5f9 Compare May 21, 2025 01:09

thentenaar had a problem deploying to scan-security May 21, 2025 01:09 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 5daa5f9 to e3bf9af Compare May 22, 2025 15:36

thentenaar had a problem deploying to scan-security May 22, 2025 15:36 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from e3bf9af to c9f8929 Compare May 23, 2025 04:06

thentenaar had a problem deploying to scan-security May 23, 2025 04:06 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from c9f8929 to 1a1039f Compare May 27, 2025 15:47

thentenaar had a problem deploying to scan-security May 27, 2025 15:47 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 1a1039f to a5dc797 Compare May 28, 2025 00:43

thentenaar had a problem deploying to scan-security May 28, 2025 00:43 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from a5dc797 to 396b512 Compare May 31, 2025 06:47

thentenaar had a problem deploying to scan-security May 31, 2025 06:47 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 396b512 to b2ef29a Compare June 5, 2025 11:34

thentenaar had a problem deploying to scan-security June 5, 2025 11:34 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from b2ef29a to 30f7a39 Compare June 6, 2025 11:07

thentenaar had a problem deploying to scan-security June 6, 2025 11:07 — with GitHub Actions Failure

thentenaar force-pushed the yaml-fix branch from 30f7a39 to bddd4f2 Compare June 8, 2025 12:00

thentenaar temporarily deployed to scan-security June 8, 2025 12:00 — with GitHub Actions Inactive

lirshindalman approved these changes Jun 8, 2025

View reviewed changes

omriyoffe-panw approved these changes Jun 9, 2025

View reviewed changes

lirshindalman merged commit 5972309 into bridgecrewio:main Jun 9, 2025
46 checks passed

thentenaar deleted the yaml-fix branch June 9, 2025 10:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(serverless): Enhance yaml parsing, better support for file expansion #7115

fix(serverless): Enhance yaml parsing, better support for file expansion #7115

Uh oh!

thentenaar commented Apr 21, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

fix(serverless): Enhance yaml parsing, better support for file expansion #7115

fix(serverless): Enhance yaml parsing, better support for file expansion #7115

Uh oh!

Conversation

thentenaar commented Apr 21, 2025

Description

Checklist:

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants