
CKV2_GCP_10 - false positive #4812

Closed
pfilourenco opened this issue Mar 31, 2023 · 4 comments
Labels: checks (Check additions or changes), stale

Comments

@pfilourenco

pfilourenco commented Mar 31, 2023

Description

CKV2_GCP_10 - Ensure GCP Cloud Function HTTP trigger is secured

This should only alert if the cloud function is HTTP triggered.
You should check the trigger type to see if it is HTTP or not (trigger_http = true); example below of a non-HTTP-triggered function.

Examples

resource "google_cloudfunctions_function" "this" {
  name        = var.function_name
  description = "Function"
  runtime     = "python310"
  region      = var.location

  available_memory_mb   = 256
  source_archive_bucket = var.bucket_name
  source_archive_object = google_storage_bucket_object.this.name
  entry_point           = "main"
  service_account_email = google_service_account.this.email
  timeout               = 500

  event_trigger {
    event_type = "google.pubsub.topic.publish"
    resource   = var.pubsub_topic
    failure_policy {
      retry = false
    }
  }
}

Version:

  • Checkov Version v2.3.120
@pfilourenco pfilourenco added the checks Check additions or changes label Mar 31, 2023
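The trigger-aware logic the report asks for, written out as a standalone Python illustration. This is added example code, not Checkov's own implementation of CKV2_GCP_10 (which is a graph check), and it assumes a deliberately minimal line-based scan of one google_cloudfunctions_function block rather than a real HCL parser; the sample resources are constructed for the example, with the Pub/Sub one taken from the report above.

```python
"""Illustrative trigger-aware evaluation for CKV2_GCP_10 (added example, not Checkov code).

Rule: the check only applies when the function is HTTP triggered
(trigger_http = true and no event_trigger block); an applicable function
passes only when https_trigger_security_level is SECURE_ALWAYS.
Assumption: one resource block per input string, one attribute per line.
"""
import re

PASSED = "PASSED"
FAILED = "FAILED"
SKIPPED = "SKIPPED"  # check not applicable: function is not HTTP triggered

# Minimal line-based matchers (assumption: attributes are on their own lines).
_TRIGGER_HTTP = re.compile(r"^\s*trigger_http\s*=\s*(true|false)\s*$", re.MULTILINE)
_SECURITY_LEVEL = re.compile(
    r'^\s*https_trigger_security_level\s*=\s*"([A-Z_]+)"\s*$', re.MULTILINE
)
_EVENT_TRIGGER = re.compile(r"^\s*event_trigger\s*\{", re.MULTILINE)


def evaluate(hcl: str) -> str:
    """Return PASSED, FAILED or SKIPPED for a single function resource body."""
    http = _TRIGGER_HTTP.search(hcl)
    is_http = http is not None and http.group(1) == "true"
    has_event_trigger = _EVENT_TRIGGER.search(hcl) is not None
    if not is_http or has_event_trigger:
        # Pub/Sub, storage, etc. triggers have no HTTPS security level to enforce.
        return SKIPPED
    level = _SECURITY_LEVEL.search(hcl)
    if level is not None and level.group(1) == "SECURE_ALWAYS":
        return PASSED
    # Missing level or SECURE_OPTIONAL: plain HTTP is still accepted.
    return FAILED


# Constructed sample resources.
PUBSUB_FUNCTION = """
resource "google_cloudfunctions_function" "this" {
  name        = "example"
  runtime     = "python310"
  entry_point = "main"

  event_trigger {
    event_type = "google.pubsub.topic.publish"
    resource   = "projects/example/topics/example"
  }
}
"""

HTTP_UNSECURED = """
resource "google_cloudfunctions_function" "http" {
  name         = "example-http"
  runtime      = "python310"
  entry_point  = "main"
  trigger_http = true
}
"""

HTTP_OPTIONAL = """
resource "google_cloudfunctions_function" "http" {
  name                         = "example-http"
  runtime                      = "python310"
  entry_point                  = "main"
  trigger_http                 = true
  https_trigger_security_level = "SECURE_OPTIONAL"
}
"""

HTTP_SECURED = """
resource "google_cloudfunctions_function" "http" {
  name                         = "example-http"
  runtime                      = "python310"
  entry_point                  = "main"
  trigger_http                 = true
  https_trigger_security_level = "SECURE_ALWAYS"
}
"""

if __name__ == "__main__":
    for label, body in [
        ("pubsub", PUBSUB_FUNCTION),
        ("http-unsecured", HTTP_UNSECURED),
        ("http-optional", HTTP_OPTIONAL),
        ("http-secured", HTTP_SECURED),
    ]:
        print(f"{label}: {evaluate(body)}")
```

Running the block prints SKIPPED for the Pub/Sub function from the report, FAILED for the two HTTP functions that do not force HTTPS, and PASSED for the one set to SECURE_ALWAYS; the SKIPPED outcome is exactly the case the reporter says the check should not flag.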
@JamesWoolfenden
Contributor

In your case you can't specify trigger_http as the attributes are not compatible with an event trigger block, and so you should be specifying https_trigger_security_level on which the check is based.

@pfilourenco
Author

pfilourenco commented Apr 10, 2023

In your case you can't specify trigger_http as the attributes are not compatible with an event trigger block, and so you should be specifying https_trigger_security_level on which the check is based.

If the Cloud Function is not HTTP triggered, should we use https_trigger_security_level anyway? Is that what you are saying?

@stale

stale bot commented Oct 8, 2023

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

@stale stale bot added the stale label Oct 8, 2023
@stale

stale bot commented Oct 23, 2023

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
