platform(general): Backfill more eval keys (#6970)

* Backfill more eval keys

* fix flake8

checkov/arm/checks/resource/ACRAnonymousPullDisabled.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -34,5 +34,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ['properties', 'properties/anonymousPullEnabled', 'sku']
+
 
 check = ACRAnonymousPullDisabled()

checkov/arm/checks/resource/ACRContainerScanEnabled.py

@@ -1,6 +1,6 @@
 
 from __future__ import annotations
-from typing import Any, Dict
+from typing import Any, Dict, List
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
 
@@ -24,5 +24,8 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
 
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["sku", "sku/name"]
+
 
 check = ACRContainerScanEnabled()

checkov/arm/checks/resource/ACREnableZoneRedundancy.py

@@ -23,7 +23,9 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
         # check registry. default=false
         properties = conf.get("properties")
         if properties and isinstance(properties, dict):
+            self.evaluated_keys = ["properties"]
             if properties.get("zoneRedundancy") == "Disabled":
+                self.evaluated_keys = ["properties/zoneRedundancy"]
                 return CheckResult.FAILED
         return CheckResult.PASSED
 

checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -41,5 +41,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                     return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ['properties', 'properties/apiServerAccessProfile', 'properties/apiServerAccessProfile/authorizedIPRanges']
+
 
 check = AKSApiServerAuthorizedIpRanges()

checkov/arm/checks/resource/AKSDashboardDisabled.py

@@ -19,16 +19,21 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         if conf.get("apiVersion") is not None:
             if conf["apiVersion"] == "2017-08-31":
                 # No addonProfiles option to configure
+                self.evaluated_keys = ["apiVersion"]
                 return CheckResult.FAILED
 
         properties = conf.get("properties")
+        self.evaluated_keys = ["properties"]
         if properties is None or not isinstance(properties, dict):
+            self.evaluated_keys = ["properties"]
             return CheckResult.FAILED
         addon_profiles = conf["properties"].get("addonProfiles")
         if not isinstance(addon_profiles, dict):
+            self.evaluated_keys = ["properties/addonProfiles"]
             return CheckResult.FAILED
         kube_dashboard = addon_profiles.get("kubeDashboard")
         if not isinstance(kube_dashboard, dict):
+            self.evaluated_keys = ["properties/addonProfiles/kubeDashboard"]
             return CheckResult.FAILED
         enabled = kube_dashboard.get("enabled")
         if enabled is not None and str(enabled).lower() == "false":

checkov/arm/checks/resource/AKSLoggingEnabled.py

@@ -18,13 +18,16 @@ def __init__(self) -> None:
     def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         if "apiVersion" in conf:
             if conf["apiVersion"] == "2017-08-31":
+                self.evaluated_keys = ["apiVersion"]
                 # No addonProfiles option to configure
                 return CheckResult.FAILED
 
         properties = conf.get("properties")
+        self.evaluated_keys = ["properties"]
         if isinstance(properties, dict):
             addon_profiles = properties.get("addonProfiles")
             if isinstance(addon_profiles, dict):
+                self.evaluated_keys = ["properties/addonProfiles"]
                 omsagent = addon_profiles.get("omsagent")
                 if not omsagent:
                     # it can be written in lowercase or camelCase

checkov/arm/checks/resource/AKSMaxPodsMinimum.py

@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
 from typing import Optional
@@ -30,5 +30,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/agentPoolProfiles", "properties/agentPoolProfiles/maxPods"]
+
 
 check = AKSMaxPodsMinimum()

checkov/arm/checks/resource/AKSNetworkPolicy.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -32,5 +32,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
             return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ['properties', 'properties/networkProfile', 'properties/networkProfile/networkPolicy']
+
 
 check = AKSNetworkPolicy()

checkov/arm/checks/resource/AKSRbacEnabled.py

@@ -19,14 +19,17 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         if "apiVersion" in conf:
             if conf["apiVersion"] == "2017-08-31":
                 # No enableRBAC option to configure
+                self.evaluated_keys = ["apiVersion"]
                 return CheckResult.FAILED
 
+        self.evaluated_keys = ["properties"]
         properties = conf.get('properties')
         if not properties or not isinstance(properties, dict):
             return CheckResult.FAILED
         enable_RBAC = properties.get('enableRBAC')
         if str(enable_RBAC).lower() == "true":
             return CheckResult.PASSED
+        self.evaluated_keys.append("properties/enableRBAC")
         return CheckResult.FAILED
 
 

checkov/arm/checks/resource/APIManagementMinTLS12.py

@@ -17,8 +17,10 @@ def __init__(self) -> None:
     def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         properties = conf.get("properties")
         if isinstance(properties, dict) and "customProperties" in properties:
+            self.evaluated_keys = ["properties"]
             customProperties = properties.get("customProperties")
             if isinstance(customProperties, dict):
+                self.evaluated_keys = ["properties/customProperties"]
                 if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"):
                     return CheckResult.FAILED
                 if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"):

checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py

@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Any
+from typing import Any, List
 from checkov.common.models.enums import CheckCategories, CheckResult
 from checkov.arm.base_resource_check import BaseResourceCheck
 
@@ -67,5 +67,9 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
             return CheckResult.FAILED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties/sslPolicy", "properties/sslPolicy/policyType", "properties/sslPolicy/minProtocolVersion",
+                "properties/sslPolicy/cipherSuites"]
+
 
 check = AppGWDefinesSecureProtocols()

checkov/arm/checks/resource/AppServiceAuthentication.py

@@ -17,6 +17,7 @@ def __init__(self) -> None:
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        self.evaluated_keys = ["name"]
         if self.entity_type == "Microsoft.Web/sites/config":
             if "name" in conf and "authsettings" in conf["name"]:
                 if "properties" in conf and "enabled" in conf["properties"]:

checkov/arm/checks/resource/AppServiceClientCertificate.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -23,5 +23,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                     return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/clientCertEnabled"]
+
 
 check = AppServiceClientCertificate()

checkov/arm/checks/resource/AppServiceHTTPSOnly.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -22,5 +22,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                     return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/httpsOnly"]
+
 
 check = AppServiceHTTPSOnly()

checkov/arm/checks/resource/AppServiceHttps20Enabled.py

@@ -18,8 +18,10 @@ def __init__(self) -> None:
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        self.evaluated_keys = ["properties"]
         http_20_enabled = find_in_dict(conf, "properties/siteConfig/http20Enabled")
         if http_20_enabled and "apiVersion" in conf:
+            self.evaluated_keys = ["properties/siteConfig/http20Enabled", "apiVersion"]
             if conf["apiVersion"] == "2018-11-01":
                 if isinstance(http_20_enabled, str) and str(http_20_enabled).lower() == "true":
                     return CheckResult.PASSED

checkov/arm/checks/resource/AppServiceIdentity.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -28,5 +28,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                             return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ['identity', 'identity/type', 'identity/userAssignedIdentities']
+
 
 check = AppServiceIdentity()

checkov/arm/checks/resource/AppServiceInstanceMinimum.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Dict
+from typing import Dict, List
 
 from checkov.arm.base_resource_check import BaseResourceCheck
 from checkov.common.models.enums import CheckCategories, CheckResult
@@ -30,5 +30,8 @@ def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, int]]]) -> Chec
                             return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/siteConfig", "properties/siteConfig/numberOfWorkers"]
+
 
 check = AppServiceInstanceMinimum()

checkov/arm/checks/resource/AppServiceUsedAzureFiles.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.arm.base_resource_check import BaseResourceCheck
 from checkov.common.models.enums import CheckCategories, CheckResult
@@ -24,5 +24,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                         return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ['properties', 'properties/azureStorageAccounts']
+
 
 check = AppServiceUsedAzureFiles()

checkov/arm/checks/resource/AzureManagedDiscEncryption.py

@@ -18,6 +18,7 @@ def __init__(self) -> None:
     def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         properties = conf.get("properties")
         if properties:
+            self.evaluated_keys = ["properties"]
             encryption = properties.get("encryption")
             if encryption:
                 # if the block exists, then it is enabled

checkov/arm/checks/resource/AzureSearchSLAIndex.py

@@ -23,13 +23,15 @@ def __init__(self) -> None:
 
     def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
         properties = conf.get("properties", {})
+        self.evaluated_keys = ["properties"]
         if not isinstance(properties, dict):
             return CheckResult.FAILED
         replica_count = properties.get("replicaCount")
         if replica_count and isinstance(replica_count, int):
             if replica_count >= 3:
                 return CheckResult.PASSED
             else:
+                self.evaluated_keys = ["properties/replicaCount"]
                 return CheckResult.FAILED
         else:
             return CheckResult.FAILED

checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py

@@ -16,6 +16,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
         if depends_on is None or not len(depends_on):
             return CheckResult.PASSED
         if any('Microsoft.Synapse/workspaces/firewallRules' in item for item in depends_on):
+            self.evaluated_keys = ["dependsOn"]
             return CheckResult.FAILED
         return CheckResult.PASSED
 

checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -20,5 +20,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                 return CheckResult.PASSED
         return CheckResult.FAILED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/disableKeyBasedMetadataWriteAccess"]
+
 
 check = CosmosDBDisableAccessKeyWrite()

checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -35,5 +35,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
                                     return CheckResult.FAILED
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties/assignableScopes", "properties/permissions/actions"]
+
 
 check = CustomRoleDefinitionSubscriptionOwner()

checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -28,5 +28,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties/parameters"]
+
 
 check = DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey()

checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -23,5 +23,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/publicNetworkAccess"]
+
 
 check = DatabricksWorkspaceIsNotPublic()

checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Any
+from typing import Any, List
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.arm.base_resource_check import BaseResourceCheck
@@ -41,5 +41,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
 
         return CheckResult.PASSED
 
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties", "properties/httpsOnly", "properties/httpSettings"]
+
 
 check = FunctionAppsAccessibleOverHttps()