feat(codebuild): add new check codebuild_report_group_export_encrypted (#5384)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Co-authored-by: Sergio <sergio@prowler.com>
2026-01-25 02:08:11 +00:00 · 2024-10-15 14:39:18 +02:00
parent aac6038565
commit 78d2fb9fd5
8 changed files with 370 additions and 4 deletions
--- a/tests/providers/aws/services/codebuild/codebuild_service_test.py
+++ b/tests/providers/aws/services/codebuild/codebuild_service_test.py
@@ -2,12 +2,15 @@ from datetime import datetime, timedelta
 from unittest.mock import patch

 import botocore
+from moto import mock_aws

 from prowler.providers.aws.services.codebuild.codebuild_service import (
    Build,
    CloudWatchLogs,
    Codebuild,
+    ExportConfig,
    Project,
+    ReportGroup,
    s3Logs,
 )
 from tests.providers.aws.utils import (
@@ -26,6 +29,8 @@ last_invoked_time = datetime.now() - timedelta(days=2)
 bitbucket_url = "https://bitbucket.org/example/repo.git"
 secondary_bitbucket_url = "https://bitbucket.org/example/secondary-repo.git"

+report_group_arn = f"arn:{AWS_COMMERCIAL_PARTITION}:codebuild:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:report-group/{project_name}"
+
 # Mocking batch_get_projects
 make_api_call = botocore.client.BaseClient._make_api_call

@@ -33,11 +38,11 @@ make_api_call = botocore.client.BaseClient._make_api_call
 def mock_make_api_call(self, operation_name, kwarg):
    if operation_name == "ListProjects":
        return {"projects": [project_name]}
-    if operation_name == "ListBuildsForProject":
+    elif operation_name == "ListBuildsForProject":
        return {"ids": [build_id]}
-    if operation_name == "BatchGetBuilds":
+    elif operation_name == "BatchGetBuilds":
        return {"builds": [{"endTime": last_invoked_time}]}
-    if operation_name == "BatchGetProjects":
+    elif operation_name == "BatchGetProjects":
        return {
            "projects": [
                {
@@ -69,6 +74,29 @@ def mock_make_api_call(self, operation_name, kwarg):
                }
            ]
        }
+    elif operation_name == "ListReportGroups":
+        return {"reportGroups": [report_group_arn]}
+    elif operation_name == "BatchGetReportGroups":
+        return {
+            "reportGroups": [
+                {
+                    "name": project_name,
+                    "arn": report_group_arn,
+                    "exportConfig": {
+                        "exportConfigType": "S3",
+                        "s3Destination": {
+                            "bucket": "test-bucket",
+                            "path": "test-path",
+                            "encryptionKey": "arn:aws:kms:eu-west-1:123456789012:key/12345678-1234-1234-1234-123456789012",
+                            "encryptionDisabled": False,
+                        },
+                    },
+                    "tags": [{"key": "Name", "value": project_name}],
+                    "status": "ACTIVE",
+                }
+            ]
+        }
+
    return make_api_call(self, operation_name, kwarg)


@@ -87,12 +115,13 @@ class Test_Codebuild_Service:
        "prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
        new=mock_generate_regional_clients,
    )
+    @mock_aws
    def test_codebuild_service(self):
        codebuild = Codebuild(set_mocked_aws_provider())

        assert codebuild.session.__class__.__name__ == "Session"
        assert codebuild.service == "codebuild"
-
+        # Asserttions related with projects
        assert len(codebuild.projects) == 1
        assert isinstance(codebuild.projects, dict)
        assert isinstance(codebuild.projects[project_arn], Project)
@@ -123,3 +152,28 @@ class Test_Codebuild_Service:
        )
        assert codebuild.projects[project_arn].tags[0]["key"] == "Name"
        assert codebuild.projects[project_arn].tags[0]["value"] == project_name
+        # Asserttions related with report groups
+        assert len(codebuild.report_groups) == 1
+        assert isinstance(codebuild.report_groups, dict)
+        assert isinstance(codebuild.report_groups[report_group_arn], ReportGroup)
+        assert codebuild.report_groups[report_group_arn].name == project_name
+        assert codebuild.report_groups[report_group_arn].arn == report_group_arn
+        assert codebuild.report_groups[report_group_arn].region == AWS_REGION_EU_WEST_1
+        assert codebuild.report_groups[report_group_arn].status == "ACTIVE"
+        assert isinstance(
+            codebuild.report_groups[report_group_arn].export_config, ExportConfig
+        )
+        assert codebuild.report_groups[report_group_arn].export_config.type == "S3"
+        assert (
+            codebuild.report_groups[report_group_arn].export_config.bucket_location
+            == "s3://test-bucket/test-path"
+        )
+        assert (
+            codebuild.report_groups[report_group_arn].export_config.encryption_key
+            == "arn:aws:kms:eu-west-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+        )
+        assert codebuild.report_groups[report_group_arn].export_config.encrypted
+        assert codebuild.report_groups[report_group_arn].tags[0]["key"] == "Name"
+        assert (
+            codebuild.report_groups[report_group_arn].tags[0]["value"] == project_name
+        )