From 38983e59d889a904fcb8cdf5af096fd476e4d96e Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Wed, 26 Aug 2020 22:51:26 -0400 Subject: [PATCH 1/9] rebase with upstream --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1596190..33d5d34c 100644 --- a/README.md +++ b/README.md @@ -236,7 +236,7 @@ But if you wish to select or exclude specific linters, we give you full control | **VALIDATE_STATES** | `true` | Flag to enable or disable the linting process for AWS States Language. | | **VALIDATE_SQL** | `true` | Flag to enable or disable the linting process of the SQL language. | | **VALIDATE_TERRAFORM** | `true` | Flag to enable or disable the linting process of the Terraform language. | -| **VALIDATE_TERRAFORM_TERRASCAN** | `false` | Flag to enable or disable the linting process of the Terraform language for security related issues. | +| **VALIDATE_TERRAFORM_TERRASCAN** | `true` | Flag to enable or disable the linting process of the Terraform language for security related issues. | | **VALIDATE_TSX** | `true` | Flag to enable or disable the linting process for tsx files (Utilizing: eslint) | | **VALIDATE_TYPESCRIPT_ES** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: eslint) | | **VALIDATE_TYPESCRIPT_STANDARD** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: standard) | From 3475acbebbc29928e5264faba43d347b622a8a15 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Mon, 17 Aug 2020 22:25:36 -0400 Subject: [PATCH 2/9] adds terrascan from docker --- Dockerfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Dockerfile b/Dockerfile index a7cead71..7ef0d2e9 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,6 +14,7 @@ FROM golangci/golangci-lint:v1.30.0 as golangci-lint FROM yoheimuta/protolint:v0.26.0 as protolint FROM koalaman/shellcheck:v0.7.1 as shellcheck FROM wata727/tflint:0.19.1 as tflint +FROM accurics/terrascan:latest as terrascan FROM hadolint/hadolint:latest-alpine as dockerfile-lint FROM assignuser/lintr-lib:v0.1.0 as lintr-lib FROM assignuser/chktex-alpine:v0.1.0 as chktex @@ -166,6 +167,12 @@ COPY --from=golangci-lint /usr/bin/golangci-lint /usr/bin/ ################## COPY --from=tflint /usr/local/bin/tflint /usr/bin/ +################## +# Install Terrascan # +################## +COPY --from=terrascan /go/bin/terrascan /usr/bin/ + + ###################### # Install protolint # ###################### From 68fb0560991dcab66e13a628f246e4a22ebd87a5 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Mon, 17 Aug 2020 22:26:20 -0400 Subject: [PATCH 3/9] removes terrascan python --- dependencies/Pipfile.lock | 8 -------- 1 file changed, 8 deletions(-) diff --git a/dependencies/Pipfile.lock b/dependencies/Pipfile.lock index f018ef5f..143337cf 100644 --- a/dependencies/Pipfile.lock +++ b/dependencies/Pipfile.lock @@ -300,14 +300,6 @@ ], "version": "==1.15.0" }, - "terrascan": { - "hashes": [ - "sha256:2003638e2e38feba9215df3add2ee99565731b86dbd5c43fd8982b1a4ddac927", - "sha256:b44d8c7eac96aa8094865061783ab0e8e849690b8187b75778caf5dd34002d18" - ], - "index": "pypi", - "version": "==0.2.3" - }, "toml": { "hashes": [ "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", From 95576fd66fa1d956559e7de7829c5d7c8152f78e Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Sat, 22 Aug 2020 21:52:39 -0400 Subject: [PATCH 4/9] updates terraform test --- .../terraform_terrascan/bad/terraform_bad_1.tf | 11 +++++------ .../terraform_terrascan/good/terraform_good_1.tf | 14 ++++++++------ 2 files changed, 13 insertions(+), 12 deletions(-) 
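Review bot: The added stage `FROM accurics/terrascan:latest as terrascan` is the only new image in this block without a version pin, while the neighbouring stages pin `tflint:0.19.1`, `shellcheck:v0.7.1` and `protolint:v0.26.0`; for a security scanner that decides whether Terraform passes CI, a floating tag means every rebuild can silently pull a different tool with different policies and a different CLI (patches 5–7 of this series already show the command changing between versions). Pin the stage to a release and, preferably, a digest: `FROM accurics/terrascan:<release>@sha256:<digest> as terrascan`. The second hunk's `COPY --from=terrascan /go/bin/terrascan /usr/bin/` depends on that image's internal layout as well, so the pin protects it too.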
diff --git a/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf b/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf index 57b891dc..2b2788b1 100644 --- a/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf +++ b/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf @@ -1,9 +1,8 @@ -resource "aws_instance" "bad" { - ami = "ami-0ff8a91507f77f867" - instance_type = "t2.small" - associate_public_ip_address = true +resource "aws_instance" "instanceWithNoVpc" { + ami = "some-id" + instance_type = "t2.micro" - ebs_block_device { - encrypted = true + tags = { + Name = "HelloWorld" } } diff --git a/.automation/test/terraform_terrascan/good/terraform_good_1.tf b/.automation/test/terraform_terrascan/good/terraform_good_1.tf index 59d24f7e..7d4e8853 100644 --- a/.automation/test/terraform_terrascan/good/terraform_good_1.tf +++ b/.automation/test/terraform_terrascan/good/terraform_good_1.tf @@ -1,9 +1,11 @@ -resource "aws_instance" "good" { - ami = "ami-0ff8a91507f77f867" - instance_type = "t2.small" - associate_public_ip_address = false +resource "aws_instance" "instanceWithVpc" { + ami = "some-id" + instance_type = "t2.micro" - ebs_block_device { - encrypted = true + vpc_security_group_ids = ["sg-12345678901234567"] + subnet_id = "subnet-12345678901234567" + + tags = { + Name = "HelloWorld" } } From e060679ea8667dfb72dd98fad90b917cfe6bb873 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Sat, 22 Aug 2020 21:52:59 -0400 Subject: [PATCH 5/9] Updates terrascan command --- lib/linter.sh | 2 +- lib/worker.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/linter.sh b/lib/linter.sh index 5f3dd8a2..f2ab6039 100755 --- a/lib/linter.sh +++ b/lib/linter.sh 
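Review bot: The rewritten `bad` fixture no longer says which finding it is meant to trigger; the old one exercised `associate_public_ip_address = true` and an EBS setting, the new one differs from the `good` fixture only by the missing `vpc_security_group_ids` and `subnet_id`, so the CI self-test now hinges on a single, unnamed rule (presumably Terrascan's "instance launched without a VPC" policy — I can't confirm that from the hunk). Add a comment at the top of the resource stating the expectation, e.g. `# Expected Terrascan finding: EC2 instance launched outside a VPC (no subnet_id / vpc_security_group_ids)`, so that a policy rename or removal upstream is recognised as a broken test rather than a passing one. A matching one-line comment in the `good` fixture naming the attributes that satisfy the rule would keep the pair readable.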
@@ -1869,7 +1869,7 @@ if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]; then # Lint the Terraform files # ############################ # LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY" - LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}" + LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan scan -t aws -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}" fi ############### diff --git a/lib/worker.sh b/lib/worker.sh index 53bfc825..70dacc99 100755 --- a/lib/worker.sh +++ b/lib/worker.sh @@ -651,7 +651,7 @@ function RunTestCases() { TestCodebase "STATES" "asl-validator" "asl-validator --json-path" ".*\.\(json\)\$" "states" TestCodebase "SQL" "sql-lint" "sql-lint --config ${SQL_LINTER_RULES}" ".*\.\(sql\)\$" "sql" TestCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "terraform" - TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f" ".*\.\(tf\)\$" "terraform_terrascan" + TestCodebase "TERRAFORM_TERRASCAN" "terrascan scan -t aws -f " ".*\.\(tf\)\$" "terraform_terrascan" TestCodebase "TYPESCRIPT_ES" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "TYPESCRIPT_STANDARD" "standard" "standard --parser @typescript-eslint/parser --plugin @typescript-eslint/eslint-plugin ${TYPESCRIPT_STANDARD_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "XML" "xmllint" "xmllint" ".*\.\(xml\)\$" "xml" From ddd2ac395e2b393619c167f34253f2189635103b Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Mon, 24 Aug 2020 15:41:51 -0400 Subject: [PATCH 6/9] Updates dockerfile to support new version of terrascan --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 7ef0d2e9..0c0d032a 100644 --- a/Dockerfile +++ b/Dockerfile 
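Review bot: The worker.sh line in this commit passes only four arguments to `TestCodebase`, dropping the `"terrascan"` LINTER_NAME that every neighbouring call supplies (`"tflint" "tflint -c …"`, `"eslint" "eslint …"`), so in this commit the command string is taken as the linter name and the regex as the command. Patch 7 of the series restores it, but as committed this intermediate state leaves the self-test broken for anyone bisecting; consider squashing patches 5 and 7, or at least correcting this one to `TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan scan -t aws -f " ".*\.\(tf\)\$" "terraform_terrascan"`. The enclosing `RunTestCases` function begins outside the hunk.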
@@ -171,6 +171,7 @@ COPY --from=tflint /usr/local/bin/tflint /usr/bin/ # Install Terrascan # ################## COPY --from=terrascan /go/bin/terrascan /usr/bin/ +RUN terrascan init ###################### From 815f8236ddcc3a2caa486cecc3767c0c7b4386e4 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Mon, 24 Aug 2020 15:42:15 -0400 Subject: [PATCH 7/9] Updates scan command for Terrascan --- lib/linter.sh | 2 +- lib/worker.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/linter.sh b/lib/linter.sh index f2ab6039..2f7fa548 100755 --- a/lib/linter.sh +++ b/lib/linter.sh @@ -1869,7 +1869,7 @@ if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]; then # Lint the Terraform files # ############################ # LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY" - LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan scan -t aws -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}" + LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan scan -p /root/.terrascan/pkg/policies/opa/rego/ -t aws -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}" fi ############### diff --git a/lib/worker.sh b/lib/worker.sh index 70dacc99..16f0a8ba 100755 --- a/lib/worker.sh +++ b/lib/worker.sh 
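Review bot: `RUN terrascan init` has no comment explaining what it does or why it must run at build time, and since patch 7 then reads `/root/.terrascan/pkg/policies/opa/rego/`, it appears to populate a policy directory under the build user's home — presumably by fetching the policy set over the network, which I cannot confirm from the hunk. If so, the rules baked into the image are whatever upstream served at build time, unpinned and unverifiable, and the step fails in a network-restricted build. Document the intent and the assumption, e.g. `# Populate the Terrascan policy set under /root/.terrascan at build time (needs network); linter.sh points -p at this directory`, and consider pinning the policy source or vendoring the rego files so the scanner's behaviour is reproducible.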
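Review bot: The new `LintCodebase` call hard-codes `-p /root/.terrascan/pkg/policies/opa/rego/`, tying the scan to the root user's home and to the layout produced by `terrascan init` in the image; if the container runs as another user or that layout changes, the policy directory will not be found, and the hunk gives no indication of how Terrascan then behaves. It also keeps `-t aws`, so `.tf` files for any other provider are evaluated only against AWS rules and pass vacuously — worth a comment if that is intended. Hoist the path into a variable alongside the other `*_LINTER_RULES` settings, `TERRASCAN_POLICY_DIR="${TERRASCAN_POLICY_DIR:-/root/.terrascan/pkg/policies/opa/rego/}"`, and use `"terrascan scan -p ${TERRASCAN_POLICY_DIR} -t aws -f "` here and in worker.sh so the two copies cannot drift. The `if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]` block opens outside the hunk.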
@@ -651,7 +651,7 @@ function RunTestCases() { TestCodebase "STATES" "asl-validator" "asl-validator --json-path" ".*\.\(json\)\$" "states" TestCodebase "SQL" "sql-lint" "sql-lint --config ${SQL_LINTER_RULES}" ".*\.\(sql\)\$" "sql" TestCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "terraform" - TestCodebase "TERRAFORM_TERRASCAN" "terrascan scan -t aws -f " ".*\.\(tf\)\$" "terraform_terrascan" + TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan scan -p /root/.terrascan/pkg/policies/opa/rego/ -t aws -f " ".*\.\(tf\)\$" "terraform_terrascan" TestCodebase "TYPESCRIPT_ES" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "TYPESCRIPT_STANDARD" "standard" "standard --parser @typescript-eslint/parser --plugin @typescript-eslint/eslint-plugin ${TYPESCRIPT_STANDARD_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "XML" "xmllint" "xmllint" ".*\.\(xml\)\$" "xml" From c4270769a251d5a244d81de158e5be035ad58b9e Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Wed, 26 Aug 2020 22:59:58 -0400 Subject: [PATCH 8/9] removes python version of terrascan --- dependencies/Pipfile | 1 - 1 file changed, 1 deletion(-) diff --git a/dependencies/Pipfile b/dependencies/Pipfile index ffe213f6..a935ed23 100644 --- a/dependencies/Pipfile +++ b/dependencies/Pipfile @@ -10,7 +10,6 @@ black = "*" cfn-lint = "*" flake8 = "*" pylint = "*" -terrascan = "*" yamllint = "*" yq = "*" From 772df7ff4be3fdce423169ef5e1093ca7ecea689 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Wed, 26 Aug 2020 23:39:56 -0400 Subject: [PATCH 9/9] adds vpc sgs to good test --- .automation/test/terraform/good/terraform_good_1.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.automation/test/terraform/good/terraform_good_1.tf b/.automation/test/terraform/good/terraform_good_1.tf index 59d24f7e..330a28bf 100644 --- a/.automation/test/terraform/good/terraform_good_1.tf 
+++ b/.automation/test/terraform/good/terraform_good_1.tf @@ -3,6 +3,8 @@ resource "aws_instance" "good" { instance_type = "t2.small" associate_public_ip_address = false + vpc_security_group_ids = ["sg-12345678901234567"] + ebs_block_device { encrypted = true }
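Review bot: The added `vpc_security_group_ids = ["sg-12345678901234567"]` in the tflint `good` fixture carries no explanation of which check it satisfies, and it differs from the Terrascan `good` fixture in patch 4, which sets both `vpc_security_group_ids` and `subnet_id`. Presumably this is so the file also passes the Terrascan no-VPC rule now that the README documents `VALIDATE_TERRAFORM_TERRASCAN` as defaulting to `true`, but that cannot be confirmed from the hunk. Add a one-line comment above the attribute, e.g. `# Security group attached so the instance is not flagged as launched outside a VPC`, and either add `subnet_id` here or note why the two fixtures intentionally differ.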