Merge pull request #473 from cesar-rodriguez/cesar-rodriguez/terrascan
Adds optional security linting for Terraform
commit
c9eae4876c
13 changed files with 133 additions and 46 deletions
|
@ -0,0 +1,19 @@
|
|||
# AWS States language Test Cases
|
||||
|
||||
This folder holds the test cases for **Terraform**.
|
||||
|
||||
## Additional Docs
|
||||
|
||||
No Additional information is needed for this test case.
|
||||
|
||||
## Good Test Cases
|
||||
|
||||
The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
|
||||
|
||||
- **Note:** They are linted utilizing the default linter rules.
|
||||
|
||||
## Bad Test Cases
|
||||
|
||||
The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
|
||||
|
||||
- **Note:** They are linted utilizing the default linter rules.
|
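--- a/.automation/test/terraform_terrascan/README.md
+++ b/.automation/test/terraform_terrascan/README.md
@@ -0,0 +1,19 @@
+# AWS States language Test Cases
+
+This folder holds the test cases for **Terraform terrascan**.
+
+## Additional Docs
+
+No Additional information is needed for this test case.
+
+## Good Test Cases
+
+The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
+
+- **Note:** They are linted utilizing the default linter rules.
+
+## Bad Test Cases
+
+The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
+
+- **Note:** They are linted utilizing the default linter rules.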
|
@ -0,0 +1,9 @@
|
|||
resource "aws_instance" "bad" {
|
||||
ami = "ami-0ff8a91507f77f867"
|
||||
instance_type = "t2.small"
|
||||
associate_public_ip_address = true
|
||||
|
||||
ebs_block_device {
|
||||
encrypted = true
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
resource "aws_instance" "good" {
|
||||
ami = "ami-0ff8a91507f77f867"
|
||||
instance_type = "t2.small"
|
||||
associate_public_ip_address = false
|
||||
|
||||
ebs_block_device {
|
||||
encrypted = true
|
||||
}
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
TAP version 13
|
||||
1..2
|
||||
not ok 1 - terraform_bad_1.tf
|
||||
terrascan version 0.2.3
|
||||
Logging level set to error.
|
||||
........................................................................
|
||||
----------------------------------------------------------------------
|
||||
Ran 72 tests in 0.008s
|
||||
|
||||
OK
|
||||
|
||||
Processed 1 files in /tmp/lint/.terrascan
|
||||
|
||||
|
||||
Processed on 07/24/2020 at 03:22
|
||||
Results (took 0.42 seconds):
|
||||
|
||||
Failures: (1)
|
||||
[high] [aws_instance.bad.associate_public_ip_address] should not be 'True'. Is: 'True' in module .terrascan, file /tmp/lint/.terrascan/terraform_bad_1.tf
|
||||
|
||||
Errors: (0)
|
||||
ok 2 - terraform_good_1.tf
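Review bot: The expected report embeds run-specific values — `Processed on 07/24/2020 at 03:22`, `Results (took 0.42 seconds):` and `Ran 72 tests in 0.008s` — so a verbatim comparison of a later run's TAP output against this fixture would fail on timing alone. If the harness compares the report line by line, the stable content worth pinning is the `not ok 1 - terraform_bad_1.tf` / `ok 2 - terraform_good_1.tf` status lines and the `[high] [aws_instance.bad.associate_public_ip_address]` finding; the timestamp and duration lines should be stripped or normalised before the comparison. The absolute path `/tmp/lint/.terrascan/terraform_bad_1.tf` is likewise environment-specific and only matches when the test runs from the same working directory.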
|
|
@ -229,6 +229,7 @@ ENV ACTIONS_RUNNER_DEBUG=${ACTIONS_RUNNER_DEBUG} \
|
|||
VALIDATE_RUBY=${VALIDATE_RUBY} \
|
||||
VALIDATE_STATES=${VALIDATE_STATES} \
|
||||
VALIDATE_TERRAFORM=${VALIDATE_TERRAFORM} \
|
||||
VALIDATE_TERRAFORM_TERRASCAN=${VALIDATE_TERRAFORM_TERRASCAN} \
|
||||
VALIDATE_TYPESCRIPT_ES=${VALIDATE_TYPESCRIPT_ES} \
|
||||
VALIDATE_TYPESCRIPT_STANDARD=${VALIDATE_TYPESCRIPT_STANDARD} \
|
||||
VALIDATE_XML=${VALIDATE_XML} \
|
||||
|
|
|
@ -69,7 +69,7 @@ Developers on **GitHub** can call the **GitHub Action** to lint their code base
|
|||
| **Raku** | [raku](https://raku.org) |
|
||||
| **Ruby** | [RuboCop](https://github.com/rubocop-hq/rubocop) |
|
||||
| **Shell** | [Shellcheck](https://github.com/koalaman/shellcheck) |
|
||||
| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) |
|
||||
| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) [terrascan](https://github.com/accurics/terrascan) |
|
||||
| **TypeScript** | [eslint](https://eslint.org/) [standard js](https://standardjs.com/) |
|
||||
| **XML** | [LibXML](http://xmlsoft.org/) |
|
||||
| **YAML** | [YamlLint](https://github.com/adrienverge/yamllint) |
|
||||
|
@ -212,6 +212,7 @@ and won't run anything unexpected.
|
|||
| **VALIDATE_RUBY** | `true` | Flag to enable or disable the linting process of the Ruby language. |
|
||||
| **VALIDATE_STATES** | `true` | Flag to enable or disable the linting process for AWS States Language. |
|
||||
| **VALIDATE_TERRAFORM** | `true` | Flag to enable or disable the linting process of the Terraform language. |
|
||||
| **VALIDATE_TERRAFORM_TERRASCAN** | `false` | Flag to enable or disable the linting process of the Terraform language for security related issues. |
|
||||
| **VALIDATE_TSX** | `true` | Flag to enable or disable the linting process for tsx files (Utilizing: eslint) |
|
||||
| **VALIDATE_TYPESCRIPT_ES** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: eslint) |
|
||||
| **VALIDATE_TYPESCRIPT_STANDARD** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: standard) |
|
||||
|
|
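--- a/dependencies/Pipfile
+++ b/dependencies/Pipfile
@@ -10,6 +10,7 @@ yamllint = "*"
 pylint = "*"
 yq = "*"
 cfn-lint = "*"
+terrascan = "*"
 
 [requires]
 python_version = "3.8"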
|
37
dependencies/Pipfile.lock
generated
vendored
37
dependencies/Pipfile.lock
generated
vendored
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"_meta": {
|
||||
"hash": {
|
||||
"sha256": "1ccc4fd5c20ba56f1cca85abdd09b24798c3ad68b921cb42c501177598d986c9"
|
||||
"sha256": "c62b95247cb67b10711da0012966cc031d5a9ec08885a45736c0ee77bba3a844"
|
||||
},
|
||||
"pipfile-spec": 6,
|
||||
"requires": {
|
||||
|
@ -28,7 +28,6 @@
|
|||
"sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703",
|
||||
"sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386"
|
||||
],
|
||||
"markers": "python_version >= '3.5'",
|
||||
"version": "==2.4.2"
|
||||
},
|
||||
"attrs": {
|
||||
|
@ -36,7 +35,6 @@
|
|||
"sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
|
||||
"sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
|
||||
"version": "==19.3.0"
|
||||
},
|
||||
"aws-sam-translator": {
|
||||
|
@ -49,17 +47,17 @@
|
|||
},
|
||||
"boto3": {
|
||||
"hashes": [
|
||||
"sha256:4735fdf490094537ea0cb93ba4237db442195c37f974ea4ad44b9a5af98e6d7b",
|
||||
"sha256:838cea329851e11b9a9dae1c00cd5ef2f3b29ac83c061733b2e93b64c333750f"
|
||||
"sha256:65c131b72c2a75e3cc6044e5fd6426719051b9b1f28bd026b4a5490648d13019",
|
||||
"sha256:e1e09587763671cc07c9e6d349d93bf53a140f83947cb6cf1ec4cb9f07b0ff95"
|
||||
],
|
||||
"version": "==1.14.26"
|
||||
"version": "==1.14.27"
|
||||
},
|
||||
"botocore": {
|
||||
"hashes": [
|
||||
"sha256:0c4ed6349e8ef6bfe9648757f3ff66c33a8f37d9cbadd9c17987138184990cbd",
|
||||
"sha256:28832be365204f00d5c7d2c2a0538d9d082dbfc39ed984fdc9556770470b7487"
|
||||
"sha256:994a9f50e0e770c0f9ea74659f501848f7d12b22186026c219cde8a481ede298",
|
||||
"sha256:acd955f0315b5d17e3e8ddc2ef74d7f03c4ef37f0ceb042058637f7edfbbad4e"
|
||||
],
|
||||
"version": "==1.17.26"
|
||||
"version": "==1.17.27"
|
||||
},
|
||||
"cfn-lint": {
|
||||
"hashes": [
|
||||
|
@ -82,7 +80,6 @@
|
|||
"sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
|
||||
"sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
|
||||
],
|
||||
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'",
|
||||
"version": "==0.15.2"
|
||||
},
|
||||
"isort": {
|
||||
|
@ -90,7 +87,6 @@
|
|||
"sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1",
|
||||
"sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
|
||||
"version": "==4.3.21"
|
||||
},
|
||||
"jmespath": {
|
||||
|
@ -98,7 +94,6 @@
|
|||
"sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9",
|
||||
"sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f"
|
||||
],
|
||||
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'",
|
||||
"version": "==0.10.0"
|
||||
},
|
||||
"jsonpatch": {
|
||||
|
@ -114,7 +109,6 @@
|
|||
"sha256:c192ba86648e05fdae4f08a17ec25180a9aef5008d973407b581798a83975362",
|
||||
"sha256:ff379fa021d1b81ab539f5ec467c7745beb1a5671463f9dcc2b2d458bd361c1e"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
|
||||
"version": "==2.0"
|
||||
},
|
||||
"jsonschema": {
|
||||
|
@ -154,7 +148,6 @@
|
|||
"sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4",
|
||||
"sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
|
||||
"version": "==1.4.3"
|
||||
},
|
||||
"mccabe": {
|
||||
|
@ -179,6 +172,12 @@
|
|||
],
|
||||
"version": "==0.8.0"
|
||||
},
|
||||
"pyhcl": {
|
||||
"hashes": [
|
||||
"sha256:2d9b9dcdf1023d812bfed561ba72c99104c5b3f52e558d595130a44ce081b003"
|
||||
],
|
||||
"version": "==0.4.4"
|
||||
},
|
||||
"pylint": {
|
||||
"hashes": [
|
||||
"sha256:7dd78437f2d8d019717dbf287772d0b2dbdfd13fc016aa7faa08d67bccc46adc",
|
||||
|
@ -198,7 +197,6 @@
|
|||
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
|
||||
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
|
||||
"version": "==2.8.1"
|
||||
},
|
||||
"pyyaml": {
|
||||
|
@ -230,9 +228,16 @@
|
|||
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
|
||||
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
|
||||
],
|
||||
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
|
||||
"version": "==1.15.0"
|
||||
},
|
||||
"terrascan": {
|
||||
"hashes": [
|
||||
"sha256:2003638e2e38feba9215df3add2ee99565731b86dbd5c43fd8982b1a4ddac927",
|
||||
"sha256:b44d8c7eac96aa8094865061783ab0e8e849690b8187b75778caf5dd34002d18"
|
||||
],
|
||||
"index": "pypi",
|
||||
"version": "==0.2.3"
|
||||
},
|
||||
"toml": {
|
||||
"hashes": [
|
||||
"sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f",
|
||||
|
|
|
@ -353,6 +353,7 @@ function BuildFileList() {
|
|||
# Append the file to the array #
|
||||
################################
|
||||
FILE_ARRAY_TERRAFORM+=("${FILE}")
|
||||
FILE_ARRAY_TERRAFORM_TERRASCAN+=("${FILE}")
|
||||
##########################################################
|
||||
# Set the READ_ONLY_CHANGE_FLAG since this could be exec #
|
||||
##########################################################
|
||||
|
|
|
@ -98,7 +98,7 @@ LINTER_ARRAY=('ansible-lint' 'arm-ttk' 'asl-validator' 'cfn-lint' 'clj-kondo'
|
|||
'coffeelint' 'dart' 'dockerfilelint' 'dotenv-linter' 'eslint' 'golangci-lint'
|
||||
'htmlhint' 'jsonlint' 'ktlint' 'markdownlint' 'npm-groovy-lint' 'perl'
|
||||
'protolint' 'pwsh' 'pylint' 'raku' 'rubocop' 'shellcheck' 'spectral'
|
||||
'standard' 'stylelint' 'tflint' 'xmllint' 'yamllint')
|
||||
'standard' 'stylelint' 'terrascan' 'tflint' 'xmllint' 'yamllint')
|
||||
|
||||
|
||||
#############################
|
||||
|
@ -108,7 +108,7 @@ LANGUAGE_ARRAY=('ANSIBLE' 'ARM' 'BASH' 'CLOUDFORMATION' 'CLOJURE' 'COFFEESCRIPT'
|
|||
'CSS' 'DART' 'DOCKER' 'ENV' 'GO' 'GROOVY' 'HTML' 'JAVASCRIPT_ES'
|
||||
'JAVASCRIPT_STANDARD' 'JSON' 'JSX' 'KOTLIN' 'MARKDOWN' 'OPENAPI'
|
||||
'PERL' 'PHP' 'POWERSHELL' 'PROTOBUF' 'PYTHON'
|
||||
'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TSX' 'TYPESCRIPT_ES'
|
||||
'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TERRAFORM_TERRASCAN' 'TSX' 'TYPESCRIPT_ES'
|
||||
'TYPESCRIPT_STANDARD' 'XML' 'YML')
|
||||
|
||||
############################################
|
||||
|
@ -161,6 +161,7 @@ VALIDATE_RAKU="${VALIDATE_RAKU}" # Boolean to vali
|
|||
VALIDATE_RUBY="${VALIDATE_RUBY}" # Boolean to validate language
|
||||
VALIDATE_STATES="${VALIDATE_STATES}" # Boolean to validate language
|
||||
VALIDATE_TERRAFORM="${VALIDATE_TERRAFORM}" # Boolean to validate language
|
||||
VALIDATE_TERRAFORM_TERRASCAN="${VALIDATE_TERRAFORM_TERRASCAN}" # Boolean to validate language
|
||||
VALIDATE_TSX="${VALIDATE_TSX}" # Boolean to validate language
|
||||
VALIDATE_TYPESCRIPT_ES="${VALIDATE_TYPESCRIPT_ES}" # Boolean to validate language
|
||||
VALIDATE_TYPESCRIPT_STANDARD="${VALIDATE_TYPESCRIPT_STANDARD}" # Boolean to validate language
|
||||
|
@ -304,6 +305,8 @@ ERRORS_FOUND_STATES=0 # Count of errors found
|
|||
export ERRORS_FOUND_STATES # Workaround SC2034
|
||||
ERRORS_FOUND_TERRAFORM=0 # Count of errors found
|
||||
export ERRORS_FOUND_TERRAFORM # Workaround SC2034
|
||||
ERRORS_FOUND_TERRAFORM_TERRASCAN=0 # Count of errors found
|
||||
export ERRORS_FOUND_TERRAFORM_TERRASCAN # Workaround SC2034
|
||||
ERRORS_FOUND_TSX=0 # Count of errors found
|
||||
export ERRORS_FOUND_TSX # Workaround SC2034
|
||||
ERRORS_FOUND_TYPESCRIPT_STANDARD=0 # Count of errors found
|
||||
|
@ -1372,13 +1375,13 @@ if [ "${VALIDATE_JSON}" == "true" ]; then
|
|||
LintCodebase "JSON" "jsonlint" "jsonlint" ".*\.\(json\)\$" "${FILE_ARRAY_JSON[@]}"
|
||||
fi
|
||||
|
||||
######################
|
||||
###############
|
||||
# JSX LINTING #
|
||||
######################
|
||||
###############
|
||||
if [ "${VALIDATE_JSX}" == "true" ]; then
|
||||
#############################
|
||||
######################
|
||||
# Lint the JSX files #
|
||||
#############################
|
||||
######################
|
||||
# LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY"
|
||||
LintCodebase "JSX" "eslint" "eslint --no-eslintrc -c ${JAVASCRIPT_LINTER_RULES}" ".*\.\(jsx\)\$" "${FILE_ARRAY_JSX[@]}"
|
||||
fi
|
||||
|
@ -1563,13 +1566,24 @@ if [ "${VALIDATE_TERRAFORM}" == "true" ]; then
|
|||
LintCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM[@]}"
|
||||
fi
|
||||
|
||||
######################
|
||||
###############################
|
||||
# TERRAFORM TERRASCAN LINTING #
|
||||
###############################
|
||||
if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]; then
|
||||
############################
|
||||
# Lint the Terraform files #
|
||||
############################
|
||||
# LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY"
|
||||
LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}"
|
||||
fi
|
||||
|
||||
###############
|
||||
# TSX LINTING #
|
||||
######################
|
||||
###############
|
||||
if [ "${VALIDATE_TSX}" == "true" ]; then
|
||||
#############################
|
||||
######################
|
||||
# Lint the TSX files #
|
||||
#############################
|
||||
######################
|
||||
LintCodebase "TSX" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(tsx\)\$" "${FILE_ARRAY_TSX[@]}"
|
||||
fi
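Review bot: The banner above the terrascan call repeats the tflint block's `# Lint the Terraform files #`, so the two Terraform sections are indistinguishable when scanning the log; `# Lint the Terraform files with terrascan #` (with the `#` rule widened to match) would name the tool that runs. The command string `"terrascan -f "` carries a trailing space — harmless because LintCodebase word-splits `${LINTER_COMMAND}` before appending the quoted file name — but `"terrascan -f"` is cleaner, and the same string appears on the new RunTestCases line in the worker file. Since this is the one linter in the file that reports security findings rather than syntax, a one-line comment such as `# terrascan reports security findings; runs only when VALIDATE_TERRAFORM_TERRASCAN is explicitly "true"` would help readers who see the `false` default documented in the README, assuming that default is enforced in GetValidationInfo, which is outside this hunk.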
|
||||
|
||||
|
|
|
@ -92,20 +92,6 @@ function GetValidationInfo() {
|
|||
fi
|
||||
done
|
||||
|
||||
######################################
|
||||
# Validate if we should check GROOVY #
|
||||
######################################
|
||||
if [[ $ANY_SET == "true" ]]; then
|
||||
# Some linter flags were set - only run those set to true
|
||||
if [[ -z $VALIDATE_GROOVY ]]; then
|
||||
# GROOVY flag was not set - default to false
|
||||
VALIDATE_GROOVY="false"
|
||||
fi
|
||||
else
|
||||
# No linter flags were set - default all to true
|
||||
VALIDATE_GROOVY="true"
|
||||
fi
|
||||
|
||||
#######################################
|
||||
# Print which linters we are enabling #
|
||||
#######################################
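Review bot: With this hunk the new `TERRAFORM_TERRASCAN` entry in LANGUAGE_ARRAY is handled only by the generic loop ending at the `done` above, and that loop's body is outside the hunk, so it is not visible whether terrascan gets the `false` default the README documents for `VALIDATE_TERRAFORM_TERRASCAN`. The removed GROOVY block shows the pattern the loop presumably mirrors — `VALIDATE_<LANG>="true"` whenever no flag at all is set — which would switch terrascan on for every user who sets no `VALIDATE_*` flags, contrary to the documented opt-in. If the loop does default to true, an override after it such as `if [[ -z $VALIDATE_TERRAFORM_TERRASCAN ]]; then VALIDATE_TERRAFORM_TERRASCAN="false"; fi` keeps the behaviour opt-in, and the `# Print which linters we are enabling #` output below will then show the effective value. GetValidationInfo begins and ends outside this hunk.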
|
||||
|
|
|
@ -214,7 +214,6 @@ function LintCodebase() {
|
|||
${LINTER_COMMAND} "${FILE}" 2>&1
|
||||
)
|
||||
fi
|
||||
|
||||
#######################
|
||||
# Load the error code #
|
||||
#######################
|
||||
|
@ -607,6 +606,7 @@ function RunTestCases() {
|
|||
TestCodebase "RUBY" "rubocop" "rubocop -c ${RUBY_LINTER_RULES}" ".*\.\(rb\)\$" "ruby"
|
||||
TestCodebase "STATES" "asl-validator" "asl-validator --json-path" ".*\.\(json\)\$" "states"
|
||||
TestCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "terraform"
|
||||
TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "terraform_terrascan"
|
||||
TestCodebase "TYPESCRIPT_ES" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(ts\)\$" "typescript"
|
||||
TestCodebase "TYPESCRIPT_STANDARD" "standard" "standard --parser @typescript-eslint/parser --plugin @typescript-eslint/eslint-plugin ${TYPESCRIPT_STANDARD_LINTER_RULES}" ".*\.\(ts\)\$" "typescript"
|
||||
TestCodebase "XML" "xmllint" "xmllint" ".*\.\(xml\)\$" "xml"
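Review bot: The new TestCodebase line passes `"terrascan -f "` with a trailing space; the caller word-splits the command so it works, but `"terrascan -f"` matches how every other entry on these lines is written. The fixture directory `terraform_terrascan` that the same line names ships a README whose heading is still the copied `# AWS States language Test Cases`; `# Terraform terrascan Test Cases` would make the fixture set identifiable. RunTestCases starts before this hunk.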
|
||||
|
|