From 5b5e54ad5ced66a1dff4260f8144c1a36b271a4b Mon Sep 17 00:00:00 2001 From: Marco Ferrari Date: Fri, 9 Feb 2024 23:57:01 +0100 Subject: [PATCH] fix: initialize terrascan at runtime (#5246) Terrascan runs initialization anyway when scanning files, so there's no point in running it at build time. Also, this works around a Terrascan bug that caused it to fail its initialization if $HOME/.terrascan directory is not present. This happens on GitHub Actions because it configures a $HOME directory that is different from ours. --- Dockerfile | 5 ----- Makefile | 8 +++++++- lib/functions/buildFileList.sh | 2 +- lib/functions/detectFiles.sh | 16 ++++++++++++++++ .../inspec/super-linter/controls/super_linter.rb | 3 +-- .../good/terraform-terrascan_good_2.tf | 15 +++++++++++++++ test/run-super-linter-tests.sh | 5 +++++ 7 files changed, 45 insertions(+), 9 deletions(-) create mode 100644 test/linters/terraform_terrascan/good/terraform-terrascan_good_2.tf
diff --git a/Dockerfile b/Dockerfile
index 9c4c0193..4d207ae7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -391,11 +391,6 @@ ENV PATH="${PATH}:${DART_SDK}/bin:/root/.pub-cache/bin"
 ENV VERSION_FILE="/action/linterVersions.txt"
 RUN mkdir /action
-# Initialize Terrascan
-# Initialize ChkTeX config file
-RUN terrascan init --log-level "debug" \
- && touch ~/.chktexrc
-
 ENTRYPOINT ["/action/lib/linter.sh"]
 FROM base_image as slim
diff --git a/Makefile b/Makefile
index 6690e138..75a8f20d 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ all: info docker test ## Run all targets.
 .PHONY: test
-test: info validate-container-image-labels test-lib inspec lint-codebase test-default-config-files test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-log-level test-linters ## Run the test suite
+test: info validate-container-image-labels test-lib inspec lint-codebase test-default-config-files test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-non-default-home-directory test-log-level test-linters ## Run the test suite
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
@@ -289,6 +289,12 @@ test-custom-ssl-cert: ## Test the configuration of a custom SSL/TLS certificate
 -v "$(CURDIR)/docs":/tmp/lint \
 $(SUPER_LINTER_TEST_CONTAINER_URL)
+.phony: test-non-default-home-directory
+test-non-default-home-directory: ## Test a non-default HOME directory
+ $(CURDIR)/test/run-super-linter-tests.sh \
+ $(SUPER_LINTER_TEST_CONTAINER_URL) \
+ "run_test_cases_non_default_home"
+
 .phony: test-linters
 test-linters: test-linters-expect-success test-linters-expect-failure ## Run the linters test suite
diff --git a/lib/functions/buildFileList.sh b/lib/functions/buildFileList.sh
index e80bf681..b9953e86 100755
--- a/lib/functions/buildFileList.sh
+++ b/lib/functions/buildFileList.sh
@@ -156,7 +156,7 @@ function BuildFileList() {
 if ! RESULTS_OBJECT=$(jq --raw-output -n '[inputs]' "${PARALLEL_RESULTS_FILE_PATH}"); then
 fatal "Error loading results when building the file list: ${RESULTS_OBJECT}"
 fi
- debug "RESULTS_OBJECT for ${FILE_TYPE}:\n${RESULTS_OBJECT}"
+ debug "RESULTS_OBJECT when building the file list:\n${RESULTS_OBJECT}"
 local STDOUT_BUILD_FILE_LIST
 # Get raw output so we can strip quotes from the data we load
diff --git a/lib/functions/detectFiles.sh b/lib/functions/detectFiles.sh
index 880c01f2..19483a52 100755
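Review bot: The new rule is declared with `.phony: test-non-default-home-directory`, but GNU Make's special target is case-sensitive (`.PHONY`), so that line only defines an ordinary target named `.phony` and the new test rule is not actually phony: a file or directory called `test-non-default-home-directory` in the checkout would make it look up to date and the test would be silently skipped. The lowercase spelling is copied from the neighbouring `.phony: test-linters` context line, so the pattern pre-dates this commit, but the `.PHONY: test` line in the first hunk shows the intended form. Suggest `.PHONY: test-non-default-home-directory` here, and correcting the sibling `.phony:` declarations in a follow-up.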
--- a/lib/functions/detectFiles.sh
+++ b/lib/functions/detectFiles.sh
@@ -444,6 +444,22 @@ function RunAdditionalInstalls() {
 done
 fi
+ if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ] && [ -e "${FILE_ARRAYS_DIRECTORY_PATH}/file-array-TERRAFORM_TERRASCAN" ]; then
+ info "Initializing Terrascan repository"
+ local -a TERRASCAN_INIT_COMMAND
+ TERRASCAN_INIT_COMMAND=(terrascan init -c "${TERRAFORM_TERRASCAN_LINTER_RULES}")
+ if [[ "${LOG_DEBUG}" == "true" ]]; then
+ TERRASCAN_INIT_COMMAND+=(--log-level "debug")
+ fi
+ debug "Terrascan init command: ${TERRASCAN_INIT_COMMAND[*]}"
+
+ local TERRASCAN_INIT_COMMAND_OUTPUT
+ if ! TERRASCAN_INIT_COMMAND_OUTPUT="$("${TERRASCAN_INIT_COMMAND[@]}" 2>&1)"; then
+ fatal "Error while initializing Terrascan:\n${TERRASCAN_INIT_COMMAND_OUTPUT}"
+ fi
+ debug "Terrascan init command output:\n${TERRASCAN_INIT_COMMAND_OUTPUT}"
+ fi
+
 # Check if there's local configuration for the Raku linter
 if [ -e "${GITHUB_WORKSPACE}/META6.json" ]; then
 cd "${GITHUB_WORKSPACE}" && zef install --deps-only --/test .
diff --git a/test/inspec/super-linter/controls/super_linter.rb b/test/inspec/super-linter/controls/super_linter.rb
index debe4f87..c30101a6 100644
--- a/test/inspec/super-linter/controls/super_linter.rb
+++ b/test/inspec/super-linter/controls/super_linter.rb
@@ -495,8 +495,7 @@ control "super-linter-validate-files" do
 "/action/lib/.automation/.yaml-lint.yml",
 "/action/lib/.automation/phpcs.xml",
 "/action/lib/.automation/phpstan.neon",
- "/action/lib/.automation/psalm.xml",
- "/root/.chktexrc"
+ "/action/lib/.automation/psalm.xml"
 ]
 files.each do |item|
diff --git a/test/linters/terraform_terrascan/good/terraform-terrascan_good_2.tf b/test/linters/terraform_terrascan/good/terraform-terrascan_good_2.tf
new file mode 100644
index 00000000..267941f1
--- /dev/null
+++ b/test/linters/terraform_terrascan/good/terraform-terrascan_good_2.tf
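Review bot: Running `terrascan init` inside `RunAdditionalInstalls` instead of at image build time makes every lint run depend on what that command does at runtime; as far as I know `terrascan init` fetches the policy repository over the network unless the config passed with `-c` points it at a local policy path, so a runner without outbound access will now hit the `fatal` branch on every run, and the policies applied are no longer pinned by the image digest but by whatever the remote serves at lint time. Neither the hunk nor the commit message mentions this trade-off, so a comment above the new `if` would help the next maintainer, e.g. `# terrascan init runs at lint time (not at image build) so it honours $HOME; it may fetch the policy repository over the network unless TERRAFORM_TERRASCAN_LINTER_RULES supplies a local policy path`. It would also be worth confirming that `TERRAFORM_TERRASCAN_LINTER_RULES` is always set whenever `VALIDATE_TERRAFORM_TERRASCAN` is true, since the quoted expansion passes a literal `-c ""` to terrascan when it is empty. `RunAdditionalInstalls` begins before this hunk.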
@@ -0,0 +1,15 @@
+resource "aws_instance" "instanceWithVpc2" {
+ ami = "some-id"
+ instance_type = "t2.micro"
+ monitoring = true
+ ebs_optimized = true
+
+ vpc_security_group_ids = ["sg-12345678901234567"]
+ subnet_id = "subnet-12345678901234567"
+ metadata_options {
+ http_endpoint = "disabled"
+ }
+ tags = {
+ Name = "HelloWorld"
+ }
+}
diff --git a/test/run-super-linter-tests.sh b/test/run-super-linter-tests.sh
index 10f08a55..4d0fd5e4 100755
--- a/test/run-super-linter-tests.sh
+++ b/test/run-super-linter-tests.sh
@@ -23,6 +23,11 @@ run_test_cases_log_level() {
 LOG_LEVEL="NOTICE"
 }
+run_test_cases_non_default_home() {
+ run_test_cases_expect_success
+ COMMAND_TO_RUN+=(-e HOME=/tmp)
+}
+
 # Run the test setup function
 ${TEST_FUNCTION_NAME}
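Review bot: `run_test_cases_non_default_home` gives no hint of why `HOME=/tmp` matters, so a later cleanup could drop the `-e HOME=/tmp` line without realising it is the regression test for the terrascan initialisation failure described in the commit message. A one-line comment above the function would preserve that intent, e.g. `# Regression test: terrascan init must succeed when HOME differs from the image default (as on GitHub Actions), see #5246`. The append to `COMMAND_TO_RUN` also assumes `run_test_cases_expect_success`, which is defined outside this hunk, initialises that array; if it does not, the `+=` creates the array with only the `-e HOME=/tmp` entry and the test would run with no other options.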