Merge pull request #473 from cesar-rodriguez/cesar-rodriguez/terrascan

Adds optional security linting for Terraform
This commit is contained in:
Lukas Gravley 2020-07-24 08:32:04 -05:00 committed by GitHub
commit c9eae4876c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 133 additions and 46 deletions

View file

@ -0,0 +1,19 @@
# AWS States language Test Cases
This folder holds the test cases for **Terraform**.
## Additional Docs
No Additional information is needed for this test case.
## Good Test Cases
The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
- **Note:** They are linted utilizing the default linter rules.
## Bad Test Cases
The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
- **Note:** They are linted utilizing the default linter rules.

View file

@ -0,0 +1,19 @@
# AWS States language Test Cases
This folder holds the test cases for **Terraform terrascan**.
## Additional Docs
No Additional information is needed for this test case.
## Good Test Cases
The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
- **Note:** They are linted utilizing the default linter rules.
## Bad Test Cases
The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
- **Note:** They are linted utilizing the default linter rules.

View file

@ -0,0 +1,9 @@
resource "aws_instance" "bad" {
ami = "ami-0ff8a91507f77f867"
instance_type = "t2.small"
associate_public_ip_address = true
ebs_block_device {
encrypted = true
}
}

View file

@ -0,0 +1,9 @@
resource "aws_instance" "good" {
ami = "ami-0ff8a91507f77f867"
instance_type = "t2.small"
associate_public_ip_address = false
ebs_block_device {
encrypted = true
}
}

View file

@ -0,0 +1,22 @@
TAP version 13
1..2
not ok 1 - terraform_bad_1.tf
terrascan version 0.2.3
Logging level set to error.
........................................................................
----------------------------------------------------------------------
Ran 72 tests in 0.008s
OK
Processed 1 files in /tmp/lint/.terrascan
Processed on 07/24/2020 at 03:22
Results (took 0.42 seconds):
Failures: (1)
[high] [aws_instance.bad.associate_public_ip_address] should not be 'True'. Is: 'True' in module .terrascan, file /tmp/lint/.terrascan/terraform_bad_1.tf
Errors: (0)
ok 2 - terraform_good_1.tf

View file

@ -229,6 +229,7 @@ ENV ACTIONS_RUNNER_DEBUG=${ACTIONS_RUNNER_DEBUG} \
VALIDATE_RUBY=${VALIDATE_RUBY} \
VALIDATE_STATES=${VALIDATE_STATES} \
VALIDATE_TERRAFORM=${VALIDATE_TERRAFORM} \
VALIDATE_TERRAFORM_TERRASCAN=${VALIDATE_TERRAFORM_TERRASCAN} \
VALIDATE_TYPESCRIPT_ES=${VALIDATE_TYPESCRIPT_ES} \
VALIDATE_TYPESCRIPT_STANDARD=${VALIDATE_TYPESCRIPT_STANDARD} \
VALIDATE_XML=${VALIDATE_XML} \

View file

@ -69,7 +69,7 @@ Developers on **GitHub** can call the **GitHub Action** to lint their code base
| **Raku** | [raku](https://raku.org) |
| **Ruby** | [RuboCop](https://github.com/rubocop-hq/rubocop) |
| **Shell** | [Shellcheck](https://github.com/koalaman/shellcheck) |
| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) |
| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) [terrascan](https://github.com/accurics/terrascan) |
| **TypeScript** | [eslint](https://eslint.org/) [standard js](https://standardjs.com/) |
| **XML** | [LibXML](http://xmlsoft.org/) |
| **YAML** | [YamlLint](https://github.com/adrienverge/yamllint) |
@ -212,6 +212,7 @@ and won't run anything unexpected.
| **VALIDATE_RUBY** | `true` | Flag to enable or disable the linting process of the Ruby language. |
| **VALIDATE_STATES** | `true` | Flag to enable or disable the linting process for AWS States Language. |
| **VALIDATE_TERRAFORM** | `true` | Flag to enable or disable the linting process of the Terraform language. |
| **VALIDATE_TERRAFORM_TERRASCAN** | `false` | Flag to enable or disable the linting process of the Terraform language for security related issues. |
| **VALIDATE_TSX** | `true` | Flag to enable or disable the linting process for tsx files (Utilizing: eslint) |
| **VALIDATE_TYPESCRIPT_ES** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: eslint) |
| **VALIDATE_TYPESCRIPT_STANDARD** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: standard) |

View file

@ -10,6 +10,7 @@ yamllint = "*"
pylint = "*"
yq = "*"
cfn-lint = "*"
terrascan = "*"
[requires]
python_version = "3.8"

37
dependencies/Pipfile.lock generated vendored
View file

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "1ccc4fd5c20ba56f1cca85abdd09b24798c3ad68b921cb42c501177598d986c9"
"sha256": "c62b95247cb67b10711da0012966cc031d5a9ec08885a45736c0ee77bba3a844"
},
"pipfile-spec": 6,
"requires": {
@ -28,7 +28,6 @@
"sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703",
"sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386"
],
"markers": "python_version >= '3.5'",
"version": "==2.4.2"
},
"attrs": {
@ -36,7 +35,6 @@
"sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
"sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==19.3.0"
},
"aws-sam-translator": {
@ -49,17 +47,17 @@
},
"boto3": {
"hashes": [
"sha256:4735fdf490094537ea0cb93ba4237db442195c37f974ea4ad44b9a5af98e6d7b",
"sha256:838cea329851e11b9a9dae1c00cd5ef2f3b29ac83c061733b2e93b64c333750f"
"sha256:65c131b72c2a75e3cc6044e5fd6426719051b9b1f28bd026b4a5490648d13019",
"sha256:e1e09587763671cc07c9e6d349d93bf53a140f83947cb6cf1ec4cb9f07b0ff95"
],
"version": "==1.14.26"
"version": "==1.14.27"
},
"botocore": {
"hashes": [
"sha256:0c4ed6349e8ef6bfe9648757f3ff66c33a8f37d9cbadd9c17987138184990cbd",
"sha256:28832be365204f00d5c7d2c2a0538d9d082dbfc39ed984fdc9556770470b7487"
"sha256:994a9f50e0e770c0f9ea74659f501848f7d12b22186026c219cde8a481ede298",
"sha256:acd955f0315b5d17e3e8ddc2ef74d7f03c4ef37f0ceb042058637f7edfbbad4e"
],
"version": "==1.17.26"
"version": "==1.17.27"
},
"cfn-lint": {
"hashes": [
@ -82,7 +80,6 @@
"sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
"sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'",
"version": "==0.15.2"
},
"isort": {
@ -90,7 +87,6 @@
"sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1",
"sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==4.3.21"
},
"jmespath": {
@ -98,7 +94,6 @@
"sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9",
"sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'",
"version": "==0.10.0"
},
"jsonpatch": {
@ -114,7 +109,6 @@
"sha256:c192ba86648e05fdae4f08a17ec25180a9aef5008d973407b581798a83975362",
"sha256:ff379fa021d1b81ab539f5ec467c7745beb1a5671463f9dcc2b2d458bd361c1e"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.0"
},
"jsonschema": {
@ -154,7 +148,6 @@
"sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4",
"sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.4.3"
},
"mccabe": {
@ -179,6 +172,12 @@
],
"version": "==0.8.0"
},
"pyhcl": {
"hashes": [
"sha256:2d9b9dcdf1023d812bfed561ba72c99104c5b3f52e558d595130a44ce081b003"
],
"version": "==0.4.4"
},
"pylint": {
"hashes": [
"sha256:7dd78437f2d8d019717dbf287772d0b2dbdfd13fc016aa7faa08d67bccc46adc",
@ -198,7 +197,6 @@
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
"version": "==2.8.1"
},
"pyyaml": {
@ -230,9 +228,16 @@
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
"version": "==1.15.0"
},
"terrascan": {
"hashes": [
"sha256:2003638e2e38feba9215df3add2ee99565731b86dbd5c43fd8982b1a4ddac927",
"sha256:b44d8c7eac96aa8094865061783ab0e8e849690b8187b75778caf5dd34002d18"
],
"index": "pypi",
"version": "==0.2.3"
},
"toml": {
"hashes": [
"sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f",

View file

@ -353,6 +353,7 @@ function BuildFileList() {
# Append the file to the array #
################################
FILE_ARRAY_TERRAFORM+=("${FILE}")
FILE_ARRAY_TERRAFORM_TERRASCAN+=("${FILE}")
##########################################################
# Set the READ_ONLY_CHANGE_FLAG since this could be exec #
##########################################################

View file

@ -98,7 +98,7 @@ LINTER_ARRAY=('ansible-lint' 'arm-ttk' 'asl-validator' 'cfn-lint' 'clj-kondo'
'coffeelint' 'dart' 'dockerfilelint' 'dotenv-linter' 'eslint' 'golangci-lint'
'htmlhint' 'jsonlint' 'ktlint' 'markdownlint' 'npm-groovy-lint' 'perl'
'protolint' 'pwsh' 'pylint' 'raku' 'rubocop' 'shellcheck' 'spectral'
'standard' 'stylelint' 'tflint' 'xmllint' 'yamllint')
'standard' 'stylelint' 'terrascan' 'tflint' 'xmllint' 'yamllint')
#############################
@ -108,7 +108,7 @@ LANGUAGE_ARRAY=('ANSIBLE' 'ARM' 'BASH' 'CLOUDFORMATION' 'CLOJURE' 'COFFEESCRIPT'
'CSS' 'DART' 'DOCKER' 'ENV' 'GO' 'GROOVY' 'HTML' 'JAVASCRIPT_ES'
'JAVASCRIPT_STANDARD' 'JSON' 'JSX' 'KOTLIN' 'MARKDOWN' 'OPENAPI'
'PERL' 'PHP' 'POWERSHELL' 'PROTOBUF' 'PYTHON'
'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TSX' 'TYPESCRIPT_ES'
'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TERRAFORM_TERRASCAN' 'TSX' 'TYPESCRIPT_ES'
'TYPESCRIPT_STANDARD' 'XML' 'YML')
############################################
@ -161,6 +161,7 @@ VALIDATE_RAKU="${VALIDATE_RAKU}" # Boolean to vali
VALIDATE_RUBY="${VALIDATE_RUBY}" # Boolean to validate language
VALIDATE_STATES="${VALIDATE_STATES}" # Boolean to validate language
VALIDATE_TERRAFORM="${VALIDATE_TERRAFORM}" # Boolean to validate language
VALIDATE_TERRAFORM_TERRASCAN="${VALIDATE_TERRAFORM_TERRASCAN}" # Boolean to validate language
VALIDATE_TSX="${VALIDATE_TSX}" # Boolean to validate language
VALIDATE_TYPESCRIPT_ES="${VALIDATE_TYPESCRIPT_ES}" # Boolean to validate language
VALIDATE_TYPESCRIPT_STANDARD="${VALIDATE_TYPESCRIPT_STANDARD}" # Boolean to validate language
@ -304,6 +305,8 @@ ERRORS_FOUND_STATES=0 # Count of errors found
export ERRORS_FOUND_STATES # Workaround SC2034
ERRORS_FOUND_TERRAFORM=0 # Count of errors found
export ERRORS_FOUND_TERRAFORM # Workaround SC2034
ERRORS_FOUND_TERRAFORM_TERRASCAN=0 # Count of errors found
export ERRORS_FOUND_TERRAFORM_TERRASCAN # Workaround SC2034
ERRORS_FOUND_TSX=0 # Count of errors found
export ERRORS_FOUND_TSX # Workaround SC2034
ERRORS_FOUND_TYPESCRIPT_STANDARD=0 # Count of errors found
@ -1372,13 +1375,13 @@ if [ "${VALIDATE_JSON}" == "true" ]; then
LintCodebase "JSON" "jsonlint" "jsonlint" ".*\.\(json\)\$" "${FILE_ARRAY_JSON[@]}"
fi
######################
# JSX LINTING #
######################
###############
# JSX LINTING #
###############
if [ "${VALIDATE_JSX}" == "true" ]; then
#############################
# Lint the JSX files #
#############################
######################
# Lint the JSX files #
######################
# LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY"
LintCodebase "JSX" "eslint" "eslint --no-eslintrc -c ${JAVASCRIPT_LINTER_RULES}" ".*\.\(jsx\)\$" "${FILE_ARRAY_JSX[@]}"
fi
@ -1563,13 +1566,24 @@ if [ "${VALIDATE_TERRAFORM}" == "true" ]; then
LintCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM[@]}"
fi
######################
# TSX LINTING #
######################
###############################
# TERRAFORM TERRASCAN LINTING #
###############################
if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]; then
############################
# Lint the Terraform files #
############################
# LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY"
LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}"
fi
###############
# TSX LINTING #
###############
if [ "${VALIDATE_TSX}" == "true" ]; then
#############################
# Lint the TSX files #
#############################
######################
# Lint the TSX files #
######################
LintCodebase "TSX" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(tsx\)\$" "${FILE_ARRAY_TSX[@]}"
fi

View file

@ -92,20 +92,6 @@ function GetValidationInfo() {
fi
done
######################################
# Validate if we should check GROOVY #
######################################
if [[ $ANY_SET == "true" ]]; then
# Some linter flags were set - only run those set to true
if [[ -z $VALIDATE_GROOVY ]]; then
# GROOVY flag was not set - default to false
VALIDATE_GROOVY="false"
fi
else
# No linter flags were set - default all to true
VALIDATE_GROOVY="true"
fi
#######################################
# Print which linters we are enabling #
#######################################

View file

@ -214,7 +214,6 @@ function LintCodebase() {
${LINTER_COMMAND} "${FILE}" 2>&1
)
fi
#######################
# Load the error code #
#######################
@ -607,6 +606,7 @@ function RunTestCases() {
TestCodebase "RUBY" "rubocop" "rubocop -c ${RUBY_LINTER_RULES}" ".*\.\(rb\)\$" "ruby"
TestCodebase "STATES" "asl-validator" "asl-validator --json-path" ".*\.\(json\)\$" "states"
TestCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "terraform"
TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "terraform_terrascan"
TestCodebase "TYPESCRIPT_ES" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(ts\)\$" "typescript"
TestCodebase "TYPESCRIPT_STANDARD" "standard" "standard --parser @typescript-eslint/parser --plugin @typescript-eslint/eslint-plugin ${TYPESCRIPT_STANDARD_LINTER_RULES}" ".*\.\(ts\)\$" "typescript"
TestCodebase "XML" "xmllint" "xmllint" ".*\.\(xml\)\$" "xml"