diff --git a/.automation/test/terraform/README.md b/.automation/test/terraform/README.md
index e69de29b..6cb4f692 100644
--- a/.automation/test/terraform/README.md
+++ b/.automation/test/terraform/README.md
@@ -0,0 +1,19 @@
+# AWS States language Test Cases
+
+This folder holds the test cases for **Terraform**.
+
+## Additional Docs
+
+No Additional information is needed for this test case.
+
+## Good Test Cases
+
+The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
+
+- **Note:** They are linted utilizing the default linter rules.
+
+## Bad Test Cases
+
+The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
+
+- **Note:** They are linted utilizing the default linter rules.
diff --git a/.automation/test/terraform_terrascan/README.md b/.automation/test/terraform_terrascan/README.md
new file mode 100644
index 00000000..036699d9
--- /dev/null
+++ b/.automation/test/terraform_terrascan/README.md
@@ -0,0 +1,19 @@
+# AWS States language Test Cases
+
+This folder holds the test cases for **Terraform terrascan**.
+
+## Additional Docs
+
+No Additional information is needed for this test case.
+
+## Good Test Cases
+
+The test cases denoted: `LANGUAGE_good_FILE.EXTENSION` are all valid, and should pass successfully when linted.
+
+- **Note:** They are linted utilizing the default linter rules.
+
+## Bad Test Cases
+
+The test cases denoted: `LANGUAGE_bad_FILE.EXTENSION` are **NOT** valid, and should trigger errors when linted.
+
+- **Note:** They are linted utilizing the default linter rules.
diff --git a/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf b/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf
new file mode 100644
index 00000000..57b891dc
--- /dev/null
+++ b/.automation/test/terraform_terrascan/bad/terraform_bad_1.tf
@@ -0,0 +1,9 @@
+resource "aws_instance" "bad" {
+ ami = "ami-0ff8a91507f77f867"
+ instance_type = "t2.small"
+ associate_public_ip_address = true
+
+ ebs_block_device {
+ encrypted = true
+ }
+}
diff --git a/.automation/test/terraform_terrascan/good/terraform_good_1.tf b/.automation/test/terraform_terrascan/good/terraform_good_1.tf
new file mode 100644
index 00000000..59d24f7e
--- /dev/null
+++ b/.automation/test/terraform_terrascan/good/terraform_good_1.tf
@@ -0,0 +1,9 @@
+resource "aws_instance" "good" {
+ ami = "ami-0ff8a91507f77f867"
+ instance_type = "t2.small"
+ associate_public_ip_address = false
+
+ ebs_block_device {
+ encrypted = true
+ }
+}
diff --git a/.automation/test/terraform_terrascan/reports/expected-TERRAFORM.tap b/.automation/test/terraform_terrascan/reports/expected-TERRAFORM.tap
new file mode 100644
index 00000000..6fcc7cb9
--- /dev/null
+++ b/.automation/test/terraform_terrascan/reports/expected-TERRAFORM.tap
@@ -0,0 +1,22 @@
+TAP version 13
+1..2
+not ok 1 - terraform_bad_1.tf
+ terrascan version 0.2.3
+ Logging level set to error.
+ ........................................................................
+ ----------------------------------------------------------------------
+ Ran 72 tests in 0.008s
+
+ OK
+
+ Processed 1 files in /tmp/lint/.terrascan
+
+
+ Processed on 07/24/2020 at 03:22
+ Results (took 0.42 seconds):
+
+ Failures: (1)
+ [high] [aws_instance.bad.associate_public_ip_address] should not be 'True'. Is: 'True' in module .terrascan, file /tmp/lint/.terrascan/terraform_bad_1.tf
+
+ Errors: (0)
+ok 2 - terraform_good_1.tf
diff --git a/Dockerfile b/Dockerfile
index 02452f59..2d143824 100644
--- a/Dockerfile
+++ b/Dockerfile
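Review bot: The bad fixture differs from `terraform_good_1.tf` only in `associate_public_ip_address = true`, so the negative case exercises a single terrascan rule; `ebs_block_device { encrypted = true }` is identical in both files and is therefore never tested from the failing side. The expected report added in this commit confirms exactly one finding for this file. If the intent is to cover the default rule set rather than one rule, a second bad fixture, or an additional misconfiguration in this one such as `encrypted = false`, would make the negative test meaningful for the encryption check as well.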
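Review bot: The expected report hard-codes run-specific values — `terrascan version 0.2.3`, `Ran 72 tests in 0.008s`, `Processed on 07/24/2020 at 03:22`, `Results (took 0.42 seconds):` and the absolute path `/tmp/lint/.terrascan` — so if TestCodebase compares this file verbatim against live output, the comparison fails on the next run or after any terrascan upgrade. How TestCodebase consumes the report is not visible in this diff; if only the `ok`/`not ok` lines are compared, the concern narrows to the pinned version string. The file is also named `expected-TERRAFORM.tap` under the `terraform_terrascan/reports` directory, while the new TestCodebase call in lib/worker.sh passes `TERRAFORM_TERRASCAN` as its file type; confirm the lookup does not expect `expected-TERRAFORM_TERRASCAN.tap`.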
@@ -229,6 +229,7 @@ ENV ACTIONS_RUNNER_DEBUG=${ACTIONS_RUNNER_DEBUG} \
 VALIDATE_RUBY=${VALIDATE_RUBY} \
 VALIDATE_STATES=${VALIDATE_STATES} \
 VALIDATE_TERRAFORM=${VALIDATE_TERRAFORM} \
+ VALIDATE_TERRAFORM_TERRASCAN=${VALIDATE_TERRAFORM_TERRASCAN} \
 VALIDATE_TYPESCRIPT_ES=${VALIDATE_TYPESCRIPT_ES} \
 VALIDATE_TYPESCRIPT_STANDARD=${VALIDATE_TYPESCRIPT_STANDARD} \
 VALIDATE_XML=${VALIDATE_XML} \
diff --git a/README.md b/README.md
index aa163769..e9dd76be 100644
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ Developers on **GitHub** can call the **GitHub Action** to lint their code base
 | **Raku** | [raku](https://raku.org) |
 | **Ruby** | [RuboCop](https://github.com/rubocop-hq/rubocop) |
 | **Shell** | [Shellcheck](https://github.com/koalaman/shellcheck) |
-| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) |
+| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) [terrascan](https://github.com/accurics/terrascan) |
 | **TypeScript** | [eslint](https://eslint.org/) [standard js](https://standardjs.com/) |
 | **XML** | [LibXML](http://xmlsoft.org/) |
 | **YAML** | [YamlLint](https://github.com/adrienverge/yamllint) |
@@ -212,6 +212,7 @@ and won't run anything unexpected.
 | **VALIDATE_RUBY** | `true` | Flag to enable or disable the linting process of the Ruby language. |
 | **VALIDATE_STATES** | `true` | Flag to enable or disable the linting process for AWS States Language. |
 | **VALIDATE_TERRAFORM** | `true` | Flag to enable or disable the linting process of the Terraform language. |
+| **VALIDATE_TERRAFORM_TERRASCAN** | `false` | Flag to enable or disable the linting process of the Terraform language for security related issues. |
 | **VALIDATE_TSX** | `true` | Flag to enable or disable the linting process for tsx files (Utilizing: eslint) |
 | **VALIDATE_TYPESCRIPT_ES** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: eslint) |
 | **VALIDATE_TYPESCRIPT_STANDARD** | `true` | Flag to enable or disable the linting process of the Typescript language. (Utilizing: standard) |
diff --git a/dependencies/Pipfile b/dependencies/Pipfile
index b9df418b..dbc906c9 100644
--- a/dependencies/Pipfile
+++ b/dependencies/Pipfile
@@ -10,6 +10,7 @@ yamllint = "*"
 pylint = "*"
 yq = "*"
 cfn-lint = "*"
+terrascan = "*"
 
 [requires]
 python_version = "3.8"
diff --git a/dependencies/Pipfile.lock b/dependencies/Pipfile.lock
index 356eeda1..32180e96 100644
--- a/dependencies/Pipfile.lock
+++ b/dependencies/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "1ccc4fd5c20ba56f1cca85abdd09b24798c3ad68b921cb42c501177598d986c9"
+ "sha256": "c62b95247cb67b10711da0012966cc031d5a9ec08885a45736c0ee77bba3a844"
 },
 "pipfile-spec": 6,
 "requires": {
@@ -28,7 +28,6 @@
 "sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703",
 "sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386"
 ],
- "markers": "python_version >= '3.5'",
 "version": "==2.4.2"
 },
 "attrs": {
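Review bot: `terrascan = "*"` leaves the scanner's version unconstrained in the Pipfile, while the lock in the same commit resolves it to `0.2.3` and the new expected report embeds `terrascan version 0.2.3`; the next `pipenv lock` can therefore move the scanner, change its rule set and output, and break the test expectation without any change to this file. Other entries here use `"*"` too, but a security scanner's findings are part of the linter's contract, so pinning it (`terrascan = "==0.2.3"`, or at least a `~=` range) keeps upgrades deliberate. The lock's `hashes` and `"index": "pypi"` entries pin the install itself, which is good; the concern is only the resolution step.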
@@ -36,7 +35,6 @@ "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==19.3.0" }, "aws-sam-translator": { @@ -49,17 +47,17 @@ }, "boto3": { "hashes": [ - "sha256:4735fdf490094537ea0cb93ba4237db442195c37f974ea4ad44b9a5af98e6d7b", - "sha256:838cea329851e11b9a9dae1c00cd5ef2f3b29ac83c061733b2e93b64c333750f" + "sha256:65c131b72c2a75e3cc6044e5fd6426719051b9b1f28bd026b4a5490648d13019", + "sha256:e1e09587763671cc07c9e6d349d93bf53a140f83947cb6cf1ec4cb9f07b0ff95" ], - "version": "==1.14.26" + "version": "==1.14.27" }, "botocore": { "hashes": [ - "sha256:0c4ed6349e8ef6bfe9648757f3ff66c33a8f37d9cbadd9c17987138184990cbd", - "sha256:28832be365204f00d5c7d2c2a0538d9d082dbfc39ed984fdc9556770470b7487" + "sha256:994a9f50e0e770c0f9ea74659f501848f7d12b22186026c219cde8a481ede298", + "sha256:acd955f0315b5d17e3e8ddc2ef74d7f03c4ef37f0ceb042058637f7edfbbad4e" ], - "version": "==1.17.26" + "version": "==1.17.27" }, "cfn-lint": { "hashes": [ @@ -82,7 +80,6 @@ "sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827", "sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99" ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'", "version": "==0.15.2" }, "isort": { @@ -90,7 +87,6 @@ "sha256:54da7e92468955c4fceacd0c86bd0ec997b0e1ee80d97f67c35a78b719dccab1", "sha256:6e811fcb295968434526407adb8796944f1988c5b65e8139058f2014cbe100fd" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==4.3.21" }, "jmespath": { 
@@ -98,7 +94,6 @@ "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9", "sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f" ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2'", "version": "==0.10.0" }, "jsonpatch": { @@ -114,7 +109,6 @@ "sha256:c192ba86648e05fdae4f08a17ec25180a9aef5008d973407b581798a83975362", "sha256:ff379fa021d1b81ab539f5ec467c7745beb1a5671463f9dcc2b2d458bd361c1e" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.0" }, "jsonschema": { @@ -154,7 +148,6 @@ "sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4", "sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.4.3" }, "mccabe": { @@ -179,6 +172,12 @@ ], "version": "==0.8.0" }, + "pyhcl": { + "hashes": [ + "sha256:2d9b9dcdf1023d812bfed561ba72c99104c5b3f52e558d595130a44ce081b003" + ], + "version": "==0.4.4" + }, "pylint": { "hashes": [ "sha256:7dd78437f2d8d019717dbf287772d0b2dbdfd13fc016aa7faa08d67bccc46adc", @@ -198,7 +197,6 @@ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==2.8.1" }, "pyyaml": { 
@@ -230,9 +228,16 @@ "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==1.15.0" }, + "terrascan": { + "hashes": [ + "sha256:2003638e2e38feba9215df3add2ee99565731b86dbd5c43fd8982b1a4ddac927", + "sha256:b44d8c7eac96aa8094865061783ab0e8e849690b8187b75778caf5dd34002d18" + ], + "index": "pypi", + "version": "==0.2.3" + }, "toml": { "hashes": [ "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", diff --git a/lib/buildFileList.sh b/lib/buildFileList.sh index 468e0360..00aebf1f 100755 --- a/lib/buildFileList.sh +++ b/lib/buildFileList.sh @@ -353,6 +353,7 @@ function BuildFileList() { # Append the file to the array # ################################ FILE_ARRAY_TERRAFORM+=("${FILE}") + FILE_ARRAY_TERRAFORM_TERRASCAN+=("${FILE}") ########################################################## # Set the READ_ONLY_CHANGE_FLAG since this could be exec # ########################################################## diff --git a/lib/linter.sh b/lib/linter.sh index 06bb4884..d712ab4b 100755 --- a/lib/linter.sh +++ b/lib/linter.sh @@ -98,7 +98,7 @@ LINTER_ARRAY=('ansible-lint' 'arm-ttk' 'asl-validator' 'cfn-lint' 'clj-kondo' 'coffeelint' 'dart' 'dockerfilelint' 'dotenv-linter' 'eslint' 'golangci-lint' 'htmlhint' 'jsonlint' 'ktlint' 'markdownlint' 'npm-groovy-lint' 'perl' 'protolint' 'pwsh' 'pylint' 'raku' 'rubocop' 'shellcheck' 'spectral' - 'standard' 'stylelint' 'tflint' 'xmllint' 'yamllint') + 'standard' 'stylelint' 'terrascan' 'tflint' 'xmllint' 'yamllint') ############################# 
@@ -108,7 +108,7 @@ LANGUAGE_ARRAY=('ANSIBLE' 'ARM' 'BASH' 'CLOUDFORMATION' 'CLOJURE' 'COFFEESCRIPT' 'CSS' 'DART' 'DOCKER' 'ENV' 'GO' 'GROOVY' 'HTML' 'JAVASCRIPT_ES' 'JAVASCRIPT_STANDARD' 'JSON' 'JSX' 'KOTLIN' 'MARKDOWN' 'OPENAPI' 'PERL' 'PHP' 'POWERSHELL' 'PROTOBUF' 'PYTHON' - 'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TSX' 'TYPESCRIPT_ES' + 'RAKU' 'RUBY' 'STATES' 'TERRAFORM' 'TERRAFORM_TERRASCAN' 'TSX' 'TYPESCRIPT_ES' 'TYPESCRIPT_STANDARD' 'XML' 'YML') ############################################ @@ -161,6 +161,7 @@ VALIDATE_RAKU="${VALIDATE_RAKU}" # Boolean to vali VALIDATE_RUBY="${VALIDATE_RUBY}" # Boolean to validate language VALIDATE_STATES="${VALIDATE_STATES}" # Boolean to validate language VALIDATE_TERRAFORM="${VALIDATE_TERRAFORM}" # Boolean to validate language +VALIDATE_TERRAFORM_TERRASCAN="${VALIDATE_TERRAFORM_TERRASCAN}" # Boolean to validate language VALIDATE_TSX="${VALIDATE_TSX}" # Boolean to validate language VALIDATE_TYPESCRIPT_ES="${VALIDATE_TYPESCRIPT_ES}" # Boolean to validate language VALIDATE_TYPESCRIPT_STANDARD="${VALIDATE_TYPESCRIPT_STANDARD}" # Boolean to validate language @@ -304,6 +305,8 @@ ERRORS_FOUND_STATES=0 # Count of errors found export ERRORS_FOUND_STATES # Workaround SC2034 ERRORS_FOUND_TERRAFORM=0 # Count of errors found export ERRORS_FOUND_TERRAFORM # Workaround SC2034 +ERRORS_FOUND_TERRAFORM_TERRASCAN=0 # Count of errors found +export ERRORS_FOUND_TERRAFORM_TERRASCAN # Workaround SC2034 ERRORS_FOUND_TSX=0 # Count of errors found export ERRORS_FOUND_TSX # Workaround SC2034 ERRORS_FOUND_TYPESCRIPT_STANDARD=0 # Count of errors found 
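Review bot: Adding `'TERRAFORM_TERRASCAN'` to LANGUAGE_ARRAY hands its enable flag to whatever generic loop GetValidationInfo runs over that array, and the same commit removes the per-language GROOVY default block from lib/validation.sh without adding one for terrascan, while README.md in this commit documents `VALIDATE_TERRAFORM_TERRASCAN` as defaulting to `false`, unlike every other flag. If the generic path defaults an unset flag to `true` when no VALIDATE_* variable is set (the removed GROOVY block did exactly that), the scanner is opt-out in practice and the documentation is wrong; if opt-in is intended, it needs an explicit default such as `VALIDATE_TERRAFORM_TERRASCAN="${VALIDATE_TERRAFORM_TERRASCAN:-false}"` on the new line in the `@@ -161,6 +161,7 @@` hunk or the equivalent in GetValidationInfo. The Dockerfile `ENV` pass-through added in this commit does not establish a default either way. I cannot see the loop body from this diff, so this is inferred from the `done` that precedes the removed block.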
@@ -1372,13 +1375,13 @@ if [ "${VALIDATE_JSON}" == "true" ]; then LintCodebase "JSON" "jsonlint" "jsonlint" ".*\.\(json\)\$" "${FILE_ARRAY_JSON[@]}" fi -###################### -# JSX LINTING # -###################### +############### +# JSX LINTING # +############### if [ "${VALIDATE_JSX}" == "true" ]; then - ############################# - # Lint the JSX files # - ############################# + ###################### + # Lint the JSX files # + ###################### # LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY" LintCodebase "JSX" "eslint" "eslint --no-eslintrc -c ${JAVASCRIPT_LINTER_RULES}" ".*\.\(jsx\)\$" "${FILE_ARRAY_JSX[@]}" fi @@ -1563,13 +1566,24 @@ if [ "${VALIDATE_TERRAFORM}" == "true" ]; then LintCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM[@]}" fi -###################### -# TSX LINTING # -###################### +############################### +# TERRAFORM TERRASCAN LINTING # +############################### +if [ "${VALIDATE_TERRAFORM_TERRASCAN}" == "true" ]; then + ############################ + # Lint the Terraform files # + ############################ + # LintCodebase "FILE_TYPE" "LINTER_NAME" "LINTER_CMD" "FILE_TYPES_REGEX" "FILE_ARRAY" + LintCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "${FILE_ARRAY_TERRAFORM_TERRASCAN[@]}" +fi + +############### +# TSX LINTING # +############### if [ "${VALIDATE_TSX}" == "true" ]; then - ############################# - # Lint the TSX files # - ############################# + ###################### + # Lint the TSX files # + ###################### LintCodebase "TSX" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(tsx\)\$" "${FILE_ARRAY_TSX[@]}" fi diff --git a/lib/validation.sh b/lib/validation.sh index 39618a3e..07387fd5 100755 --- a/lib/validation.sh +++ b/lib/validation.sh 
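Review bot: The new LintCodebase call passes `"terrascan -f "` with a trailing space, unlike every other LINTER_CMD string in this file (`"tflint -c ${TERRAFORM_LINTER_RULES}"`, `"jsonlint"`); it only works because worker.sh expands `${LINTER_COMMAND}` unquoted, so `"terrascan -f"` is the consistent form. The same string with the same trailing space is duplicated in RunTestCases in lib/worker.sh, so the scanner's command line now lives in two places that can drift; one variable shared by both call sites would keep the lint and test paths identical. The expected report in this commit shows terrascan operating on copies under a `.terrascan` directory (`/tmp/lint/.terrascan`); if on a real run that directory ends up inside the user's checkout, confirm it is removed or excluded so a later file-list build does not pick the copies up.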
@@ -92,20 +92,6 @@ function GetValidationInfo() { fi done - ###################################### - # Validate if we should check GROOVY # - ###################################### - if [[ $ANY_SET == "true" ]]; then - # Some linter flags were set - only run those set to true - if [[ -z $VALIDATE_GROOVY ]]; then - # GROOVY flag was not set - default to false - VALIDATE_GROOVY="false" - fi - else - # No linter flags were set - default all to true - VALIDATE_GROOVY="true" - fi - ####################################### # Print which linters we are enabling # ####################################### diff --git a/lib/worker.sh b/lib/worker.sh index 607c3fd6..a7da7f04 100755 --- a/lib/worker.sh +++ b/lib/worker.sh @@ -214,7 +214,6 @@ function LintCodebase() { ${LINTER_COMMAND} "${FILE}" 2>&1 ) fi - ####################### # Load the error code # ####################### @@ -607,6 +606,7 @@ function RunTestCases() { TestCodebase "RUBY" "rubocop" "rubocop -c ${RUBY_LINTER_RULES}" ".*\.\(rb\)\$" "ruby" TestCodebase "STATES" "asl-validator" "asl-validator --json-path" ".*\.\(json\)\$" "states" TestCodebase "TERRAFORM" "tflint" "tflint -c ${TERRAFORM_LINTER_RULES}" ".*\.\(tf\)\$" "terraform" + TestCodebase "TERRAFORM_TERRASCAN" "terrascan" "terrascan -f " ".*\.\(tf\)\$" "terraform_terrascan" TestCodebase "TYPESCRIPT_ES" "eslint" "eslint --no-eslintrc -c ${TYPESCRIPT_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "TYPESCRIPT_STANDARD" "standard" "standard --parser @typescript-eslint/parser --plugin @typescript-eslint/eslint-plugin ${TYPESCRIPT_STANDARD_LINTER_RULES}" ".*\.\(ts\)\$" "typescript" TestCodebase "XML" "xmllint" "xmllint" ".*\.\(xml\)\$" "xml"