github/pre-commit-opentofu
1
0
Fork 1
mirror of https://github.com/tofuutils/pre-commit-opentofu.git synced 2025-10-15 17:38:54 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

feat: Support for TFSec (#103)

Browse source
This commit is contained in:
Jon Proietti 2020-04-23 09:56:33 -05:00 committed by GitHub
commit 2be8fe5453
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 576 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.pre-commit-hooks.yaml
View file

@ -57,3 +57,9 @@
language: script
files: (\.hcl)$
exclude: \.terraform\/.*$
- id: terraform_tfsec
name: Terraform validate with tfsec
description: Static analysis of Terraform templates to spot potential security issues.
entry: terraform_tfsec.sh
language: script

20
README.md
View file

@ -9,11 +9,13 @@
* [`pre-commit`](https://pre-commit.com/#install)
* [`terraform-docs`](https://github.com/segmentio/terraform-docs) required for `terraform_docs` hooks. `GNU awk` is required if using `terraform-docs` older than 0.8.0 with Terraform 0.12.
* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
* [`TFSec`](https://github.com/liamg/tfsec) required for `terraform_tfsec` hook.
##### MacOS
```bash
brew install pre-commit gawk terraform-docs tflint
brew tap liamg/tfsec
brew install pre-commit gawk terraform-docs tflint tfsec
```
##### Ubuntu
@ -23,6 +25,7 @@ sudo apt install python3-pip gawk &&\
pip3 install pre-commit
curl -L "$(curl -s https://api.github.com/repos/segmentio/terraform-docs/releases/latest | grep -o -E "https://.+?-linux-amd64")" > terraform-docs && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec
```
### 2. Install the pre-commit hook globally
@ -69,6 +72,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md |
| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). |
| `terragrunt_fmt` | Rewrites all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. |
| `terraform_tfsec` | [TFSec](https://github.com/liamg/tfsec) static analysis of terraform templates to spot potential security issues. |
Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
@ -112,6 +116,20 @@ if they are present in `README.md`.
- 'args=--enable-rule=terraform_documented_variables'
```
## Notes about terraform_tfsec hooks
1. `terraform_tfsec` will recurse all directories/modules.
1. To ignore specific warnings, follow the convention from the
[documentation](https://github.com/liamg/tfsec#ignoring-warnings).
1. Example:
```hcl
resource "aws_security_group_rule" "my-rule" {
type = "ingress"
cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
}
```
## Notes for developers
1. Python hooks are supported now too. All you have to do is:

551
terraform_tfsec.sh Executable file
View file

@ -0,0 +1,551 @@
#!/usr/bin/env bash
set -e
main() {
declare argv
argv=$(getopt -o a: --long args: -- "$@") || return
eval "set -- $argv"
declare args
declare files
for argv; do
case $argv in
-a | --args)
shift
args="$1"
shift
;;
--)
shift
files="$@"
break
;;
esac
done
tfsec_ "$args" "$files"
}
tfsec_() {
# Ignore $files because tfsec will recurse directories anyway.
tfsec $args .
}
getopt() {
# pure-getopt, a drop-in replacement for GNU getopt in pure Bash.
# version 1.4.3
#
# Copyright 2012-2018 Aron Griffis <aron@scampersand.com>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
_getopt_main() {
# Returns one of the following statuses:
# 0 success
# 1 error parsing parameters
# 2 error in getopt invocation
# 3 internal error
# 4 reserved for -T
#
# For statuses 0 and 1, generates normalized and shell-quoted
# "options -- parameters" on stdout.
declare parsed status
declare short long name flags
declare have_short=false
# Synopsis from getopt man-page:
#
# getopt optstring parameters
# getopt [options] [--] optstring parameters
# getopt [options] -o|--options optstring [options] [--] parameters
#
# The first form can be normalized to the third form which
# _getopt_parse() understands. The second form can be recognized after
# first parse when $short hasn't been set.
if [[ -n ${GETOPT_COMPATIBLE+isset} || $1 == [^-]* ]]; then
# Enable compatibility mode
flags=c$flags
# Normalize first to third synopsis form
set -- -o "$1" -- "${@:2}"
fi
# First parse always uses flags=p since getopt always parses its own
# arguments effectively in this mode.
parsed=$(_getopt_parse getopt ahl:n:o:qQs:TuV \
alternative,help,longoptions:,name:,options:,quiet,quiet-output,shell:,test,version \
p "$@")
status=$?
if [[ $status != 0 ]]; then
if [[ $status == 1 ]]; then
echo "Try \`getopt --help' for more information." >&2
# Since this is the first parse, convert status 1 to 2
status=2
fi
return $status
fi
eval "set -- $parsed"
while [[ $# -gt 0 ]]; do
case $1 in
-a | --alternative)
flags=a$flags
;;
-h | --help)
_getopt_help
return 2 # as does GNU getopt
;;
-l | --longoptions)
long="$long${long:+,}$2"
shift
;;
-n | --name)
name=$2
shift
;;
-o | --options)
short=$2
have_short=true
shift
;;
-q | --quiet)
flags=q$flags
;;
-Q | --quiet-output)
flags=Q$flags
;;
-s | --shell)
case $2 in
sh | bash)
flags=${flags//t/}
;;
csh | tcsh)
flags=t$flags
;;
*)
echo 'getopt: unknown shell after -s or --shell argument' >&2
echo "Try \`getopt --help' for more information." >&2
return 2
;;
esac
shift
;;
-u | --unquoted)
flags=u$flags
;;
-T | --test)
return 4
;;
-V | --version)
echo "pure-getopt 1.4.3"
return 0
;;
--)
shift
break
;;
esac
shift
done
if ! $have_short; then
# $short was declared but never set, not even to an empty string.
# This implies the second form in the synopsis.
if [[ $# == 0 ]]; then
echo 'getopt: missing optstring argument' >&2
echo "Try \`getopt --help' for more information." >&2
return 2
fi
short=$1
have_short=true
shift
fi
if [[ $short == -* ]]; then
# Leading dash means generate output in place rather than reordering,
# unless we're already in compatibility mode.
[[ $flags == *c* ]] || flags=i$flags
short=${short#?}
elif [[ $short == +* ]]; then
# Leading plus means POSIXLY_CORRECT, unless we're already in
# compatibility mode.
[[ $flags == *c* ]] || flags=p$flags
short=${short#?}
fi
# This should fire if POSIXLY_CORRECT is in the environment, even if
# it's an empty string. That's the difference between :+ and +
flags=${POSIXLY_CORRECT+p}$flags
_getopt_parse "${name:-getopt}" "$short" "$long" "$flags" "$@"
}
_getopt_parse() {
# Inner getopt parser, used for both first parse and second parse.
# Returns 0 for success, 1 for error parsing, 3 for internal error.
# In the case of status 1, still generates stdout with whatever could
# be parsed.
#
# $flags is a string of characters with the following meanings:
# a - alternative parsing mode
# c - GETOPT_COMPATIBLE
# i - generate output in place rather than reordering
# p - POSIXLY_CORRECT
# q - disable error reporting
# Q - disable normal output
# t - quote for csh/tcsh
# u - unquoted output
declare name="$1" short="$2" long="$3" flags="$4"
shift 4
# Split $long on commas, prepend double-dashes, strip colons;
# for use with _getopt_resolve_abbrev
declare -a longarr
_getopt_split longarr "$long"
longarr=("${longarr[@]/#/--}")
longarr=("${longarr[@]%:}")
longarr=("${longarr[@]%:}")
# Parse and collect options and parameters
declare -a opts params
declare o alt_recycled=false error=0
while [[ $# -gt 0 ]]; do
case $1 in
--)
params=("${params[@]}" "${@:2}")
break
;;
--*=*)
o=${1%%=*}
if ! o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then
error=1
elif [[ ,"$long", == *,"${o#--}"::,* ]]; then
opts=("${opts[@]}" "$o" "${1#*=}")
elif [[ ,"$long", == *,"${o#--}":,* ]]; then
opts=("${opts[@]}" "$o" "${1#*=}")
elif [[ ,"$long", == *,"${o#--}",* ]]; then
if $alt_recycled; then o=${o#-}; fi
_getopt_err "$name: option '$o' doesn't allow an argument"
error=1
else
echo "getopt: assertion failed (1)" >&2
return 3
fi
alt_recycled=false
;;
--?*)
o=$1
if ! o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then
error=1
elif [[ ,"$long", == *,"${o#--}",* ]]; then
opts=("${opts[@]}" "$o")
elif [[ ,"$long", == *,"${o#--}::",* ]]; then
opts=("${opts[@]}" "$o" '')
elif [[ ,"$long", == *,"${o#--}:",* ]]; then
if [[ $# -ge 2 ]]; then
shift
opts=("${opts[@]}" "$o" "$1")
else
if $alt_recycled; then o=${o#-}; fi
_getopt_err "$name: option '$o' requires an argument"
error=1
fi
else
echo "getopt: assertion failed (2)" >&2
return 3
fi
alt_recycled=false
;;
-*)
if [[ $flags == *a* ]]; then
# Alternative parsing mode!
# Try to handle as a long option if any of the following apply:
# 1. There's an equals sign in the mix -x=3 or -xy=3
# 2. There's 2+ letters and an abbreviated long match -xy
# 3. There's a single letter and an exact long match
# 4. There's a single letter and no short match
o=${1::2} # temp for testing #4
if [[ $1 == *=* || $1 == -?? || \
,$long, == *,"${1#-}"[:,]* || \
,$short, != *,"${o#-}"[:,]* ]]; then
o=$(_getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" 2> /dev/null)
case $? in
0)
# Unambiguous match. Let the long options parser handle
# it, with a flag to get the right error message.
set -- "-$1" "${@:2}"
alt_recycled=true
continue
;;
1)
# Ambiguous match, generate error and continue.
_getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" > /dev/null
error=1
shift
continue
;;
2)
# No match, fall through to single-character check.
true
;;
*)
echo "getopt: assertion failed (3)" >&2
return 3
;;
esac
fi
fi
o=${1::2}
if [[ "$short" == *"${o#-}"::* ]]; then
if [[ ${#1} -gt 2 ]]; then
opts=("${opts[@]}" "$o" "${1:2}")
else
opts=("${opts[@]}" "$o" '')
fi
elif [[ "$short" == *"${o#-}":* ]]; then
if [[ ${#1} -gt 2 ]]; then
opts=("${opts[@]}" "$o" "${1:2}")
elif [[ $# -ge 2 ]]; then
shift
opts=("${opts[@]}" "$o" "$1")
else
_getopt_err "$name: option requires an argument -- '${o#-}'"
error=1
fi
elif [[ "$short" == *"${o#-}"* ]]; then
opts=("${opts[@]}" "$o")
if [[ ${#1} -gt 2 ]]; then
set -- "$o" "-${1:2}" "${@:2}"
fi
else
if [[ $flags == *a* ]]; then
# Alternative parsing mode! Report on the entire failed
# option. GNU includes =value but we omit it for sanity with
# very long values.
_getopt_err "$name: unrecognized option '${1%%=*}'"
else
_getopt_err "$name: invalid option -- '${o#-}'"
if [[ ${#1} -gt 2 ]]; then
set -- "$o" "-${1:2}" "${@:2}"
fi
fi
error=1
fi
;;
*)
# GNU getopt in-place mode (leading dash on short options)
# overrides POSIXLY_CORRECT
if [[ $flags == *i* ]]; then
opts=("${opts[@]}" "$1")
elif [[ $flags == *p* ]]; then
params=("${params[@]}" "$@")
break
else
params=("${params[@]}" "$1")
fi
;;
esac
shift
done
if [[ $flags == *Q* ]]; then
true # generate no output
else
echo -n ' '
if [[ $flags == *[cu]* ]]; then
printf '%s -- %s' "${opts[*]}" "${params[*]}"
else
if [[ $flags == *t* ]]; then
_getopt_quote_csh "${opts[@]}" -- "${params[@]}"
else
_getopt_quote "${opts[@]}" -- "${params[@]}"
fi
fi
echo
fi
return $error
}
_getopt_err() {
if [[ $flags != *q* ]]; then
printf '%s\n' "$1" >&2
fi
}
_getopt_resolve_abbrev() {
# Resolves an abbrevation from a list of possibilities.
# If the abbreviation is unambiguous, echoes the expansion on stdout
# and returns 0. If the abbreviation is ambiguous, prints a message on
# stderr and returns 1. (For first parse this should convert to exit
# status 2.) If there is no match at all, prints a message on stderr
# and returns 2.
declare a q="$1"
declare -a matches
shift
for a; do
if [[ $q == "$a" ]]; then
# Exact match. Squash any other partial matches.
matches=("$a")
break
elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q" ]]; then
# Exact alternative match. Squash any other partial matches.
matches=("$a")
break
elif [[ $a == "$q"* ]]; then
# Abbreviated match.
matches=("${matches[@]}" "$a")
elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q"* ]]; then
# Abbreviated alternative match.
matches=("${matches[@]}" "${a#-}")
fi
done
case ${#matches[@]} in
0)
[[ $flags == *q* ]] ||
printf "$name: unrecognized option %s\\n" \
"$(_getopt_quote "$q")" >&2
return 2
;;
1)
printf '%s' "${matches[0]}"
return 0
;;
*)
[[ $flags == *q* ]] ||
printf "$name: option %s is ambiguous; possibilities: %s\\n" \
"$(_getopt_quote "$q")" "$(_getopt_quote "${matches[@]}")" >&2
return 1
;;
esac
}
_getopt_split() {
# Splits $2 at commas to build array specified by $1
declare IFS=,
eval "$1=( \$2 )"
}
_getopt_quote() {
# Quotes arguments with single quotes, escaping inner single quotes
declare s space q=\'
for s; do
printf "$space'%s'" "${s//$q/$q\\$q$q}"
space=' '
done
}
_getopt_quote_csh() {
# Quotes arguments with single quotes, escaping inner single quotes,
# bangs, backslashes and newlines
declare s i c space
for s; do
echo -n "$space'"
for ((i = 0; i < ${#s}; i++)); do
c=${s:i:1}
case $c in
\\ | \' | !)
echo -n "'\\$c'"
;;
$'\n')
echo -n "\\$c"
;;
*)
echo -n "$c"
;;
esac
done
echo -n \'
space=' '
done
}
_getopt_help() {
cat <<- EOT >&2
Usage:
getopt <optstring> <parameters>
getopt [options] [--] <optstring> <parameters>
getopt [options] -o|--options <optstring> [options] [--] <parameters>
Parse command options.
Options:
-a, --alternative allow long options starting with single -
-l, --longoptions <longopts> the long options to be recognized
-n, --name <progname> the name under which errors are reported
-o, --options <optstring> the short options to be recognized
-q, --quiet disable error reporting by getopt(3)
-Q, --quiet-output no normal output
-s, --shell <shell> set quoting conventions to those of <shell>
-T, --test test for getopt(1) version
-u, --unquoted do not quote the output
-h, --help display this help and exit
-V, --version output version information and exit
For more details see getopt(1).
EOT
}
_getopt_version_check() {
if [[ -z $BASH_VERSION ]]; then
echo "getopt: unknown version of bash might not be compatible" >&2
return 1
fi
# This is a lexical comparison that should be sufficient forever.
if [[ $BASH_VERSION < 2.05b ]]; then
echo "getopt: bash $BASH_VERSION might not be compatible" >&2
return 1
fi
return 0
}
_getopt_version_check
_getopt_main "$@"
declare status=$?
unset -f _getopt_main _getopt_err _getopt_parse _getopt_quote \
_getopt_quote_csh _getopt_resolve_abbrev _getopt_split _getopt_help \
_getopt_version_check
return $status
}
[[ $BASH_SOURCE != "$0" ]] || main "$@"