Commit 9f97bc44 authored by Thomas Boni

Merge branch '632-new-job-tfsec' into 'latest'

Resolve "[New job] - TFSec"

Closes #632

See merge request r2devops/hub!395
parents 939b3c8b 5a515528
+5 −0
# Changelog
All notable changes to this job will be documented in this file.

## [0.1.0] - 2022-09-09
* Initial version
 No newline at end of file
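Review bot: the changelog is missing a trailing newline (the `No newline at end of file` marker at the end of this hunk), so the next edit to this file will show a spurious change on the `* Initial version` line; add the final newline. The `[0.1.0]` heading is not a link as the bracket notation suggests, so either add a link reference for the tag or drop the brackets.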

jobs/tfsec/README.md

0 → 100644
+50 −0
## Objective

Analyze the security for your Terraform code with [tfsec](https://github.com/aquasecurity/tfsec). It supports many popular cloud providers, such as AWS, Azure, GCP, DigitalOcean, and [others](https://github.com/aquasecurity/tfsec#included-checks) and is and ready to use out of the box.

## How to use it

1. Copy the job URL located in the `Install` part of the right panel and add it inside the `include` list of your `.gitlab-ci.yml` file (see the [quick setup](/use-the-hub/#quick-setup)). You can specify [a fixed version](#changelog) instead of `latest`.
1. If you need to customize the job (stage, variables, ...) 👉 check the [jobs
   customization](/use-the-hub/#jobs-customization)
1. Well done, your job is ready to work ! 😀

## Variables

| Name | Description | Default |
| ---- | ----------- | ------- |
| `TFSEC_CHECK_DIR` | The directory to check for Terraform files. | `terraform` |
| `TFSEC_CONFIG_FILE` <img width=100/> | The path or a remote link for the configuration file. See the [documentation](https://aquasecurity.github.io/tfsec/v1.27.6/guides/configuration/config/). <img width=175/>| `tfsec.config.yml` <img width=100/>|
| `TFSEC_FORMATS` | Outputs format list. Each format should be separate by a comma and are saved as artifacts. | `sarif` |
| `TFSEC_MIN_SEVERITY` | The minimum severity to report. One of CRITICAL, HIGH, MEDIUM, LOW. | `LOW` |
| `TFSEC_REGO_DIR` | The directory to check for [custom Rego policies](https://aquasecurity.github.io/tfsec/v1.27.6/guides/rego/rego/), if you wants to add your own rules. See the [documentation](https://www.openpolicyagent.org/docs/latest/policy-language/).  | `rego_policies` |
| `TFSEC_VERSION` | The version for the tfsec CLI. | `1.27.6` |
| `ADDITIONAL_OPTIONS` | Additional options for  the tfsec CLI. | ` ` |
| `IMAGE_TAG` | The default tag for the docker image | `18-alpine` |

## Job details

By default the job shows the results in the [Code Quality widget](https://docs.gitlab.com/ee/ci/testing/code_quality.html#code-quality-widget) inside the merge request. It also reports tests inside the `Test` section in the CI/CD pipeline.

## Artifacts

The result are also saved as artifacts. You can find them in the `artifacts` section of the job.  
Two formats are available by default :
- [JUnit](https://junit.org/junit5/)'s XML report to display error report directly in pipeline `Test` tab and in
merge request widget.
- [CodeClimate](https://codeclimate.com/quality)'s JSON report to display error report directly in merge request widget.

⚠️ Those report are only available if the variable `TFSEC_FORMATS` contains `sarif`.

!!! info "Formats"
    If you want to have more artifacts with other formats, you can add them in the `TFSEC_FORMATS` variable. Available formats can be found [here](https://aquasecurity.github.io/tfsec/v1.27.6/guides/usage/). All specified format will be saved in a file `tfsec-result.<format>`.

## Dependencies

The job uses the following dependencies for converting the `output` to `JUnit` or `CodeClimate`:
- [sarif-junit](https://www.npmjs.com/package/sarif-junit) tool to convert `SARIF` to `JUnit`
- [sarif-codeclimate](https://www.npmjs.com/package/sarif-codeclimate) tool to convert `SARIF` to `CodeClimate`


## Author
This resource is an **[official job](https://docs.r2devops.io/faq-labels/)** added in [**R2Devops repository**](https://gitlab.com/r2devops/hub) by [@GridexX](https://gitlab.com/GridexX)
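Review bot: the artifact file name documented in the "Formats" admonition does not match what the job script copies: the README says every format is saved as `tfsec-result.<format>`, while `jobs/tfsec/tfsec.yml` copies `${RESULT_FILE}.sarif.json` for the SARIF output, so a reader following the README would look for `tfsec-result.sarif` and not find it; document the name tfsec actually writes and keep the script and README consistent. Wording fixes in the same hunk: in "Objective", `and is and ready to use out of the box` should read `and is ready to use out of the box`; in "Artifacts", `The result are also saved` should be `The results are also saved` and `Those report are` should be `Those reports are`; in the `TFSEC_FORMATS` row, `Each format should be separate by a comma and are saved as artifacts` should be `Formats are separated by a comma and each is saved as an artifact`; in the `TFSEC_REGO_DIR` row, `if you wants` should be `if you want`. The `IMAGE_TAG` row says `The default tag for the docker image` without saying which image: it is the tag of the `node` image the job runs in (the tfsec version is controlled by `TFSEC_VERSION`), and that should be stated so users do not expect it to select a tfsec image. Finally, the `<img width=.../>` spacer tags in the `TFSEC_CONFIG_FILE` row are a layout hack that renders as broken images in plain Markdown viewers; drop them.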

jobs/tfsec/tfsec.yml

0 → 100644
+82 −0
stages:
  - tests

tfsec:
  stage: tests
  image:
    name: node:${IMAGE_TAG}
    pull_policy: always
    entrypoint: [""]
  variables:
    TFSEC_CHECK_DIR: "terraform"
    TFSEC_CONFIG_FILE: "tfsec.config.yml"
    TFSEC_FORMATS: "sarif"
    TFSEC_MIN_SEVERITY: "LOW"
    TFSEC_REGO_DIR: "rego_policies"
    TFSEC_VERSION: "1.27.6"
    ADDITIONAL_OPTIONS: ""
    IMAGE_TAG: "18-alpine"

  script:
    # Install packages
    - wget -qO tfsec.tar.gz https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec_${TFSEC_VERSION}_linux_amd64.tar.gz
    - tar -xf tfsec.tar.gz
    - mv ${CI_PROJECT_DIR}/tfsec /bin

    # Create folder for artifacts and reports
    - mkdir ${CI_PROJECT_DIR}/reports
    - mkdir ${CI_PROJECT_DIR}/artifacts

    # Check if the config is fulfill and if it should search for a remote a or local configuration file
    - CONFIG_OPTION=""
    - if [ ! -z ${TFSEC_CONFIG_FILE} ]; then
    -   if [[ ${TFSEC_CONFIG_FILE} = "https://"* ]] || [[ ${TFSEC_CONFIG_FILE} = "http://"* ]] || [[ ${TFSEC_CONFIG_FILE} = "www."* ]]; then
    -     CONFIG_OPTION="--config-file-url ${TFSEC_CONFIG_FILE}"
    -   else
    -     CONFIG_OPTION="--config-file ${CI_PROJECT_DIR}/${TFSEC_CONFIG_FILE}"
    -   fi
    - fi
    
    # Add always the lovely format at the beginning if not present
    # It will print this format to the console and save the result into a file
    # See the output option below
    - if [[ ${TFSEC_FORMATS} != *"lovely"* ]]; then
    -    TFSEC_FORMATS="lovely,${TFSEC_FORMATS}"
    - fi
    - FORMAT_OPTION="-f ${TFSEC_FORMATS}"

    - SEVERITY_OPTION="-m ${TFSEC_MIN_SEVERITY}"
    - REGO_OPTION=""
    - if [ ! -z ${TFSEC_REGO_DIR} ]; then
    -   REGO_OPTION="--rego-policy-dir ${TFSEC_REGO_DIR}"
    - fi 

    # Save to the file with given format according to the variable
    - RESULT_FILE="${CI_PROJECT_DIR}/artifacts/tfsec-result"
    - OUTPUT_OPTION="-O ${RESULT_FILE}"

    - OPTIONS="${CONFIG_OPTION} ${FORMAT_OPTION} ${SEVERITY_OPTION} ${REGO_OPTION} ${OUTPUT_OPTION}"
    - FAILED=true
    - if tfsec ${CI_PROJECT_DIR}/${TFSEC_CHECK_DIR} ${OPTIONS} ${ADDITIONAL_OPTIONS}; then
    -   FAILED=false
    - fi

    # Generates reports for SARIF files
    - if [[ "${TFSEC_FORMATS}" = *"sarif"* ]]; then
    -   cp ${RESULT_FILE}.sarif.json ${CI_PROJECT_DIR}/reports
    -   cd ${CI_PROJECT_DIR}/reports
    -   npx -y sarif-codeclimate@1.0.1 -i ${RESULT_FILE}.sarif.json -o code-climate.json
    -   npx -y sarif-junit@1.1.2 -i ${RESULT_FILE}.sarif.json -o junit.xml --test-suite TfsecTestSuite
    - fi

    - if [ "$FAILED" = true ]; then
    -   exit 1
    - fi
    - exit 0
  artifacts:
    when: always
    paths: 
      - ${CI_PROJECT_DIR}/artifacts
    reports:
      junit: "${CI_PROJECT_DIR}/reports/junit.xml"
      codequality: "${CI_PROJECT_DIR}/reports/code-climate.json"
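Review bot: the tfsec binary is downloaded with `wget` from the GitHub release and extracted under `# Install packages` without any integrity check, so the job executes whatever the download returns and a tampered or substituted archive would run with full access to the checkout and CI variables; verify the tarball against the checksum file published with the release (`sha256sum -c`) before `tar -xf`, or pin the expected SHA-256 of the archive for the default `TFSEC_VERSION` in the job, and fail if it does not match. Smaller points in the same hunk: `[ ! -z ${TFSEC_CONFIG_FILE} ]` and the identical test on `${TFSEC_REGO_DIR}` leave the variable unquoted, so a value containing whitespace breaks the test; write `[ -n "${TFSEC_CONFIG_FILE}" ]`. The archive is extracted into `${CI_PROJECT_DIR}` and `tfsec.tar.gz` is never removed, so it stays in the checkout for the rest of the job; extract into a temporary directory (or `/tmp`) and move only the binary. The `FAILED=true` / `exit 0` dance can be replaced by capturing tfsec's exit status once (`tfsec ... || TFSEC_RC=$?`) and ending the script with `exit "${TFSEC_RC:-0}"`, which preserves the original exit code for the pipeline. The comment `Check if the config is fulfill and if it should search for a remote a or local configuration file` should read `Check whether a config file is set and whether it is a remote URL or a local file`.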