Commit c43527b4 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/normalize-reports' into 'master'

Normalize reports

See merge request to-be-continuous/terraform!46
parents 702c38ca b2fe7172
+22 −2
@@ -364,6 +364,12 @@ Examples:
| `TF_TFLINT_DISABLED`  | Set to `true` to disable tflint                    | _none_ (enabled)  |
| `TF_TFLINT_ARGS`      | tflint extra [options and args](https://github.com/terraform-linters/tflint/#usage) | `--enable-plugin=google --enable-plugin=azurerm --enable-plugin=aws` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$TF_PROJECT_DIR/reports/tflint.xunit.xml` | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |

### `tfsec` job

[tfsec](https://github.com/tfsec/tfsec) uses static analysis of your terraform templates to spot potential security issues and uses the following variables:
@@ -372,7 +378,14 @@ Examples:
| --------------------- | ---------------------------------------- | ----------------- |
| `TF_TFSEC_IMAGE`      | the Docker image used to run tfsec       | `tfsec/tfsec-ci`  |
| `TF_TFSEC_ENABLED`    | Set to `true` to enable tfsec            | _none_ (disabled) |
| `TF_TFSEC_ARGS`       | tfsec options and args                   | `.`               |
| `TF_TFSEC_ARGS`       | tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/) | `.` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$TF_PROJECT_DIR/reports/tfsec.xunit.xml` | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |
| `$TF_PROJECT_DIR/reports/tfsec.native.json` | tfsec JSON | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#tfsec)<br/>_This report is generated only if DefectDojo template is detected_ |

### `checkov` job

@@ -384,6 +397,13 @@ Examples:
| `TF_CHECKOV_ENABLED` | Set to `true` to enable checkov                                                            | _none_ (disabled)    |
| `TF_CHECKOV_ARGS`    | checkov [options and args](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) | `--directory .`      |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$TF_PROJECT_DIR/reports/checkov.xunit.xml` | [JUnit XML](https://www.checkov.io/8.Outputs/JUnit%20XML.html) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |
| `$TF_PROJECT_DIR/reports/checkov.native.json` | checkov JSON | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#checkov-report)<br/>_This report is generated only if DefectDojo template is detected_ |

You can skip checkov specific check adding following comment in code :

```terraform
+2 −2
@@ -68,13 +68,13 @@
      "variables": [
        {
          "name": "TF_TFSEC_IMAGE",
          "description": "Tfsec docker image",
          "description": "tfsec docker image",
          "default": "tfsec/tfsec-ci",
          "advanced": true
        },
        {
          "name": "TF_TFSEC_ARGS",
          "description": "Tfsec args",
          "description": "tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/)",
          "default": "."
        }
      ]
+29 −18
@@ -48,7 +48,6 @@ variables:
  TF_IMAGE: "hashicorp/terraform:light"
  TF_TFSEC_IMAGE: "tfsec/tfsec-ci"
  TF_TFSEC_ARGS: "."

  TF_TFLINT_IMAGE: "ghcr.io/terraform-linters/tflint-bundle:latest"
  TF_TFLINT_ARGS: "--enable-plugin=google --enable-plugin=azurerm --enable-plugin=aws"
  TF_CHECKOV_IMAGE: "bridgecrew/checkov"
@@ -640,17 +639,23 @@ tf-tfsec:
  before_script:
    - *tf-scripts
    - cd "$TF_PROJECT_DIR"
    - mkdir -p reports
    - mkdir -p -m 777 reports
  script:
    - tfsec --format junit --out "reports/tfsec.xml" $TF_TFSEC_ARGS || true
    - tfsec --format json --out "reports/tfsec.json" $TF_TFSEC_ARGS || true
    # tfsec allows generating several report formats at once using --format lovely,junit
    # but the --out option defines the report base name, and each report is generated as "<basename>.format"
    - tfsec --soft-fail --format junit --out "reports/tfsec.xunit.xml" $TF_TFSEC_ARGS
    - |
      if [[ "$DEFECTDOJO_TFSEC_REPORTS" ]]
      then
        tfsec --soft-fail --format json --out "reports/tfsec.native.json" $TF_TFSEC_ARGS
      fi
    - tfsec ${TRACE+--verbose} $TF_TFSEC_ARGS
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    reports:
      junit: $TF_PROJECT_DIR/reports/tfsec.xml
      junit: $TF_PROJECT_DIR/reports/tfsec.xunit.xml
    paths:
      - $TF_PROJECT_DIR/reports/
      - "$TF_PROJECT_DIR/reports/tfsec.*"
  dependencies: []
  rules:
    - if: '$TF_TFSEC_ENABLED != "true"'
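Review bot: `mkdir -p -m 777 reports` makes the report directory world-writable, and that directory is both the artifact root (`$TF_PROJECT_DIR/reports/tfsec.*`) and the source of the JUnit file GitLab ingests, so any other process that shares the runner's workspace could alter the findings before they are uploaded. The 777 mode is presumably needed because the `tfsec/tfsec-ci` image runs as a non-root user that does not own the checked-out workspace (not visible in this hunk); if so, say it on the line so nobody "tightens" it blindly, e.g. `# world-writable: the scanner image runs as a non-root user that does not own the workspace`, and accept the exposure only on ephemeral executors. The `[[ "$DEFECTDOJO_TFSEC_REPORTS" ]]` test is a bash-ism; `[ -n "$DEFECTDOJO_TFSEC_REPORTS" ]` behaves the same under a plain POSIX `sh` if the image lacks bash. The `tf-tfsec` job definition starts before this hunk and its `rules` continue after it.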
@@ -666,17 +671,16 @@ tf-tflint:
    - *tf-scripts
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - cd "$TF_PROJECT_DIR"
    - mkdir -p reports
    - chmod 777 reports
    - mkdir -p -m 777 reports
  script:
    - tflint $TF_TFLINT_ARGS
    - tflint --format=junit $TF_TFLINT_ARGS > reports/tflint.xml
    - tflint --force --format=junit $TF_TFLINT_ARGS > reports/tflint.xunit.xml
    - tflint ${TRACE+--loglevel=debug} $TF_TFLINT_ARGS
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    reports:
      junit: $TF_PROJECT_DIR/reports/tflint.xml
      junit: $TF_PROJECT_DIR/reports/tflint.xunit.xml
    paths:
      - $TF_PROJECT_DIR/reports/
      - "$TF_PROJECT_DIR/reports/tflint.*"
  dependencies: []
  rules:
    - if: '$TF_TFLINT_DISABLED == "true"'
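Review bot: `mkdir -p -m 777 reports` is not equivalent to the removed `mkdir -p reports` followed by `chmod 777 reports`: `-m` only applies to a directory that `mkdir` actually creates, so when `reports/` already exists (a cached or non-ephemeral workspace, or a directory committed to the repo) its mode is left untouched and the non-root scanner user the 777 is presumably meant for would fail to write `reports/tflint.xunit.xml`. If that permission is really required, keep an explicit `chmod 777 reports` (or the narrower `chmod o+w reports`) after the `mkdir -p`. Separately, the redirection in `tflint --force --format=junit $TF_TFLINT_ARGS > reports/tflint.xunit.xml` creates the file before tflint runs, so a tflint error on that line leaves a truncated XML behind; this is only harmless because a failing script line stops the job and, with the default artifact `when`, nothing is uploaded. The `tf-tflint` job definition starts before this hunk and its `rules` continue after it.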
@@ -692,17 +696,24 @@ tf-checkov:
    - *tf-scripts
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - cd "$TF_PROJECT_DIR"
    - mkdir -p reports
    - mkdir -p -m 777 reports
  script:
    - checkov $TF_CHECKOV_ARGS || true
    - checkov $TF_CHECKOV_ARGS -o junitxml > "reports/checkov.xml" || true
    - checkov $TF_CHECKOV_ARGS -o json > "reports/checkov.json"
    # checkov allows generating several report formats at once using multiple --output options
    # and --output-file-path but the option defines an output directory, and report filenames 
    # can't be chosen ("results_junitxml.xml" and "results_cli.txt")
    - checkov --soft-fail --output junitxml $TF_CHECKOV_ARGS > "reports/checkov.xunit.xml"
    - |
      if [[ "$DEFECTDOJO_CHECKOV_REPORTS" ]]
      then
        checkov --soft-fail --output json $TF_CHECKOV_ARGS > "reports/checkov.native.json"
      fi
    - checkov $TF_CHECKOV_ARGS
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    reports:
      junit: $TF_PROJECT_DIR/reports/checkov.xml
      junit: $TF_PROJECT_DIR/reports/checkov.xunit.xml
    paths:
      - $TF_PROJECT_DIR/reports/
      - "$TF_PROJECT_DIR/reports/checkov.*"
  dependencies: []
  rules:
    - if: '$TF_CHECKOV_ENABLED != "true"'
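Review bot: the final unguarded `checkov $TF_CHECKOV_ARGS` is now the only call that can fail the job on findings (the two report runs use `--soft-fail`), but nothing in the script says so, and a future edit adding `|| true` or `--soft-fail` there would silently disable the gate while the reports keep looking healthy; a comment above that line, e.g. `# no --soft-fail here: this run is the one that fails the job on findings`, pins the intent. The `[[ "$DEFECTDOJO_CHECKOV_REPORTS" ]]` test is a bash-ism; `[ -n "$DEFECTDOJO_CHECKOV_REPORTS" ]` is portable if the `bridgecrew/checkov` image only ships a POSIX `sh`. The comment line ending in `report filenames ` carries trailing whitespace that yamllint will flag. The `tf-checkov` job definition starts before this hunk and its `rules` continue after it.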