Skip to content

Commit

Permalink
add rule for enforcing terrascan pre-commit hook
Browse files Browse the repository at this point in the history
Co-authored-by: Giuseppe Scuglia <[email protected]>
  • Loading branch information
kantord and peppescg committed Dec 19, 2024
1 parent c09f5f3 commit 4b29121
Show file tree
Hide file tree
Showing 4 changed files with 104 additions and 0 deletions.
19 changes: 19 additions & 0 deletions rule-types/common/require_terrascan_pre_commit_hook.test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
tests:
- name: "Should have Talisman pre-commit hook configured"
def: {}
params: {}
expect: "pass"
git:
repo_base: correct
- name: "Should fail Talisman pre-commit hook is not configured"
def: {}
params: {}
expect: "fail"
git:
repo_base: misconfigured
- name: "Should fail is pre-commit is not configured at all"
def: {}
params: {}
expect: "fail"
git:
repo_base: empty
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-added-large-files

- repo: https://github.com/tenable/terrascan
rev: 'v1.28.0'
hooks:
- id: terraform-pre-commit
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-added-large-files
args: ['--maxkb=600']
63 changes: 63 additions & 0 deletions rule-types/common/require_terrascan_pre_commit_hook.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
---
version: v1
release_phase: alpha
type: rule-type
name: require_terrascan_pre_commit_hook
display_name: Enable Terrascan Pre-commit hooks for detecting compliance and security violations
short_failure_message: Terrascan Pre-commit hook is not configured for the repository
severity:
value: medium
context: {}
description: |
Verifies that Terrascan Pre-commit hook is configured for the repository
guidance: |
Ensure that Terrascan is configured as a (pre-commit)[https://pre-commit.com/]
hook for the repository.
Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
- Seamlessly scan infrastructure as code for misconfigurations.
- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
- Detect security vulnerabilities and compliance violations.
- Mitigate risks before provisioning cloud native infrastructure.
- Offers flexibility to run locally or integrate with your CI\CD.
[Read more](https://runterrascan.io/)
def:
in_entity: repository
rule_schema:
type: object
properties: {}
ingest:
type: git
git: {}
eval:
type: rego
rego:
type: deny-by-default
def: |
package minder
import future.keywords.if
import future.keywords.every
default message := "Terrascan pre-commit hook is not configured for the repository"
default allow := false
# pre-commit hook
precommit := file.read(".pre-commit-config.yaml")
parsed_data := parse_yaml(precommit)
allow if {
some repo_id, hook_id
repo_data := parsed_data.repos[repo_id]
endswith(repo_data["repo"], "https://github.com/tenable/terrascan")
hooks = repo_data["hooks"]
hooks[hook_id].id == "terraform-pre-commit"
}
message := "" if allow
alert:
type: security_advisory
security_advisory: {}

0 comments on commit 4b29121

Please sign in to comment.