add rule for enforcing terrascan pre-commit hook
Co-authored-by: Giuseppe Scuglia <[email protected]>
Showing
4 changed files
with
104 additions
and
0 deletions.
19 changes: 19 additions & 0 deletions
19
rule-types/common/require_terrascan_pre_commit_hook.test.yaml
@@ -0,0 +1,19 @@ | ||
tests: | ||
- name: "Should have Talisman pre-commit hook configured" | ||
def: {} | ||
params: {} | ||
expect: "pass" | ||
git: | ||
repo_base: correct | ||
- name: "Should fail Talisman pre-commit hook is not configured" | ||
def: {} | ||
params: {} | ||
expect: "fail" | ||
git: | ||
repo_base: misconfigured | ||
- name: "Should fail is pre-commit is not configured at all" | ||
def: {} | ||
params: {} | ||
expect: "fail" | ||
git: | ||
repo_base: empty |
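Review bot: The test names in this new test file describe the wrong tool: the first two cases say "Talisman" although the rule under test is require_terrascan_pre_commit_hook, and the third reads "Should fail is pre-commit is not configured at all". Since these names are what a failing test run prints, rename them to `- name: "Should have Terrascan pre-commit hook configured"`, `- name: "Should fail if Terrascan pre-commit hook is not configured"` and `- name: "Should fail if pre-commit is not configured at all"`. The three fixtures (`correct`, `misconfigured`, `empty`) otherwise cover the present, wrong-hook and missing-file cases the rule distinguishes.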
13 changes: 13 additions & 0 deletions
13
rule-types/common/require_terrascan_pre_commit_hook.testdata/correct/.pre-commit-config.yaml
@@ -0,0 +1,13 @@ | ||
repos: | ||
- repo: https://github.com/pre-commit/pre-commit-hooks | ||
rev: v3.2.0 | ||
hooks: | ||
- id: trailing-whitespace | ||
- id: end-of-file-fixer | ||
- id: check-yaml | ||
- id: check-added-large-files | ||
|
||
- repo: https://github.com/tenable/terrascan | ||
rev: 'v1.28.0' | ||
hooks: | ||
- id: terraform-pre-commit |
9 changes: 9 additions & 0 deletions
9
...s/common/require_terrascan_pre_commit_hook.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,9 @@ | ||
repos: | ||
- repo: https://github.com/pre-commit/pre-commit-hooks | ||
rev: v3.2.0 | ||
hooks: | ||
- id: trailing-whitespace | ||
- id: end-of-file-fixer | ||
- id: check-yaml | ||
- id: check-added-large-files | ||
args: ['--maxkb=600'] |
@@ -0,0 +1,63 @@ | ||
--- | ||
version: v1 | ||
release_phase: alpha | ||
type: rule-type | ||
name: require_terrascan_pre_commit_hook | ||
display_name: Enable Terrascan Pre-commit hooks for detecting compliance and security violations | ||
short_failure_message: Terrascan Pre-commit hook is not configured for the repository | ||
severity: | ||
value: medium | ||
context: {} | ||
description: | | ||
Verifies that Terrascan Pre-commit hook is configured for the repository | ||
guidance: | | ||
Ensure that Terrascan is configured as a (pre-commit)[https://pre-commit.com/] | ||
hook for the repository. | ||
Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to: | ||
- Seamlessly scan infrastructure as code for misconfigurations. | ||
- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture. | ||
- Detect security vulnerabilities and compliance violations. | ||
- Mitigate risks before provisioning cloud native infrastructure. | ||
- Offers flexibility to run locally or integrate with your CI\CD. | ||
[Read more](https://runterrascan.io/) | ||
def: | ||
in_entity: repository | ||
rule_schema: | ||
type: object | ||
properties: {} | ||
ingest: | ||
type: git | ||
git: {} | ||
eval: | ||
type: rego | ||
rego: | ||
type: deny-by-default | ||
def: | | ||
package minder | ||
import future.keywords.if | ||
import future.keywords.every | ||
default message := "Terrascan pre-commit hook is not configured for the repository" | ||
default allow := false | ||
# pre-commit hook | ||
precommit := file.read(".pre-commit-config.yaml") | ||
parsed_data := parse_yaml(precommit) | ||
allow if { | ||
some repo_id, hook_id | ||
repo_data := parsed_data.repos[repo_id] | ||
endswith(repo_data["repo"], "https://github.com/tenable/terrascan") | ||
hooks = repo_data["hooks"] | ||
hooks[hook_id].id == "terraform-pre-commit" | ||
} | ||
message := "" if allow | ||
alert: | ||
type: security_advisory | ||
security_advisory: {} |
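Review bot: The `allow` rule's `endswith(repo_data["repo"], "https://github.com/tenable/terrascan")` accepts any repo URL that merely ends with that string, so a URL on another host or with a different prefix that happens to end the same way also satisfies a check whose purpose is to guarantee the upstream scanner runs. Compare for equality after normalising a trailing slash instead, e.g. `repo := trim_suffix(repo_data["repo"], "/")` followed by `repo == "https://github.com/tenable/terrascan"`. `import future.keywords.every` is unused, and `hooks = repo_data["hooks"]` uses unification where the rest of the rule uses `:=`. In `guidance`, the markdown link is inverted — `(pre-commit)[https://pre-commit.com/]` should be `[pre-commit](https://pre-commit.com/)` — and `CI\CD` should read `CI/CD`. This section's file header is not shown on the page, so the file's path is only inferred from `name: require_terrascan_pre_commit_hook`.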