From 4b291213fc2f6d98543ffcc58d0e1e34c399885b Mon Sep 17 00:00:00 2001
From: Daniel Kantor
Date: Thu, 19 Dec 2024 15:43:13 +0100
Subject: [PATCH] add rule for enforcing terrascan pre-commit hook
Co-authored-by: Giuseppe Scuglia
---
...equire_terrascan_pre_commit_hook.test.yaml | 19 ++++++
.../correct/.pre-commit-config.yaml | 13 ++++
.../misconfigured/.pre-commit-config.yaml | 9 +++
.../require_terrascan_pre_commit_hook.yaml | 63 +++++++++++++++++++
4 files changed, 104 insertions(+)
create mode 100644 rule-types/common/require_terrascan_pre_commit_hook.test.yaml
create mode 100644 rule-types/common/require_terrascan_pre_commit_hook.testdata/correct/.pre-commit-config.yaml
create mode 100644 rule-types/common/require_terrascan_pre_commit_hook.testdata/misconfigured/.pre-commit-config.yaml
create mode 100644 rule-types/common/require_terrascan_pre_commit_hook.yaml
diff --git a/rule-types/common/require_terrascan_pre_commit_hook.test.yaml b/rule-types/common/require_terrascan_pre_commit_hook.test.yaml
new file mode 100644
index 0000000..0c961ca
--- /dev/null
+++ b/rule-types/common/require_terrascan_pre_commit_hook.test.yaml
@@ -0,0 +1,19 @@
+tests:
+ - name: "Should have Talisman pre-commit hook configured"
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: correct
+ - name: "Should fail Talisman pre-commit hook is not configured"
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: misconfigured
+ - name: "Should fail is pre-commit is not configured at all"
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: empty
diff --git a/rule-types/common/require_terrascan_pre_commit_hook.testdata/correct/.pre-commit-config.yaml b/rule-types/common/require_terrascan_pre_commit_hook.testdata/correct/.pre-commit-config.yaml
new file mode 100644
index 0000000..88bff22
--- /dev/null
+++ b/rule-types/common/require_terrascan_pre_commit_hook.testdata/correct/.pre-commit-config.yaml
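Review bot: The first two test names say "Talisman" where the rule under test is Terrascan (`- name: "Should have Talisman pre-commit hook configured"` and `"Should fail Talisman pre-commit hook is not configured"`); they look copied from a sibling rule's test file and should read `"Should have Terrascan pre-commit hook configured"` and `"Should fail if Terrascan pre-commit hook is not configured"`. The third name has a typo, `"Should fail is pre-commit is not configured at all"`, which should be `"Should fail if pre-commit is not configured at all"`. That third case also points at `repo_base: empty`, and no `empty` testdata directory appears in the diffstat; if the harness does not treat a missing directory as an empty repository this case would fail for the wrong reason, so it is worth confirming or adding an empty fixture.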
@@ -0,0 +1,13 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+
+- repo: https://github.com/tenable/terrascan
+ rev: 'v1.28.0'
+ hooks:
+ - id: terraform-pre-commit
diff --git a/rule-types/common/require_terrascan_pre_commit_hook.testdata/misconfigured/.pre-commit-config.yaml b/rule-types/common/require_terrascan_pre_commit_hook.testdata/misconfigured/.pre-commit-config.yaml
new file mode 100644
index 0000000..98d3157
--- /dev/null
+++ b/rule-types/common/require_terrascan_pre_commit_hook.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-added-large-files
+ args: ['--maxkb=600']
diff --git a/rule-types/common/require_terrascan_pre_commit_hook.yaml b/rule-types/common/require_terrascan_pre_commit_hook.yaml
new file mode 100644
index 0000000..f1442ed
--- /dev/null
+++ b/rule-types/common/require_terrascan_pre_commit_hook.yaml
@@ -0,0 +1,63 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: require_terrascan_pre_commit_hook
+display_name: Enable Terrascan Pre-commit hooks for detecting compliance and security violations
+short_failure_message: Terrascan Pre-commit hook is not configured for the repository
+severity:
+ value: medium
+context: {}
+description: |
+ Verifies that Terrascan Pre-commit hook is configured for the repository
+guidance: |
+ Ensure that Terrascan is configured as a (pre-commit)[https://pre-commit.com/]
+ hook for the repository.
+
+ Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
+ - Seamlessly scan infrastructure as code for misconfigurations.
+ - Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
+ - Detect security vulnerabilities and compliance violations.
+ - Mitigate risks before provisioning cloud native infrastructure.
+ - Offers flexibility to run locally or integrate with your CI\CD.
+
+ [Read more](https://runterrascan.io/)
+
+def:
+ in_entity: repository
+ rule_schema:
+ type: object
+ properties: {}
+ ingest:
+ type: git
+ git: {}
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+ import future.keywords.if
+ import future.keywords.every
+
+ default message := "Terrascan pre-commit hook is not configured for the repository"
+ default allow := false
+
+
+ # pre-commit hook
+ precommit := file.read(".pre-commit-config.yaml")
+
+ parsed_data := parse_yaml(precommit)
+
+ allow if {
+ some repo_id, hook_id
+ repo_data := parsed_data.repos[repo_id]
+ endswith(repo_data["repo"], "https://github.com/tenable/terrascan")
+ hooks = repo_data["hooks"]
+ hooks[hook_id].id == "terraform-pre-commit"
+ }
+
+ message := "" if allow
+ alert:
+ type: security_advisory
+ security_advisory: {}
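Review bot: The repository match inside `allow if { ... }` uses `endswith(repo_data["repo"], "https://github.com/tenable/terrascan")`, which accepts any URL that merely ends with that string while rejecting the common `.git` and trailing-slash spellings of the same repository; an exact comparison on a normalised value, e.g. `trim_suffix(trim_suffix(repo_data["repo"], "/"), ".git") == "https://github.com/tenable/terrascan"`, is both stricter and more tolerant of legitimate forms. `precommit := file.read(".pre-commit-config.yaml")` is evaluated unconditionally; if the ingester's `file.read` raises on a missing file instead of yielding undefined, the "not configured at all" case would surface as an evaluation error rather than the intended deny, so guarding it with `file.exists(".pre-commit-config.yaml")` (or confirming the builtin's behaviour) would make that path explicit. `import future.keywords.every` is unused, and `hooks = repo_data["hooks"]` mixes unification with the `:=` used on every other line of the policy. In the guidance text the link is written `(pre-commit)[https://pre-commit.com/]` and should be `[pre-commit](https://pre-commit.com/)`, and `CI\CD` should read `CI/CD`.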