Merge branch 'enhancement/add_workers' of github.com:Checkmarx/kics i…

…nto enhancement/add_workers
Checkmarx · May 4, 2021 · 23c0e2a · 23c0e2a
2 parents 1131814 + b32444f
commit 23c0e2a
Show file tree

Hide file tree

Showing 280 changed files with 8,482 additions and 681 deletions.
diff --git a/.github/scripts/get-coverage.py b/.github/scripts/get-coverage.py
@@ -120,17 +120,17 @@ def main():
     args = parse_args()
     lines = load_coverage(args)
     stats = calc_file_stats(lines)
-    total = total_cov(stats)
+    total = round(total_cov(stats))
     if os.environ.get('GITHUB_RUN_ID'):
         if total >= 90:
-          color = 'brightgreen'
+            color = 'brightgreen'
         elif total >= 80:
-          color = 'green'
+            color = 'green'
         elif total >= 75:
-          color = 'orange'
+            color = 'orange'
         else:
-          color = 'red'
-        print("::set-output name=coverage::%.2f" % (total))
+            color = 'red'
+        print(f"::set-output name=coverage::{total}")
         print(f"::set-output name=color::{color}")
     print(f"Total coverage: {total}")
 

diff --git a/.github/scripts/samples-linters/ignore-list/terraform b/.github/scripts/samples-linters/ignore-list/terraform
@@ -8,3 +8,5 @@ assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive.tf
 assets/queries/terraform/aws/hardcoded_aws_access_key/test/negative.tf
 assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive.tf
 assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/negative.tf
+assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_128/test/positive2.tf
+assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_128/test/negative2.tf
diff --git a/.github/workflows/go-ci-coverage.yaml b/.github/workflows/go-ci-coverage.yaml
@@ -69,5 +69,5 @@ jobs:
           git add coverage.svg
           git add coverage.html
           git status
-          git commit -m 'chore: updating coverage'
+          git commit -m 'chore(tests): updating test coverage report and badge'
           git push origin gh-pages
diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml
@@ -9,82 +9,83 @@ jobs:
     name: integration-tests
     runs-on: ubuntu-latest
     steps:
-    - name: Cancel Previous Runs
-      uses: styfle/[email protected]
-      with:
-        access_token: ${{ github.token }}
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
-      with:
-        persist-credentials: false
-    - name: Set up Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@master
-    - name: Cache Docker layers
-      uses: actions/[email protected]
-      with:
-        path: /tmp/.buildx-cache
-        key: ${{ runner.os }}-buildx-${{ github.ref }}
-        restore-keys: |
-          ${{ runner.os }}-buildx-${{ github.ref }}
-    - name: Get short SHA
-      run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV
-    - name: Build
-      id: docker_build
-      uses: docker/build-push-action@v2
-      with:
-        load: true
-        context: ./
-        file: ./Dockerfile
-        builder: ${{ steps.buildx.outputs.name }}
-        push: false
-        tags:  kics:${{ github.sha }}
-        build-args: |
-          VERSION=${GITHUB_SHA_SHORT}
-          COMMIT=${GITHUB_SHA}
-        cache-from: type=local,src=/tmp/.buildx-cache
-        cache-to: type=local,dest=/tmp/.buildx-cache
-    - name: Image digest
-      run: echo ${{ steps.docker_build.outputs.digest }}
-    - name: Run docker image and generate results.json
-      run: |
-        docker run -v ${PWD}/assets/queries:/path \
-          -e SENTRY_DSN=${{secrets.SENTRY_DSN}} \
-          kics:${{ github.sha }} scan --silent --ignore-on-exit "results" --log-level DEBUG --log-file --log-path "/path/info.log" -p "/path" -o "/path/results.json"
-    - name: Archive test logs
-      uses: actions/upload-artifact@v2
-      if: always()
-      with:
-        name: integration-logs-${{ github.event.pull_request.head.sha }}
-        path: assets/queries/info.log
-    - name: Display results
-      run: |
-        cat  ${PWD}/assets/queries/results.json
-    - name: Archive test results
-      uses: actions/upload-artifact@v2
-      with:
-        name: integration-results-${{ github.event.pull_request.head.sha }}
-        path: assets/queries/results.json
-    - name: Assert results.json
-      run: |
-        set -eo pipefail
+      - name: Cancel Previous Runs
+        uses: styfle/[email protected]
+        with:
+          access_token: ${{ github.token }}
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+      - name: Cache Docker layers
+        uses: actions/[email protected]
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.ref }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-${{ github.ref }}
+      - name: Get short SHA
+        run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          load: true
+          context: ./
+          file: ./Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: false
+          tags: kics:${{ github.sha }}
+          build-args: |
+            VERSION=${GITHUB_SHA_SHORT}
+            COMMIT=${GITHUB_SHA}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
+      - name: Run docker image and generate results.json
+        run: |
+          docker run -v ${PWD}/assets/queries:/path \
+            -e SENTRY_DSN=${{secrets.SENTRY_DSN}} \
+            kics:${{ github.sha }} scan --silent --ignore-on-exit "results" --log-level DEBUG --log-file --log-path "/path/info.log" -p "/path" -o "/path/results.json"
+      - name: Archive test logs
+        uses: actions/upload-artifact@v2
+        if: always()
+        with:
+          name: integration-logs-${{ github.event.pull_request.head.sha }}
+          path: assets/queries/info.log
+      - name: Display results
+        run: |
+          cat  ${PWD}/assets/queries/results.json
+      - name: Archive test results
+        uses: actions/upload-artifact@v2
+        with:
+          name: integration-results-${{ github.event.pull_request.head.sha }}
+          path: assets/queries/results.json
+      - name: Assert results.json
+        run: |
+          set -eo pipefail
 
-        COUNT=$(jq '.queries_total' ${PWD}/assets/queries/results.json)
-        echo "Assert queries_total > 0 in results.json :: ${COUNT}"
-        echo $COUNT | xargs -i{} test {} -gt 0
+          COUNT=$(jq '.queries_total' ${PWD}/assets/queries/results.json)
+          echo "Assert queries_total > 0 in results.json :: ${COUNT}"
+          echo $COUNT | xargs -i{} test {} -gt 0
 
-        COUNT=$(jq '.total_counter' ${PWD}/assets/queries/results.json)
-        echo "Assert total_counter > 0 in results.json :: ${COUNT}"
-        echo $COUNT | xargs -i{} test {} -gt 0
+          COUNT=$(jq '.total_counter' ${PWD}/assets/queries/results.json)
+          echo "Assert total_counter > 0 in results.json :: ${COUNT}"
+          echo $COUNT | xargs -i{} test {} -gt 0
 
-        COUNT=$(jq '.files_scanned' ${PWD}/assets/queries/results.json)
-        echo "Assert files_scanned > 0 in results.json :: ${COUNT}"
-        echo $COUNT | xargs -i{} test {} -gt 0
+          COUNT=$(jq '.files_scanned' ${PWD}/assets/queries/results.json)
+          echo "Assert files_scanned > 0 in results.json :: ${COUNT}"
+          echo $COUNT | xargs -i{} test {} -gt 0
 
-        COUNT=$(jq '.queries_failed_to_execute' ${PWD}/assets/queries/results.json)
-        echo "Assert queries_failed_to_execute == 0 in results.json :: ${COUNT}"
-        echo $COUNT | xargs -i{} test {} -eq 0
+          COUNT=$(jq '.queries_failed_to_execute' ${PWD}/assets/queries/results.json)
+          echo "Assert queries_failed_to_execute == 0 in results.json :: ${COUNT}"
+          echo $COUNT | xargs -i{} test {} -eq 0
 
-        COUNT=$(jq '.files_failed_to_scan' ${PWD}/assets/queries/results.json)
-        echo "Assert files_failed_to_scan == 0 in results.json :: ${COUNT}"
-        echo $COUNT | xargs -i{} test {} -eq 0
+          COUNT=$(jq '.files_failed_to_scan' ${PWD}/assets/queries/results.json)
+          echo "Assert files_failed_to_scan == 0 in results.json :: ${COUNT}"
+          echo $COUNT | xargs -i{} test {} -eq 0
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -5,8 +5,8 @@ on:
     branches:
       - master
     paths:
-      - 'docs/**'
-      - 'mkdocs.yml'
+      - "docs/**"
+      - "mkdocs.yml"
 jobs:
   deploy:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-dkr-image-for-tag.yml b/.github/workflows/release-dkr-image-for-tag.yml
@@ -64,6 +64,7 @@ jobs:
           build-args: |
             VERSION=${{ github.event.inputs.tag }}
             COMMIT=${{ github.sha }}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
       - name: Push alpine to Docker Hub
         if: ${{ hashFiles('Dockerfile.integration') }} != ""
         uses: docker/build-push-action@v2
@@ -75,3 +76,4 @@ jobs:
           build-args: |
             VERSION=${{ github.event.inputs.tag }}
             COMMIT=${{ github.sha }}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
@@ -49,6 +49,7 @@ jobs:
           build-args: |
             VERSION=${{ steps.get-version.outputs.version }}
             COMMIT=${{ github.sha }}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
       - name: Push alpine to Docker Hub
         uses: docker/build-push-action@v2
         id: build_alpine
@@ -60,6 +61,7 @@ jobs:
           build-args: |
             VERSION=${{ steps.get-version.outputs.version }}
             COMMIT=${{ github.sha }}
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
       - name: Update repo description
         uses: peter-evans/dockerhub-description@v2
         with:

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -59,6 +59,7 @@ jobs:
           args: release --rm-dist --snapshot --skip-validate --config="./.goreleaser-nightly.yml"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
       - name: delete release
         uses: dev-drprasad/[email protected]
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: goreleaser
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   goreleaser:
@@ -39,3 +39,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           KICS_BOT_PAT: ${{ secrets.KICS_BOT_PAT }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
diff --git a/.github/workflows/update-docs-index.yaml b/.github/workflows/update-docs-index.yaml
@@ -38,9 +38,9 @@ jobs:
       - name: Create pull request
         uses: peter-evans/create-pull-request@v3
         with:
-          title: "docs(kicsbot): updating links in index page - ${{ steps.cversion.outputs.version }}"
+          title: "docs(index): updating links in index page - ${{ steps.cversion.outputs.version }}"
           token: ${{ secrets.KICS_BOT_PAT }}
-          commit-message: "docs(kicsbot): updating links in index page"
+          commit-message: "docs(index): updating links in index page"
           delete-branch: true
           branch: feature/kicsbot-update-docs-index
           base: master

diff --git a/.github/workflows/update-docs-queries.yaml b/.github/workflows/update-docs-queries.yaml
@@ -33,9 +33,9 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v3
         with:
-          title: "docs(kicsbot): update queries catalog"
+          title: "docs(queries): update queries catalog"
           token: ${{ secrets.KICS_BOT_PAT }}
-          commit-message: "docs(kicsbot): update queries catalog"
+          commit-message: "docs(queries): update queries catalog"
           delete-branch: true
           branch: feature/kicsbot-update-queries-docs
           body: |

diff --git a/.github/workflows/update-install-script.yaml b/.github/workflows/update-install-script.yaml
@@ -54,10 +54,10 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v3
         with:
-          title: "chore(kicsbot): update install script"
+          title: "chore(install): update install script"
           token: ${{ secrets.KICS_BOT_PAT }}
           delete-branch: true
-          commit-message: "chore(kicsbot): update install script"
+          commit-message: "chore(install): update install script"
           branch: feature/kicsbot-update-install-script
           base: master
           body: |

diff --git a/.goreleaser-nightly.yml b/.goreleaser-nightly.yml
@@ -10,8 +10,11 @@ builds:
     goarch:
       - amd64
     ldflags:
-      - -X github.com/Checkmarx/kics/internal/constants.Version={{.Version}}-{{.ShortCommit}}
-      - -X github.com/Checkmarx/kics/internal/constants.SCMCommit={{.Commit}}
+      - -s
+      - -w
+      - -X github.com/Checkmarx/kics/internal/constants.Version={{ .Version }}-{{ .ShortCommit }}
+      - -X github.com/Checkmarx/kics/internal/constants.SCMCommit={{ .Commit }}
+      - -X github.com/Checkmarx/kics/internal/constants.SentryDSN={{ .Env.SENTRY_DSN }}
 archives:
   - builds: [kics]
     format_overrides:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -18,8 +18,11 @@ builds:
       - goos: windows
         goarm: 7
     ldflags:
-      - -X github.com/Checkmarx/kics/internal/constants.Version={{.Version}}
-      - -X github.com/Checkmarx/kics/internal/constants.SCMCommit={{.Commit}}
+      - -s
+      - -w
+      - -X github.com/Checkmarx/kics/internal/constants.Version={{ .Version }}
+      - -X github.com/Checkmarx/kics/internal/constants.SCMCommit={{ .Commit }}
+      - -X github.com/Checkmarx/kics/internal/constants.SentryDSN={{ .Env.SENTRY_DSN }}
 archives:
   - builds: [kics]
     format_overrides:
@@ -39,7 +42,7 @@ brews:
       name: homebrew-tap
       token: "{{ .Env.KICS_BOT_PAT }}"
     folder: Formula
-    homepage:  https://github.com/Checkmarx/kics
+    homepage: https://github.com/Checkmarx/kics
     description: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC
     license: Apache
     test: |

diff --git a/Dockerfile b/Dockerfile
@@ -8,8 +8,9 @@ USER Checkmarx
 WORKDIR /app
 
 ENV GOPRIVATE=github.com/Checkmarx/*
-ARG VERSION="dev"
-ARG COMMIT="N/A"
+ARG VERSION="development"
+ARG COMMIT="NOCOMMIT"
+ARG SENTRY_DSN=""
 
 #Copy go mod and sum files
 COPY --chown=Checkmarx:Checkmarx go.mod .
@@ -24,7 +25,7 @@ COPY . .
 USER root
 # Build the Go app
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-    -ldflags "-X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT}" \
+    -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" \
     -a -installsuffix cgo \
     -o bin/kics cmd/console/main.go
 USER Checkmarx

diff --git a/Dockerfile.integration b/Dockerfile.integration
@@ -9,7 +9,9 @@ WORKDIR /app
 
 
 ENV GOPRIVATE=github.com/Checkmarx/*
-ARG VERSION=development
+ARG VERSION="development"
+ARG COMMIT="NOCOMMIT"
+ARG SENTRY_DSN=""
 
 #Copy go mod and sum files
 COPY --chown=Checkmarx:Checkmarx go.mod .
@@ -24,7 +26,7 @@ COPY . .
 USER root
 # Build the Go app
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-  -ldflags "-X github.com/Checkmarx/kics/internal/constants.Version=${VERSION}" -a -installsuffix cgo \
+  -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN}" -a -installsuffix cgo \
   -o bin/kics cmd/console/main.go
 USER Checkmarx