feat(analyzer): added support to Cloud Development Kit for Terraform …

…(CDKTF) (#4770)
Checkmarx · Feb 1, 2022 · b38bc28 · b38bc28
1 parent 8683d63
commit b38bc28
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 0 deletions.
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/negative3.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/negative3.json
@@ -0,0 +1,45 @@
+{
+  "//": {
+    "metadata": {
+      "backend": "local",
+      "stackName": "cdktf-test",
+      "version": "0.9.0"
+    },
+    "outputs": {}
+  },
+  "provider": {
+    "aws": [
+      {
+        "region": "us-east-1"
+      }
+    ]
+  },
+  "resource": {
+    "aws_instance": {
+      "cdktf-test": {
+        "//": {
+          "metadata": {
+            "path": "cdktf-test/cdktf-test",
+            "uniqueId": "cdktf-test"
+          }
+        },
+        "ami": "ami-1212f123",
+        "instance_type": "t2.micro",
+        "monitoring": true
+      }
+    }
+  },
+  "terraform": {
+    "backend": {
+      "local": {
+        "path": "/terraform.cdktf-test.tfstate"
+      }
+    },
+    "required_providers": {
+      "aws": {
+        "source": "aws",
+        "version": "~> 3.0"
+      }
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive5.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive5.json
@@ -0,0 +1,45 @@
+{
+  "//": {
+    "metadata": {
+      "backend": "local",
+      "stackName": "cdktf-test",
+      "version": "0.9.0"
+    },
+    "outputs": {}
+  },
+  "provider": {
+    "aws": [
+      {
+        "region": "us-east-1"
+      }
+    ]
+  },
+  "resource": {
+    "aws_instance": {
+      "cdktf-test": {
+        "//": {
+          "metadata": {
+            "path": "cdktf-test/cdktf-test",
+            "uniqueId": "cdktf-test"
+          }
+        },
+        "ami": "ami-1212f123",
+        "instance_type": "t2.micro",
+        "monitoring": false
+      }
+    }
+  },
+  "terraform": {
+    "backend": {
+      "local": {
+        "path": "/terraform.cdktf-test.tfstate"
+      }
+    },
+    "required_providers": {
+      "aws": {
+        "source": "aws",
+        "version": "~> 3.0"
+      }
+    }
+  }
+}
diff --git a/...queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/...queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
@@ -22,5 +22,11 @@
     "severity": "INFO",
     "line": 10,
     "fileName": "positive4.tf"
+  },
+  {
+    "queryName": "EC2 Instance Monitoring Disabled",
+    "severity": "INFO",
+    "line": 28,
+    "fileName": "positive5.json"
   }
 ]
diff --git a/docs/platforms.md b/docs/platforms.md
@@ -79,6 +79,17 @@ KICS supports some official modules for AWS that can be found on [Terraform regi
 
 Currently, KICS does not support unofficial or custom modules.
 
+### Cloud Development Kit for Terraform (CDKTF) 
+
+KICS supports scanning CDKTF output JSON. It recognizes it through the fields `metadata`, `stackName`, and `terraform`.
+
+To get your CDKTF output JSON, run the following command inside the directory that contains your app:
+```
+cdktf synth
+```
+
+You can also run the command `cdktf synth --json` to display it in the terminal.
+
 ### Limitations
 
 #### Ansible

diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
@@ -38,6 +38,9 @@ var (
 	tfPlanRegexRC                     = regexp.MustCompile("\\s*\"resource_changes\":")
 	tfPlanRegexConf                   = regexp.MustCompile("\\s*\"configuration\":")
 	tfPlanRegexTV                     = regexp.MustCompile("\\s*\"terraform_version\":")
+	cdkTfRegexMetadata                = regexp.MustCompile("\\s*\"metadata\":")
+	cdkTfRegexStackName               = regexp.MustCompile("\\s*\"stackName\":")
+	cdkTfRegexTerraform               = regexp.MustCompile("\\s*\"terraform\":")
 	blueprintArtifactsRegexKind       = regexp.MustCompile("(\\s*\"kind\":)|(\\s*kind:)")
 	blueprintArtifactsRegexProperties = regexp.MustCompile("(\\s*\"properties\":)|(\\s*properties:)")
 	blueprintRegexTargetScope         = regexp.MustCompile("(\\s*\"targetScope\":)|(\\s*targetScope:)")
@@ -181,6 +184,13 @@ var types = map[string]regexSlice{
 			tfPlanRegexTV,
 		},
 	},
+	"cdkTf": {
+		[]*regexp.Regexp{
+			cdkTfRegexMetadata,
+			cdkTfRegexStackName,
+			cdkTfRegexTerraform,
+		},
+	},
 	"blueprintsartifacts": {
 		[]*regexp.Regexp{
 			blueprintArtifactsRegexKind,
@@ -254,6 +264,9 @@ func checkContent(path string, results, unwanted chan<- string, ext string) {
 
 func checkReturnType(path, returnType, ext string, content []byte) string {
 	if returnType != "" {
+		if returnType == "cdkTf" {
+			return "terraform"
+		}
 		if returnType == "blueprint" || returnType == "blueprintsartifacts" {
 			return arm
 		}