Merge pull request #1 from aquasecurity/add-folder-scanning

add support for scanning folders

.vscode/launch.json

@@ -0,0 +1,16 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Basic cfsec",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/cfsec/main.go",
+            "args": ["${workspaceFolder}/example/bucket.yaml"]
+          },
+    ]
+}

cmd/cfsec/main.go

@@ -1,28 +1,47 @@
 package main
 
 import (
+	"fmt"
 	"os"
 
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/formatters"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/resource"
 	_ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
 )
 
 func main() {
 
 	if len(os.Args) < 2 {
-		os.Args = append(os.Args, ".")
+		if wd, err := os.Getwd(); err != nil {
+			os.Args = append(os.Args, wd)
+		}
 	}
 	filepath := os.Args[1]
 
-	resources, err := parser.New(filepath)
+	var resources resource.Resources
+	var err error
+
+	if stat, err := os.Stat(filepath); err == nil {
+		if stat.IsDir() {
+			resources, err = parser.NewForDirectory(filepath)
+		} else {
+			resources, err = parser.New(filepath)
+		}
+		if err != nil {
+			fmt.Println(err.Error())
+			return
+		}
+	} else {
+		panic(fmt.Errorf("couldn't find the filepath when stating"))
+	}
+
 	if err != nil {
 		panic(err)
 	}
 	s := scanner.New()
 	results := s.Scan(resources)
 
 	formatters.FormatDefault(os.Stdout, results, "")
-
 }

example/bucket.json

@@ -0,0 +1,31 @@
+{
+  "Parameters": {
+    "BucketName": {
+      "Type": "String",
+      "Default": "naughty"
+    },
+    "BucketKeyEnabled": {
+      "Type": "Boolean",
+      "Default": false
+    }
+  },
+  "Resources": {
+    "S3Bucket": {
+      "Type": "AWS::S3::Bucket",
+      "Properties": {
+        "BucketName": {
+          "Ref": "BucketName"
+        },
+        "BucketEncryption": {
+          "ServerSideEncryptionConfiguration": [
+            {
+              "BucketKeyEnabled": {
+                "Ref": "BucketKeyEnabled"
+              }
+            }
+          ]
+        }
+      }
+    }
+  }
+}

internal/app/cfsec/formatters/default.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/result"
@@ -76,14 +77,21 @@ func printResult(res result.Result, i int, includePassedChecks bool) {
 }
 
 func highlightRender(renderText string, attributeOfInterest string) {
+	fmt.Printf("attribute of interest is %s", attributeOfInterest)
+
 	if attributeOfInterest == "" {
 		tml.Println(renderText)
 	} else {
+
+		searchRegex, err := regexp.Compile(fmt.Sprintf("%s[\"|:]", attributeOfInterest))
+		if err != nil {
+			tml.Println(renderText)
+		}
 		var newLines []string
 
 		lines := strings.Split(renderText, "\n")
 		for _, line := range lines {
-			if strings.Contains(line, attributeOfInterest) {
+			if searchRegex.MatchString(line) {
 				newLines = append(newLines, fmt.Sprintf("  <red>%s</red>", line))
 			} else {
 				newLines = append(newLines, fmt.Sprintf("  %s", line))

internal/app/cfsec/parser/parser.go

@@ -1,6 +1,9 @@
 package parser
 
 import (
+	"fmt"
+	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/resource"
@@ -15,7 +18,7 @@ func New(filepaths ...string) (resource.Resources, error) {
 	for _, filepath := range filepaths {
 		template, err := goformation.Open(filepath)
 		if err != nil {
-			return nil, err
+			fmt.Printf("error occurred processing %s. %s", filepath, err.Error())
 		}
 
 		sourceFormat := resource.DefaultFormat
@@ -31,3 +34,33 @@ func New(filepaths ...string) (resource.Resources, error) {
 
 	return resources, nil
 }
+
+func NewForDirectory(dirpath string) (resource.Resources, error) {
+	if stat, err := os.Stat(dirpath); err != nil || !stat.IsDir() {
+		return nil, fmt.Errorf("cannot use the provided filepath: %s", dirpath)
+	}
+
+	var files []string
+
+	err := filepath.Walk(dirpath, func(path string, info os.FileInfo, err error) error {
+		if info.IsDir() || !includeFile(info.Name()) {
+			return nil
+		}
+		files = append(files, path)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return New(files...)
+}
+
+func includeFile(filename string) bool {
+	for _, ext := range []string{".yml", ".yaml", ".json"} {
+		if strings.HasSuffix(strings.ToLower(filename), ext) {
+			return true
+		}
+	}
+	return false
+}

internal/app/cfsec/rules/aws/s3/enable_bucket_encryption_rule.go

@@ -76,7 +76,7 @@ resource "aws_s3_bucket" "good_example" {
 				if !sse.BucketKeyEnabled {
 					set.AddResult().
 						WithDescription("Resource '%s' has BucketKeyEnabled set to false", r.Name()).
-						WithAttributeAnnotation("BucketKeyEnabled:")
+						WithAttributeAnnotation("BucketKeyEnabled")
 				}
 			}