From eeb4c70362cbdf6fbc80988da0d8602d0fc98a09 Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 14:10:47 -0700 Subject: [PATCH 01/30] Add files via upload --- scripts/pre-commit-hook.sh | 78 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 scripts/pre-commit-hook.sh diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh new file mode 100644 index 000000000..8d4892c54 --- /dev/null +++ b/scripts/pre-commit-hook.sh 
@@ -0,0 +1,78 @@ +#!/usr/bin/env bash +set -eo pipefail + +main() { + initialize_ + parse_cmdline_ "$@" + + # propagate $FILES to custom function + terrascan_ "$ARGS" "$FILES" +} + +terrascan_() { + # consume modified files passed from pre-commit so that + # terrascan runs against only those relevant directories + for file_with_path in $FILES; do + file_with_path="${file_with_path// /__REPLACED__SPACE__}" + paths[index]=$(dirname "$file_with_path") + + let "index+=1" + done + + for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do + path_uniq="${path_uniq//__REPLACED__SPACE__/ }" + pushd "$path_uniq" > /dev/null + terrascan scan $ARGS + popd > /dev/null + done +} + +initialize_() { + # get directory containing this script + local dir + local source + source="${BASH_SOURCE[0]}" + while [[ -L $source ]]; do # resolve $source until the file is no longer a symlink + dir="$(cd -P "$(dirname "$source")" > /dev/null && pwd)" + source="$(readlink "$source")" + # if $source was a relative symlink, we need to resolve it relative to the path where the symlink file was located + [[ $source != /* ]] && source="$dir/$source" + done + _SCRIPT_DIR="$(dirname "$source")" + + # source getopt function + # shellcheck source=lib_getopt + . "$_SCRIPT_DIR/lib_getopt" +} + +parse_cmdline_() { + declare argv + argv=$(getopt -n Terrascan -o hi: --long help,iac-type: -- "$@") || return + eval "set -- $argv" + + for argv; do + case $1 in + -i | --iac-type) #add support for all scan options ? + ARGS+=("$1") #add flag + ARGS+=("$2") #Add flag argument (iac provider type) to args array + shift 2 #shift up both args + ;; + -h | --help) + ARGS += ("$1") + shift + --) + shift + FILES+=("$@") #not sure what to do with this, replace with -f, -d handling? + break + ;; + *) + shift + esac + done +} + +# global arrays +declare -a ARGS=() +declare -a FILES=() + +[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@" \ No newline at end of file 
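Review bot: `terrascan_ "$ARGS" "$FILES"` in main and `terrascan scan $ARGS` in terrascan_ expand only element 0 of each array (both are created with `declare -a` at the bottom of the file), so a multi-word option list never reaches terrascan, and terrascan_ ignores its two parameters anyway and iterates the global `$FILES` unquoted. The minimal fix is `for file_with_path in "${FILES[@]}"; do` and `terrascan scan "${ARGS[@]}"`, which also stops staged paths and option values from being word-split and glob-expanded by the shell before they are used. Separately, the `-h | --help)` arm has no `;;` before `--)` and `ARGS += ("$1")` has spaces around `+=`, so bash rejects the whole file at parse time; patch 04 in this series removes that arm.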
From c11c372fd4369d17a55eb17b717608181c946cbe Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 14:13:44 -0700 Subject: [PATCH 02/30] Create .pre-commit-config.yaml --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..cd80e5b15 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/mihirhasan/terrascan + rev: v2.1.5 + hooks: + - id: pre-commit-hook From 34298f924d81d5ebb9537f6d1d63dfe9fd649cb1 Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 14:14:30 -0700 Subject: [PATCH 03/30] Create .pre-commit-hooks.yaml --- .pre-commit-hooks.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .pre-commit-hooks.yaml diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml new file mode 100644 index 000000000..92d922d2d --- /dev/null +++ b/.pre-commit-hooks.yaml @@ -0,0 +1,5 @@ +- id: pre-commit-hook + name: terrascan + description: Runs terrascan on supported IaC templates. + language: script + entry: scripts/pre-commit-hook.sh From 2bd288d4c5830620fc6b49a1bed468de1d966b9e Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 14:31:50 -0700 Subject: [PATCH 04/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 8d4892c54..6e0c3e392 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh 
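Review bot: The hook definition in .pre-commit-hooks.yaml has no `files:` or `types:` filter, so pre-commit hands every staged path (Markdown, lockfiles, binaries) to `scripts/pre-commit-hook.sh`, which then `pushd`s into each file's directory and runs a scan there; add a `files:` pattern for the IaC extensions the hook supports (or `types: [file]` plus a pattern), or state in `description:` that the whole repository is scanned. The entry script also sources `lib_getopt` from its own directory, and that file does not exist in the repository until patch 05, so a consumer pinning this revision gets a hook that fails inside `initialize_`.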
@@ -57,9 +57,6 @@ parse_cmdline_() { ARGS+=("$2") #Add flag argument (iac provider type) to args array shift 2 #shift up both args ;; - -h | --help) - ARGS += ("$1") - shift --) shift FILES+=("$@") #not sure what to do with this, replace with -f, -d handling? @@ -75,4 +72,4 @@ parse_cmdline_() { declare -a ARGS=() declare -a FILES=() -[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@" \ No newline at end of file +[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@" From 308f611ec26ed0628c0a5a319237b058825eed2c Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 14:42:51 -0700 Subject: [PATCH 05/30] Create lib_getopt --- scripts/lib_getopt | 489 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 489 insertions(+) create mode 100644 scripts/lib_getopt diff --git a/scripts/lib_getopt b/scripts/lib_getopt new file mode 100644 index 000000000..d9a0e9cdf --- /dev/null +++ b/scripts/lib_getopt 
@@ -0,0 +1,489 @@ +#!/bin/bash + +getopt() { + # pure-getopt, a drop-in replacement for GNU getopt in pure Bash. + # version 1.4.4 + # + # Copyright 2012-2020 Aron Griffis + # + # Permission is hereby granted, free of charge, to any person obtaining + # a copy of this software and associated documentation files (the + # "Software"), to deal in the Software without restriction, including + # without limitation the rights to use, copy, modify, merge, publish, + # distribute, sublicense, and/or sell copies of the Software, and to + # permit persons to whom the Software is furnished to do so, subject to + # the following conditions: + # + # The above copyright notice and this permission notice shall be included + # in all copies or substantial portions of the Software. + # + # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + # IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + # CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + # TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + _getopt_main() { + # Returns one of the following statuses: + # 0 success + # 1 error parsing parameters + # 2 error in getopt invocation + # 3 internal error + # 4 reserved for -T + # + # For statuses 0 and 1, generates normalized and shell-quoted + # "options -- parameters" on stdout. + + declare parsed status + declare short long='' name flags='' + declare have_short=false + + # Synopsis from getopt man-page: + # + # getopt optstring parameters + # getopt [options] [--] optstring parameters + # getopt [options] -o|--options optstring [options] [--] parameters + # + # The first form can be normalized to the third form which + # _getopt_parse() understands. 
The second form can be recognized after + # first parse when $short hasn't been set. + + if [[ -n ${GETOPT_COMPATIBLE+isset} || $1 == [^-]* ]]; then + # Enable compatibility mode + flags=c$flags + # Normalize first to third synopsis form + set -- -o "$1" -- "${@:2}" + fi + + # First parse always uses flags=p since getopt always parses its own + # arguments effectively in this mode. + parsed=$(_getopt_parse getopt ahl:n:o:qQs:TuV \ + alternative,help,longoptions:,name:,options:,quiet,quiet-output,shell:,test,version \ + p "$@") + status=$? + if [[ $status != 0 ]]; then + if [[ $status == 1 ]]; then + echo "Try \`getopt --help' for more information." >&2 + # Since this is the first parse, convert status 1 to 2 + status=2 + fi + return $status + fi + eval "set -- $parsed" + + while [[ $# -gt 0 ]]; do + case $1 in + (-a|--alternative) + flags=a$flags ;; + + (-h|--help) + _getopt_help + return 2 # as does GNU getopt + ;; + + (-l|--longoptions) + long="$long${long:+,}$2" + shift ;; + + (-n|--name) + name=$2 + shift ;; + + (-o|--options) + short=$2 + have_short=true + shift ;; + + (-q|--quiet) + flags=q$flags ;; + + (-Q|--quiet-output) + flags=Q$flags ;; + + (-s|--shell) + case $2 in + (sh|bash) + flags=${flags//t/} ;; + (csh|tcsh) + flags=t$flags ;; + (*) + echo 'getopt: unknown shell after -s or --shell argument' >&2 + echo "Try \`getopt --help' for more information." >&2 + return 2 ;; + esac + shift ;; + + (-u|--unquoted) + flags=u$flags ;; + + (-T|--test) + return 4 ;; + + (-V|--version) + echo "pure-getopt 1.4.4" + return 0 ;; + + (--) + shift + break ;; + esac + + shift + done + + if ! $have_short; then + # $short was declared but never set, not even to an empty string. + # This implies the second form in the synopsis. + if [[ $# == 0 ]]; then + echo 'getopt: missing optstring argument' >&2 + echo "Try \`getopt --help' for more information." 
>&2 + return 2 + fi + short=$1 + have_short=true + shift + fi + + if [[ $short == -* ]]; then + # Leading dash means generate output in place rather than reordering, + # unless we're already in compatibility mode. + [[ $flags == *c* ]] || flags=i$flags + short=${short#?} + elif [[ $short == +* ]]; then + # Leading plus means POSIXLY_CORRECT, unless we're already in + # compatibility mode. + [[ $flags == *c* ]] || flags=p$flags + short=${short#?} + fi + + # This should fire if POSIXLY_CORRECT is in the environment, even if + # it's an empty string. That's the difference between :+ and + + flags=${POSIXLY_CORRECT+p}$flags + + _getopt_parse "${name:-getopt}" "$short" "$long" "$flags" "$@" + } + + _getopt_parse() { + # Inner getopt parser, used for both first parse and second parse. + # Returns 0 for success, 1 for error parsing, 3 for internal error. + # In the case of status 1, still generates stdout with whatever could + # be parsed. + # + # $flags is a string of characters with the following meanings: + # a - alternative parsing mode + # c - GETOPT_COMPATIBLE + # i - generate output in place rather than reordering + # p - POSIXLY_CORRECT + # q - disable error reporting + # Q - disable normal output + # t - quote for csh/tcsh + # u - unquoted output + + declare name="$1" short="$2" long="$3" flags="$4" + shift 4 + + # Split $long on commas, prepend double-dashes, strip colons; + # for use with _getopt_resolve_abbrev + declare -a longarr + _getopt_split longarr "$long" + longarr=( "${longarr[@]/#/--}" ) + longarr=( "${longarr[@]%:}" ) + longarr=( "${longarr[@]%:}" ) + + # Parse and collect options and parameters + declare -a opts params + declare o alt_recycled=false error=0 + + while [[ $# -gt 0 ]]; do + case $1 in + (--) + params=( "${params[@]}" "${@:2}" ) + break ;; + + (--*=*) + o=${1%%=*} + if ! 
o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then + error=1 + elif [[ ,"$long", == *,"${o#--}"::,* ]]; then + opts=( "${opts[@]}" "$o" "${1#*=}" ) + elif [[ ,"$long", == *,"${o#--}":,* ]]; then + opts=( "${opts[@]}" "$o" "${1#*=}" ) + elif [[ ,"$long", == *,"${o#--}",* ]]; then + if $alt_recycled; then o=${o#-}; fi + _getopt_err "$name: option '$o' doesn't allow an argument" + error=1 + else + echo "getopt: assertion failed (1)" >&2 + return 3 + fi + alt_recycled=false + ;; + + (--?*) + o=$1 + if ! o=$(_getopt_resolve_abbrev "$o" "${longarr[@]}"); then + error=1 + elif [[ ,"$long", == *,"${o#--}",* ]]; then + opts=( "${opts[@]}" "$o" ) + elif [[ ,"$long", == *,"${o#--}::",* ]]; then + opts=( "${opts[@]}" "$o" '' ) + elif [[ ,"$long", == *,"${o#--}:",* ]]; then + if [[ $# -ge 2 ]]; then + shift + opts=( "${opts[@]}" "$o" "$1" ) + else + if $alt_recycled; then o=${o#-}; fi + _getopt_err "$name: option '$o' requires an argument" + error=1 + fi + else + echo "getopt: assertion failed (2)" >&2 + return 3 + fi + alt_recycled=false + ;; + + (-*) + if [[ $flags == *a* ]]; then + # Alternative parsing mode! + # Try to handle as a long option if any of the following apply: + # 1. There's an equals sign in the mix -x=3 or -xy=3 + # 2. There's 2+ letters and an abbreviated long match -xy + # 3. There's a single letter and an exact long match + # 4. There's a single letter and no short match + o=${1::2} # temp for testing #4 + if [[ $1 == *=* || $1 == -?? || \ + ,$long, == *,"${1#-}"[:,]* || \ + ,$short, != *,"${o#-}"[:,]* ]]; then + o=$(_getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" 2>/dev/null) + case $? in + (0) + # Unambiguous match. Let the long options parser handle + # it, with a flag to get the right error message. + set -- "-$1" "${@:2}" + alt_recycled=true + continue ;; + (1) + # Ambiguous match, generate error and continue. 
+ _getopt_resolve_abbrev "${1%%=*}" "${longarr[@]}" >/dev/null + error=1 + shift + continue ;; + (2) + # No match, fall through to single-character check. + true ;; + (*) + echo "getopt: assertion failed (3)" >&2 + return 3 ;; + esac + fi + fi + + o=${1::2} + if [[ "$short" == *"${o#-}"::* ]]; then + if [[ ${#1} -gt 2 ]]; then + opts=( "${opts[@]}" "$o" "${1:2}" ) + else + opts=( "${opts[@]}" "$o" '' ) + fi + elif [[ "$short" == *"${o#-}":* ]]; then + if [[ ${#1} -gt 2 ]]; then + opts=( "${opts[@]}" "$o" "${1:2}" ) + elif [[ $# -ge 2 ]]; then + shift + opts=( "${opts[@]}" "$o" "$1" ) + else + _getopt_err "$name: option requires an argument -- '${o#-}'" + error=1 + fi + elif [[ "$short" == *"${o#-}"* ]]; then + opts=( "${opts[@]}" "$o" ) + if [[ ${#1} -gt 2 ]]; then + set -- "$o" "-${1:2}" "${@:2}" + fi + else + if [[ $flags == *a* ]]; then + # Alternative parsing mode! Report on the entire failed + # option. GNU includes =value but we omit it for sanity with + # very long values. + _getopt_err "$name: unrecognized option '${1%%=*}'" + else + _getopt_err "$name: invalid option -- '${o#-}'" + if [[ ${#1} -gt 2 ]]; then + set -- "$o" "-${1:2}" "${@:2}" + fi + fi + error=1 + fi ;; + + (*) + # GNU getopt in-place mode (leading dash on short options) + # overrides POSIXLY_CORRECT + if [[ $flags == *i* ]]; then + opts=( "${opts[@]}" "$1" ) + elif [[ $flags == *p* ]]; then + params=( "${params[@]}" "$@" ) + break + else + params=( "${params[@]}" "$1" ) + fi + esac + + shift + done + + if [[ $flags == *Q* ]]; then + true # generate no output + else + echo -n ' ' + if [[ $flags == *[cu]* ]]; then + printf '%s -- %s' "${opts[*]}" "${params[*]}" + else + if [[ $flags == *t* ]]; then + _getopt_quote_csh "${opts[@]}" -- "${params[@]}" + else + _getopt_quote "${opts[@]}" -- "${params[@]}" + fi + fi + echo + fi + + return $error + } + + _getopt_err() { + if [[ $flags != *q* ]]; then + printf '%s\n' "$1" >&2 + fi + } + + _getopt_resolve_abbrev() { + # Resolves an abbrevation from a 
list of possibilities. + # If the abbreviation is unambiguous, echoes the expansion on stdout + # and returns 0. If the abbreviation is ambiguous, prints a message on + # stderr and returns 1. (For first parse this should convert to exit + # status 2.) If there is no match at all, prints a message on stderr + # and returns 2. + declare a q="$1" + declare -a matches=() + shift + for a; do + if [[ $q == "$a" ]]; then + # Exact match. Squash any other partial matches. + matches=( "$a" ) + break + elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q" ]]; then + # Exact alternative match. Squash any other partial matches. + matches=( "$a" ) + break + elif [[ $a == "$q"* ]]; then + # Abbreviated match. + matches=( "${matches[@]}" "$a" ) + elif [[ $flags == *a* && $q == -[^-]* && $a == -"$q"* ]]; then + # Abbreviated alternative match. + matches=( "${matches[@]}" "${a#-}" ) + fi + done + case ${#matches[@]} in + (0) + [[ $flags == *q* ]] || \ + printf "$name: unrecognized option %s\\n" >&2 \ + "$(_getopt_quote "$q")" + return 2 ;; + (1) + printf '%s' "${matches[0]}"; return 0 ;; + (*) + [[ $flags == *q* ]] || \ + printf "$name: option %s is ambiguous; possibilities: %s\\n" >&2 \ + "$(_getopt_quote "$q")" "$(_getopt_quote "${matches[@]}")" + return 1 ;; + esac + } + + _getopt_split() { + # Splits $2 at commas to build array specified by $1 + declare IFS=, + eval "$1=( \$2 )" + } + + _getopt_quote() { + # Quotes arguments with single quotes, escaping inner single quotes + declare s space='' q=\' + for s; do + printf "$space'%s'" "${s//$q/$q\\$q$q}" + space=' ' + done + } + + _getopt_quote_csh() { + # Quotes arguments with single quotes, escaping inner single quotes, + # bangs, backslashes and newlines + declare s i c space + for s; do + echo -n "$space'" + for ((i=0; i<${#s}; i++)); do + c=${s:i:1} + case $c in + (\\|\'|!) 
+ echo -n "'\\$c'" ;; + ($'\n') + echo -n "\\$c" ;; + (*) + echo -n "$c" ;; + esac + done + echo -n \' + space=' ' + done + } + + _getopt_help() { + cat <<-EOT >&2 + Usage: + getopt + getopt [options] [--] + getopt [options] -o|--options [options] [--] + Parse command options. + Options: + -a, --alternative allow long options starting with single - + -l, --longoptions the long options to be recognized + -n, --name the name under which errors are reported + -o, --options the short options to be recognized + -q, --quiet disable error reporting by getopt(3) + -Q, --quiet-output no normal output + -s, --shell set quoting conventions to those of + -T, --test test for getopt(1) version + -u, --unquoted do not quote the output + -h, --help display this help and exit + -V, --version output version information and exit + For more details see getopt(1). + EOT + } + + _getopt_version_check() { + if [[ -z $BASH_VERSION ]]; then + echo "getopt: unknown version of bash might not be compatible" >&2 + return 1 + fi + + # This is a lexical comparison that should be sufficient forever. + if [[ $BASH_VERSION < 2.05b ]]; then + echo "getopt: bash $BASH_VERSION might not be compatible" >&2 + return 1 + fi + + return 0 + } + + _getopt_version_check + _getopt_main "$@" + declare status=$? + unset -f _getopt_main _getopt_err _getopt_parse _getopt_quote \ + _getopt_quote_csh _getopt_resolve_abbrev _getopt_split _getopt_help \ + _getopt_version_check + return $status +} + +# vim:sw=2 From 85a3db49b4ec05d907772233f4b2be239735fddf Mon Sep 17 00:00:00 2001 From: mihirhasan <38732914+mihirhasan@users.noreply.github.com> Date: Thu, 29 Jul 2021 22:18:40 -0700 Subject: [PATCH 06/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 6e0c3e392..ea4f66063 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh 
@@ -22,6 +22,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null + echo $ARGS terrascan scan $ARGS popd > /dev/null done From 7d42111fb65f7f9489f4d7d65c0c57dfc7adea54 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:06:07 -0700 Subject: [PATCH 07/30] test update --- scripts/pre-commit-hook.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index ea4f66063..de8523f24 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -54,8 +54,10 @@ parse_cmdline_() { for argv; do case $1 in -i | --iac-type) #add support for all scan options ? - ARGS+=("$1") #add flag - ARGS+=("$2") #Add flag argument (iac provider type) to args array + ARGS+=("$2") #add flag + echo $2 + ARGS+=("$3") + echo $3 #Add flag argument (iac provider type) to args array shift 2 #shift up both args ;; --) From de25d42ce8954ad8bbbd1ead1860724d3c0e006e Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:12:04 -0700 Subject: [PATCH 08/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index de8523f24..2c505005b 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -22,7 +22,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - echo $ARGS + echo 'args' $ARGS terrascan scan $ARGS popd > /dev/null done 
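Review bot: The added `echo $ARGS` is a debug print that lands on the hook's stdout for every scanned directory, and because ARGS is an array the unquoted scalar expansion prints only its first element, so it does not even show what will be passed. Drop it before merging, or if a trace is wanted send it to stderr with the whole array quoted: `printf 'args: %q ' "${ARGS[@]}" >&2`. Patches 08 and 12 keep this line in other forms (`echo 'args' $ARGS`, `echo 'args' ${ARGS[*]}`) and patch 14 adds `echo $PARAMS`; the same remark applies to each of them.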
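Review bot: In the `-i | --iac-type)` arm the new lines append `$2` and `$3`, but after `eval "set -- $argv"` the normalized positional list is `-i <type> -- <files...>`, so `$1` is the flag, `$2` its value and `$3` the `--` separator; the rewrite drops the flag name, pushes `--` into ARGS, and adds two `echo` debug lines. The original `ARGS+=("$1")` / `ARGS+=("$2")` pairing was correct and the existing `shift 2` already matches it. Note also that the loop is `for argv; do` while the arms inspect `$1` and `shift`, which only works because the iteration count equals the original argument count; `while [[ $# -gt 0 ]]; do` says what is meant. Patch 09 reintroduces the same `$2`/`$3` pair, patches 10 and 11 each leave only one of the two, and patch 13 restores the original pair, so these five commits net to no change.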
@@ -54,10 +54,8 @@ parse_cmdline_() { for argv; do case $1 in -i | --iac-type) #add support for all scan options ? - ARGS+=("$2") #add flag - echo $2 - ARGS+=("$3") - echo $3 #Add flag argument (iac provider type) to args array + ARGS+=("$1") #add flag + ARGS+=("$2") shift 2 #shift up both args ;; --) From 9c7518d0e54c504319bd175b18915ee2cc0085cd Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:17:50 -0700 Subject: [PATCH 09/30] 2 --- scripts/pre-commit-hook.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 2c505005b..6b17e1873 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -54,8 +54,8 @@ parse_cmdline_() { for argv; do case $1 in -i | --iac-type) #add support for all scan options ? - ARGS+=("$1") #add flag - ARGS+=("$2") + ARGS+=("$2") #add flag + ARGS+=("$3") shift 2 #shift up both args ;; --) From 403370a9ab74ddd2ce44b0dcf60a23d43a64c2fc Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:19:59 -0700 Subject: [PATCH 10/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 6b17e1873..13f1ab0b0 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -55,7 +55,7 @@ parse_cmdline_() { case $1 in -i | --iac-type) #add support for all scan options ? ARGS+=("$2") #add flag - ARGS+=("$3") + #ARGS+=("$3") shift 2 #shift up both args ;; --) From bfd5cfcdbd41b57a8b3217de6006cbf71a24f53e Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:21:32 -0700 Subject: [PATCH 11/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 13f1ab0b0..c99d20a36 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh 
@@ -54,7 +54,7 @@ parse_cmdline_() { for argv; do case $1 in -i | --iac-type) #add support for all scan options ? - ARGS+=("$2") #add flag + ARGS+=("$1") #add flag #ARGS+=("$3") shift 2 #shift up both args ;; From 6d7c828c422e3f67c4252982fdfe7649c7495d69 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:26:55 -0700 Subject: [PATCH 12/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index c99d20a36..2ff6b897d 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -22,7 +22,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - echo 'args' $ARGS + echo 'args' ${ARGS[*]} terrascan scan $ARGS popd > /dev/null done From 4a535eb16479866724cdee60012b860db93b8183 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:28:52 -0700 Subject: [PATCH 13/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 2ff6b897d..c77d2e02c 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -55,7 +55,7 @@ parse_cmdline_() { case $1 in -i | --iac-type) #add support for all scan options ? ARGS+=("$1") #add flag - #ARGS+=("$3") + ARGS+=("$2") shift 2 #shift up both args ;; --) From 62a63102927b08cc51b60ca38f396ef86eb70108 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:35:38 -0700 Subject: [PATCH 14/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index c77d2e02c..48036eacb 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh 
@@ -18,11 +18,16 @@ terrascan_() { let "index+=1" done - + #put arguments array into runnable string + PARAMS = '' + for i in "${arr[@]}" + do + PARAMS= "${PARAMS} ${i}" + done + echo $PARAMS for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - echo 'args' ${ARGS[*]} terrascan scan $ARGS popd > /dev/null done From 58510893fe78d184226fbfc782658739c94a5393 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:38:02 -0700 Subject: [PATCH 15/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 48036eacb..8b6666a26 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -19,7 +19,7 @@ terrascan_() { let "index+=1" done #put arguments array into runnable string - PARAMS = '' + PARAMS = "" for i in "${arr[@]}" do PARAMS= "${PARAMS} ${i}" From b6c73d744b1f915f4700414a3050745fc3c3925a Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:41:25 -0700 Subject: [PATCH 16/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 8b6666a26..b0ea078ff 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -19,7 +19,7 @@ terrascan_() { let "index+=1" done #put arguments array into runnable string - PARAMS = "" + local PARAMS = " " for i in "${arr[@]}" do PARAMS= "${PARAMS} ${i}" From ad7501b065c5525e9afbd063b2ef5e43e259162f Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:44:08 -0700 Subject: [PATCH 17/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index b0ea078ff..d7d308b46 100644 
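Review bot: The new `PARAMS = ''` and `PARAMS= "${PARAMS} ${i}"` lines are not assignments: with spaces around `=` bash runs a command named `PARAMS`, and `PARAMS= "..."` executes the accumulated string as a command with PARAMS temporarily empty, so under `set -e` terrascan_ aborts with "command not found" before any scan runs. The loop also reads `"${arr[@]}"`, which is never defined (the array is `ARGS`), and the scan line still runs `terrascan scan $ARGS` rather than the string being built, so PARAMS is dead even once it parses. The intended effect is simply `terrascan scan "${ARGS[@]}"` with no string building at all; if a joined string is really wanted the syntax is `PARAMS=''` and `PARAMS="${PARAMS} ${i}"`. Patches 15, 16, 17 and 18 repeat the spaced `PARAMS = ...` form; patch 19 is the first one that actually assigns, and patch 20 the first to read `ARGS`.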
--- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -19,7 +19,7 @@ terrascan_() { let "index+=1" done #put arguments array into runnable string - local PARAMS = " " + PARAMS = "scan " for i in "${arr[@]}" do PARAMS= "${PARAMS} ${i}" From a3610b61417d66afeb3d705d85dbd895dbd843f4 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:47:15 -0700 Subject: [PATCH 18/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index d7d308b46..2a8acfa36 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -eo pipefail +PARAMS = "scan " main() { initialize_ @@ -19,7 +20,6 @@ terrascan_() { let "index+=1" done #put arguments array into runnable string - PARAMS = "scan " for i in "${arr[@]}" do PARAMS= "${PARAMS} ${i}" From 79c1fe510b874805c6b52d0b8afadc6de0ee0f7d Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:49:22 -0700 Subject: [PATCH 19/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 2a8acfa36..1a6c16a8a 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -eo pipefail -PARAMS = "scan " +PARAMS="scan " main() { initialize_ @@ -22,7 +22,7 @@ terrascan_() { #put arguments array into runnable string for i in "${arr[@]}" do - PARAMS= "${PARAMS} ${i}" + PARAMS="${PARAMS} ${i}" done echo $PARAMS for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do From 682c7a54afb650dc2398141951761fc5d2b8a6d3 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:53:22 -0700 Subject: [PATCH 20/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 1a6c16a8a..0a7551838 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -20,7 +20,7 @@ terrascan_() { let "index+=1" done #put arguments array into runnable string - for i in "${arr[@]}" + for i in "${ARGS[@]}" do PARAMS="${PARAMS} ${i}" done From c0db34d401a153c6eef5776acb27c53cb3df45dd Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:55:01 -0700 Subject: [PATCH 21/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 0a7551838..477c3ca59 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -28,7 +28,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - terrascan scan $ARGS + terrascan scan PARAMS popd > /dev/null done } From e5e049e2e1ece7bd86b9e83454dfc2543fda82a1 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:57:03 -0700 Subject: [PATCH 22/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 477c3ca59..5e59f6b46 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -28,7 +28,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - terrascan scan PARAMS + terrascan scan -i k8s popd > /dev/null done } From 7a18b94d1d869fd1ae40b20d564ca3ffd8652567 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Thu, 29 Jul 2021 23:58:27 -0700 Subject: [PATCH 23/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
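Review bot: `terrascan scan PARAMS` passes the literal word `PARAMS` as a positional argument, not the string built in the loop above; it needs the `$`, and since PARAMS is initialised to `"scan "` at the top of the file by patch 19, the explicit `scan` subcommand on this line would be doubled once the variable is expanded. Patch 24 (`terrascan PARAMS`) repeats the missing `$`; patch 25 is the first to write `terrascan $PARAMS`. Patches 22 and 23 hard-code `-i k8s` / `-i terraform` on the same line, which read as debugging experiments rather than changes to keep. The enclosing function terrascan_ begins above this hunk.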
diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 5e59f6b46..36853b34a 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -28,7 +28,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - terrascan scan -i k8s + terrascan scan -i terraform popd > /dev/null done } From 5cc24f0ec0ff982cfea58136f812ea509d71af4d Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Fri, 30 Jul 2021 00:00:13 -0700 Subject: [PATCH 24/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 36853b34a..2564be738 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -28,7 +28,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - terrascan scan -i terraform + terrascan PARAMS popd > /dev/null done } From 6cd5239cab92f5f83a77b11b052c39a206147c0f Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Fri, 30 Jul 2021 00:01:39 -0700 Subject: [PATCH 25/30] Update pre-commit-hook.sh --- scripts/pre-commit-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh index 2564be738..cec2100dc 100644 --- a/scripts/pre-commit-hook.sh +++ b/scripts/pre-commit-hook.sh @@ -28,7 +28,7 @@ terrascan_() { for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do path_uniq="${path_uniq//__REPLACED__SPACE__/ }" pushd "$path_uniq" > /dev/null - terrascan PARAMS + terrascan $PARAMS popd > /dev/null done } From 53c574d15b34cb5916cdfe164313d9d7fe5163f7 Mon Sep 17 00:00:00 2001 
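Review bot: `terrascan $PARAMS` rebuilds the command line by word-splitting a string that was itself concatenated from ARGS, so any option value containing whitespace or a glob character is re-split or expanded by the shell before terrascan sees it, and PARAMS is a global mutated inside terrascan_ with no `local`. The array is already available: `terrascan scan "${ARGS[@]}"` preserves each argument exactly as pre-commit's `args:` delivered it and lets the top-level `PARAMS="scan "`, the join loop and the `echo $PARAMS` line be deleted. The enclosing function terrascan_ begins above this hunk.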
From: mihirhasan Date: Fri, 30 Jul 2021 12:04:48 -0700 Subject: [PATCH 26/30] made executable --- scripts/pre-commit-hook.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 scripts/pre-commit-hook.sh diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh old mode 100644 new mode 100755 From c905368d364000496351b42db502541d1b6fb6e8 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Fri, 30 Jul 2021 12:42:18 -0700 Subject: [PATCH 27/30] removing config file --- .pre-commit-config.yaml | 5 ----- .pre-commit-hooks.yaml | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index cd80e5b15..000000000 --- a/.pre-commit-config.yaml +++ /dev/null @@ -1,5 +0,0 @@ -repos: -- repo: https://github.com/mihirhasan/terrascan - rev: v2.1.5 - hooks: - - id: pre-commit-hook diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 92d922d2d..60a86d41a 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -1,4 +1,4 @@ -- id: pre-commit-hook +- id: terraform-pre-commit name: terrascan description: Runs terrascan on supported IaC templates. language: script From d4b7f174e9024b618f10e6c5cfb4eee4d4be4170 Mon Sep 17 00:00:00 2001 From: mihirhasan Date: Fri, 30 Jul 2021 13:30:40 -0700 Subject: [PATCH 28/30] Create pre-commit-integration.md --- docs/integrations/pre-commit-integration.md | 53 +++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 docs/integrations/pre-commit-integration.md diff --git a/docs/integrations/pre-commit-integration.md b/docs/integrations/pre-commit-integration.md new file mode 100644 index 000000000..ad75bcd25 --- /dev/null +++ b/docs/integrations/pre-commit-integration.md 
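Review bot: The hook id is renamed to `terraform-pre-commit` while `description:` and the entry script remain a generic Terrascan runner (`-i` selects k8s, terraform and so on), so the published name now contradicts what the hook does; either keep a provider-neutral id or narrow the hook with a `files:` pattern so it really is terraform-only. Removing `.pre-commit-config.yaml` is reasonable for a hook repository, but the hook entry still has no `files:`/`types:` filter, so consumers get the script invoked with every staged path.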
@@ -0,0 +1,53 @@
+# Integrating Terrascan with Pre-commit
+
+## Overview
+Terrascan scan can be used as a pre-commit hook in order to automatically scan your IaC before every commit.
+For more information about pre-commit hooks see https://pre-commit.com/#intro
+
+___
+
+**Requirements**
+ * Ensure Terrascan is properly installed (See https://runterrascan.io/docs/getting-started/#installing-terrascan)
+ * Have Pre-commit package manager installed (See https://pre-commit.com/#install)
+___
+## Integration Method
+___
+### Add config file
+ 1) Add file called .pre-commit-config.yaml to root of repo you wish to scan with pre-commit.
+ It should look like this:
+ ```yaml
+ repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+ args: [ '-i '] #optional
+ ```
+**Note**
+The optional args line allows you to specify the IaC provider. For example,
+ ```yaml
+ repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+ args: [ '-i k8s']
+ ```
+will cause 'terrascan scan -i k8s' to run and thus scan kubernetes yaml files. You may exclude the args like so:
+ ```yaml
+ repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+ ```
+which causes the default 'terrascan scan' to be run, scanning all IaC provider types.
+
+___
+
+Once you have everything installed, and add the appropriate config file to your repo,
+'Terrascan scan -i ' everytime you attempt to commit your staged changes.
+You can also call the hook directly on all files using pre-commit run --all-files
+
+
+
From b3a9cb9dc518b42d05e48218defb902a52b4d402 Mon Sep 17 00:00:00 2001
From: mihirhasan
Date: Fri, 30 Jul 2021 13:36:18 -0700
Subject: [PATCH 29/30] Update pre-commit-integration.md
---
 docs/integrations/pre-commit-integration.md | 66 +++++++++++----------
 1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/docs/integrations/pre-commit-integration.md b/docs/integrations/pre-commit-integration.md
index ad75bcd25..95a28caa2 100644
--- a/docs/integrations/pre-commit-integration.md
+++ b/docs/integrations/pre-commit-integration.md
@@ -7,47 +7,53 @@ For more information about pre-commit hooks see https://pre-commit.com/#intro
 ___
 **Requirements**
- * Ensure Terrascan is properly installed (See https://runterrascan.io/docs/getting-started/#installing-terrascan)
- * Have Pre-commit package manager installed (See https://pre-commit.com/#install)
+
+* Ensure Terrascan is properly installed (See https://runterrascan.io/docs/getting-started/#installing-terrascan)
+* Have Pre-commit package manager installed (See https://pre-commit.com/#install)
 ___
 ## Integration Method
 ___
 ### Add config file
- 1) Add file called .pre-commit-config.yaml to root of repo you wish to scan with pre-commit.
- It should look like this:
- ```yaml
- repos:
- - repo: https://github.com/accurics/terrascan
- rev:
- hooks:
- - id: terraform-pre-commit
- args: [ '-i '] #optional
- ```
+1. Add file called .pre-commit-config.yaml to root of repo you wish to scan with pre-commit. It should look like this:
+```yaml
+repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+ args: [ '-i '] #optional
+```
 **Note**
 The optional args line allows you to specify the IaC provider. For example,
- ```yaml
- repos:
- - repo: https://github.com/accurics/terrascan
- rev:
- hooks:
- - id: terraform-pre-commit
- args: [ '-i k8s']
- ```
+```yaml
+repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+ args: [ '-i k8s']
+```
 will cause 'terrascan scan -i k8s' to run and thus scan kubernetes yaml files. You may exclude the args like so:
- ```yaml
- repos:
- - repo: https://github.com/accurics/terrascan
- rev:
- hooks:
- - id: terraform-pre-commit
- ```
-which causes the default 'terrascan scan' to be run, scanning all IaC provider types.
+```yaml
+repos:
+ - repo: https://github.com/accurics/terrascan
+ rev:
+ hooks:
+ - id: terraform-pre-commit
+```
+which causes the default
+```bash
+'terrascan scan'
+```
+to be run, scanning all IaC provider types.
 ___
 Once you have everything installed, and add the appropriate config file to your repo,
-'Terrascan scan -i ' everytime you attempt to commit your staged changes.
-You can also call the hook directly on all files using pre-commit run --all-files
+```bash
+'Terrascan scan -i '
+```
+everytime you attempt to commit your staged changes. You can also call the hook directly on all files using pre-commit run --all-files
From f6c49aa646622877b6338aa0cc296f95d9e51e74 Mon Sep 17 00:00:00 2001
From: mihirhasan
Date: Fri, 30 Jul 2021 13:37:36 -0700
Subject: [PATCH 30/30] Update pre-commit-integration.md
---
 docs/integrations/pre-commit-integration.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/integrations/pre-commit-integration.md b/docs/integrations/pre-commit-integration.md
index 95a28caa2..6455a511d 100644
--- a/docs/integrations/pre-commit-integration.md
+++ b/docs/integrations/pre-commit-integration.md
@@ -23,7 +23,7 @@ repos:
 - id: terraform-pre-commit
 args: [ '-i '] #optional
 ```
-**Note**
+**Note:**
 The optional args line allows you to specify the IaC provider. For example,
 ```yaml
 repos:
@@ -33,7 +33,11 @@ repos:
 - id: terraform-pre-commit
 args: [ '-i k8s']
 ```
-will cause
+```bash
+'terrascan scan -i k8s'
+```
+to run and thus scan kubernetes yaml files. You may exclude the args like so:
 ```yaml
 repos:
 - repo: https://github.com/accurics/terrascan
@@ -51,7 +55,7 @@ ___
 Once you have everything installed, and add the appropriate config file to your repo,
 ```bash
-'Terrascan scan -i '
+'terrascan scan -i '
 ```
 everytime you attempt to commit your staged changes. You can also call the hook directly on all files using pre-commit run --all-files