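package terraformplan

import (
	"bytes"
	"context"
	"os"
	"testing"

	"github.com/aquasecurity/defsec/pkg/scanners/options"
	"github.com/aquasecurity/trivy-iac/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// readPlanFixture returns the contents of the shared Terraform plan fixture.
// A read failure aborts the test right here instead of silently scanning an
// empty plan, which would only surface later as a confusing
// "expected 1 failure" assertion.
func readPlanFixture(t *testing.T) string {
	t.Helper()
	b, err := os.ReadFile("test/testdata/plan.json")
	require.NoError(t, err, "reading plan fixture")
	return string(b)
}

// newDebugLog returns a buffer that captures scanner debug output and
// registers a cleanup that dumps it through t.Logf when the test fails.
// Registering the dump as a cleanup (rather than checking t.Failed() at the
// end of the test body) means the log is still printed when a require.* call
// aborts the test early.
func newDebugLog(t *testing.T) *bytes.Buffer {
	t.Helper()
	var debugLog bytes.Buffer
	t.Cleanup(func() {
		if t.Failed() {
			t.Logf("Debug logs:\n%s\n", debugLog.String())
		}
	})
	return &debugLog
}

// Test_OptionWithPolicyDirs_OldRegoMetadata checks that a policy written with
// the legacy __rego_metadata__ / __rego_input__ blocks, loaded from a policy
// directory on a custom filesystem, is evaluated against a Terraform plan and
// reports its AVD ID on the resulting failure.
func Test_OptionWithPolicyDirs_OldRegoMetadata(t *testing.T) {
	fs := testutil.CreateFS(t, map[string]string{
		"/code/main.tfplan.json": readPlanFixture(t),
		"/rules/test.rego": `
package defsec.abcdefg

__rego_metadata__ := {
	"id": "TEST123",
	"avd_id": "AVD-TEST-0123",
	"title": "Buckets should not be evil",
	"short_code": "no-evil-buckets",
	"severity": "CRITICAL",
	"type": "DefSec Security Check",
	"description": "You should not allow buckets to be evil",
	"recommended_actions": "Use a good bucket instead",
	"url": "https://google.com/search?q=is+my+bucket+evil",
}

__rego_input__ := {
	"combine": false,
	"selector": [{"type": "cloud", "subtypes": [{"service": "s3", "provider": "aws"}]}],
}

deny[cause] {
	bucket := input.aws.s3.buckets[_]
	bucket.name.value == "tfsec-plan-testing"
	cause := bucket.name
}
`,
	})

	debugLog := newDebugLog(t)
	scanner := New(
		options.ScannerWithDebug(debugLog),
		options.ScannerWithPolicyFilesystem(fs),
		options.ScannerWithPolicyDirs("rules"),
		// Presumably restricts evaluation to Rego policies; confirm in the
		// scanner options.
		options.ScannerWithRegoOnly(true),
		// Embedded policies are switched off so the single rule in /rules is
		// the only thing that can produce the expected failure.
		options.ScannerWithEmbeddedPolicies(false),
	)

	results, err := scanner.ScanFS(context.Background(), fs, "code")
	require.NoError(t, err)

	failed := results.GetFailed()
	require.Len(t, failed, 1)
	assert.Equal(t, "AVD-TEST-0123", failed[0].Rule().AVDID)
}

// Test_OptionWithPolicyDirs_WithUserNamespace checks that a policy using the
// newer "# METADATA" comment annotations and living in a user.* package is
// evaluated when the "user" namespace is explicitly enabled, and that its
// custom avd_id is reported on the failure.
func Test_OptionWithPolicyDirs_WithUserNamespace(t *testing.T) {
	fs := testutil.CreateFS(t, map[string]string{
		"/code/main.tfplan.json": readPlanFixture(t),
		"/rules/test.rego": `
# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
# scope: package
# schemas:
# - input: schema["input"]
# custom:
#   avd_id: AVD-TEST-0123
#   severity: CRITICAL
#   short_code: very-bad-misconfig
#   recommended_action: "Fix the s3 bucket"

package user.foobar.ABC001

deny[cause] {
	bucket := input.aws.s3.buckets[_]
	bucket.name.value == "tfsec-plan-testing"
	cause := bucket.name
}
`,
	})

	debugLog := newDebugLog(t)
	scanner := New(
		options.ScannerWithDebug(debugLog),
		options.ScannerWithPolicyFilesystem(fs),
		options.ScannerWithPolicyDirs("rules"),
		// Presumably restricts evaluation to Rego policies; confirm in the
		// scanner options.
		options.ScannerWithRegoOnly(true),
		// The policy above lives in the user.* package; this option is what
		// lets it be picked up — presumably the scanner only evaluates
		// policies from namespaces that are explicitly enabled. Confirm
		// against the scanner options.
		options.ScannerWithPolicyNamespaces("user"),
		// Embedded policies are switched off so the single rule in /rules is
		// the only thing that can produce the expected failure.
		options.ScannerWithEmbeddedPolicies(false),
	)

	results, err := scanner.ScanFS(context.Background(), fs, "code")
	require.NoError(t, err)

	failed := results.GetFailed()
	require.Len(t, failed, 1)
	assert.Equal(t, "AVD-TEST-0123", failed[0].Rule().AVDID)
}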