github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ecs/no_plaintext_secrets_test.go (about)

     1  package ecs
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecs"
    11  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    12  
    13  	"github.com/stretchr/testify/assert"
    14  )
    15  
// TestCheckNoPlaintextSecrets evaluates CheckNoPlaintextSecrets against a
// minimal ECS state and expects a failed result for this rule when a container
// environment variable carries a credential-looking value ("DATABASE_PASSWORD"
// = "password123"), and no failed result when that variable is absent.
//
// Only container environment variables are exercised here; whether the rule
// also inspects other parts of a task definition is not shown by this test —
// confirm against the rule implementation before relying on that.
func TestCheckNoPlaintextSecrets(t *testing.T) {
	newMeta := defsecTypes.NewTestMetadata

	// ecsWithEnv builds the single-task, single-container state shared by all
	// cases; the cases differ only in the container's environment variables.
	ecsWithEnv := func(env []ecs.EnvVar) ecs.ECS {
		return ecs.ECS{
			TaskDefinitions: []ecs.TaskDefinition{
				{
					Metadata: newMeta(),
					ContainerDefinitions: []ecs.ContainerDefinition{
						{
							Metadata:    newMeta(),
							Name:        defsecTypes.String("my_service", newMeta()),
							Image:       defsecTypes.String("my_image", newMeta()),
							CPU:         defsecTypes.Int(2, newMeta()),
							Memory:      defsecTypes.Int(256, newMeta()),
							Essential:   defsecTypes.Bool(true, newMeta()),
							Environment: env,
						},
					},
				},
			},
		}
	}

	cases := []struct {
		name     string
		input    ecs.ECS
		expected bool
	}{
		{
			name: "Task definition with plaintext sensitive information",
			input: ecsWithEnv([]ecs.EnvVar{
				{Name: "ENVIRONMENT", Value: "development"},
				{Name: "DATABASE_PASSWORD", Value: "password123"},
			}),
			expected: true,
		},
		{
			name: "Task definition without sensitive information",
			input: ecsWithEnv([]ecs.EnvVar{
				{Name: "ENVIRONMENT", Value: "development"},
			}),
			expected: false,
		},
	}

	// The rule's long ID is what ties a failed result back to this check.
	wantID := CheckNoPlaintextSecrets.Rule().LongID()

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var st state.State
			st.AWS.ECS = tc.input

			results := CheckNoPlaintextSecrets.Evaluate(&st)

			// A case "fails" only if some result is both a failure and
			// attributed to this rule; results for other statuses or other
			// rules do not count.
			failed := false
			for _, res := range results {
				if res.Status() != scan.StatusFailed {
					continue
				}
				if res.Rule().LongID() == wantID {
					failed = true
				}
			}

			switch {
			case tc.expected:
				assert.True(t, failed, "Rule should have been found")
			default:
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}