From 3d0be70b8e866afcb6e7fa78fcb84e7c5c04a346 Mon Sep 17 00:00:00 2001
From: Rohith Jayawardene
Date: Fri, 15 Nov 2024 15:06:11 +0000
Subject: [PATCH 1/3] [FEATURE] - Verify Revision
Update the links to the checkov documentation (easier to use homepage for now) and adding guileline, i.e. hyperlinks for the fixes
---
 pkg/cmd/tnctl/create/revision.go | 2 ++
 pkg/cmd/tnctl/verify/revision.go | 11 ++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkg/cmd/tnctl/create/revision.go b/pkg/cmd/tnctl/create/revision.go
index 44a678bda..947d27439 100644
--- a/pkg/cmd/tnctl/create/revision.go
+++ b/pkg/cmd/tnctl/create/revision.go
@@ -114,6 +114,8 @@ func NewRevisionCommand(factory cmd.Factory) *cobra.Command {
 flags.StringVarP(&o.File, "file", "f", "", "The path to save the revision to")
 flags.StringVar(&o.Provider, "provider", "aws", "The name of the terranetes provider to use")
+ c.MarkFlagRequired("file")
+
 return c
 }
diff --git a/pkg/cmd/tnctl/verify/revision.go b/pkg/cmd/tnctl/verify/revision.go
index 85c416ad2..8cadbedf3 100644
--- a/pkg/cmd/tnctl/verify/revision.go
+++ b/pkg/cmd/tnctl/verify/revision.go
@@ -92,6 +92,8 @@ type RevisionCommand struct {
 // EnableTerraformPlan indicates we should use a terraform plan to verify the security policy.
 // Note, this does require credentials to be configured
 EnableTerraformPlan bool
+ // ShowGuidelines indicates we should show the guidelines in the output
+ ShowGuidelines bool
 // Contexts is a list of contexts from the cluster
 Contexts *terraformv1alpha1.ContextList
 // Policies is a list of policies from the cluster
@@ -129,6 +131,7 @@ func NewRevisionCommand(factory cmd.Factory) *cobra.Command {
 flags.BoolVar(&o.EnableCluster, "use-cluster", true, "Indicates if we should retrieve configuration from the current kubeconfig")
 flags.BoolVar(&o.EnableTerraformPlan, "use-terraform-plan", false, "Indicates if we should use a terraform plan to verify the security policy")
 flags.BoolVar(&o.KeepTempDir, "keep-temp-dir", false, "Indicates if we should keep the temporary directory")
+ flags.BoolVar(&o.ShowGuidelines, "show-guidelines", true, "Indicates if we should show the guidelines in the output")
 flags.StringVar(&o.CheckovImage, "checkov-image", "", "The docker image of checkov to use when validating the security policy")
 flags.StringVar(&o.TerraformImage, "terraform-image", "", "The docker image of terraform to use when generating a plan")
 flags.StringVarP(&o.Directory, "directory", "d", "", "Path to a directory to store temporary files")
@@ -629,7 +632,7 @@ func (o *RevisionCommand) checkSecurityPolicy(ctx context.Context) error {
 failed := gjson.GetBytes(results, "results.failed_checks")
 if failed.Exists() && failed.IsArray() {
 if len(failed.Array()) > 0 {
- v.Info("Check ID against documentation: https://docs.bridgecrew.io/docs")
+ v.Info("Check ID against documentation at https://www.checkov.io")
 }
 for _, check := range failed.Array() {
@@ -640,6 +643,9 @@ func (o *RevisionCommand) checkSecurityPolicy(ctx context.Context) error {
 if check.Get("resource").String() != "" {
 v.Additional("Resource: %v", check.Get("resource"))
 }
+ if o.ShowGuidelines && check.Get("guideline").String() != "" {
+ v.Additional("Guideline: %v", check.Get("guideline"))
+ }
 }
 }
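Review bot: The value printed by the new `if o.ShowGuidelines && check.Get("guideline").String() != ""` branch is lifted verbatim from the checkov results JSON and handed to `v.Additional` through `%v`, so whatever the scanner container writes into that field reaches the operator's terminal unfiltered; the image is user-selectable via `--checkov-image`, so the string is not fully under this code's control. Read the field once and only print it when it looks like a link: `guideline := check.Get("guideline").String()` followed by `if o.ShowGuidelines && strings.HasPrefix(guideline, "http") { v.Additional("Guideline: %v", guideline) }` (add `strings` to the import block if it is not already there). That also drops the duplicated `check.Get("guideline")` lookup. checkSecurityPolicy starts and ends outside this hunk, so I cannot see how `results` is produced.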
@@ -667,8 +673,7 @@ func (o *RevisionCommand) checkValueFromReferences(revision *terraformv1alpha1.R
 }
 for _, x := range revision.Spec.Configuration.ValueFrom {
- switch {
- case o.Contexts == nil:
+ if o.Contexts == nil {
 v.Warning("Revision references a context: %q, key: %q, but none available to check against", *x.Context, x.Key)
 continue
From ffe0a8605d4551d07a08898762d17fd83f7c1a75 Mon Sep 17 00:00:00 2001
From: Rohith Jayawardene
Date: Fri, 15 Nov 2024 15:18:49 +0000
Subject: [PATCH 2/3] chore: ammending the link to the policies
---
 pkg/cmd/tnctl/verify/revision.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/tnctl/verify/revision.go b/pkg/cmd/tnctl/verify/revision.go
index 8cadbedf3..939a69bd1 100644
--- a/pkg/cmd/tnctl/verify/revision.go
+++ b/pkg/cmd/tnctl/verify/revision.go
@@ -632,7 +632,7 @@ func (o *RevisionCommand) checkSecurityPolicy(ctx context.Context) error {
 failed := gjson.GetBytes(results, "results.failed_checks")
 if failed.Exists() && failed.IsArray() {
 if len(failed.Array()) > 0 {
- v.Info("Check ID against documentation at https://www.checkov.io")
+ v.Info("Checks: https://www.checkov.io/5.Policy%%20Index/all.html")
 }
 for _, check := range failed.Array() {
From 89df146df1e88bfa4aa4650dee6ab3e2a9d54d36 Mon Sep 17 00:00:00 2001
From: Rohith Jayawardene
Date: Fri, 15 Nov 2024 15:24:29 +0000
Subject: [PATCH 3/3] fix: ignoring the linting errcheck error
---
 pkg/cmd/tnctl/create/revision.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cmd/tnctl/create/revision.go b/pkg/cmd/tnctl/create/revision.go
index 947d27439..e991a5c5b 100644
--- a/pkg/cmd/tnctl/create/revision.go
+++ b/pkg/cmd/tnctl/create/revision.go
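Review bot: The new `v.Info("Checks: https://www.checkov.io/5.Policy%%20Index/all.html")` in the PATCH 2/3 hunk only renders correctly if `v.Info` treats its argument as a printf-style format, so that `%%` collapses to one `%`; the hunk does not show the helper's signature, and if it prints the string verbatim the operator sees `Policy%%20Index` and the link is broken. The sibling `v.Additional("Resource: %v", …)` call does take format arguments, so this is plausible but not certain; confirm against the helper. The doubling becomes unnecessary if the URL is passed as an argument instead of being baked into the format string: `v.Info("Checks: %s", "https://www.checkov.io/5.Policy%20Index/all.html")`, or keep the URL in a named constant with a comment noting the encoded space. checkSecurityPolicy starts and ends outside this hunk.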
@@ -114,7 +114,7 @@ func NewRevisionCommand(factory cmd.Factory) *cobra.Command {
 flags.StringVarP(&o.File, "file", "f", "", "The path to save the revision to")
 flags.StringVar(&o.Provider, "provider", "aws", "The name of the terranetes provider to use")
- c.MarkFlagRequired("file")
+ _ = c.MarkFlagRequired("file")
 return c
 }
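Review bot: The blank identifier on `_ = c.MarkFlagRequired("file")` silences errcheck but leaves no record of why dropping the error is safe; as far as I know cobra only returns an error from MarkFlagRequired when the named flag has not been defined, and `file` is registered by the `flags.StringVarP(&o.File, "file", ...)` call two lines above. Put that justification on the line so the next reader does not have to rediscover it: `_ = c.MarkFlagRequired("file") // cannot fail: "file" is defined above`. If the intent is to catch a future rename of the flag rather than tolerate it, `cobra.CheckErr(c.MarkFlagRequired("file"))` fails loudly at command construction instead of silently producing a command where `--file` is optional. NewRevisionCommand's body starts outside this hunk.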