From 091592bfb09e7e994bd860fa3776e8cf4346bf5a Mon Sep 17 00:00:00 2001 From: thyme-87 Date: Sat, 11 Dec 2021 12:51:26 +0100 Subject: [PATCH] add support for checkov for linting terraform files (#4006) * add support for checkov for terraform * add tests for checkov handler * add basic linter config tests for checkov * update supported tools and languages lists * simplify ale_linters#terraform#checkov#Handle * ensure "-o json --quiet" is always set for checkov * add documentation for checkov including config options * fix tests after changing handling of default options for checkov * add checkov to list of tools in doc/ale.txt --- ale_linters/terraform/checkov.vim | 41 ++++++++++++++ doc/ale-supported-languages-and-tools.txt | 1 + doc/ale-terraform.txt | 19 +++++++ doc/ale.txt | 1 + supported-tools.md | 1 + test/handler/test_checkov_handler.vader | 66 +++++++++++++++++++++++ test/linter/test_checkov.vader | 14 +++++ 7 files changed, 143 insertions(+) create mode 100644 ale_linters/terraform/checkov.vim create mode 100644 test/handler/test_checkov_handler.vader create mode 100644 test/linter/test_checkov.vader diff --git a/ale_linters/terraform/checkov.vim b/ale_linters/terraform/checkov.vim new file mode 100644 index 00000000..568b46e1 --- /dev/null +++ b/ale_linters/terraform/checkov.vim @@ -0,0 +1,41 @@ +" Author: Thyme-87 +" Description: use checkov for providing warnings via ale + +call ale#Set('terraform_checkov_executable', 'checkov') +call ale#Set('terraform_checkov_options', '') + +function! ale_linters#terraform#checkov#GetExecutable(buffer) abort + return ale#Var(a:buffer, 'terraform_checkov_executable') +endfunction + +function! ale_linters#terraform#checkov#GetCommand(buffer) abort + return '%e ' . '-f %t -o json --quiet ' . ale#Var(a:buffer, 'terraform_checkov_options') +endfunction + +function! ale_linters#terraform#checkov#Handle(buffer, lines) abort + let l:output = [] + + let l:results = get(get(ale#util#FuzzyJSONDecode(a:lines, {}), 'results', []), 'failed_checks', []) + + for l:violation in l:results + call add(l:output, { + \ 'filename': l:violation['file_path'], + \ 'lnum': l:violation['file_line_range'][0], + \ 'end_lnum': l:violation['file_line_range'][1], + \ 'text': l:violation['check_name'] . ' [' . l:violation['check_id'] . ']', + \ 'detail': l:violation['check_id'] . ': ' . l:violation['check_name'] . "\n" . + \ 'For more information, see: '. l:violation['guideline'], + \ 'type': 'W', + \ }) + endfor + + return l:output +endfunction + +call ale#linter#Define('terraform', { +\ 'name': 'checkov', +\ 'output_stream': 'stdout', +\ 'executable': function('ale_linters#terraform#checkov#GetExecutable'), +\ 'command': function('ale_linters#terraform#checkov#GetCommand'), +\ 'callback': 'ale_linters#terraform#checkov#Handle', +\}) diff --git a/doc/ale-supported-languages-and-tools.txt b/doc/ale-supported-languages-and-tools.txt index df9b5dd6..f12e0c87 100644 --- a/doc/ale-supported-languages-and-tools.txt +++ b/doc/ale-supported-languages-and-tools.txt @@ -560,6 +560,7 @@ Notes: * Tcl * `nagelfar`!! * Terraform + * `checkov` * `terraform` * `terraform-fmt-fixer` * `terraform-ls` diff --git a/doc/ale-terraform.txt b/doc/ale-terraform.txt index 175bdf5c..6acf63ac 100644 --- a/doc/ale-terraform.txt +++ b/doc/ale-terraform.txt @@ -2,6 +2,25 @@ ALE Terraform Integration *ale-terraform-options* +=============================================================================== +checkov *ale-terraform-checkov* + +g:ale_terraform_checkov_executable *g:ale_terraform_checkov_executable* + *b:ale_terraform_checkov_executable* + + Type: |String| + Default: `'checkov'` + + This variable can be changed to use a different executable for checkov. + + +g:ale_terraform_checkov_options *g:ale_terraform_checkov_options* + *b:ale_terraform_checkov_options* + Type: |String| + Default: `''` + + This variable can be changed to set additional options for checkov. + =============================================================================== terraform-fmt-fixer *ale-terraform-fmt-fixer* diff --git a/doc/ale.txt b/doc/ale.txt index 0ac01305..dda7a712 100644 --- a/doc/ale.txt +++ b/doc/ale.txt @@ -3112,6 +3112,7 @@ documented in additional help files. tcl.....................................|ale-tcl-options| nagelfar..............................|ale-tcl-nagelfar| terraform...............................|ale-terraform-options| + checkov...............................|ale-terraform-checkov| terraform-fmt-fixer...................|ale-terraform-fmt-fixer| terraform.............................|ale-terraform-terraform| terraform-ls..........................|ale-terraform-terraform-ls| diff --git a/supported-tools.md b/supported-tools.md index 96063205..9e03ddbb 100644 --- a/supported-tools.md +++ b/supported-tools.md @@ -569,6 +569,7 @@ formatting. * Tcl * [nagelfar](http://nagelfar.sourceforge.net) :floppy_disk: * Terraform + * [checkov](https://github.com/bridgecrewio/checkov) * [terraform](https://github.com/hashicorp/terraform) * [terraform-fmt-fixer](https://github.com/hashicorp/terraform) * [terraform-ls](https://github.com/hashicorp/terraform-ls) diff --git a/test/handler/test_checkov_handler.vader b/test/handler/test_checkov_handler.vader new file mode 100644 index 00000000..9884113c --- /dev/null +++ b/test/handler/test_checkov_handler.vader @@ -0,0 +1,66 @@ +Before: + runtime ale_linters/terraform/checkov.vim + call ale#test#SetFilename('main.tf') + +After: + call ale#linter#Reset() + +Execute(The JSON output of checkov should be handled correctly): + AssertEqual + \ [ + \ { + \ 'filename': '/main.tf', + \ 'lnum': 22, + \ 'end_lnum': 27, + \ 'text': 'Enable VPC Flow Logs and Intranode Visibility [CKV_GCP_61]', + \ 'detail': "CKV_GCP_61: Enable VPC Flow Logs and Intranode Visibility\n" . + \ 'For more information, see: https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility', + \ 'type': 'W', + \ } + \ ], + \ ale_linters#terraform#checkov#Handle(bufnr(''), [ + \'{', + \' "check_type": "terraform",', + \' "results": {', + \' "failed_checks": [', + \' {', + \' "check_id": "CKV_GCP_61",', + \' "bc_check_id": "BC_GCP_KUBERNETES_18",', + \' "check_name": "Enable VPC Flow Logs and Intranode Visibility",', + \' "check_result": {', + \' "result": "FAILED",', + \' "evaluated_keys": [', + \' "enable_intranode_visibility"', + \' ]', + \' },', + \' "file_path": "/main.tf",', + \' "repo_file_path": "/main.tf",', + \' "file_line_range": [', + \' 22,', + \' 27', + \' ],', + \' "resource": "google_container_cluster.cluster-name",', + \' "evaluations": null,', + \' "check_class": "checkov.terraform.checks.resource.gcp.GKEEnableVPCFlowLogs",', + \' "entity_tags": null,', + \' "resource_address": null,', + \' "guideline": "https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility"', + \' }', + \' ]', + \' }', + \'}' + \ ]) + +Execute(Handle output for no findings correctly): + AssertEqual + \ [], + \ ale_linters#terraform#checkov#Handle(bufnr(''), [ + \'{', + \' "passed": 0,', + \' "failed": 0,', + \' "skipped": 0,', + \' "parsing_errors": 0,', + \' "resource_count": 0,', + \' "checkov_version": "2.0.632"', + \'}' + \]) diff --git a/test/linter/test_checkov.vader b/test/linter/test_checkov.vader new file mode 100644 index 00000000..f93d34f3 --- /dev/null +++ b/test/linter/test_checkov.vader @@ -0,0 +1,14 @@ +Before: + call ale#assert#SetUpLinterTest('terraform', 'checkov') + +After: + call ale#assert#TearDownLinterTest() + +Execute(The default command should be direct): + AssertLinter 'checkov', + \ ale#Escape('checkov') . ' -f %t -o json --quiet ' + +Execute(It should be possible to override the default command): + let b:ale_terraform_checkov_executable = '/bin/other/checkov' + AssertLinter '/bin/other/checkov', + \ ale#Escape('/bin/other/checkov') . ' -f %t -o json --quiet '