scanner

package

v1.0.0 Latest Latest Go to latest Published: Oct 8, 2020 License: MIT Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hemanthgk10/tfsec

Links

Open Source Insights

Documentation ¶

Index ¶

func RegisterCheck(check Check)
type Check
- func GetRegisteredChecks() []Check
type Context
- func (c *Context) GetResourcesByType(t string) parser.Blocks
type Result
type RuleDescription
type RuleID
type RuleProvider
type Scanner
- func New() *Scanner
- func (scanner *Scanner) Scan(blocks []*parser.Block, excludedChecksList []string) []Result
type Severity

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func RegisterCheck ¶

func RegisterCheck(check Check)

RegisterCheck registers a new Check which should be run on future scans

Types ¶

type Check ¶

type Check struct {
	Code           RuleID
	Description    RuleDescription
	Provider       RuleProvider
	RequiredTypes  []string
	RequiredLabels []string
	CheckFunc      func(*Check, *parser.Block, *Context) []Result
}

Check is a targeted security test which can be applied to terraform templates. It includes the types to run on e.g. "resource", and the labels to run on e.g. "aws_s3_bucket".

func GetRegisteredChecks ¶

func GetRegisteredChecks() []Check

GetRegisteredChecks provides all Checks which have been registered with this package

func (*Check) IsRequiredForBlock ¶

func (check *Check) IsRequiredForBlock(block *parser.Block) bool

IsRequiredForBlock returns true if the Check should be applied to the given HCL block

func (*Check) NewResult ¶

func (check *Check) NewResult(description string, r parser.Range, severity Severity) Result

NewResult creates a new Result, containing the given description and range

func (*Check) NewResultWithValueAnnotation ¶

func (check *Check) NewResultWithValueAnnotation(description string, r parser.Range, attr *parser.Attribute, severity Severity) Result

func (*Check) Run ¶

func (check *Check) Run(block *parser.Block, context *Context) []Result

Run runs the check against the provided HCL block, including the hclEvalContext to evaluate expressions if it is provided.

type Context ¶

type Context struct {
	// contains filtered or unexported fields
}

func (*Context) GetResourcesByType ¶

func (c *Context) GetResourcesByType(t string) parser.Blocks

type Result ¶

type Result struct {
	RuleID          RuleID       `json:"rule_id"`
	Link            string       `json:"link"`
	Range           parser.Range `json:"location"`
	Description     string       `json:"description"`
	RangeAnnotation string       `json:"-"`
	Severity        Severity     `json:"severity"`
}

Result is a positive result for a security check. It encapsulates a code unique to the specific check it was raised by, a human-readable description and a range

type RuleDescription ¶

type RuleDescription string

type RuleID ¶

type RuleID string

RuleID is a unique identifier for a check

type RuleProvider ¶

type RuleProvider string

const (
	AWSProvider     RuleProvider = "aws"
	AzureProvider   RuleProvider = "azurerm"
	GCPProvider     RuleProvider = "google"
	GeneralProvider RuleProvider = "*"
)

type Scanner ¶

type Scanner struct {
}

Scanner scans HCL blocks by running all registered checks against them

func New ¶

func New() *Scanner

New creates a new Scanner

func (*Scanner) Scan ¶

func (scanner *Scanner) Scan(blocks []*parser.Block, excludedChecksList []string) []Result

Scan takes all available hcl blocks and an optional context, and returns a slice of results. Each result indicates a potential security problem.

type Severity ¶

type Severity string

const (
	SeverityError   Severity = "ERROR"
	SeverityWarning Severity = "WARNING"
	SeverityInfo    Severity = "INFO"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL