GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License

refactor(iac): change iac diff scan json output format #790

Closed Paul-GitGuardian closed 10 months ago

Paul-GitGuardian commented 10 months ago

Changes the format of the JSON output for an iac diff scan.

Before

```json
{
  "added_vulns": [
    {
      "filename": "terraform/aws/s3.tf",
      "incidents": [
        {
          "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
          "policy_id": "GG_IAC_0055",
          "line_end": 8,
          "line_start": 1,
          "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
          "documentation_url": "",
          "component": "aws_s3_bucket.test",
          "severity": "HIGH"
        }
      ],
      "total_incidents": 1
    }
  ],
  "persisting_vulns": [
    {
      "filename": "terraform/aws/db-app.tf",
      "incidents": [
        {
          "policy": "EC2 instances use unencrypted block device",
          "policy_id": "GG_IAC_0033",
          "line_end": 413,
          "line_start": 243,
          "description": "Amazon EBS provides durable, block-level storage volumes that you can attach\\nto a running instance. They will typically be used to host the filesystem\\nfor an application (except for the boot volume). As such, they will often host\\nconfiguration files, and sometimes the secrets needed by the application to\\naccess external services.\\n\\nEncrypting your volumes ensures that your application runtime data will not be\\ncompromised from raw access to the disks.",
          "documentation_url": "",
          "component": "aws_instance.db_app",
          "severity": "HIGH"
        }
      ],
      "total_incidents": 1
    }
  ],
  "removed_vulns": []
}
```

After

```json
{
  "id": "fb0e9a92-de34-43f9-b779-17d25e99ab35",
  "iac_engine_version": "1.15.0",
  "type": "diff_scan",
  "entities_with_incidents": {
    "unchanged": [
      {
        "filename": "s3.tf",
        "incidents": [
          {
            "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
            "policy_id": "GG_IAC_0055",
            "line_end": 118,
            "line_start": 96,
            "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
            "documentation_url": "",
            "component": "aws_s3_bucket.operations",
            "severity": "HIGH"
          }
        ],
        "total_incidents": 1
      }
    ],
    "deleted": [
      {
        "filename": "s3.tf",
        "incidents": [
          {
            "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
            "policy_id": "GG_IAC_0055",
            "line_end": 118,
            "line_start": 96,
            "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
            "documentation_url": "",
            "component": "aws_s3_bucket.operations",
            "severity": "HIGH"
          }
        ],
        "total_incidents": 1
      }
    ],
    "new": [
      {
        "filename": "s3.tf",
        "incidents": [
          {
            "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
            "policy_id": "GG_IAC_0055",
            "line_end": 118,
            "line_start": 96,
            "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
            "documentation_url": "",
            "component": "aws_s3_bucket.operations",
            "severity": "HIGH"
          }
        ],
        "total_incidents": 1
      }
    ]
  }
}
```
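A consumer of the new `diff_scan` layout, written as an added example for this page rather than code from ggshield itself: it maps the old top-level keys onto the new `entities_with_incidents` buckets, counts incidents per bucket, and picks out the `new` HIGH incidents a CI gate would block on (only those are regressions; `unchanged` and `deleted` entries are not). The sample document, the placeholder `id` and the `upgrade_old_report` helper are constructed here and are not part of the PR.

```python
"""Work with the ggshield iac diff scan JSON shape introduced in #790 (added example)."""
import json

# Old top-level key -> bucket under "entities_with_incidents" (from the PR's before/after documents).
OLD_TO_NEW = {"added_vulns": "new", "persisting_vulns": "unchanged", "removed_vulns": "deleted"}


def upgrade_old_report(old):
    """Rewrite a pre-#790 diff-scan document into the new layout.
    'id' and 'iac_engine_version' do not exist in the old format, so placeholders are used."""
    return {
        "id": "UNKNOWN-ID",               # placeholder: absent from the old format
        "iac_engine_version": "unknown",  # placeholder: absent from the old format
        "type": "diff_scan",
        "entities_with_incidents": {new: old.get(old_key, []) for old_key, new in OLD_TO_NEW.items()},
    }


def count_incidents(report):
    """Return {bucket: number of incidents} for a new-format document."""
    buckets = report["entities_with_incidents"]
    return {name: sum(len(e["incidents"]) for e in ents) for name, ents in buckets.items()}


def new_incidents_with_severity(report, severity="HIGH"):
    """(filename, policy_id, component) of incidents in the 'new' bucket at the given severity.
    Only 'new' is checked: unchanged and deleted incidents are not regressions of this diff."""
    found = []
    for entity in report["entities_with_incidents"].get("new", []):
        for inc in entity["incidents"]:
            if inc["severity"] == severity:
                found.append((entity["filename"], inc["policy_id"], inc["component"]))
    return found


# Constructed sample in the new format; fields mirror the PR's examples, the id is made up.
SAMPLE = json.loads("""{
  "id": "00000000-0000-0000-0000-000000000000", "iac_engine_version": "1.15.0", "type": "diff_scan",
  "entities_with_incidents": {
    "unchanged": [{"filename": "s3.tf", "total_incidents": 1, "incidents": [{"policy_id": "GG_IAC_0055",
      "severity": "HIGH", "component": "aws_s3_bucket.operations", "line_start": 96, "line_end": 118}]}],
    "deleted": [],
    "new": [{"filename": "db-app.tf", "total_incidents": 1, "incidents": [{"policy_id": "GG_IAC_0033",
      "severity": "HIGH", "component": "aws_instance.db_app", "line_start": 243, "line_end": 413}]}]
  }
}""")

if __name__ == "__main__":
    print(count_incidents(SAMPLE))
    # Non-zero exit when the diff introduces a new HIGH incident, so a pipeline step can fail on it.
    raise SystemExit(1 if new_incidents_with_severity(SAMPLE) else 0)
```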
codecov-commenter commented 10 months ago

Codecov Report

Merging #790 (418523f) into main (dad570f) will decrease coverage by 0.02%. Report is 9 commits behind head on main. The diff coverage is 96.00%.


```
@@            Coverage Diff             @@
##             main     #790      +/-   ##
==========================================
- Coverage   91.75%   91.73%   -0.02%     
==========================================
  Files         154      154              
  Lines        6401     6428      +27     
==========================================
+ Hits         5873     5897      +24     
- Misses        528      531       +3     
```

| Flag | Coverage Δ |
|---|---|
| unittests | 91.73% <96.00%> (-0.02%) :arrow_down: |


| Files | Coverage Δ |
|---|---|
| ggshield/verticals/iac/output/schemas.py | 100.00% <100.00%> (ø) |
| ...ld/verticals/iac/output/iac_json_output_handler.py | 92.10% <85.71%> (-3.25%) :arrow_down: |

... and 2 files with indirect coverage changes

GG-HH commented 10 months ago

And it lacks a changelog. This is a customer facing change that should be "changeloged"

Paul-GitGuardian commented 10 months ago

> And it lacks a changelog. This is a customer facing change that should be "changeloged"

I also added an example inside a collapsible section, I assume these work in the GitHub changelog?