tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0
4.76k stars, 500 forks

[Question] Best practice to test custom policies #1230

Open yu-iskw opened 2 years ago

yu-iskw commented 2 years ago

Description

This post is just a question about the best practice for testing custom policies. We have just started taking advantage of custom policies. I am looking for a better way to implement something like unit tests for custom policies. I would like to know how others handle the issue.

We may have two possible approaches to improve features. That would be broadly helpful to the community.

  1. terrascan will support something like unit testing methods.
  2. We will write down the best practice about testing custom policies in the documents.

What I Did

I use custom policies for a Terraform project. So, I implement test resources in a dummy Terraform project to make sure the custom policies work. Moreover, I execute the shell script below to check whether the violations are as expected or not. We also run a GitHub Action to run the tests on a pull request.

#!/usr/bin/env bash

# Directory of this script; policies and test fixtures are resolved relative to it.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"

# A function to check that the given rule ID appears in the scan results
# exactly the expected number of times.
function check_violations_by_rule() {
  local scan_results="${1:?}"
  local rule_id="${2:?}"
  local expected_violations="${3:?}"
  local violations_count

  # Count violations whose rule_id matches; the result is a single integer.
  violations_count="$(echo "$scan_results" | jq -c -r "[.results.violations[] | select(.rule_id == \"${rule_id}\")] | length")"
  if [[ "$violations_count" != "$expected_violations" ]] ; then
    echo "[ERROR] The number of violations on ${rule_id} must be ${expected_violations}, but ${violations_count}."
    # Print the offending violations so the failing fixture is easy to find.
    echo "$scan_results" | jq -r ".results.violations[] | select(.rule_id == \"${rule_id}\")"
    exit 1
  else
    echo "[PASS] The number of violations on ${rule_id} is ${violations_count} as expected."
  fi
}
export -f check_violations_by_rule

set -Eeuo pipefail

# Get the terrascan result. terrascan exits non-zero when it finds violations,
# so "|| :" keeps the JSON output instead of aborting under "set -e".
scan_results="$(terrascan scan --policy-path "${SCRIPT_DIR}/policy" \
    --iac-type terraform \
    --iac-dir "${SCRIPT_DIR}/tests" \
    --output json || :)"

# Test AC.gcp.IAM.spanner.001
check_violations_by_rule "$scan_results" "AC_GCP_IAM_spanner_001" 10
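The same check generalised to a table of expected counts per rule, as an added example that is not part of the issue post or of terrascan itself: it reads the `.results.violations[].rule_id` shape the jq filter above relies on, tolerates a missing or null violations list, and also reports rule IDs that fire without being listed in the expectations, so a new custom policy cannot pass unnoticed. The sample scan output and the rule ID `AC_EXAMPLE_custom_001` are constructed, and the field names other than `rule_id` are assumptions.

```python
"""Table-driven check of terrascan JSON output against expected violation counts."""
import json
import sys
from collections import Counter

# Constructed sample in the shape the thread's jq filter reads
# (.results.violations[].rule_id); fields besides rule_id are assumed.
SAMPLE_SCAN_OUTPUT = json.dumps({
    "results": {
        "violations": [
            {"rule_id": "AC_GCP_IAM_spanner_001", "resource_name": "db_a", "file": "tests/main.tf", "line": 3},
            {"rule_id": "AC_GCP_IAM_spanner_001", "resource_name": "db_b", "file": "tests/main.tf", "line": 12},
            {"rule_id": "AC_EXAMPLE_custom_001", "resource_name": "bucket", "file": "tests/main.tf", "line": 20},
        ]
    }
})


def count_by_rule(scan_json: str) -> Counter:
    """Count violations per rule_id; a missing or null violations list counts as zero."""
    results = json.loads(scan_json).get("results") or {}
    violations = results.get("violations") or []
    return Counter(v["rule_id"] for v in violations)


def check_expectations(scan_json: str, expected: dict) -> list:
    """Return failure messages; an empty list means every expectation held.

    Rules that fire but are absent from `expected` are failures too, so the
    fixture project cannot silently start triggering a policy nobody tests.
    """
    counts = count_by_rule(scan_json)
    failures = []
    for rule_id, want in expected.items():
        got = counts.get(rule_id, 0)
        if got != want:
            failures.append(f"{rule_id}: expected {want} violation(s), got {got}")
    for rule_id in sorted(set(counts) - set(expected)):
        failures.append(f"{rule_id}: {counts[rule_id]} unexpected violation(s)")
    return failures


if __name__ == "__main__":
    # Pass the path of a saved `terrascan scan --output json` file, or run on the sample.
    scan_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_OUTPUT
    problems = check_expectations(scan_json, {"AC_GCP_IAM_spanner_001": 2, "AC_EXAMPLE_custom_001": 1})
    for problem in problems:
        print("[ERROR]", problem)
    print("[FAIL]" if problems else "[PASS] all expectations held")
    sys.exit(1 if problems else 0)
```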
gaurav-gogia commented 2 years ago

Hi @yu-iskw,

This sounds like an interesting discussion point. Maybe you can bring this over to our Discord community and talk about it in more detail?

Here's the link: https://discord.gg/Z3TJw3NX

Hamdi-Hassan commented 2 years ago

Is it possible to write terrascan as a bash script so that it's executed automatically whenever the terraform plan command is run?

Is this helpful, especially when working on a huge modular Terraform project?