feat: support onlyContains custom check matchspec (#1902)

* feat: support optional provider and service name in custom checks * docs: add missing required type in docs * feat: support onlyContains in custom checks - updated docs to reflect new matchSpec - add example of it in use Signed-off-by: Owen Rumney <[email protected]>
aquasecurity · Sep 21, 2022 · aaaae87 · aaaae87
1 parent 57c9e4c
commit aaaae87
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 6 deletions.
diff --git a/_examples/cidrblocks/.tfsec/custom_tfchecks.yaml b/_examples/cidrblocks/.tfsec/custom_tfchecks.yaml
@@ -0,0 +1,21 @@
+---
+checks:
+  - code: limit-cidr-ranges
+    description: Custom check to ensure the only allowed cidr range are included for ingress
+    requiredTypes:
+      - resource
+    requiredLabels:
+      - aws_security_group
+    severity: HIGH
+    matchSpec:
+      name: ingress
+      action: isPresent
+      subMatch:
+        name: cidr_blocks
+        action: onlyContains
+        value:
+          - "1.2.3.4"
+          - "5.6.7.8"
+    errorMessage: There is a cidr range that is not allowed
+    relatedLinks:
+      - http://internal.acmecorp.com/standards/aws/networking.html
diff --git a/_examples/cidrblocks/main.tf b/_examples/cidrblocks/main.tf
@@ -0,0 +1,29 @@
+resource "aws_security_group" "example_security_group_compliance" {
+  name = "example_security_group_compliance"
+
+  description = "Example SG"
+
+  ingress {
+    description = "Allow SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["1.2.3.4", "5.6.7.8"]
+  }
+
+}
+
+resource "aws_security_group" "example_security_group_non_compliance" {
+  name = "example_security_group_non_compliance"
+
+  description = "Example SG"
+
+  ingress {
+    description = "Allow SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["1.2.3.4", "1.6.7.8"]
+  }
+
+}
diff --git a/docs/guides/configuration/custom-checks.md b/docs/guides/configuration/custom-checks.md
@@ -274,6 +274,32 @@ matchSpec:
   value: kms:*
 ```
 
+##### onlyContains
+The `onlyContains` check action ensures that a slice value only contains acceptable values.
+
+For example. if you want to ensure that the `tags` only contain `CostCentre` and `Environment` you might use the following `MatchSpec`:
+
+```json
+"matchSpec" : {
+  "name": "tags",
+  "action": "onlyContains",
+  "value": [
+    "Environment:prod",
+    "CostCentre:engineering"
+  ]
+]
+}
+```
+
+```yaml
+matchSpec:
+  name: tags
+  action: onlyContains
+  value:
+    - Environment:prod
+    - CostCentre:engineering
+```
+
 ##### equals 
 The `equals` check action passes if the checked attribute equals specified value. 
 The core primitive types are supported, if the subject attribute is a Boolean, the `MatchSpec` value will attempt to be cast to a Boolean for comparison.

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.5
 	github.com/Masterminds/semver v1.5.0
-	github.com/aquasecurity/defsec v0.73.0
+	github.com/aquasecurity/defsec v0.76.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-version v1.6.0
 	github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf
@@ -30,7 +30,7 @@ require (
 	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aws/aws-sdk-go v1.44.77 // indirect
+	github.com/aws/aws-sdk-go v1.44.95 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

diff --git a/go.sum b/go.sum
@@ -142,8 +142,8 @@ github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/Y
 github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/aquasecurity/defsec v0.73.0 h1:ewu4MtOHGkUJ4Ax2K8WAtj+AB5po2bB/DeqIwUZfOaQ=
-github.com/aquasecurity/defsec v0.73.0/go.mod h1:2jYgkIi3UFbkrbtpnr3Cu49JZ3MGuLMJAhyh63jV1I4=
+github.com/aquasecurity/defsec v0.76.0 h1:iWQAWkJDOsr1/zycFvImIGlHkuBpg3ld2MxxrPGppBs=
+github.com/aquasecurity/defsec v0.76.0/go.mod h1:XvXJkw8wiN7/rH913qAT4OoaPMoJeTIqZcevjZjUh3M=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -154,8 +154,8 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.44.77 h1:m5rTfdv04/swD+vTuS2zn4NEwKX3yEJPMhiVCFDL/mU=
-github.com/aws/aws-sdk-go v1.44.77/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.95 h1:QwmA+PeR6v4pF0f/dPHVPWGAshAhb9TnGZBTM5uKuI8=
+github.com/aws/aws-sdk-go v1.44.95/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=

diff --git a/internal/pkg/custom/custom_check.go b/internal/pkg/custom/custom_check.go
@@ -16,6 +16,7 @@ var ValidCheckActions = []CheckAction{
 	EndsWith,
 	Contains,
 	NotContains,
+	OnlyContains,
 	Equals,
 	NotEqual,
 	LessThan,
@@ -57,6 +58,9 @@ const Contains CheckAction = "contains"
 // NotContains checks that the named child attribute does not have a value in the map, list or attribute
 const NotContains CheckAction = "notContains"
 
+// OnlyContains checks that the slice only contains the values in the check value
+const OnlyContains CheckAction = "onlyContains"
+
 // Equals checks that the named child attribute has a value equal to the check value
 const Equals CheckAction = "equals"
 

diff --git a/internal/pkg/custom/processing.go b/internal/pkg/custom/processing.go
@@ -61,6 +61,13 @@ var matchFunctions = map[CheckAction]func(*terraform.Block, *MatchSpec, *customC
 		}
 		return !attribute.Contains(processMatchValueVariables(spec.MatchValue, customCtx.variables))
 	},
+	OnlyContains: func(b *terraform.Block, spec *MatchSpec, customCtx *customContext) bool {
+		attribute := b.GetAttribute(spec.Name)
+		if attribute.IsNil() {
+			return spec.IgnoreUndefined
+		}
+		return attribute.OnlyContains(processMatchValueVariables(spec.MatchValue, customCtx.variables))
+	},
 	Equals: func(b *terraform.Block, spec *MatchSpec, customCtx *customContext) bool {
 		attribute := b.GetAttribute(spec.Name)
 		if attribute.IsNil() {