cfn-nag 0.0.6 → 0.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/cfn_nag +3 -3
- data/lib/cfn_nag.rb +46 -7
- data/lib/result_view/json_results.rb +6 -9
- data/lib/result_view/simple_stdout_results.rb +14 -9
- data/lib/rule.rb +10 -6
- data/lib/violation.rb +13 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 56cf57973ea5a51f6165d0355ac413e2f7b19e71
|
|
4
|
+
data.tar.gz: 9f7a7d3c17486bc4bde0c8bd1dd31ea387c7f2cb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4fa7690fd912219ec16df21316844c2453881dd19bb76651f91d8d5c438a1e811c525d724120301b026f7e1c1a915c77e657d66d0814d4795f9b1e88d32541be
|
|
7
|
+
data.tar.gz: 0c1fda4f9df20aa7e7c0e8372fe41374c2c09eb9a8f6b426e6c765e3144f7d0ba00bc0fbee0345a1e3b8298b27f31fc190b50bfe9a8e727595ecd346b4a89201
|
data/bin/cfn_nag
CHANGED
|
@@ -4,7 +4,7 @@ require 'cfn_nag'
|
|
|
4
4
|
require 'logging'
|
|
5
5
|
|
|
6
6
|
opts = Trollop::options do
|
|
7
|
-
opt :
|
|
7
|
+
opt :input_json_path, 'Cloudformation template to nag on or directory of templates - all *.json and *.template recursively', type: :io, required: true
|
|
8
8
|
opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
|
|
9
9
|
opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
|
|
10
10
|
end
|
|
@@ -13,5 +13,5 @@ Trollop::die(:output_format,
|
|
|
13
13
|
'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
|
|
14
14
|
|
|
15
15
|
CfnNag::configure_logging(opts)
|
|
16
|
-
exit CfnNag.new.audit(input_json_path: opts[:
|
|
17
|
-
output_format: opts[:output_format])
|
|
16
|
+
exit CfnNag.new.audit(input_json_path: opts[:input_json_path],
|
|
17
|
+
output_format: opts[:output_format])
|
data/lib/cfn_nag.rb
CHANGED
|
@@ -10,17 +10,20 @@ class CfnNag
|
|
|
10
10
|
|
|
11
11
|
def audit(input_json_path:,
|
|
12
12
|
output_format:'txt')
|
|
13
|
-
fail 'not even legit JSON' unless legal_json?(input_json_path)
|
|
14
|
-
|
|
15
|
-
@violations = []
|
|
16
13
|
|
|
17
|
-
|
|
14
|
+
templates = discover_templates(input_json_path)
|
|
18
15
|
|
|
19
|
-
|
|
16
|
+
aggregate_results = []
|
|
17
|
+
templates.each do |template|
|
|
18
|
+
aggregate_results << {
|
|
19
|
+
filename: template,
|
|
20
|
+
file_results: audit_file(input_json_path: template)
|
|
21
|
+
}
|
|
22
|
+
end
|
|
20
23
|
|
|
21
|
-
results_renderer(output_format).new.render(
|
|
24
|
+
results_renderer(output_format).new.render(aggregate_results)
|
|
22
25
|
|
|
23
|
-
|
|
26
|
+
aggregate_results.inject(0) { |total_failure_count, results| total_failure_count + results[:file_results][:failure_count] }
|
|
24
27
|
end
|
|
25
28
|
|
|
26
29
|
def self.configure_logging(opts)
|
|
@@ -36,6 +39,42 @@ class CfnNag
|
|
|
36
39
|
|
|
37
40
|
private
|
|
38
41
|
|
|
42
|
+
def audit_file(input_json_path:)
|
|
43
|
+
fail 'not even legit JSON' unless legal_json?(input_json_path)
|
|
44
|
+
@stop_processing = false
|
|
45
|
+
@violations = []
|
|
46
|
+
|
|
47
|
+
generic_json_rules input_json_path
|
|
48
|
+
|
|
49
|
+
custom_rules input_json_path unless @stop_processing == true
|
|
50
|
+
|
|
51
|
+
{
|
|
52
|
+
failure_count: Rule::count_failures(@violations),
|
|
53
|
+
violations: @violations
|
|
54
|
+
}
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def discover_templates(input_json_path)
|
|
58
|
+
if ::File.directory? input_json_path
|
|
59
|
+
templates = find_templates_in_directory(directory: input_json_path)
|
|
60
|
+
elsif ::File.file? input_json_path
|
|
61
|
+
templates = [input_json_path]
|
|
62
|
+
else
|
|
63
|
+
fail "#{input_json_path} is not a proper path"
|
|
64
|
+
end
|
|
65
|
+
templates
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
def find_templates_in_directory(directory:,
|
|
69
|
+
cfn_extensions: %w(json template))
|
|
70
|
+
|
|
71
|
+
templates = []
|
|
72
|
+
cfn_extensions.each do |cfn_extension|
|
|
73
|
+
templates += Dir[File.join(directory, "**/*.#{cfn_extension}")]
|
|
74
|
+
end
|
|
75
|
+
templates
|
|
76
|
+
end
|
|
77
|
+
|
|
39
78
|
def results_renderer(output_format)
|
|
40
79
|
registry = {
|
|
41
80
|
'txt' => SimpleStdoutResults,
|
|
@@ -1,15 +1,12 @@
|
|
|
1
1
|
require 'json'
|
|
2
|
+
|
|
2
3
|
class JsonResults
|
|
4
|
+
def render(results)
|
|
3
5
|
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
{
|
|
7
|
-
type: violation.type,
|
|
8
|
-
message: violation.message,
|
|
9
|
-
logical_resource_ids: violation.logical_resource_ids,
|
|
10
|
-
violating_code: violation.violating_code
|
|
11
|
-
}
|
|
6
|
+
hashified_results = results.each do |result|
|
|
7
|
+
result[:file_results][:violations] = result[:file_results][:violations].map { |violation| violation.to_h }
|
|
12
8
|
end
|
|
13
|
-
|
|
9
|
+
|
|
10
|
+
puts JSON.pretty_generate(hashified_results)
|
|
14
11
|
end
|
|
15
12
|
end
|
|
@@ -2,16 +2,21 @@ require 'rule'
|
|
|
2
2
|
|
|
3
3
|
class SimpleStdoutResults
|
|
4
4
|
|
|
5
|
-
def render(
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
5
|
+
def render(results)
|
|
6
|
+
results.each do |result|
|
|
7
|
+
(1..60).each { print '-' }
|
|
8
|
+
puts "\n" + result[:filename]
|
|
9
|
+
(1..60).each { print '-' }
|
|
10
|
+
|
|
11
|
+
result[:file_results][:violations].each do |violation|
|
|
12
|
+
message message_type: violation.type,
|
|
13
|
+
message: violation.message,
|
|
14
|
+
logical_resource_ids: violation.logical_resource_ids,
|
|
15
|
+
violating_code: violation.violating_code
|
|
16
|
+
end
|
|
17
|
+
puts "\nViolations count: #{Rule::count_failures(result[:file_results][:violations])}"
|
|
18
|
+
puts "Warnings count: #{Rule::count_warnings(result[:file_results][:violations])}"
|
|
11
19
|
end
|
|
12
|
-
|
|
13
|
-
puts "Violations count: #{Rule::count_warnings(violations)}"
|
|
14
|
-
puts "Warnings count: #{Rule::count_failures(violations)}"
|
|
15
20
|
end
|
|
16
21
|
|
|
17
22
|
private
|
data/lib/rule.rb
CHANGED
|
@@ -17,6 +17,8 @@ module Rule
|
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def warning(jq:, message:)
|
|
20
|
+
return if @stop_processing
|
|
21
|
+
|
|
20
22
|
Logging.logger['log'].debug jq
|
|
21
23
|
|
|
22
24
|
stdout = jq_command(@input_json_path, jq)
|
|
@@ -37,7 +39,7 @@ module Rule
|
|
|
37
39
|
fail_if_found: false,
|
|
38
40
|
fatal: true,
|
|
39
41
|
message: message,
|
|
40
|
-
message_type: Violation::
|
|
42
|
+
message_type: Violation::FAILING_VIOLATION,
|
|
41
43
|
raw: true)
|
|
42
44
|
end
|
|
43
45
|
|
|
@@ -46,7 +48,7 @@ module Rule
|
|
|
46
48
|
fail_if_found: false,
|
|
47
49
|
fatal: true,
|
|
48
50
|
message: message,
|
|
49
|
-
message_type: Violation::
|
|
51
|
+
message_type: Violation::FAILING_VIOLATION)
|
|
50
52
|
end
|
|
51
53
|
|
|
52
54
|
def raw_fatal_violation(jq:, message:)
|
|
@@ -54,7 +56,7 @@ module Rule
|
|
|
54
56
|
fail_if_found: true,
|
|
55
57
|
fatal: true,
|
|
56
58
|
message: message,
|
|
57
|
-
message_type: Violation::
|
|
59
|
+
message_type: Violation::FAILING_VIOLATION,
|
|
58
60
|
raw: true)
|
|
59
61
|
end
|
|
60
62
|
|
|
@@ -63,7 +65,7 @@ module Rule
|
|
|
63
65
|
fail_if_found: true,
|
|
64
66
|
fatal: true,
|
|
65
67
|
message: message,
|
|
66
|
-
message_type: Violation::
|
|
68
|
+
message_type: Violation::FAILING_VIOLATION)
|
|
67
69
|
end
|
|
68
70
|
|
|
69
71
|
def violation(jq:, message:)
|
|
@@ -143,6 +145,8 @@ module Rule
|
|
|
143
145
|
message_type:,
|
|
144
146
|
fatal: false,
|
|
145
147
|
raw: false)
|
|
148
|
+
return if @stop_processing
|
|
149
|
+
|
|
146
150
|
Logging.logger['log'].debug jq_expression
|
|
147
151
|
|
|
148
152
|
stdout = jq_command(@input_json_path, jq_expression)
|
|
@@ -157,7 +161,7 @@ module Rule
|
|
|
157
161
|
violating_code: stdout)
|
|
158
162
|
|
|
159
163
|
if fatal
|
|
160
|
-
|
|
164
|
+
@stop_processing = true
|
|
161
165
|
end
|
|
162
166
|
else
|
|
163
167
|
resource_ids = parse_logical_resource_ids(stdout)
|
|
@@ -168,7 +172,7 @@ module Rule
|
|
|
168
172
|
logical_resource_ids: resource_ids)
|
|
169
173
|
|
|
170
174
|
if fatal
|
|
171
|
-
|
|
175
|
+
@stop_processing = true
|
|
172
176
|
end
|
|
173
177
|
end
|
|
174
178
|
end
|
data/lib/violation.rb
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
|
-
|
|
1
|
+
require 'json'
|
|
2
2
|
class Violation
|
|
3
3
|
WARNING = 'warning'
|
|
4
|
-
FATAL_VIOLATION = 'fatal violation'
|
|
5
4
|
FAILING_VIOLATION = 'failing violation'
|
|
6
5
|
|
|
7
6
|
attr_reader :type, :message, :logical_resource_ids, :violating_code
|
|
@@ -14,9 +13,21 @@ class Violation
|
|
|
14
13
|
@message = message
|
|
15
14
|
@logical_resource_ids = logical_resource_ids
|
|
16
15
|
@violating_code = violating_code
|
|
16
|
+
|
|
17
|
+
fail if @type.nil?
|
|
18
|
+
fail if @message.nil?
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
def to_s
|
|
20
22
|
puts "#{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
|
|
21
23
|
end
|
|
24
|
+
|
|
25
|
+
def to_h
|
|
26
|
+
{
|
|
27
|
+
type: @type,
|
|
28
|
+
message: @message,
|
|
29
|
+
logical_resource_ids: @logical_resource_ids,
|
|
30
|
+
violating_code: @violating_code
|
|
31
|
+
}
|
|
32
|
+
end
|
|
22
33
|
end
|