cfn-nag 0.0.30 → 0.0.31

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6f981fee0730b3714cf1dc3ff0dced4f10cc6f7a
-  data.tar.gz: 2c64b6aeca15247eedcb864c6765fa204044d978
+  metadata.gz: 56dbe4fbd39baa55a57bf08c76b3ded48d248259
+  data.tar.gz: 8453582e991ff40398cc05a0ebee7ef64d5b4291
 SHA512:
-  metadata.gz: a87e5a23f12728347ebc7a60acdbaf3b2a3efe2ad423e181f15d77793c44215fe5b030f37e1c0ecf13a63aceaa65c72256a23753d8dfe7e51e9bd2885ab270b1
-  data.tar.gz: 666e3f2926364b65347cb9027f04a180725b6030c78c4a9e548d5675547bb3366c2b73017efdb05f336be7ed2e564f9070e7e5c01d1ae9b76a4a2d997fef3568
+  metadata.gz: ee486be9d272ed90df3f5137358ecf33c719cec14b21acf2f9a9b6669d94ca9f7f227d0bc3916a8a02e368a519c7d07fa2582f529841e088318ba91f235013fd
+  data.tar.gz: d7394d24c0735afc252ffcd59e8d6dfa3419dc358c0dda691d1cfd6e061e01e1eec575e980967fda4418098c7a70ea734a5fac9a00f90acbd157bee26702f410

data/bin/cfn_nag

@@ -7,6 +7,7 @@ opts = Trollop::options do
   opt :input_json_path, 'CloudFormation template to nag on or directory of templates - all *.json and *.template recursively', type: :io, required: true
   opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
   opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
+  opt :rule_directory, 'Extra rule directories', type: :strings, require: false, default: [], multi: true
 end
 
 Trollop::die(:output_format,
@@ -14,4 +15,5 @@ Trollop::die(:output_format,
 
 CfnNag::configure_logging(opts)
 exit CfnNag.new.audit(input_json_path: opts[:input_json_path],
-                      output_format: opts[:output_format])
+                      output_format: opts[:output_format],
+                      rule_directories: opts[:rule_directory])

data/lib/cfn_nag.rb

@@ -13,6 +13,11 @@ class CfnNag
   def initialize
     @warning_registry = []
     @violation_registry = []
+    @custom_rule_registry = [
+      SecurityGroupMissingEgressRule,
+      UserMissingGroupRule,
+      UnencryptedS3PutObjectAllowedRule
+    ]
   end
 
   def dump_rules
@@ -47,16 +52,20 @@ class CfnNag
   end
 
   def audit(input_json_path:,
+            rule_directories: [],
             output_format:'txt')
+    validate_extra_rule_directories(rule_directories)
 
     aggregate_results = audit_results input_json_path: input_json_path,
-                                      output_format: output_format
+                                      output_format: output_format,
+                                      rule_directories: rule_directories.flatten
 
     aggregate_results.inject(0) { |total_failure_count, results| total_failure_count + results[:file_results][:failure_count] }
   end
 
   def audit_results(input_json_path:,
-                    output_format:'txt')
+                    output_format:'txt',
+                    rule_directories: [])
 
     templates = discover_templates(input_json_path)
 
@@ -64,7 +73,8 @@ class CfnNag
     templates.each do |template|
       aggregate_results << {
           filename: template,
-          file_results: audit_file(input_json_path: template)
+          file_results: audit_file(input_json_path: template,
+                                   rule_directories: rule_directories)
       }
     end
 
@@ -85,7 +95,7 @@ class CfnNag
     logger.add_appenders Logging.appenders.stdout
   end
 
-  def audit_template(input_json:)
+  def audit_template(input_json:, rule_directories: [])
     @stop_processing = false
     @violations = []
 
@@ -96,7 +106,7 @@ class CfnNag
       @stop_processing = true
     end
 
-    generic_json_rules input_json unless @stop_processing == true
+    generic_json_rules(input_json, rule_directories) unless @stop_processing == true
 
     custom_rules input_json unless @stop_processing == true
 
@@ -108,12 +118,20 @@ class CfnNag
 
   private
 
+  def validate_extra_rule_directories(rule_directories)
+    rule_directories.flatten.each do |rule_directory|
+      fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
+    end
+  end
+
+
   def render_results(aggregate_results:,output_format:)
     results_renderer(output_format).new.render(aggregate_results)
   end
 
-  def audit_file(input_json_path:)
-    audit_template(input_json: IO.read(input_json_path))
+  def audit_file(input_json_path:, rule_directories:)
+    audit_template(input_json: IO.read(input_json_path),
+                   rule_directories: rule_directories)
   end
 
   def discover_templates(input_json_path)
@@ -162,7 +180,7 @@ class CfnNag
     __dir__.start_with? '/uri:classloader'
   end
 
-  def generic_json_rules(input_json)
+  def generic_json_rules(input_json, rule_directories)
     unless command? 'jq'
       fail 'jq executable must be available in PATH'
     end
@@ -170,7 +188,6 @@ class CfnNag
     if jruby_in_a_jar?
       rules = %w(basic_rules cfn_rules cidr_rules cloudfront_rules ebs_rules iam_policy_rules iam_user_rules lambda_rules loadbalancer_rules port_rules s3_bucket_rules sns_rules sqs_rules)
       rules = rules.map { |rule| File.join(__dir__, 'json_rules', "#{rule}.rb")[1..-1] }
-      puts "Jruby it is: #{rules}"
     else
       rules = Dir[File.join(__dir__, 'json_rules', '*.rb')].sort
     end
@@ -179,21 +196,22 @@ class CfnNag
       @input_json = input_json
       eval IO.read(rule_file)
     end
+
+    rule_directories.each do |rule_directory|
+      rules = Dir[File.join(rule_directory, '*.rb')].sort
+
+      rules.each do |rule_file|
+        @input_json = input_json
+        eval IO.read(rule_file)
+      end
+    end
   end
 
   def custom_rules(input_json)
     cfn_model = CfnModel.new.parse(input_json)
-    custom_rule_registry.each do |rule_class|
+    @custom_rule_registry.each do |rule_class|
       audit_result = rule_class.new.audit(cfn_model)
       @violations << audit_result unless audit_result.nil?
     end
   end
-
-  def custom_rule_registry
-    [
-      SecurityGroupMissingEgressRule,
-      UserMissingGroupRule,
-      UnencryptedS3PutObjectAllowedRule
-    ]
-  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.0.30
+  version: 0.0.31
 platform: ruby
 authors:
 - someguy
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-24 00:00:00.000000000 Z
+date: 2017-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging