cfn-nag 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/cfn_nag +3 -3
- data/lib/cfn_nag.rb +46 -7
- data/lib/result_view/json_results.rb +6 -9
- data/lib/result_view/simple_stdout_results.rb +14 -9
- data/lib/rule.rb +10 -6
- data/lib/violation.rb +13 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 56cf57973ea5a51f6165d0355ac413e2f7b19e71
|
|
4
|
+
data.tar.gz: 9f7a7d3c17486bc4bde0c8bd1dd31ea387c7f2cb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4fa7690fd912219ec16df21316844c2453881dd19bb76651f91d8d5c438a1e811c525d724120301b026f7e1c1a915c77e657d66d0814d4795f9b1e88d32541be
|
|
7
|
+
data.tar.gz: 0c1fda4f9df20aa7e7c0e8372fe41374c2c09eb9a8f6b426e6c765e3144f7d0ba00bc0fbee0345a1e3b8298b27f31fc190b50bfe9a8e727595ecd346b4a89201
|
data/bin/cfn_nag
CHANGED
|
@@ -4,7 +4,7 @@ require 'cfn_nag'
|
|
|
4
4
|
require 'logging'
|
|
5
5
|
|
|
6
6
|
opts = Trollop::options do
|
|
7
|
-
opt :
|
|
7
|
+
opt :input_json_path, 'Cloudformation template to nag on or directory of templates - all *.json and *.template recursively', type: :io, required: true
|
|
8
8
|
opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
|
|
9
9
|
opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
|
|
10
10
|
end
|
|
@@ -13,5 +13,5 @@ Trollop::die(:output_format,
|
|
|
13
13
|
'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
|
|
14
14
|
|
|
15
15
|
CfnNag::configure_logging(opts)
|
|
16
|
-
exit CfnNag.new.audit(input_json_path: opts[:
|
|
17
|
-
output_format: opts[:output_format])
|
|
16
|
+
exit CfnNag.new.audit(input_json_path: opts[:input_json_path],
|
|
17
|
+
output_format: opts[:output_format])
|
data/lib/cfn_nag.rb
CHANGED
|
@@ -10,17 +10,20 @@ class CfnNag
|
|
|
10
10
|
|
|
11
11
|
def audit(input_json_path:,
|
|
12
12
|
output_format:'txt')
|
|
13
|
-
fail 'not even legit JSON' unless legal_json?(input_json_path)
|
|
14
|
-
|
|
15
|
-
@violations = []
|
|
16
13
|
|
|
17
|
-
|
|
14
|
+
templates = discover_templates(input_json_path)
|
|
18
15
|
|
|
19
|
-
|
|
16
|
+
aggregate_results = []
|
|
17
|
+
templates.each do |template|
|
|
18
|
+
aggregate_results << {
|
|
19
|
+
filename: template,
|
|
20
|
+
file_results: audit_file(input_json_path: template)
|
|
21
|
+
}
|
|
22
|
+
end
|
|
20
23
|
|
|
21
|
-
results_renderer(output_format).new.render(
|
|
24
|
+
results_renderer(output_format).new.render(aggregate_results)
|
|
22
25
|
|
|
23
|
-
|
|
26
|
+
aggregate_results.inject(0) { |total_failure_count, results| total_failure_count + results[:file_results][:failure_count] }
|
|
24
27
|
end
|
|
25
28
|
|
|
26
29
|
def self.configure_logging(opts)
|
|
@@ -36,6 +39,42 @@ class CfnNag
|
|
|
36
39
|
|
|
37
40
|
private
|
|
38
41
|
|
|
42
|
+
def audit_file(input_json_path:)
|
|
43
|
+
fail 'not even legit JSON' unless legal_json?(input_json_path)
|
|
44
|
+
@stop_processing = false
|
|
45
|
+
@violations = []
|
|
46
|
+
|
|
47
|
+
generic_json_rules input_json_path
|
|
48
|
+
|
|
49
|
+
custom_rules input_json_path unless @stop_processing == true
|
|
50
|
+
|
|
51
|
+
{
|
|
52
|
+
failure_count: Rule::count_failures(@violations),
|
|
53
|
+
violations: @violations
|
|
54
|
+
}
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def discover_templates(input_json_path)
|
|
58
|
+
if ::File.directory? input_json_path
|
|
59
|
+
templates = find_templates_in_directory(directory: input_json_path)
|
|
60
|
+
elsif ::File.file? input_json_path
|
|
61
|
+
templates = [input_json_path]
|
|
62
|
+
else
|
|
63
|
+
fail "#{input_json_path} is not a proper path"
|
|
64
|
+
end
|
|
65
|
+
templates
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
def find_templates_in_directory(directory:,
|
|
69
|
+
cfn_extensions: %w(json template))
|
|
70
|
+
|
|
71
|
+
templates = []
|
|
72
|
+
cfn_extensions.each do |cfn_extension|
|
|
73
|
+
templates += Dir[File.join(directory, "**/*.#{cfn_extension}")]
|
|
74
|
+
end
|
|
75
|
+
templates
|
|
76
|
+
end
|
|
77
|
+
|
|
39
78
|
def results_renderer(output_format)
|
|
40
79
|
registry = {
|
|
41
80
|
'txt' => SimpleStdoutResults,
|
|
@@ -1,15 +1,12 @@
|
|
|
1
1
|
require 'json'
|
|
2
|
+
|
|
2
3
|
class JsonResults
|
|
4
|
+
def render(results)
|
|
3
5
|
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
{
|
|
7
|
-
type: violation.type,
|
|
8
|
-
message: violation.message,
|
|
9
|
-
logical_resource_ids: violation.logical_resource_ids,
|
|
10
|
-
violating_code: violation.violating_code
|
|
11
|
-
}
|
|
6
|
+
hashified_results = results.each do |result|
|
|
7
|
+
result[:file_results][:violations] = result[:file_results][:violations].map { |violation| violation.to_h }
|
|
12
8
|
end
|
|
13
|
-
|
|
9
|
+
|
|
10
|
+
puts JSON.pretty_generate(hashified_results)
|
|
14
11
|
end
|
|
15
12
|
end
|
|
@@ -2,16 +2,21 @@ require 'rule'
|
|
|
2
2
|
|
|
3
3
|
class SimpleStdoutResults
|
|
4
4
|
|
|
5
|
-
def render(
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
5
|
+
def render(results)
|
|
6
|
+
results.each do |result|
|
|
7
|
+
(1..60).each { print '-' }
|
|
8
|
+
puts "\n" + result[:filename]
|
|
9
|
+
(1..60).each { print '-' }
|
|
10
|
+
|
|
11
|
+
result[:file_results][:violations].each do |violation|
|
|
12
|
+
message message_type: violation.type,
|
|
13
|
+
message: violation.message,
|
|
14
|
+
logical_resource_ids: violation.logical_resource_ids,
|
|
15
|
+
violating_code: violation.violating_code
|
|
16
|
+
end
|
|
17
|
+
puts "\nViolations count: #{Rule::count_failures(result[:file_results][:violations])}"
|
|
18
|
+
puts "Warnings count: #{Rule::count_warnings(result[:file_results][:violations])}"
|
|
11
19
|
end
|
|
12
|
-
|
|
13
|
-
puts "Violations count: #{Rule::count_warnings(violations)}"
|
|
14
|
-
puts "Warnings count: #{Rule::count_failures(violations)}"
|
|
15
20
|
end
|
|
16
21
|
|
|
17
22
|
private
|
data/lib/rule.rb
CHANGED
|
@@ -17,6 +17,8 @@ module Rule
|
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def warning(jq:, message:)
|
|
20
|
+
return if @stop_processing
|
|
21
|
+
|
|
20
22
|
Logging.logger['log'].debug jq
|
|
21
23
|
|
|
22
24
|
stdout = jq_command(@input_json_path, jq)
|
|
@@ -37,7 +39,7 @@ module Rule
|
|
|
37
39
|
fail_if_found: false,
|
|
38
40
|
fatal: true,
|
|
39
41
|
message: message,
|
|
40
|
-
message_type: Violation::
|
|
42
|
+
message_type: Violation::FAILING_VIOLATION,
|
|
41
43
|
raw: true)
|
|
42
44
|
end
|
|
43
45
|
|
|
@@ -46,7 +48,7 @@ module Rule
|
|
|
46
48
|
fail_if_found: false,
|
|
47
49
|
fatal: true,
|
|
48
50
|
message: message,
|
|
49
|
-
message_type: Violation::
|
|
51
|
+
message_type: Violation::FAILING_VIOLATION)
|
|
50
52
|
end
|
|
51
53
|
|
|
52
54
|
def raw_fatal_violation(jq:, message:)
|
|
@@ -54,7 +56,7 @@ module Rule
|
|
|
54
56
|
fail_if_found: true,
|
|
55
57
|
fatal: true,
|
|
56
58
|
message: message,
|
|
57
|
-
message_type: Violation::
|
|
59
|
+
message_type: Violation::FAILING_VIOLATION,
|
|
58
60
|
raw: true)
|
|
59
61
|
end
|
|
60
62
|
|
|
@@ -63,7 +65,7 @@ module Rule
|
|
|
63
65
|
fail_if_found: true,
|
|
64
66
|
fatal: true,
|
|
65
67
|
message: message,
|
|
66
|
-
message_type: Violation::
|
|
68
|
+
message_type: Violation::FAILING_VIOLATION)
|
|
67
69
|
end
|
|
68
70
|
|
|
69
71
|
def violation(jq:, message:)
|
|
@@ -143,6 +145,8 @@ module Rule
|
|
|
143
145
|
message_type:,
|
|
144
146
|
fatal: false,
|
|
145
147
|
raw: false)
|
|
148
|
+
return if @stop_processing
|
|
149
|
+
|
|
146
150
|
Logging.logger['log'].debug jq_expression
|
|
147
151
|
|
|
148
152
|
stdout = jq_command(@input_json_path, jq_expression)
|
|
@@ -157,7 +161,7 @@ module Rule
|
|
|
157
161
|
violating_code: stdout)
|
|
158
162
|
|
|
159
163
|
if fatal
|
|
160
|
-
|
|
164
|
+
@stop_processing = true
|
|
161
165
|
end
|
|
162
166
|
else
|
|
163
167
|
resource_ids = parse_logical_resource_ids(stdout)
|
|
@@ -168,7 +172,7 @@ module Rule
|
|
|
168
172
|
logical_resource_ids: resource_ids)
|
|
169
173
|
|
|
170
174
|
if fatal
|
|
171
|
-
|
|
175
|
+
@stop_processing = true
|
|
172
176
|
end
|
|
173
177
|
end
|
|
174
178
|
end
|
data/lib/violation.rb
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
|
-
|
|
1
|
+
require 'json'
|
|
2
2
|
class Violation
|
|
3
3
|
WARNING = 'warning'
|
|
4
|
-
FATAL_VIOLATION = 'fatal violation'
|
|
5
4
|
FAILING_VIOLATION = 'failing violation'
|
|
6
5
|
|
|
7
6
|
attr_reader :type, :message, :logical_resource_ids, :violating_code
|
|
@@ -14,9 +13,21 @@ class Violation
|
|
|
14
13
|
@message = message
|
|
15
14
|
@logical_resource_ids = logical_resource_ids
|
|
16
15
|
@violating_code = violating_code
|
|
16
|
+
|
|
17
|
+
fail if @type.nil?
|
|
18
|
+
fail if @message.nil?
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
def to_s
|
|
20
22
|
puts "#{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
|
|
21
23
|
end
|
|
24
|
+
|
|
25
|
+
def to_h
|
|
26
|
+
{
|
|
27
|
+
type: @type,
|
|
28
|
+
message: @message,
|
|
29
|
+
logical_resource_ids: @logical_resource_ids,
|
|
30
|
+
violating_code: @violating_code
|
|
31
|
+
}
|
|
32
|
+
end
|
|
22
33
|
end
|