cfn-nag 0.4.7 → 0.4.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/cfn_nag +2 -101
- data/bin/cfn_nag_scan +3 -103
- data/lib/cfn-nag.rb +1 -0
- data/lib/cfn-nag/cfn_nag.rb +12 -23
- data/lib/cfn-nag/cfn_nag_config.rb +30 -0
- data/lib/cfn-nag/cfn_nag_executor.rb +102 -0
- data/lib/cfn-nag/cli_options.rb +165 -0
- metadata +4 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6d85a44eca7647f151c4cdc8824e7ce8664eeafda1739cbdabeae094ba1a0831
|
|
4
|
+
data.tar.gz: 92375694b6b968bdc588229e7c4d50ae6feba4aeb05b4e7d450d1060444aa938
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a95e5fb81745dc369c348acbc0cf2a605e9638bf74a8586c20da8fbc0a1ad24a8d9734226f5cbc805a02edb2bf2b701453649cadad267047ada5ba935407eec4
|
|
7
|
+
data.tar.gz: 121fc4bdc07e51b00cf8fb7b33598a47af5b58b14f5f0f7056b122005b4ebd851feb5831750de0f29ac01187239e395d6cdf0d4460bd7fc7f636bedc351b96f1
|
data/bin/cfn_nag
CHANGED
|
@@ -1,110 +1,11 @@
|
|
|
1
1
|
#!/usr/bin/env ruby
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
-
require 'trollop'
|
|
5
4
|
require 'cfn-nag'
|
|
6
5
|
require 'logging'
|
|
7
6
|
require 'json'
|
|
8
7
|
require 'rubygems/specification'
|
|
9
8
|
|
|
10
|
-
|
|
11
|
-
opts = Trollop.options do
|
|
12
|
-
options_message = '[options] <cloudformation template path ...>|' \
|
|
13
|
-
'<cloudformation template in STDIN>'
|
|
14
|
-
custom_rule_exceptions_message = 'Isolate custom rule exceptions - ' \
|
|
15
|
-
'just emit the exception without stack ' \
|
|
16
|
-
' trace and keep chugging'
|
|
17
|
-
usage options_message
|
|
18
|
-
version Gem::Specification.find_by_name('cfn-nag').version
|
|
9
|
+
exec = CfnNagExecutor.new
|
|
19
10
|
|
|
20
|
-
|
|
21
|
-
'Enable debug output',
|
|
22
|
-
type: :boolean,
|
|
23
|
-
required: false,
|
|
24
|
-
default: false
|
|
25
|
-
opt :allow_suppression,
|
|
26
|
-
'Allow using Metadata to suppress violations',
|
|
27
|
-
type: :boolean,
|
|
28
|
-
required: false,
|
|
29
|
-
default: true
|
|
30
|
-
opt :print_suppression,
|
|
31
|
-
'Emit suppressions to stderr',
|
|
32
|
-
type: :boolean,
|
|
33
|
-
required: false,
|
|
34
|
-
default: false
|
|
35
|
-
opt :rule_directory,
|
|
36
|
-
'Extra rule directory',
|
|
37
|
-
type: :io,
|
|
38
|
-
required: false,
|
|
39
|
-
default: nil
|
|
40
|
-
opt :profile_path,
|
|
41
|
-
'Path to a profile file',
|
|
42
|
-
type: :io,
|
|
43
|
-
required: false,
|
|
44
|
-
default: nil
|
|
45
|
-
opt :blacklist_path,
|
|
46
|
-
'Path to a blacklist file',
|
|
47
|
-
type: :io,
|
|
48
|
-
required: false,
|
|
49
|
-
default: nil
|
|
50
|
-
opt :parameter_values_path,
|
|
51
|
-
'Path to a JSON file to pull Parameter values from',
|
|
52
|
-
type: :io,
|
|
53
|
-
required: false,
|
|
54
|
-
default: nil
|
|
55
|
-
opt :isolate_custom_rule_exceptions,
|
|
56
|
-
custom_rule_exceptions_message,
|
|
57
|
-
type: :boolean,
|
|
58
|
-
required: false,
|
|
59
|
-
default: false
|
|
60
|
-
opt :fail_on_warnings,
|
|
61
|
-
'Treat warnings as failing violations',
|
|
62
|
-
type: :boolean,
|
|
63
|
-
required: false,
|
|
64
|
-
default: false
|
|
65
|
-
end
|
|
66
|
-
# rubocop:enable Metrics/BlockLength
|
|
67
|
-
|
|
68
|
-
CfnNagLogging.configure_logging(opts)
|
|
69
|
-
|
|
70
|
-
profile_definition = nil
|
|
71
|
-
unless opts[:profile_path].nil?
|
|
72
|
-
profile_definition = IO.read(opts[:profile_path])
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
blacklist_definition = nil
|
|
76
|
-
unless opts[:blacklist_path].nil?
|
|
77
|
-
blacklist_definition = IO.read(opts[:blacklist_path])
|
|
78
|
-
end
|
|
79
|
-
|
|
80
|
-
parameter_values_string = nil
|
|
81
|
-
unless opts[:parameter_values_path].nil?
|
|
82
|
-
parameter_values_string = IO.read(opts[:parameter_values_path])
|
|
83
|
-
end
|
|
84
|
-
|
|
85
|
-
cfn_nag = CfnNag.new(
|
|
86
|
-
profile_definition: profile_definition,
|
|
87
|
-
blacklist_definition: blacklist_definition,
|
|
88
|
-
rule_directory: opts[:rule_directory],
|
|
89
|
-
allow_suppression: opts[:allow_suppression],
|
|
90
|
-
print_suppression: opts[:print_suppression],
|
|
91
|
-
isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions]
|
|
92
|
-
)
|
|
93
|
-
|
|
94
|
-
total_failure_count = 0
|
|
95
|
-
until ARGF.closed? || ARGF.eof?
|
|
96
|
-
results = cfn_nag.audit(cloudformation_string: ARGF.file.read,
|
|
97
|
-
parameter_values_string: parameter_values_string)
|
|
98
|
-
ARGF.close
|
|
99
|
-
|
|
100
|
-
total_failure_count += if opts[:fail_on_warnings]
|
|
101
|
-
results[:violations].length
|
|
102
|
-
else
|
|
103
|
-
results[:failure_count]
|
|
104
|
-
end
|
|
105
|
-
|
|
106
|
-
results[:violations] = results[:violations].map(&:to_h)
|
|
107
|
-
puts JSON.pretty_generate(results)
|
|
108
|
-
end
|
|
109
|
-
|
|
110
|
-
exit total_failure_count
|
|
11
|
+
exit exec.scan(options_type: 'file')
|
data/bin/cfn_nag_scan
CHANGED
|
@@ -1,113 +1,13 @@
|
|
|
1
1
|
#!/usr/bin/env ruby
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
-
require 'trollop'
|
|
5
4
|
require 'cfn-nag'
|
|
6
5
|
require 'logging'
|
|
7
6
|
require 'json'
|
|
8
7
|
require 'rubygems/specification'
|
|
9
8
|
|
|
10
|
-
|
|
11
|
-
opts = Trollop.options do
|
|
12
|
-
version Gem::Specification.find_by_name('cfn-nag').version
|
|
9
|
+
exec = CfnNagExecutor.new
|
|
13
10
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
'and *.template recursively, but can be constrained ' \
|
|
17
|
-
'by --template-pattern'
|
|
18
|
-
|
|
19
|
-
custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
|
|
20
|
-
'emit the exception without stack trace ' \
|
|
21
|
-
'and keep chugging'
|
|
22
|
-
|
|
23
|
-
template_pattern_message = 'Within the --input-path, match files to scan ' \
|
|
24
|
-
'against this regular expression'
|
|
25
|
-
|
|
26
|
-
opt :input_path,
|
|
27
|
-
input_path_message,
|
|
28
|
-
type: :io,
|
|
29
|
-
required: true
|
|
30
|
-
opt :output_format,
|
|
31
|
-
'Format of results: [txt, json]',
|
|
32
|
-
type: :string,
|
|
33
|
-
default: 'txt'
|
|
34
|
-
opt :debug,
|
|
35
|
-
'Enable debug output',
|
|
36
|
-
type: :boolean,
|
|
37
|
-
required: false,
|
|
38
|
-
default: false
|
|
39
|
-
opt :rule_directory,
|
|
40
|
-
'Extra rule directory',
|
|
41
|
-
type: :io,
|
|
42
|
-
required: false,
|
|
43
|
-
default: nil
|
|
44
|
-
opt :profile_path,
|
|
45
|
-
'Path to a profile file',
|
|
46
|
-
type: :io,
|
|
47
|
-
required: false,
|
|
48
|
-
default: nil
|
|
49
|
-
opt :blacklist_path,
|
|
50
|
-
'Path to a blacklist file',
|
|
51
|
-
type: :io,
|
|
52
|
-
required: false,
|
|
53
|
-
default: nil
|
|
54
|
-
opt :parameter_values_path,
|
|
55
|
-
'Path to a JSON file to pull Parameter values from',
|
|
56
|
-
type: :io,
|
|
57
|
-
required: false,
|
|
58
|
-
default: nil
|
|
59
|
-
opt :allow_suppression,
|
|
60
|
-
'Allow using Metadata to suppress violations',
|
|
61
|
-
type: :boolean,
|
|
62
|
-
required: false,
|
|
63
|
-
default: true
|
|
64
|
-
opt :print_suppression,
|
|
65
|
-
'Emit suppressions to stderr',
|
|
66
|
-
type: :boolean,
|
|
67
|
-
required: false,
|
|
68
|
-
default: false
|
|
69
|
-
opt :isolate_custom_rule_exceptions,
|
|
70
|
-
custom_rule_exceptions_message,
|
|
71
|
-
type: :boolean,
|
|
72
|
-
required: false,
|
|
73
|
-
default: false
|
|
74
|
-
opt :template_pattern,
|
|
75
|
-
template_pattern_message,
|
|
76
|
-
type: :string,
|
|
77
|
-
required: false,
|
|
78
|
-
default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
|
|
79
|
-
end
|
|
80
|
-
# rubocop:enable Metrics/BlockLength
|
|
81
|
-
|
|
82
|
-
unless %w[txt json].include?(opts[:output_format])
|
|
83
|
-
Trollop.die(:output_format,
|
|
84
|
-
'Must be txt or json')
|
|
85
|
-
end
|
|
86
|
-
|
|
87
|
-
CfnNagLogging.configure_logging(opts)
|
|
88
|
-
|
|
89
|
-
profile_definition = nil
|
|
90
|
-
unless opts[:profile_path].nil?
|
|
91
|
-
profile_definition = IO.read(opts[:profile_path])
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
blacklist_definition = nil
|
|
95
|
-
unless opts[:blacklist_path].nil?
|
|
96
|
-
blacklist_definition = IO.read(opts[:blacklist_path])
|
|
97
|
-
end
|
|
98
|
-
|
|
99
|
-
cfn_nag = CfnNag.new(
|
|
100
|
-
profile_definition: profile_definition,
|
|
101
|
-
blacklist_definition: blacklist_definition,
|
|
102
|
-
rule_directory: opts[:rule_directory],
|
|
103
|
-
allow_suppression: opts[:allow_suppression],
|
|
104
|
-
print_suppression: opts[:print_suppression],
|
|
105
|
-
isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions]
|
|
106
|
-
)
|
|
107
|
-
|
|
108
|
-
exit cfn_nag.audit_aggregate_across_files_and_render_results(
|
|
109
|
-
input_path: opts[:input_path],
|
|
110
|
-
output_format: opts[:output_format],
|
|
111
|
-
parameter_values_path: opts[:parameter_values_path],
|
|
112
|
-
template_pattern: opts[:template_pattern]
|
|
11
|
+
exit exec.scan(
|
|
12
|
+
options_type: 'scan'
|
|
113
13
|
)
|
data/lib/cfn-nag.rb
CHANGED
data/lib/cfn-nag/cfn_nag.rb
CHANGED
|
@@ -12,24 +12,9 @@ require 'cfn-model'
|
|
|
12
12
|
class CfnNag
|
|
13
13
|
include ViolationFiltering
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
blacklist_definition: nil,
|
|
18
|
-
rule_directory: nil,
|
|
19
|
-
allow_suppression: true,
|
|
20
|
-
print_suppression: false,
|
|
21
|
-
isolate_custom_rule_exceptions: false)
|
|
22
|
-
@rule_directory = rule_directory
|
|
23
|
-
@custom_rule_loader = CustomRuleLoader.new(
|
|
24
|
-
rule_directory: rule_directory,
|
|
25
|
-
allow_suppression: allow_suppression,
|
|
26
|
-
print_suppression: print_suppression,
|
|
27
|
-
isolate_custom_rule_exceptions: isolate_custom_rule_exceptions
|
|
28
|
-
)
|
|
29
|
-
@profile_definition = profile_definition
|
|
30
|
-
@blacklist_definition = blacklist_definition
|
|
15
|
+
def initialize(config:)
|
|
16
|
+
@config = config
|
|
31
17
|
end
|
|
32
|
-
# rubocop:enable Metrics/ParameterLists
|
|
33
18
|
|
|
34
19
|
##
|
|
35
20
|
# Given a file or directory path, emit aggregate results to stdout
|
|
@@ -48,7 +33,11 @@ class CfnNag
|
|
|
48
33
|
output_format: output_format)
|
|
49
34
|
|
|
50
35
|
aggregate_results.inject(0) do |total_failure_count, results|
|
|
51
|
-
|
|
36
|
+
if @config.fail_on_warnings
|
|
37
|
+
total_failure_count + results[:file_results][:violations].length
|
|
38
|
+
else
|
|
39
|
+
total_failure_count + results[:file_results][:failure_count]
|
|
40
|
+
end
|
|
52
41
|
end
|
|
53
42
|
end
|
|
54
43
|
|
|
@@ -87,7 +76,7 @@ class CfnNag
|
|
|
87
76
|
cfn_model = CfnParser.new.parse cloudformation_string,
|
|
88
77
|
parameter_values_string,
|
|
89
78
|
true
|
|
90
|
-
violations += @custom_rule_loader.execute_custom_rules(cfn_model)
|
|
79
|
+
violations += @config.custom_rule_loader.execute_custom_rules(cfn_model)
|
|
91
80
|
|
|
92
81
|
violations = filter_violations_by_blacklist_and_profile(violations)
|
|
93
82
|
violations = mark_line_numbers(violations, cfn_model)
|
|
@@ -115,15 +104,15 @@ class CfnNag
|
|
|
115
104
|
|
|
116
105
|
def filter_violations_by_blacklist_and_profile(violations)
|
|
117
106
|
violations = filter_violations_by_profile(
|
|
118
|
-
profile_definition: @profile_definition,
|
|
119
|
-
rule_definitions: @custom_rule_loader.rule_definitions,
|
|
107
|
+
profile_definition: @config.profile_definition,
|
|
108
|
+
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
120
109
|
violations: violations
|
|
121
110
|
)
|
|
122
111
|
|
|
123
112
|
# this must come after - blacklist should always win
|
|
124
113
|
violations = filter_violations_by_blacklist(
|
|
125
|
-
blacklist_definition: @blacklist_definition,
|
|
126
|
-
rule_definitions: @custom_rule_loader.rule_definitions,
|
|
114
|
+
blacklist_definition: @config.blacklist_definition,
|
|
115
|
+
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
127
116
|
violations: violations
|
|
128
117
|
)
|
|
129
118
|
violations
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
class CfnNagConfig
|
|
4
|
+
# rubocop:disable Metrics/ParameterLists
|
|
5
|
+
def initialize(profile_definition: nil,
|
|
6
|
+
blacklist_definition: nil,
|
|
7
|
+
rule_directory: nil,
|
|
8
|
+
allow_suppression: true,
|
|
9
|
+
print_suppression: false,
|
|
10
|
+
isolate_custom_rule_exceptions: false,
|
|
11
|
+
fail_on_warnings: false)
|
|
12
|
+
@rule_directory = rule_directory
|
|
13
|
+
@custom_rule_loader = CustomRuleLoader.new(
|
|
14
|
+
rule_directory: rule_directory,
|
|
15
|
+
allow_suppression: allow_suppression,
|
|
16
|
+
print_suppression: print_suppression,
|
|
17
|
+
isolate_custom_rule_exceptions: isolate_custom_rule_exceptions
|
|
18
|
+
)
|
|
19
|
+
@profile_definition = profile_definition
|
|
20
|
+
@blacklist_definition = blacklist_definition
|
|
21
|
+
@fail_on_warnings = fail_on_warnings
|
|
22
|
+
end
|
|
23
|
+
# rubocop:enable Metrics/ParameterLists
|
|
24
|
+
|
|
25
|
+
attr_reader :rule_directory
|
|
26
|
+
attr_reader :custom_rule_loader
|
|
27
|
+
attr_reader :profile_definition
|
|
28
|
+
attr_reader :blacklist_definition
|
|
29
|
+
attr_reader :fail_on_warnings
|
|
30
|
+
end
|
|
@@ -0,0 +1,102 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'trollop'
|
|
4
|
+
require 'cfn-nag/cli_options'
|
|
5
|
+
require 'cfn-nag/cfn_nag_config'
|
|
6
|
+
|
|
7
|
+
class CfnNagExecutor
|
|
8
|
+
def initialize
|
|
9
|
+
@profile_definition = nil
|
|
10
|
+
@blacklist_definition = nil
|
|
11
|
+
@parameter_values_string = nil
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def scan(options_type:)
|
|
15
|
+
options = Options.for(options_type)
|
|
16
|
+
validate_options(options)
|
|
17
|
+
execute_io_options(options)
|
|
18
|
+
|
|
19
|
+
CfnNagLogging.configure_logging(options)
|
|
20
|
+
|
|
21
|
+
cfn_nag = CfnNag.new(
|
|
22
|
+
config: cfn_nag_config(options)
|
|
23
|
+
)
|
|
24
|
+
|
|
25
|
+
options_type == 'scan' ? execute_aggregate_scan(cfn_nag, options) : execute_file_or_piped_scan(cfn_nag, options)
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
private
|
|
29
|
+
|
|
30
|
+
def execute_file_or_piped_scan(cfn_nag, opts)
|
|
31
|
+
total_failure_count = 0
|
|
32
|
+
until argf_finished?
|
|
33
|
+
results = cfn_nag.audit(cloudformation_string: argf_read,
|
|
34
|
+
parameter_values_string: @parameter_values_string)
|
|
35
|
+
argf_close
|
|
36
|
+
|
|
37
|
+
total_failure_count += if opts[:fail_on_warnings]
|
|
38
|
+
results[:violations].length
|
|
39
|
+
else
|
|
40
|
+
results[:failure_count]
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
results[:violations] = results[:violations].map(&:to_h)
|
|
44
|
+
puts JSON.pretty_generate(results)
|
|
45
|
+
end
|
|
46
|
+
total_failure_count
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def execute_aggregate_scan(cfn_nag, opts)
|
|
50
|
+
cfn_nag.audit_aggregate_across_files_and_render_results(
|
|
51
|
+
input_path: opts[:input_path],
|
|
52
|
+
output_format: opts[:output_format],
|
|
53
|
+
parameter_values_path: opts[:parameter_values_path],
|
|
54
|
+
template_pattern: opts[:template_pattern]
|
|
55
|
+
)
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def validate_options(opts)
|
|
59
|
+
unless opts[:output_format].nil? || %w[txt json].include?(opts[:output_format])
|
|
60
|
+
Trollop.die(:output_format,
|
|
61
|
+
'Must be txt or json')
|
|
62
|
+
end
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
def execute_io_options(opts)
|
|
66
|
+
unless opts[:profile_path].nil?
|
|
67
|
+
@profile_definition = IO.read(opts[:profile_path])
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
unless opts[:blacklist_path].nil?
|
|
71
|
+
@blacklist_definition = IO.read(opts[:blacklist_path])
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
unless opts[:parameter_values_path].nil?
|
|
75
|
+
@parameter_values_string = IO.read(opts[:parameter_values_path])
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def cfn_nag_config(opts)
|
|
80
|
+
CfnNagConfig.new(
|
|
81
|
+
profile_definition: @profile_definition,
|
|
82
|
+
blacklist_definition: @blacklist_definition,
|
|
83
|
+
rule_directory: opts[:rule_directory],
|
|
84
|
+
allow_suppression: opts[:allow_suppression],
|
|
85
|
+
print_suppression: opts[:print_suppression],
|
|
86
|
+
isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
|
|
87
|
+
fail_on_warnings: opts[:fail_on_warnings]
|
|
88
|
+
)
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
def argf_finished?
|
|
92
|
+
ARGF.closed? || ARGF.eof?
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
def argf_close
|
|
96
|
+
ARGF.close
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def argf_read
|
|
100
|
+
ARGF.file.read
|
|
101
|
+
end
|
|
102
|
+
end
|
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'trollop'
|
|
4
|
+
|
|
5
|
+
# rubocop:disable Metrics/ClassLength
|
|
6
|
+
class Options
|
|
7
|
+
@custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
|
|
8
|
+
'emit the exception without stack trace ' \
|
|
9
|
+
'and keep chugging'
|
|
10
|
+
|
|
11
|
+
@version = Gem::Specification.find_by_name('cfn-nag').version
|
|
12
|
+
|
|
13
|
+
def self.for(type)
|
|
14
|
+
case type
|
|
15
|
+
when 'file'
|
|
16
|
+
file_options
|
|
17
|
+
when 'scan'
|
|
18
|
+
scan_options
|
|
19
|
+
else
|
|
20
|
+
raise "Unsupported Options type #{type}; use 'file' or 'scan'"
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# rubocop:disable Metrics/BlockLength
|
|
25
|
+
# rubocop:disable Metrics/MethodLength
|
|
26
|
+
def self.file_options
|
|
27
|
+
options_message = '[options] <cloudformation template path ...>|' \
|
|
28
|
+
'<cloudformation template in STDIN>'
|
|
29
|
+
custom_rule_exceptions_message = @custom_rule_exceptions_message
|
|
30
|
+
version = @version
|
|
31
|
+
|
|
32
|
+
Trollop.options do
|
|
33
|
+
usage options_message
|
|
34
|
+
version version
|
|
35
|
+
|
|
36
|
+
opt :debug,
|
|
37
|
+
'Enable debug output',
|
|
38
|
+
type: :boolean,
|
|
39
|
+
required: false,
|
|
40
|
+
default: false
|
|
41
|
+
opt :allow_suppression,
|
|
42
|
+
'Allow using Metadata to suppress violations',
|
|
43
|
+
type: :boolean,
|
|
44
|
+
required: false,
|
|
45
|
+
default: true
|
|
46
|
+
opt :print_suppression,
|
|
47
|
+
'Emit suppressions to stderr',
|
|
48
|
+
type: :boolean,
|
|
49
|
+
required: false,
|
|
50
|
+
default: false
|
|
51
|
+
opt :rule_directory,
|
|
52
|
+
'Extra rule directory',
|
|
53
|
+
type: :io,
|
|
54
|
+
required: false,
|
|
55
|
+
default: nil
|
|
56
|
+
opt :profile_path,
|
|
57
|
+
'Path to a profile file',
|
|
58
|
+
type: :io,
|
|
59
|
+
required: false,
|
|
60
|
+
default: nil
|
|
61
|
+
opt :blacklist_path,
|
|
62
|
+
'Path to a blacklist file',
|
|
63
|
+
type: :io,
|
|
64
|
+
required: false,
|
|
65
|
+
default: nil
|
|
66
|
+
opt :parameter_values_path,
|
|
67
|
+
'Path to a JSON file to pull Parameter values from',
|
|
68
|
+
type: :io,
|
|
69
|
+
required: false,
|
|
70
|
+
default: nil
|
|
71
|
+
opt :isolate_custom_rule_exceptions,
|
|
72
|
+
custom_rule_exceptions_message,
|
|
73
|
+
type: :boolean,
|
|
74
|
+
required: false,
|
|
75
|
+
default: false
|
|
76
|
+
opt :fail_on_warnings,
|
|
77
|
+
'Treat warnings as failing violations',
|
|
78
|
+
type: :boolean,
|
|
79
|
+
required: false,
|
|
80
|
+
default: false
|
|
81
|
+
opt :output_format,
|
|
82
|
+
'Format of results: [txt, json]',
|
|
83
|
+
type: :string,
|
|
84
|
+
default: 'txt'
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
def self.scan_options
|
|
89
|
+
input_path_message = 'CloudFormation template to nag on or directory of ' \
|
|
90
|
+
'templates. Default is all *.json, *.yaml, *.yml ' \
|
|
91
|
+
'and *.template recursively, but can be constrained ' \
|
|
92
|
+
'by --template-pattern'
|
|
93
|
+
|
|
94
|
+
template_pattern_message = 'Within the --input-path, match files to scan ' \
|
|
95
|
+
'against this regular expression'
|
|
96
|
+
|
|
97
|
+
custom_rule_exceptions_message = @custom_rule_exceptions_message
|
|
98
|
+
version = @version
|
|
99
|
+
|
|
100
|
+
Trollop.options do
|
|
101
|
+
version version
|
|
102
|
+
opt :input_path,
|
|
103
|
+
input_path_message,
|
|
104
|
+
type: :io,
|
|
105
|
+
required: true
|
|
106
|
+
opt :output_format,
|
|
107
|
+
'Format of results: [txt, json]',
|
|
108
|
+
type: :string,
|
|
109
|
+
default: 'txt'
|
|
110
|
+
opt :debug,
|
|
111
|
+
'Enable debug output',
|
|
112
|
+
type: :boolean,
|
|
113
|
+
required: false,
|
|
114
|
+
default: false
|
|
115
|
+
opt :rule_directory,
|
|
116
|
+
'Extra rule directory',
|
|
117
|
+
type: :io,
|
|
118
|
+
required: false,
|
|
119
|
+
default: nil
|
|
120
|
+
opt :profile_path,
|
|
121
|
+
'Path to a profile file',
|
|
122
|
+
type: :io,
|
|
123
|
+
required: false,
|
|
124
|
+
default: nil
|
|
125
|
+
opt :blacklist_path,
|
|
126
|
+
'Path to a blacklist file',
|
|
127
|
+
type: :io,
|
|
128
|
+
required: false,
|
|
129
|
+
default: nil
|
|
130
|
+
opt :parameter_values_path,
|
|
131
|
+
'Path to a JSON file to pull Parameter values from',
|
|
132
|
+
type: :io,
|
|
133
|
+
required: false,
|
|
134
|
+
default: nil
|
|
135
|
+
opt :allow_suppression,
|
|
136
|
+
'Allow using Metadata to suppress violations',
|
|
137
|
+
type: :boolean,
|
|
138
|
+
required: false,
|
|
139
|
+
default: true
|
|
140
|
+
opt :print_suppression,
|
|
141
|
+
'Emit suppressions to stderr',
|
|
142
|
+
type: :boolean,
|
|
143
|
+
required: false,
|
|
144
|
+
default: false
|
|
145
|
+
opt :isolate_custom_rule_exceptions,
|
|
146
|
+
custom_rule_exceptions_message,
|
|
147
|
+
type: :boolean,
|
|
148
|
+
required: false,
|
|
149
|
+
default: false
|
|
150
|
+
opt :template_pattern,
|
|
151
|
+
template_pattern_message,
|
|
152
|
+
type: :string,
|
|
153
|
+
required: false,
|
|
154
|
+
default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
|
|
155
|
+
opt :fail_on_warnings,
|
|
156
|
+
'Treat warnings as failing violations',
|
|
157
|
+
type: :boolean,
|
|
158
|
+
required: false,
|
|
159
|
+
default: false
|
|
160
|
+
end
|
|
161
|
+
end
|
|
162
|
+
# rubocop:enable Metrics/BlockLength
|
|
163
|
+
# rubocop:enable Metrics/MethodLength
|
|
164
|
+
end
|
|
165
|
+
# rubocop:enable Metrics/ClassLength
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
@@ -151,7 +151,10 @@ files:
|
|
|
151
151
|
- lib/cfn-nag.rb
|
|
152
152
|
- lib/cfn-nag/blacklist_loader.rb
|
|
153
153
|
- lib/cfn-nag/cfn_nag.rb
|
|
154
|
+
- lib/cfn-nag/cfn_nag_config.rb
|
|
155
|
+
- lib/cfn-nag/cfn_nag_executor.rb
|
|
154
156
|
- lib/cfn-nag/cfn_nag_logging.rb
|
|
157
|
+
- lib/cfn-nag/cli_options.rb
|
|
155
158
|
- lib/cfn-nag/custom_rule_loader.rb
|
|
156
159
|
- lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
|
|
157
160
|
- lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
|