Add support for tfsec Terraform linter (#4323)

2026-05-24 17:28:42 +08:00 · 2022-10-04 11:47:00 +09:00
parent 4094426c70
commit 14d2b261ce
11 changed files with 199 additions and 0 deletions
@@ -0,0 +1,87 @@
 " Description: tfsec for Terraform files
 "
 " See: https://www.terraform.io/
 "      https://github.com/aquasecurity/tfsec
 call ale#Set('terraform_tfsec_options', '')
 call ale#Set('terraform_tfsec_executable', 'tfsec')
 let s:separator = has('win32') ? '\' : '/'
 function! ale_linters#terraform#tfsec#Handle(buffer, lines) abort
    let l:output = []
    let l:json = ale#util#FuzzyJSONDecode(a:lines, {})
    " if there's no warning, 'result' is `null`.
    if empty(get(l:json, 'results'))
        return l:output
    endif
    for l:result in get(l:json, 'results', [])
        if l:result.severity is# 'LOW'
            let l:type = 'I'
        elseif l:result.severity is# 'CRITICAL'
            let l:type = 'E'
        else
            let l:type = 'W'
        endif
        call add(l:output, {
        \   'filename': l:result.location.filename,
        \   'lnum': l:result.location.start_line,
        \   'end_lnum': l:result.location.end_line,
        \   'text': l:result.description,
        \   'code': l:result.long_id,
        \   'type': l:type,
        \})
    endfor
    return l:output
 endfunction
 " Construct command arguments to tfsec with `terraform_tfsec_options`.
 function! ale_linters#terraform#tfsec#GetCommand(buffer) abort
    let l:cmd = '%e'
    let l:config = ale_linters#terraform#tfsec#FindConfig(a:buffer)
    if !empty(l:config)
        let l:cmd .= ' --config-file ' . l:config
    endif
    let l:opts = ale#Var(a:buffer, 'terraform_tfsec_options')
    if !empty(l:opts)
        let l:cmd .= ' ' . l:opts
    endif
    let l:cmd .= ' --format json'
    return l:cmd
 endfunction
 " Find the nearest configuration file of tfsec.
 function! ale_linters#terraform#tfsec#FindConfig(buffer) abort
    let l:config_dir = ale#path#FindNearestDirectory(a:buffer, '.tfsec')
    if !empty(l:config_dir)
        " https://aquasecurity.github.io/tfsec/v1.28.0/guides/configuration/config/
        for l:basename in ['config.yml', 'config.json']
            let l:config = ale#path#Simplify(join([l:config_dir, l:basename], s:separator))
            if filereadable(l:config)
                return ale#Escape(l:config)
            endif
        endfor
    endif
    return ''
 endfunction
 call ale#linter#Define('terraform', {
 \   'name': 'tfsec',
 \   'executable': {b -> ale#Var(b, 'terraform_tfsec_executable')},
 \   'cwd': '%s:h',
 \   'command': function('ale_linters#terraform#tfsec#GetCommand'),
 \   'callback': 'ale_linters#terraform#tfsec#Handle',
 \})
@@ -597,6 +597,7 @@ Notes:
  * `terraform-ls`
  * `terraform-lsp`
  * `tflint`
  * `tfsec`
 * Texinfo
  * `alex`
  * `cspell`
@@ -114,6 +114,25 @@ g:ale_terraform_tflint_options                 *g:ale_terraform_tflint_options*
  to include '-f json' in your new value.
 ===============================================================================
 tfsec                                                     *ale-terraform-tfsec*
 g:ale_terraform_tfsec_executable             *g:ale_terraform_tfsec_executable*
                                             *b:ale_terraform_tfsec_executable*
  Type: |String|
  Default: `'tfsec'`
  This variable can be changed to use a different executable for tfsec.
 g:ale_terraform_tfsec_options                *g:ale_terraform_tfsec_executable*
                                             *b:ale_terraform_tfsec_executable*
  Type: |String|
  Default: `''`
  This variable can be changed to pass custom CLI flags to tfsec.
 ===============================================================================
  vim:tw=78:ts=2:sts=2:sw=2:ft=help:norl:
@@ -3261,6 +3261,7 @@ documented in additional help files.
    terraform-ls..........................|ale-terraform-terraform-ls|
    terraform-lsp.........................|ale-terraform-terraform-lsp|
    tflint................................|ale-terraform-tflint|
    tfsec.................................|ale-terraform-tfsec|
  tex.....................................|ale-tex-options|
    chktex................................|ale-tex-chktex|
    cspell................................|ale-tex-cspell|
@@ -606,6 +606,7 @@ formatting.
  * [terraform-ls](https://github.com/hashicorp/terraform-ls)
  * [terraform-lsp](https://github.com/juliosueiras/terraform-lsp)
  * [tflint](https://github.com/wata727/tflint)
  * [tfsec](https://github.com/aquasecurity/tfsec)
 * Texinfo
  * [alex](https://github.com/get-alex/alex)
  * [cspell](https://github.com/streetsidesoftware/cspell/tree/main/packages/cspell)
@@ -0,0 +1,52 @@
 Before:
  runtime ale_linters/terraform/tfsec.vim
 After:
  call ale#linter#Reset()
 Execute(The tfsec handler should handle empty outout):
  AssertEqual
  \ [],
  \ ale_linters#terraform#tfsec#Handle(bufnr(''), ['{"results": null}'])
 Execute(The tfsec handler should parse results correctly):
  AssertEqual
  \ [
  \   {
  \     'filename': '/test/main.tf',
  \     'lnum': 10,
  \     'end_lnum': 12,
  \     'text': "IAM policy document uses sensitive action 'iam:PassRole' on wildcarded resource '*'",
  \     'code': 'aws-iam-no-policy-wildcards',
  \     'type': 'W',
  \   },
  \],
  \ ale_linters#terraform#tfsec#Handle(bufnr(''), json_encode(
  \ {
  \   "results": [
  \     {
  \       "rule_id": "AVD-AWS-0057",
  \       "long_id": "aws-iam-no-policy-wildcards",
  \       "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege",
  \       "rule_provider": "aws",
  \       "rule_service": "iam",
  \       "impact": "Overly permissive policies may grant access to sensitive resources",
  \       "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.",
  \       "links": [
  \         "https://aquasecurity.github.io/tfsec/v1.28.0/checks/aws/iam/no-policy-wildcards/",
  \         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document"
  \       ],
  \       "description": "IAM policy document uses sensitive action 'iam:PassRole' on wildcarded resource '*'",
  \       "severity": "HIGH",
  \       "warning": v:false,
  \       "status": 0,
  \       "resource": "data.aws_iam_policy_document.default",
  \       "location": {
  \          "filename": "/test/main.tf",
  \          "start_line": 10,
  \          "end_line": 12
  \       }
  \     }
  \   ]
  \ }
  \))
@@ -0,0 +1,38 @@
 Before:
  call ale#assert#SetUpLinterTest('terraform', 'tfsec')
 After:
  call ale#assert#TearDownLinterTest()
 Execute(The default command should be correct):
  AssertLinter 'tfsec', ale#Escape('tfsec') . ' --format json'
 Execute(The default executable should be configurable):
  let b:ale_terraform_tfsec_executable = '/usr/bin/tfsec'
  AssertLinter '/usr/bin/tfsec', ale#Escape('/usr/bin/tfsec') . ' --format json'
 Execute(Overriding options should work):
  let g:ale_terraform_tfsec_executable = '/usr/local/bin/tfsec'
  let g:ale_terraform_tfsec_options = '--minimum-severity MEDIUM'
  AssertLinter '/usr/local/bin/tfsec',
  \ ale#Escape('/usr/local/bin/tfsec') . ' --minimum-severity MEDIUM --format json'
 Execute(Configuration yml file should be found):
  call ale#test#SetFilename('../test-files/tfsec/yml/main.tf')
  AssertLinter 'tfsec',
  \ ale#Escape('tfsec')
  \   . ' --config-file '
  \   . ale#Escape(ale#path#Simplify(g:dir . '/../test-files/tfsec/yml/.tfsec/config.yml'))
  \   . ' --format json'
 Execute(Configuration json file should be found):
  call ale#test#SetFilename('../test-files/tfsec/json/main.tf')
  AssertLinter 'tfsec',
  \ ale#Escape('tfsec')
  \   . ' --config-file '
  \   . ale#Escape(ale#path#Simplify(g:dir . '/../test-files/tfsec/json/.tfsec/config.json'))
  \   . ' --format json'