CCM-6245: TFSec Scanning

scripts/terraform/tfsec.sh

@@ -1,33 +1,59 @@
 #!/usr/bin/env bash
 
-# Check if tfsec is installed
-if ! command -v tfsec &> /dev/null; then
-    echo "tfsec could not be found, please install it first."
-    exit 1
-fi
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Run tfsec for security checks on Terraform code.
+#
+# Usage:
+#   $ ./tfsec.sh [directory]
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  local dir_to_scan=${1:-.}
+  run-tfsec "$dir_to_scan"
+}
 
-# Check if a directory was passed as an argument
-if [ "$#" -eq 1 ]; then
-    DIR_TO_SCAN="$1"
-elif [ "$#" -gt 1 ]; then
-    echo "Usage: $0 [directory]"
+# Run tfsec on the specified directory.
+# Arguments:
+#   $1 - Directory to scan
+function run-tfsec() {
+
+  local dir_to_scan="$1"
+
+  if ! command -v tfsec &> /dev/null; then
+    echo "tfsec could not be found, please install it first."
     exit 1
-fi
+  fi
 
-# Run tfsec
-echo "Running tfsec on directory: $DIR_TO_SCAN"
-tfsec \
+  echo "Running tfsec on directory: $dir_to_scan"
+  tfsec \
     --concise-output \
     --force-all-dirs \
     --exclude-downloaded-modules \
-    --config-file ../config/tfsec.yaml
-    "$DIR_TO_SCAN"
+    --config-file ../config/tfsec.yaml \
+    "$dir_to_scan"
+
+  check-tfsec-status
+}
 
+# Check the exit status of tfsec.
+function check-tfsec-status() {
 
-# Check the exit status of tfsec
-if [ $? -eq 0 ]; then
-    echo "tfsec completed successfully."
-else
-    echo "tfsec found issues."
+  if [ $? -eq 0 ]; then
+    echo "TFSec completed successfully."
+  else
+    echo "TFSec found issues."
     exit 1
-fi
+  fi
+}
+
+# ==============================================================================
+
+main "$@"
+
+exit 0