Merge pull request #39 from NHSDigital/feature/CCM-6245_TFSec_Scanning

Feature/CCM-6245 TFSec scanning
NHSDigital · Aug 21, 2024 · fac6cf9 · fac6cf9
2 parents 437e1a4 + c6ab5db
commit fac6cf9
Show file tree

Hide file tree

Showing 8 changed files with 217 additions and 1 deletion.
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
@@ -0,0 +1,10 @@
+name: Make Config Action
+description: Install dependencies and execute make config
+
+runs:
+  using: composite
+  steps:
+    - name: Install dependencies and execute make config
+      shell: bash
+      run: |
+        scripts/setup/setup.sh
diff --git a/.github/actions/tfsec/action.yaml b/.github/actions/tfsec/action.yaml
@@ -0,0 +1,17 @@
+name: "TFSec Scan"
+description: "Scan HCL using TFSec"
+runs:
+  using: "composite"
+  steps:
+    - name: "TFSec Scan - Components"
+      shell: bash
+      run: |
+        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
+          scripts/terraform/tfsec.sh $component
+        done
+    - name: "TFSec Scan - Modules"
+      shell: bash
+      run: |
+        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
+          scripts/terraform/tfsec.sh $module
+        done
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -77,15 +77,55 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  detect-terraform-changes:
+    name: "Detect Terraform Changes"
+    runs-on: ubuntu-latest
+    outputs:
+      terraform_changed: ${{ steps.check.outputs.terraform_changed }}
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+
+      - name: "Check for Terraform changes"
+        id: check
+        run: |
+          git fetch origin main || true  # Ensure you have the latest main branch
+          CHANGED_FILES=$(git diff --name-only HEAD origin/main)
+          echo "Changed files: $CHANGED_FILES"
+
+          if echo "$CHANGED_FILES" | grep -qE '\.tf$'; then
+            echo "Terraform files have changed."
+            echo "terraform_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "No Terraform changes detected."
+            echo "terraform_changed=false" >> $GITHUB_OUTPUT
+          fi
   lint-terraform:
     name: "Lint Terraform"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    needs: detect-terraform-changes
+    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
+  tfsec:
+    name: "TFSec Scan"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: detect-terraform-changes
+    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+      - name: "Setup ASDF"
+        uses: asdf-vm/actions/setup@v3
+      - name: "Perform Setup"
+        uses: ./.github/actions/setup
+      - name: "TFSec Scan"
+        uses: ./.github/actions/tfsec
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

diff --git a/.tool-versions b/.tool-versions
@@ -4,6 +4,7 @@ terraform 1.9.1
 pre-commit 3.6.0
 nodejs 18.18.2
 gitleaks 8.18.4
+tfsec 1.28.10
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -9,7 +9,7 @@
     "**/CVS": true,
     "**/Thumbs.db": true,
     ".devcontainer": true,
-    ".github": true,
+    ".github": false,
     ".vscode": false
   }
 }
diff --git a/scripts/config/tfsec.yaml b/scripts/config/tfsec.yaml
@@ -0,0 +1,2 @@
+---
+minimum_severity: MEDIUM
diff --git a/scripts/setup/setup.sh b/scripts/setup/setup.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Pre-Install dependencies and run make config on Github Runner.
+#
+# Usage:
+#   $ ./setup.sh
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  run-setup
+}
+
+function run-setup() {
+
+  sudo apt install bundler -y
+  time make config
+
+  check-setup-status
+}
+
+# Check the exit status of tfsec.
+function check-setup-status() {
+
+  if [ $? -eq 0 ]; then
+    echo "Setup completed successfully."
+  else
+    echo "Setup was unsuccessful."
+    exit 1
+  fi
+}
+
+# ==============================================================================
+
+main "$@"
+
+exit 0
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/tfsec.sh
@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/NHSDigital/nhs-notify-repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# TFSec command wrapper. It will run the command natively if TFSec is
+# installed, otherwise it will run it in a Docker container.
+# Run tfsec for security checks on Terraform code.
+#
+# Usage:
+#   $ ./tfsec.sh [directory]
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  local dir_to_scan=${1:-.}
+
+  if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    # shellcheck disable=SC2154
+    run-tfsec-natively "$dir_to_scan"
+  else
+    run-tfsec-in-docker "$dir_to_scan"
+  fi
+}
+
+# Run tfsec on the specified directory.
+# Arguments:
+#   $1 - Directory to scan
+function run-tfsec-natively() {
+
+  local dir_to_scan="$1"
+
+  echo "TFSec found locally, running natively"
+
+  echo "Running TFSec on directory: $dir_to_scan"
+  tfsec \
+    --concise-output \
+    --force-all-dirs \
+    --exclude-downloaded-modules \
+    --config-file scripts/config/tfsec.yaml \
+    --format text \
+    --soft-fail \
+    "$dir_to_scan"
+
+  check-tfsec-status
+}
+
+# Check the exit status of tfsec.
+function check-tfsec-status() {
+
+  if [ $? -eq 0 ]; then
+    echo "TFSec completed successfully."
+  else
+    echo "TFSec found issues."
+    exit 1
+  fi
+}
+
+function run-tfsec-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+  local dir_to_scan="$1"
+
+  # shellcheck disable=SC2155
+  local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  echo "TFSec not found locally, running in Docker Container"
+  echo "Running TFSec on directory: $dir_to_scan"
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    --workdir /workdir \
+    "$image" \
+        --concise-output \
+        --force-all-dirs \
+        --exclude-downloaded-modules \
+        --config-file scripts/config/tfsec.yaml \
+        --format text \
+        --soft-fail \
+        "$dir_to_scan"
+    check-tfsec-status
+}
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0