Merge pull request #76 from liamg/liamg-improve-output

Improve output

README.md

@@ -73,7 +73,7 @@ docker run --rm -it -v "$(pwd):/workdir" tfsec .
 ## Ignoring Warnings
 
 You may wish to ignore some warnings. If you'd like to do so, you can
-simply add a comment containing `tfsec:ignore:<CODE>` to the offending
+simply add a comment containing `tfsec:ignore:<RULE>` to the offending
 line in your templates. If the problem refers to a block of code, such
 as a multiline string, you can add the comment on the line above the
 block, by itself.
@@ -105,7 +105,7 @@ tfsec output for the line number of the discovered problem.
 Currently, checks are mostly limited to AWS/Azure/GCP resources, but
 there are also checks which are provider agnostic.
 
-| Code    | Provider | Description |
+| Rule    | Provider | Description |
 |---------|----------|-------------|
 | GEN001  | *        | Potentially sensitive data stored in "default" value of variable.
 | GEN002  | *        | Potentially sensitive data stored in local value.

go.mod

@@ -31,8 +31,6 @@ require (
 	github.com/liamg/clinch v1.0.0
 	github.com/liamg/tml v0.2.0
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
 	github.com/pelletier/go-toml v1.6.0 // indirect
 	github.com/prometheus/client_golang v1.2.1 // indirect

internal/app/tfsec/aws_acl_test.go

@@ -13,8 +13,8 @@ func Test_AWSACL(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_s3_bucket with acl=public-read",

internal/app/tfsec/aws_bucket_logging_test.go

@@ -13,8 +13,8 @@ func Test_AWSBucketLogging(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check bucket with logging disabled",

internal/app/tfsec/aws_classic_test.go

@@ -13,8 +13,8 @@ func Test_AWSClassicUsage(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name:                  "check aws_db_security_group",

internal/app/tfsec/aws_http_test.go

@@ -13,8 +13,8 @@ func Test_AWSPlainHTTP(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_alb_listener using plain HTTP",

internal/app/tfsec/aws_missing_description_for_security_group_test.go

@@ -13,8 +13,8 @@ func Test_AWSMissingDescriptionForSecurityGroup(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_security_group without description",

internal/app/tfsec/aws_not_internal_test.go

@@ -13,8 +13,8 @@ func Test_AWSNotInternal(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_alb when not internal",

internal/app/tfsec/aws_open_security_group_rule_test.go

@@ -13,8 +13,8 @@ func Test_AWSOpenSecurityGroupRule(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_security_group_rule ingress on 0.0.0.0/0",

internal/app/tfsec/aws_open_security_group_test.go

@@ -13,8 +13,8 @@ func Test_AWSOpenSecurityGroup(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_security_group ingress on 0.0.0.0/0",

internal/app/tfsec/aws_outdated_ssl_test.go

@@ -13,8 +13,8 @@ func Test_AWSOutdatedSSLPolicy(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_alb_listener with outdated policy",

internal/app/tfsec/aws_public_ip_test.go

@@ -13,8 +13,8 @@ func Test_AWSPublicIP(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_launch_configuration with public ip associated",

internal/app/tfsec/aws_public_test.go

@@ -13,8 +13,8 @@ func Test_AWSPublic(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_db_instance when publicly exposed",

internal/app/tfsec/aws_task_definition_includes_sensitive_data_test.go

@@ -13,8 +13,8 @@ func Test_AWSTaskDefinitionIncludesSensitiveData(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check aws_ecs_task_definition when sensitive env vars are included",

internal/app/tfsec/aws_unencrypted_block_device_test.go

@@ -13,8 +13,8 @@ func Test_AWSUnencryptedBlockDevice(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check no root_block_device configured in launch configuration",

internal/app/tfsec/aws_unencrypted_s3_bucket_test.go

@@ -13,8 +13,8 @@ func Test_AWSUnencryptedS3Bucket(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check no server_side_encryption_configuration aws_s3_bucket",

internal/app/tfsec/aws_unencrypted_sns_topic_test.go

@@ -13,8 +13,8 @@ func Test_AWSUnencryptedSNSTopic(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check no encryption key id specified for aws_sns_topic",

internal/app/tfsec/aws_unencrypted_sqs_queue_test.go

@@ -13,8 +13,8 @@ func Test_AWSUnencryptedSQSQueue(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check no encryption key id specified for aws_sqs_queue",

internal/app/tfsec/azurerm_open_network_security_rules_test.go

@@ -13,8 +13,8 @@ func Test_AzureOpenNetworkSecurityGroupRule(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check azurerm_network_security_rule inbound on 0.0.0.0/0",

internal/app/tfsec/azurerm_unencrypted_data_lake_store_test.go

@@ -13,8 +13,8 @@ func Test_AzureUnencryptedDataLakeStore(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check azurerm_data_lake_store with encryption disabled",

internal/app/tfsec/azurerm_unencrypted_managed_disk_test.go

@@ -13,8 +13,8 @@ func Test_AzureUnencryptedManagedDisk(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check azurerm_managed_disk with no encryption_settings",

internal/app/tfsec/azurerm_virtual_machine_with_password_authentication_test.go

@@ -13,8 +13,8 @@ func Test_AzureVMWithPasswordAuth(t *testing.T) {
 	var tests = []struct {
 		name                  string
 		source                string
-		mustIncludeResultCode scanner.CheckCode
-		mustExcludeResultCode scanner.CheckCode
+		mustIncludeResultCode scanner.RuleID
+		mustExcludeResultCode scanner.RuleID
 	}{
 		{
 			name: "check azurerm_virtual_machine with password auth",

internal/app/tfsec/checks/aws_acl.go

@@ -11,7 +11,7 @@ import (
 )
 
 // AWSBadBucketACL See https://github.com/liamg/tfsec#included-checks for check info
-const AWSBadBucketACL scanner.CheckCode = "AWS001"
+const AWSBadBucketACL scanner.RuleID = "AWS001"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -27,6 +27,7 @@ func init() {
 							fmt.Sprintf("Resource '%s' has an ACL which allows public read access.", block.Name()),
 							attr.Range(),
 							attr,
+							scanner.SeverityWarning,
 						),
 					}
 				}

internal/app/tfsec/checks/aws_bucket_logging.go

@@ -9,7 +9,7 @@ import (
 )
 
 // AWSNoBucketLogging See https://github.com/liamg/tfsec#included-checks for check info
-const AWSNoBucketLogging scanner.CheckCode = "AWS002"
+const AWSNoBucketLogging scanner.RuleID = "AWS002"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -22,6 +22,7 @@ func init() {
 					check.NewResult(
 						fmt.Sprintf("Resource '%s' does not have logging enabled.", block.Name()),
 						block.Range(),
+						scanner.SeverityError,
 					),
 				}
 			}

internal/app/tfsec/checks/aws_classic.go

@@ -9,7 +9,7 @@ import (
 )
 
 // AWSClassicUsage See https://github.com/liamg/tfsec#included-checks for check info
-const AWSClassicUsage scanner.CheckCode = "AWS003"
+const AWSClassicUsage scanner.RuleID = "AWS003"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -21,6 +21,7 @@ func init() {
 				check.NewResult(
 					fmt.Sprintf("Resource '%s' uses EC2 Classic. Use a VPC instead.", block.Name()),
 					block.Range(),
+					scanner.SeverityError,
 				),
 			}
 		},

internal/app/tfsec/checks/aws_http.go

@@ -10,7 +10,7 @@ import (
 )
 
 // AWSPlainHTTP See https://github.com/liamg/tfsec#included-checks for check info
-const AWSPlainHTTP scanner.CheckCode = "AWS004"
+const AWSPlainHTTP scanner.RuleID = "AWS004"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -40,6 +40,7 @@ func init() {
 						fmt.Sprintf("Resource '%s' uses plain HTTP instead of HTTPS.", block.Name()),
 						reportRange,
 						protocolAttr,
+						scanner.SeverityError,
 					),
 				}
 			}

internal/app/tfsec/checks/aws_missing_description_in_security_group.go

@@ -10,7 +10,7 @@ import (
 )
 
 // AWSNoDescriptionInSecurityGroup See https://github.com/liamg/tfsec#included-checks for check info
-const AWSNoDescriptionInSecurityGroup scanner.CheckCode = "AWS018"
+const AWSNoDescriptionInSecurityGroup scanner.RuleID = "AWS018"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -25,6 +25,7 @@ func init() {
 					check.NewResult(
 						fmt.Sprintf("Resource '%s' should include a description for auditing purposes.", block.Name()),
 						block.Range(),
+						scanner.SeverityError,
 					),
 				}
 			}
@@ -35,6 +36,7 @@ func init() {
 						fmt.Sprintf("Resource '%s' should include a non-empty description for auditing purposes.", block.Name()),
 						descriptionAttr.Range(),
 						descriptionAttr,
+						scanner.SeverityError,
 					),
 				}
 			}

internal/app/tfsec/checks/aws_not_internal.go

@@ -11,7 +11,7 @@ import (
 )
 
 // AWSExternallyExposedLoadBalancer See https://github.com/liamg/tfsec#included-checks for check info
-const AWSExternallyExposedLoadBalancer scanner.CheckCode = "AWS005"
+const AWSExternallyExposedLoadBalancer scanner.RuleID = "AWS005"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -24,6 +24,7 @@ func init() {
 					check.NewResult(
 						fmt.Sprintf("Resource '%s' is exposed publicly.", block.Name()),
 						block.Range(),
+						scanner.SeverityWarning,
 					),
 				}
 			} else if internalAttr.Type() == cty.Bool && internalAttr.Value().False() {
@@ -32,6 +33,7 @@ func init() {
 						fmt.Sprintf("Resource '%s' is exposed publicly.", block.Name()),
 						internalAttr.Range(),
 						internalAttr,
+						scanner.SeverityWarning,
 					),
 				}
 			}

internal/app/tfsec/checks/aws_open_security_group_rules.go

@@ -12,10 +12,10 @@ import (
 )
 
 // AWSOpenIngressSecurityGroupRule See https://github.com/liamg/tfsec#included-checks for check info
-const AWSOpenIngressSecurityGroupRule scanner.CheckCode = "AWS006"
+const AWSOpenIngressSecurityGroupRule scanner.RuleID = "AWS006"
 
 // AWSOpenEgressSecurityGroupRule See https://github.com/liamg/tfsec#included-checks for check info
-const AWSOpenEgressSecurityGroupRule scanner.CheckCode = "AWS007"
+const AWSOpenEgressSecurityGroupRule scanner.RuleID = "AWS007"
 
 func init() {
 	scanner.RegisterCheck(scanner.Check{
@@ -45,6 +45,7 @@ func init() {
 							check.NewResult(
 								fmt.Sprintf("Resource '%s' defines a fully open ingress security group rule.", block.Name()),
 								cidrBlocksAttr.Range(),
+								scanner.SeverityWarning,
 							),
 						}
 					}
@@ -84,6 +85,7 @@ func init() {
 								fmt.Sprintf("Resource '%s' defines a fully open egress security group rule.", block.Name()),
 								cidrBlocksAttr.Range(),
 								cidrBlocksAttr,
+								scanner.SeverityWarning,
 							),
 						}
 					}