constellation/bazel/ci/tfsec.sh.in

#!/usr/bin/env bash

###### script header ######

lib=$(realpath @@BASE_LIB@@) || exit 1
stat "${lib}" >> /dev/null || exit 1

# shellcheck source=../sh/lib.bash
if ! source "${lib}"; then
  echo "Error: could not find import"
  exit 1
fi

tfsec=$(realpath @@TFSEC@@)
stat "${tfsec}" >> /dev/null

cd "${BUILD_WORKSPACE_DIRECTORY}"

###### script body ######

readarray -t <<< "$(find "$(pwd)" -type f -name "*.tf" -exec dirname "{}" \; | sort -ud)"
terraformModules=("${MAPFILE[@]}")

excludeDirs=(
  "build"
)

echo "The following Terraform modules are excluded and won't be scanned with tfsec:"
for exclude in "${excludeDirs[@]}"; do
  for i in "${!terraformModules[@]}"; do
    if [[ ${terraformModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then
      echo "  ${terraformModules[i]}"
      unset 'terraformModules[i]'
    fi
  done
done

statuscode=0

for module in "${terraformModules[@]}"; do
  echo -n "Scanning Terraform module \"${module}\" with tfsec:"
  ${tfsec} \
    --concise-output \
    --exclude-downloaded-modules \
    --no-module-downloads \
    "${module}" || statuscode=$?
done

exit "${statuscode}"
bazel: add target for tfsec but don't include in //:check yet, there are to many false positives. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-17 06:54:47 -04:00			`#!/usr/bin/env bash`

bazel: improve script template resilience Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-29 08:13:26 -04:00			`###### script header ######`

bazel: add target for tfsec but don't include in //:check yet, there are to many false positives. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-17 06:54:47 -04:00			`lib=$(realpath @@BASE_LIB@@) \|\| exit 1`
bazel: improve script template resilience Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-29 08:13:26 -04:00			`stat "${lib}" >> /dev/null \|\| exit 1`
bazel: add target for tfsec but don't include in //:check yet, there are to many false positives. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-17 06:54:47 -04:00
			`# shellcheck source=../sh/lib.bash`
			`if ! source "${lib}"; then`
			`echo "Error: could not find import"`
			`exit 1`
			`fi`

bazel: improve script template resilience Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-29 08:13:26 -04:00			`tfsec=$(realpath @@TFSEC@@)`
			`stat "${tfsec}" >> /dev/null`

			`cd "${BUILD_WORKSPACE_DIRECTORY}"`

			`###### script body ######`
bazel: add target for tfsec but don't include in //:check yet, there are to many false positives. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-17 06:54:47 -04:00
			`readarray -t <<< "$(find "$(pwd)" -type f -name "*.tf" -exec dirname "{}" \; \| sort -ud)"`
			`terraformModules=("${MAPFILE[@]}")`

			`excludeDirs=(`
			`"build"`
			`)`

			`echo "The following Terraform modules are excluded and won't be scanned with tfsec:"`
			`for exclude in "${excludeDirs[@]}"; do`
			`for i in "${!terraformModules[@]}"; do`
			`if [[ ${terraformModules[i]} == "${BUILD_WORKSPACE_DIRECTORY}/${exclude}"* ]]; then`
			`echo " ${terraformModules[i]}"`
			`unset 'terraformModules[i]'`
			`fi`
			`done`
			`done`

			`statuscode=0`

			`for module in "${terraformModules[@]}"; do`
			`echo -n "Scanning Terraform module \"${module}\" with tfsec:"`
			`${tfsec} \`
			`--concise-output \`
			`--exclude-downloaded-modules \`
			`--no-module-downloads \`
			`"${module}" \|\| statuscode=$?`
			`done`

			`exit "${statuscode}"`