diff --git a/pkg/iac-providers/kubernetes/v1/normalize.go b/pkg/iac-providers/kubernetes/v1/normalize.go
index 88ff6d91d..d81870bb7 100644
--- a/pkg/iac-providers/kubernetes/v1/normalize.go
+++ b/pkg/iac-providers/kubernetes/v1/normalize.go
@@ -29,7 +29,7 @@ import (
 )
 
 const (
-	terrascanSkip        = "terrascanSkip"
+	terrascanSkip        = "terrascan/skip"
 	terrascanSkipRule    = "rule"
 	terrascanSkipComment = "comment"
 	terrascanMaxSeverity = "terrascan/maxseverity"
@@ -172,13 +172,13 @@ func readSkipRulesFromAnnotations(annotations map[string]interface{}, resourceID
 		skipRules := make([]output.SkipRule, 0)
 		err := json.Unmarshal([]byte(rules), &skipRules)
 		if err != nil {
-			zap.S().Errorf("json string %s cannot be unmarshalled to []output.SkipRules struct schema", rules)
+			zap.S().Debugf("json string %s cannot be unmarshalled to []output.SkipRules struct schema", rules)
 			return nil
 		}
 		return skipRules
 	}
 
-	zap.S().Errorf("%s must be a string containing an json array like [{rule: ruleID, comment: reason for skipping}]", terrascanSkip)
+	zap.S().Debugf("%s must be a string containing an json array like [{rule: ruleID, comment: reason for skipping}]", terrascanSkip)
 	return nil
 }
 
diff --git a/pkg/iac-providers/kubernetes/v1/normalize_test.go b/pkg/iac-providers/kubernetes/v1/normalize_test.go
index 6c587ba11..425984227 100644
--- a/pkg/iac-providers/kubernetes/v1/normalize_test.go
+++ b/pkg/iac-providers/kubernetes/v1/normalize_test.go
@@ -56,7 +56,7 @@ kind: Pod
 metadata:
   name: myapp-pod
   annotations:
-    terrascanSkip: |
+    terrascan/skip: |
       [{"rule": "accurics.kubernetes.IAM.109", "comment": "reason to skip the rule"}]
 spec:
   containers:
@@ -68,7 +68,7 @@ kind: CRD
 metadata:
   generateName: myapp-pod-prefix-
   annotations:
-    terrascanSkip: |
+    terrascan/skip: |
       [{"rule": "accurics.kubernetes.IAM.109", "comment": "reason to skip the rule"}]
 spec:
   containers:
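Review bot: Downgrading both log calls in readSkipRulesFromAnnotations from Errorf to Debugf means a malformed `terrascan/skip` annotation is now silently ignored at the default log level: the rule is not skipped, the finding is reported as a violation, and the user gets no hint why unless debug logging is enabled. A mis-typed skip annotation is user error worth surfacing, so Warnf is the better level, and the unmarshal branch should carry the error itself, e.g. `zap.S().Warnf("json string %s cannot be unmarshalled to []output.SkipRules struct schema: %v", rules, err)`. The rename of the key from `terrascanSkip` to `terrascan/skip` also drops the old spelling with no transition: as far as the hunk shows, resources still annotated with `terrascanSkip` will have their skip rules ignored and their findings come back as violations; consider reading the legacy key for one release with a deprecation warning, or at least calling the break out in the changelog. The enclosing function starts before the hunk.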
@@ -414,7 +414,7 @@ func TestReadSkipRulesFromAnnotations(t *testing.T) {
 	}
 }
 
-func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
+func TestReadMinMaxSeverityFromAnnotations(t *testing.T) {
 	type args struct {
 		annotations map[string]interface{}
 		resourceID  string
@@ -438,7 +438,7 @@ func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
 		{
 			name: "min severity set to high",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/minseverity": "High",
+				terrascanMinSeverity: "High",
 			}},
 			wantMinSeverity: "High",
 			wantMaxSeverity: "",
@@ -446,7 +446,7 @@ func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
 		{
 			name: "max severity set to low",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "Low",
+				terrascanMaxSeverity: "Low",
 			}},
 			wantMinSeverity: "",
 			wantMaxSeverity: "Low",
@@ -454,15 +454,15 @@ func Test_readMinMaxSeverityFromAnnotations(t *testing.T) {
 		{
 			name: "max severity set to None",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "None"}},
+				terrascanMaxSeverity: "None"}},
 			wantMinSeverity: "",
 			wantMaxSeverity: "None",
 		},
 		{
 			name: "max severity set to low and Min severity set to high",
 			args: args{annotations: map[string]interface{}{
-				"terrascan/maxseverity": "LOw",
-				"terrascan/minseverity": "hiGh",
+				terrascanMaxSeverity: "LOw",
+				terrascanMinSeverity: "hiGh",
 			}},
 			wantMinSeverity: "hiGh",
 			wantMaxSeverity: "LOw",
diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
index e7d08239c..2811b2b9b 100644
--- a/pkg/policy/opa/engine.go
+++ b/pkg/policy/opa/engine.go
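Review bot: Replacing the literal `"terrascan/minseverity"` and `"terrascan/maxseverity"` keys in the table cases with `terrascanMinSeverity`/`terrascanMaxSeverity` makes the test share the constant with the implementation, so an accidental edit to the user-facing annotation key would no longer be caught here — the test passes against whatever the constant currently says. Keep at least one case per key spelled out as a literal, e.g. `"terrascan/maxseverity": "Low",` in the "max severity set to low" case, so the public annotation name stays pinned by a test. The rename from `Test_readMinMaxSeverityFromAnnotations` to `TestReadMinMaxSeverityFromAnnotations` is fine; the test function continues outside the hunk.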
@@ -303,7 +303,9 @@ func (e *Engine) reportViolation(regoData *RegoData, resource *output.ResourceCo
 	}
 
 	if !strings.EqualFold(resource.MaxSeverity, "none") {
-		// if both values are set then max severity will be applicable and it will also change according to resource config and min severity value
+		// if both values are set then max severity will be applicable
+		// if minseverity is also provided then it will be applied first and over that change maxseverity will be applied.
+		// eg. resource.Violation = medium -> minseverity = High -> resource.Violation = High -> maxseverity = Low -> resource.Violation = Low
 		if utils.MinSeverityApplicable(regoData.Metadata.Severity, resource.MinSeverity) {
 			violation.Severity = strings.ToUpper(resource.MinSeverity)
 		}
diff --git a/pkg/utils/severity.go b/pkg/utils/severity.go
index c21dea295..4b37d72d1 100644
--- a/pkg/utils/severity.go
+++ b/pkg/utils/severity.go
@@ -61,7 +61,7 @@ func CheckSeverity(ruleSeverity, desiredSeverity string) bool {
 
 // MinSeverityApplicable verifies if the severity of policy rule need to be changed to the minimum severity level
 func MinSeverityApplicable(ruleSeverity, minSeverity string) bool {
-	// this case will never arise added for safe checks
+	// this case will never arise, added for safe check
 	if !ValidateSeverityInput(minSeverity) {
 		return false
 	}
@@ -81,7 +81,7 @@ func MinSeverityApplicable(ruleSeverity, minSeverity string) bool {
 
 // MaxSeverityApplicable verifies if the severity of policy rule need to be changed to the maximum severity level
 func MaxSeverityApplicable(ruleSeverity, maxSeverity string) bool {
-	// this case will never arise added for safe checks
+	// this case will never arise, added for safe check
 	if !ValidateSeverityInput(maxSeverity) {
 		return false
 	}
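Review bot: The new example comment in reportViolation walks through `resource.Violation`, but the code directly below assigns `violation.Severity` and reads `regoData.Metadata.Severity`, so the example names a field the reader cannot find in the function; suggest `// e.g. rule severity Medium, minseverity High -> violation.Severity = HIGH; then maxseverity Low -> violation.Severity = LOW`. It would also help to say in the same comment that this branch is skipped entirely when maxseverity is `none` (the enclosing `if !strings.EqualFold(resource.MaxSeverity, "none")`), which is presumably handled elsewhere. The max-severity step the comment describes lies outside the hunk, and reportViolation starts before it.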
diff --git a/test/e2e/scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt b/test/e2e/scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt index 7801e971b..23b14933b 100644 --- a/test/e2e/scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt +++ b/test/e2e/scan/golden/resource_prioritising/max_severity_set/k8s/k8s_file_setting_max_severity.txt 
@@ -2,68 +2,13 @@ "results": { "violations": [ { - "rule_name": "imageWithLatestTag", - "description": "No tag or container image with :Latest tag makes difficult to rollback and track", - "rule_id": "AC-K8-OE-PO-L-0134", + "rule_name": "noHttps", + "description": "TLS disabled can affect the confidentiality of the data in transit", + "rule_id": "AC-K8-NS-IN-H-0020", "severity": "LOW", - "category": "Security Best Practices", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", - "file": "config.yaml", - "line": 1 - }, - { - "rule_name": "secCompProfile", - "description": "Default seccomp profile not enabled will make the container to make non-essential system calls", - "rule_id": "AC-K8-IA-PO-M-0141", - "severity": "LOW", - "category": "Identity and Access Management", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", - "file": "config.yaml", - "line": 1 - }, - { - "rule_name": "privilegeEscalationCheck", - "description": "Containers Should Not Run with AllowPrivilegeEscalation", - "rule_id": "AC-K8-CA-PO-H-0165", - "severity": "LOW", - "category": "Compliance Validation", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", - "file": "config.yaml", - "line": 1 - }, - { - "rule_name": "imageWithoutDigest", - "description": "Image without digest affects the integrity principle of image security", - "rule_id": "AC-K8-NS-PO-M-0133", - "severity": "LOW", - "category": "Infrastructure Security", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", - "file": "config.yaml", - "line": 1 - }, - { - "rule_name": "appArmorProfile", - "description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats", - "rule_id": "AC-K8-IA-PO-M-0135", - "severity": "LOW", - "category": "Identity and Access Management", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", - "file": "config.yaml", - "line": 1 - }, - { - 
"rule_name": "defaultNamespaceUsed", - "description": "The default namespace should not be used", - "rule_id": "accurics.kubernetes.OPS.460", - "severity": "LOW", - "category": "Operational Efficiency", - "resource_name": "backend-server", - "resource_type": "kubernetes_pod", + "category": "Network Security", + "resource_name": "ingress-demo-disallowed", + "resource_type": "kubernetes_ingress", "file": "config.yaml", "line": 1 } @@ -72,10 +17,10 @@ "scan_summary": { "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s", "iac_type": "k8s", - "scanned_at": "2021-05-24 11:19:12.941151 +0000 UTC", - "policies_validated": 607, - "violated_policies": 6, - "low": 6, + "scanned_at": "2021-05-26 08:22:49.108823 +0000 UTC", + "policies_validated": 7, + "violated_policies": 1, + "low": 1, "medium": 0, "high": 0 } diff --git a/test/e2e/scan/golden/resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt b/test/e2e/scan/golden/resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt index 0faaad2aa..bd3f0a62a 100644 --- a/test/e2e/scan/golden/resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt +++ b/test/e2e/scan/golden/resource_prioritising/max_severity_set/terraform/terraform_file_setting_max_severity.txt 
@@ -6,20 +6,7 @@ "description": "Ensure that your RDS database has IAM Authentication enabled.", "rule_id": "AWS.RDS.DataSecurity.High.0577", "severity": "LOW", - "category": "Data Protection", - "resource_name": "PtShGgAdi4", - "resource_type": "aws_db_instance", - "module_name": "root", - "file": "main.tf", - "plan_root": "./", - "line": 1 - }, - { - "rule_name": "dbInstanceLoggingDisabled", - "description": "Ensure AWS RDS instances have logging enabled.", - "rule_id": "AC_AWS_076", - "severity": "LOW", - "category": "Logging and Monitoring", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -32,7 +19,7 @@ "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.", "rule_id": "AWS.RDS.DataSecurity.High.0414", "severity": "LOW", - "category": "Data Protection", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -43,12 +30,12 @@ ], "skipped_violations": null, "scan_summary": { - "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set", + "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set/terraform", "iac_type": "terraform", - "scanned_at": "2021-05-21 13:44:04.418159 +0000 UTC", - "policies_validated": 607, - "violated_policies": 3, - "low": 3, + "scanned_at": "2021-05-26 08:32:20.553515 +0000 UTC", + "policies_validated": 7, + "violated_policies": 2, + "low": 2, "medium": 0, "high": 0 } 
diff --git a/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt b/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt index 53aa40e90..60d682e90 100644 --- a/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt +++ b/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/k8s/k8s_file_setting_max_severity_none.txt @@ -3,13 +3,13 @@ "violations": null, "skipped_violations": [ { - "rule_name": "noOwnerLabel", - "description": "No owner for namespace affects the operations", - "rule_id": "AC-K8-OE-NS-L-0128", - "severity": "LOW", - "category": "Security Best Practices", - "resource_name": "production", - "resource_type": "kubernetes_namespace", + "rule_name": "noHttps", + "description": "TLS disabled can affect the confidentiality of the data in transit", + "rule_id": "AC-K8-NS-IN-H-0020", + "severity": "HIGH", + "category": "Network Security", + "resource_name": "ingress-demo-disallowed", + "resource_type": "kubernetes_ingress", "file": "config.yaml", "line": 1 } @@ -17,8 +17,8 @@ "scan_summary": { "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s", "iac_type": "k8s", - "scanned_at": "2021-05-24 11:12:18.816109 +0000 UTC", - "policies_validated": 607, + "scanned_at": "2021-05-26 08:26:12.117853 +0000 UTC", + "policies_validated": 7, "violated_policies": 0, "low": 0, "medium": 0, diff --git a/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt b/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt index 04a7e5801..a85e17d93 100644 --- a/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt 
+++ b/test/e2e/scan/golden/resource_prioritising/max_severity_set_none/terraform/terraform_file_setting_max_severity_none.txt @@ -7,7 +7,7 @@ "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.", "rule_id": "AWS.RDS.DataSecurity.High.0414", "severity": "HIGH", - "category": "Data Protection", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -20,20 +20,7 @@ "description": "Ensure that your RDS database has IAM Authentication enabled.", "rule_id": "AWS.RDS.DataSecurity.High.0577", "severity": "HIGH", - "category": "Data Protection", - "resource_name": "PtShGgAdi4", - "resource_type": "aws_db_instance", - "module_name": "root", - "file": "main.tf", - "plan_root": "./", - "line": 1 - }, - { - "rule_name": "dbInstanceLoggingDisabled", - "description": "Ensure AWS RDS instances have logging enabled.", - "rule_id": "AC_AWS_076", - "severity": "MEDIUM", - "category": "Logging and Monitoring", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -43,10 +30,10 @@ } ], "scan_summary": { - "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none", + "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/terraform", "iac_type": "terraform", - "scanned_at": "2021-05-21 15:44:35.448128 +0000 UTC", - "policies_validated": 607, + "scanned_at": "2021-05-26 08:34:10.87025 +0000 UTC", + "policies_validated": 7, "violated_policies": 0, "low": 0, "medium": 0, 
diff --git a/test/e2e/scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt b/test/e2e/scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt index 70d74fa50..5c293bb8e 100644 --- a/test/e2e/scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt +++ b/test/e2e/scan/golden/resource_prioritising/min_severity_set/k8s/k8s_file_setting_min_severity.txt @@ -2,13 +2,13 @@ "results": { "violations": [ { - "rule_name": "noOwnerLabel", - "description": "No owner for namespace affects the operations", - "rule_id": "AC-K8-OE-NS-L-0128", + "rule_name": "noHttps", + "description": "TLS disabled can affect the confidentiality of the data in transit", + "rule_id": "AC-K8-NS-IN-H-0020", "severity": "HIGH", - "category": "Security Best Practices", - "resource_name": "production", - "resource_type": "kubernetes_namespace", + "category": "Network Security", + "resource_name": "ingress-demo-disallowed", + "resource_type": "kubernetes_ingress", "file": "config.yaml", "line": 1 } @@ -17,8 +17,8 @@ "scan_summary": { "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s", "iac_type": "k8s", - "scanned_at": "2021-05-24 11:04:50.218849 +0000 UTC", - "policies_validated": 607, + "scanned_at": "2021-05-26 09:17:52.348215 +0000 UTC", + "policies_validated": 7, "violated_policies": 1, "low": 0, "medium": 0, diff --git a/test/e2e/scan/golden/resource_prioritising/min_severity_set/terraform/terraform_file_setting_min_severity.txt b/test/e2e/scan/golden/resource_prioritising/min_severity_set/terraform/terraform_file_setting_min_severity.txt index 4082cd71f..fd7b1d325 100644 --- a/test/e2e/scan/golden/resource_prioritising/min_severity_set/terraform/terraform_file_setting_min_severity.txt +++ b/test/e2e/scan/golden/resource_prioritising/min_severity_set/terraform/terraform_file_setting_min_severity.txt 
@@ -6,7 +6,7 @@ "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.", "rule_id": "AWS.RDS.DataSecurity.High.0414", "severity": "HIGH", - "category": "Data Protection", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -19,20 +19,7 @@ "description": "Ensure that your RDS database has IAM Authentication enabled.", "rule_id": "AWS.RDS.DataSecurity.High.0577", "severity": "HIGH", - "category": "Data Protection", - "resource_name": "PtShGgAdi4", - "resource_type": "aws_db_instance", - "module_name": "root", - "file": "main.tf", - "plan_root": "./", - "line": 1 - }, - { - "rule_name": "dbInstanceLoggingDisabled", - "description": "Ensure AWS RDS instances have logging enabled.", - "rule_id": "AC_AWS_076", - "severity": "HIGH", - "category": "Logging and Monitoring", + "category": "Data Security", "resource_name": "PtShGgAdi4", "resource_type": "aws_db_instance", "module_name": "root", @@ -43,14 +30,14 @@ ], "skipped_violations": null, "scan_summary": { - "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/min_severity_set", + "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_prioritising/min_severity_set/terraform", "iac_type": "terraform", - "scanned_at": "2021-05-21 15:35:14.458679 +0000 UTC", - "policies_validated": 607, - "violated_policies": 3, + "scanned_at": "2021-05-26 08:35:52.681856 +0000 UTC", + "policies_validated": 7, + "violated_policies": 2, "low": 0, "medium": 0, - "high": 3 + "high": 2 } } } 
diff --git a/test/e2e/scan/golden/resource_skipping/kubernetes_file_resource_skipping.txt b/test/e2e/scan/golden/resource_skipping/kubernetes_file_resource_skipping.txt index 900816327..fd2c30da9 100644 --- a/test/e2e/scan/golden/resource_skipping/kubernetes_file_resource_skipping.txt +++ b/test/e2e/scan/golden/resource_skipping/kubernetes_file_resource_skipping.txt @@ -1,11 +1,24 @@ { "results": { "violations": null, - "skipped_violations": null, + "skipped_violations": [ + { + "rule_name": "noHttps", + "description": "TLS disabled can affect the confidentiality of the data in transit", + "rule_id": "AC-K8-NS-IN-H-0020", + "severity": "HIGH", + "category": "Network Security", + "skip_comment": "reason to skip the rule", + "resource_name": "ingress-demo-disallowed", + "resource_type": "kubernetes_ingress", + "file": "config.yaml", + "line": 1 + } + ], "scan_summary": { - "file/folder": "/Users/apple/go/src/github.com/patilpankaj212/terrascan/test/e2e/test_data/iac/resource_skipping/kubernetes", + "file/folder": "/Users/suvarna/go/src/github.com/rchanger/terrascan/test/e2e/test_data/iac/resource_skipping/kubernetes", "iac_type": "k8s", - "scanned_at": "2021-03-02 16:01:16.973652 +0000 UTC", + "scanned_at": "2021-05-26 08:16:33.670841 +0000 UTC", "policies_validated": 7, "violated_policies": 0, "low": 0, @@ -13,4 +26,4 @@ "high": 0 } } -} \ No newline at end of file +} diff --git a/test/e2e/scan/scan_rules_filtering_test.go b/test/e2e/scan/scan_rules_filtering_test.go index 422251dbf..f67beeb07 100644 --- a/test/e2e/scan/scan_rules_filtering_test.go +++ b/test/e2e/scan/scan_rules_filtering_test.go 
@@ -268,42 +268,42 @@ var _ = Describe("Scan command with rule filtering options", func() {
 		Context("resource max severity set to Low in tf files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "max_severity_set", "terraform")
 			It("should display violations with change priority to Low for the resource and exit with status code 3", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "terraform", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "terraform", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "max_severity_set", "terraform", "terraform_file_setting_max_severity.txt"), helper.ExitCodeThree, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
 		Context("resource min severity set to High in tf files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "min_severity_set", "terraform")
 			It("should display violations with change priority to High for the resource and exit with status code 3", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "terraform", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "terraform", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "min_severity_set", "terraform", "terraform_file_setting_min_severity.txt"), helper.ExitCodeThree, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
 		Context("resource max severity set to none in tf files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "max_severity_set_none", "terraform")
 			It("should skip all violations for the resource and exit with status code 0 since only one resource is in tf file", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "terraform", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "terraform", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "max_severity_set_none", "terraform", "terraform_file_setting_max_severity_none.txt"), helper.ExitCodeZero, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
 		Context("resource max severity set to Low in k8s files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "max_severity_set", "k8s")
 			It("should display violations with change priority to Low for the resource and exit with status code 3", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "k8s", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "k8s", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "max_severity_set", "k8s", "k8s_file_setting_max_severity.txt"), helper.ExitCodeThree, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
 		Context("resource min severity set to High in k8s files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "min_severity_set", "k8s")
 			It("should display violations with change priority to High for the resource and exit with status code 3", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "k8s", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "k8s", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "min_severity_set", "k8s", "k8s_file_setting_min_severity.txt"), helper.ExitCodeThree, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
 		Context("resource max severity set to none in k8s files", func() {
 			iacDir := filepath.Join(resourcePrioritisingIacRelPath, "max_severity_set_none", "k8s")
 			It("should skip all violations for the resource and exit with status code 0", func() {
-				scanArgs := []string{scanUtils.ScanCommand, "-i", "k8s", "-d", iacDir, "-o", "json"}
+				scanArgs := []string{"-p", policyDir, "-i", "k8s", "-d", iacDir, "-o", "json"}
 				scanUtils.RunScanAndAssertJSONOutput(terrascanBinaryPath, filepath.Join(resourcePrioritisingGoldenRelPath, "max_severity_set_none", "k8s", "k8s_file_setting_max_severity_none.txt"), helper.ExitCodeZero, false, true, outWriter, errWriter, scanArgs...)
 			})
 		})
diff --git a/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s/config.yaml b/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s/config.yaml
index b61c89dca..028159618 100644
--- a/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s/config.yaml
+++ b/test/e2e/test_data/iac/resource_prioritising/max_severity_set/k8s/config.yaml
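Review bot: The k8s min-severity Context still reads "resource min severity set to High" and its It expects the priority to change to High, but the fixture this commit rewrites (`test_data/iac/resource_prioritising/min_severity_set/k8s/config.yaml`) now sets `terrascan/minseverity: Medium` on an Ingress whose only finding, `AC-K8-NS-IN-H-0020`, is reported as HIGH even with no severity annotation (see the resource_skipping golden in this commit). The assertion therefore passes whether or not min-severity handling works, so the e2e coverage for the k8s bump is lost; either set the fixture's minseverity above the rule's native level or pick a rule whose native severity is below it, and update the Context/It text to match. Separately, replacing `scanUtils.ScanCommand` with `"-p", policyDir` in all six argument slices is correct only if RunScanAndAssertJSONOutput supplies the scan subcommand itself, which the hunk does not show — worth confirming. The enclosing Describe block starts before the hunk.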
@@ -1,40 +1,14 @@ -apiVersion: v1 -kind: Pod -metadata: - name: backend-server - labels: - tier: backend - app: goserver - annotations: - terrascan/maxseverity: Low +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: ingress-demo-disallowed + annotations: + terrascan/maxseverity: Low spec: - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: goserver - image: testgoserver - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - resources: - requests: - cpu: "1" - memory: "256Mi" - limits: - cpu: "1" - memory: "256Mi" - livenessProbe: - exec: - command: - - go - - version - periodSeconds: 10 - initialDelaySeconds: 10 - readinessProbe: - exec: - command: - - go - - version - periodSeconds: 10 - initialDelaySeconds: 10 \ No newline at end of file + rules: + - host: example-host.example.com + http: + paths: + - backend: + serviceName: nginx + servicePort: 80 \ No newline at end of file diff --git a/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s/config.yaml b/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s/config.yaml index 8ab385fdd..fe4e80a70 100644 --- a/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s/config.yaml +++ b/test/e2e/test_data/iac/resource_prioritising/max_severity_set_none/k8s/config.yaml @@ -1,9 +1,14 @@ -apiVersion: v1 -kind: Namespace +apiVersion: extensions/v1beta1 +kind: Ingress metadata: - name: production - labels: - "hey": test + name: ingress-demo-disallowed annotations: terrascan/maxseverity: None - \ No newline at end of file +spec: + rules: + - host: example-host.example.com + http: + paths: + - backend: + serviceName: nginx + servicePort: 80 \ No newline at end of file diff --git a/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s/config.yaml b/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s/config.yaml index de6da5a86..667bb87bc 100644 
--- a/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s/config.yaml +++ b/test/e2e/test_data/iac/resource_prioritising/min_severity_set/k8s/config.yaml @@ -1,9 +1,14 @@ -apiVersion: v1 -kind: Namespace +apiVersion: extensions/v1beta1 +kind: Ingress metadata: - name: production - labels: - "hey": test + name: ingress-demo-disallowed annotations: - terrascan/minseverity: High - \ No newline at end of file + terrascan/minseverity: Medium +spec: + rules: + - host: example-host.example.com + http: + paths: + - backend: + serviceName: nginx + servicePort: 80 \ No newline at end of file diff --git a/test/e2e/test_data/iac/resource_skipping/kubernetes/config.yaml b/test/e2e/test_data/iac/resource_skipping/kubernetes/config.yaml index 596d393a0..acdf2f6f9 100644 --- a/test/e2e/test_data/iac/resource_skipping/kubernetes/config.yaml +++ b/test/e2e/test_data/iac/resource_skipping/kubernetes/config.yaml @@ -1,8 +1,14 @@ -apiVersion: v1 -kind: Namespace +apiVersion: extensions/v1beta1 +kind: Ingress metadata: - name: production - labels: - "hey": + name: ingress-demo-disallowed annotations: - terrascanSkip: "[{\"rule\": \"AC-K8-OE-NS-L-0128\", \"comment\": \"reason to skip the rule\"}]" \ No newline at end of file + terrascan/skip: "[{\"rule\": \"AC-K8-NS-IN-H-0020\", \"comment\": \"reason to skip the rule\"}]" +spec: + rules: + - host: example-host.example.com + http: + paths: + - backend: + serviceName: nginx + servicePort: 80 \ No newline at end of file