feat: Add OPA tests to Github Actions (#535)

aquasecurity · Feb 25, 2021 · d286732 · d286732
1 parent 5dc1352
commit d286732
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/.github/workflows/pr-rules.yaml b/.github/workflows/pr-rules.yaml
@@ -29,5 +29,5 @@ jobs:
         run: make build
       - name: Build signatures
         run: make rules
-      - name: Test
-        run: make test
+      - name: Run Tests
+        run: make test DOCKER=1
diff --git a/tracee-rules/Dockerfile.builder b/tracee-rules/Dockerfile.builder
@@ -0,0 +1,4 @@
+FROM golang:1.15-buster as builder
+RUN DEBIAN_FRONTEND=noninteractive apt-get update -y && apt-get install -y --no-install-recommends curl && \
+    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.26.0/opa_linux_amd64 && chmod 755 /usr/bin/opa
+WORKDIR /tracee
diff --git a/tracee-rules/Makefile b/tracee-rules/Makefile
@@ -1,6 +1,9 @@
 .PHONY: all
 all: build rules
 
+CMD_DOCKER ?= docker
+CMD_GO ?= go
+CMD_OPA ?= opa
 OUT_DIR ?= dist
 OUT_BIN := $(OUT_DIR)/tracee-rules
 OUT_RULES := $(OUT_DIR)/rules
@@ -10,6 +13,7 @@ GOSIGNATURES_SRC := $(shell find $(GOSIGNATURES_DIR) -type f -name '*.go' ! -nam
 OUT_GOSIGNATURES := $(OUT_RULES)/builtin.so
 REGO_SIGNATURES_DIR ?= signatures/rego
 REGO_SIGNATURES_SRC := $(shell find $(REGO_SIGNATURES_DIR) -type f -name '*.rego' ! -name '*_test.rego' ! -path '$(REGO_SIGNATURES_DIR)/examples/*')
+DOCKER_BUILDER ?= tracee-rules-builder
 
 $(OUT_DIR):
 	mkdir -p $@
@@ -27,11 +31,38 @@ $(OUT_RULES): $(GOSIGNATURES_DIR) $(REGO_SIGNATURES_SRC) | $(OUT_DIR)
 	mkdir -p $(OUT_RULES)
 	go build -buildmode=plugin -o $(OUT_GOSIGNATURES) $(GOSIGNATURES_SRC)
 	cp $(REGO_SIGNATURES_SRC) $(OUT_RULES)
-
+
+check_%:
+	@command -v $* >/dev/null || (echo "missing required tool $*" ; false)
+
+tools = $(CMD_OPA) $(CMD_GO)
+.PHONY: $(tools)
+$(tools): % : check_%
+
 .PHONY: test
-test: $(GO_SRC)
+ifndef DOCKER
+test: $(GO_SRC) $(tools)
 	go test -v ./...
+	opa test . --verbose --ignore="examples" --ignore="dist"
+else
+test: $(DOCKER_BUILDER)
+	$(call docker_builder_make,$@)
+endif
 
 .PHONY: clean mostlyclean
 clean mostlyclean:
+	-$(CMD_DOCKER) rmi $(file < $(docker_builder_file))
 	-rm -rf $(OUT_DIR)
+
+# docker_builder_make runs a make command in the tracee-builder container
+define docker_builder_make
+	$(CMD_DOCKER) run --rm \
+	-v $(abspath .):/tracee/tracee-rules \
+	-w /tracee/tracee-rules \
+	--entrypoint make $(DOCKER_BUILDER) $(1)
+endef
+
+docker_builder_file := $(OUT_DIR)/$(DOCKER_BUILDER)
+.PHONY: $(DOCKER_BUILDER)
+$(DOCKER_BUILDER) $(docker_builder_file) &: Dockerfile.builder | $(OUT_DIR) check_$(CMD_DOCKER)
+	$(CMD_DOCKER) build -t $(DOCKER_BUILDER) --iidfile $(docker_builder_file) - < $<