Skip to content

feat(core): template validation after synthesis#23951

Merged
mergify[bot] merged 112 commits intomainfrom
otaviom/checkov-poc
Mar 27, 2023
Merged

feat(core): template validation after synthesis#23951
mergify[bot] merged 112 commits intomainfrom
otaviom/checkov-poc

Conversation

@otaviomacedo
Copy link
Copy Markdown
Contributor

@otaviomacedo otaviomacedo commented Feb 1, 2023
edited
Loading

Integrate policy as code tools into CDK synthesis via a plugin mechanism. Immediately after synthesis, the framework invokes all the registered plugins, collect the results and, if there are any violations, show a report to the user.

Application developers register plugins to a Stage:

const app = new App({
  validationPlugins: [
	new SomePolicyAgentPlugin(),
	new AnotherPolicyAgentPugin(),
  ]
});

Plugin authors must implement the IPolicyValidationPlugin interface. Hypothetical example of a CloudFormation Guard plugin:

export class CfnGuardValidator implements IPolicyValidationPlugin {
  public readonly name = 'cfn-guard-validator';
  constructor() {}

  validate(context: IPolicyValidationContext): PolicyValidationPluginReport {
    // execute the cfn-guard cli and get the JSON response from the tool
    const cliResultJson = executeCfnGuardCli();

    // parse the results and return the violations format
    // that the framework expects
    const violations = parseGuardResults(cliResultJson);

    // construct the report and return it to the framework
    // this is a vastly over simplified example that is only
    // meant to show the structure of the report that is returned
    return {
      success: false,
      violations: [{
        ruleName: violations.ruleName,
        recommendation: violations.recommendation,
        fix: violations.fix,
        violatingResources: [{
          resourceName: violations.resourceName,
          locations: violations.locations,
          templatePath: violations.templatePath,
        }],
      }],
    };
  }
}

Co-authored-by: corymhall 43035978+corymhall@users.noreply.github.com

@gitpod-io
Copy link
Copy Markdown

gitpod-io bot commented Feb 1, 2023

@github-actions github-actions bot added the p2 label Feb 1, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team February 1, 2023 11:17
@otaviomacedo otaviomacedo changed the title First draft First draft fo the Checkov plugin Feb 1, 2023
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 1, 2023
aws-cdk-automation
aws-cdk-automation previously requested changes Feb 1, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@otaviomacedo otaviomacedo changed the title First draft fo the Checkov plugin First draft of the Checkov plugin (proof of concept) Feb 1, 2023
@otaviomacedo otaviomacedo changed the title First draft of the Checkov plugin (proof of concept) Checkov and KICS plugins (proof of concept) Feb 7, 2023
corymhall
corymhall reviewed Feb 14, 2023
View reviewed changes
corymhall
corymhall reviewed Feb 21, 2023
View reviewed changes
corymhall
corymhall reviewed Mar 27, 2023
View reviewed changes
corymhall
corymhall reviewed Mar 27, 2023
View reviewed changes
otaviomacedo and others added 8 commits March 27, 2023 12:09
@otaviomacedo @corymhall
Update packages/@aws-cdk/core/README.md
cc4144c 
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@otaviomacedo @corymhall
Update packages/@aws-cdk/core/README.md
85e2e0d 
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@otaviomacedo @corymhall
Update packages/@aws-cdk/core/README.md
5c5a87c 
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@otaviomacedo @corymhall
Update packages/@aws-cdk/core/README.md
dbe5cc7 
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@otaviomacedo @corymhall
Apply suggestions from code review
3e73679 
Co-authored-by: Cory Hall <43035978+corymhall@users.noreply.github.com>
@corymhall
fixing build
f15a688
@corymhall
removing from feature flags
0a2e6b9
@corymhall
fixing build
3ef2a76
@iliapolo iliapolo added the pr/do-not-merge This PR should not be merged at this time. label Mar 27, 2023
@corymhall corymhall removed the pr/do-not-merge This PR should not be merged at this time. label Mar 27, 2023
@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Mar 27, 2023

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4746872
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Mar 27, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 20aeb0f into main Mar 27, 2023
@mergify mergify bot deleted the otaviom/checkov-poc branch March 27, 2023 20:55
corymhall added a commit that referenced this pull request Mar 28, 2023
@otaviomacedo @corymhall
feat(core): template validation after synthesis (#23951)
d94a48b 
Integrate policy as code tools into CDK synthesis via a plugin mechanism. Immediately after synthesis, the framework invokes all the registered plugins, collect the results and, if there are any violations, show a report to the user.

Application developers register plugins to a `Stage`:

```ts
const app = new App({
  validationPlugins: [
	new SomePolicyAgentPlugin(),
	new AnotherPolicyAgentPugin(),
  ]
});
```

Plugin authors must implement the `IPolicyValidationPlugin` interface. Hypothetical example of a CloudFormation Guard plugin:

```ts
export class CfnGuardValidator implements IPolicyValidationPlugin {
  public readonly name = 'cfn-guard-validator';
  constructor() {}

  validate(context: IPolicyValidationContext): PolicyValidationPluginReport {
    // execute the cfn-guard cli and get the JSON response from the tool
    const cliResultJson = executeCfnGuardCli();

    // parse the results and return the violations format
    // that the framework expects
    const violations = parseGuardResults(cliResultJson);

    // construct the report and return it to the framework
    // this is a vastly over simplified example that is only
    // meant to show the structure of the report that is returned
    return {
      success: false,
      violations: [{
        ruleName: violations.ruleName,
        recommendation: violations.recommendation,
        fix: violations.fix,
        violatingResources: [{
          resourceName: violations.resourceName,
          locations: violations.locations,
          templatePath: violations.templatePath,
        }],
      }],
    };
  }
}
```

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
corymhall added a commit that referenced this pull request Mar 28, 2023
@otaviomacedo @corymhall
feat(core): template validation after synthesis (#23951)
91d6509 
Integrate policy as code tools into CDK synthesis via a plugin mechanism. Immediately after synthesis, the framework invokes all the registered plugins, collect the results and, if there are any violations, show a report to the user.

Application developers register plugins to a `Stage`:

```ts
const app = new App({
  validationPlugins: [
	new SomePolicyAgentPlugin(),
	new AnotherPolicyAgentPugin(),
  ]
});
```

Plugin authors must implement the `IPolicyValidationPlugin` interface. Hypothetical example of a CloudFormation Guard plugin:

```ts
export class CfnGuardValidator implements IPolicyValidationPlugin {
  public readonly name = 'cfn-guard-validator';
  constructor() {}

  validate(context: IPolicyValidationContext): PolicyValidationPluginReport {
    // execute the cfn-guard cli and get the JSON response from the tool
    const cliResultJson = executeCfnGuardCli();

    // parse the results and return the violations format
    // that the framework expects
    const violations = parseGuardResults(cliResultJson);

    // construct the report and return it to the framework
    // this is a vastly over simplified example that is only
    // meant to show the structure of the report that is returned
    return {
      success: false,
      violations: [{
        ruleName: violations.ruleName,
        recommendation: violations.recommendation,
        fix: violations.fix,
        violatingResources: [{
          resourceName: violations.resourceName,
          locations: violations.locations,
          templatePath: violations.templatePath,
        }],
      }],
    };
  }
}
```

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
homakk pushed a commit to homakk/aws-cdk that referenced this pull request Mar 28, 2023
@otaviomacedo @corymhall @homakk
feat(core): template validation after synthesis (aws#23951)
7f1e706 
Integrate policy as code tools into CDK synthesis via a plugin mechanism. Immediately after synthesis, the framework invokes all the registered plugins, collect the results and, if there are any violations, show a report to the user.

Application developers register plugins to a `Stage`:

```ts
const app = new App({
  validationPlugins: [
	new SomePolicyAgentPlugin(),
	new AnotherPolicyAgentPugin(),
  ]
});
```

Plugin authors must implement the `IPolicyValidationPlugin` interface. Hypothetical example of a CloudFormation Guard plugin:

```ts
export class CfnGuardValidator implements IPolicyValidationPlugin {
  public readonly name = 'cfn-guard-validator';
  constructor() {}

  validate(context: IPolicyValidationContext): PolicyValidationPluginReport {
    // execute the cfn-guard cli and get the JSON response from the tool
    const cliResultJson = executeCfnGuardCli();

    // parse the results and return the violations format
    // that the framework expects
    const violations = parseGuardResults(cliResultJson);

    // construct the report and return it to the framework
    // this is a vastly over simplified example that is only
    // meant to show the structure of the report that is returned
    return {
      success: false,
      violations: [{
        ruleName: violations.ruleName,
        recommendation: violations.recommendation,
        fix: violations.fix,
        violatingResources: [{
          resourceName: violations.resourceName,
          locations: violations.locations,
          templatePath: violations.templatePath,
        }],
      }],
    };
  }
}
```

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
@deftomat deftomat mentioned this pull request Apr 25, 2023
Closed
@filletofish filletofish mentioned this pull request Jul 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iliapolo iliapolo iliapolo approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+2 more reviewers

@RichiCoder1 RichiCoder1 RichiCoder1 left review comments

@corymhall corymhall corymhall left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@otaviomacedo @aws-cdk-automation @iliapolo @RichiCoder1 @corymhall @SankyRed