Basic support for generic json document scanning #1598
)
for check, result in results.items():
    result_config = result["results_configuration"]
    start = result_config.start_mark.line
are we populating this var with a value somewhere?
Yes. This is using the json parser that is already in the codebase for terraform plans which captures line numbers along with the deserialized values. The custom checks should return the passing/failing configuration along with the check status. That configuration will have the start/end mark properties as a result of the tf plan parser. Does that make sense?
I was also wondering if you would want to do something like move the tf plan parser into common as a general JSON parser? There doesn't seem to be anything terraform specific about it, but I didn't want to move something like that without discussing it first.
I think it is the right thing to do. You'll need to rebase from master because we had a contribution with a performance enhancement there a day ago.
@schosterbarak I started pulling all of the json parsing out into
Very nice @BrentSouza !
Some minor comments
Thank you @BrentSouza, don't forget to apply for Hacktoberfest 👍 https://bridgecrew.io/blog/happy-hacktoberfest-2021/
Epic contribution @BrentSouza!!!! 🎉
My company is currently evaluating Bridgecrew and one of the things that we're looking for in a policy as code framework is the ability to scan arbitrary json input. The thinking here is that:
Using the json parser from the terraform plan implementation, this turns out to be pretty trivial to implement with a very basic feature set. This is a very quick first pass at providing the following functionality:
a.b.c[0]
I've tested this locally with some checks we would like to run against our internal GitLab repositories, which can help show how this feature is useful.
Two checks we would like to run are:
Here's an example of the MR approvals check:
Before we go much further with building this out, I wanted to get the checkov team's feedback on the concept of a generic json runner. Is this something that makes sense to include with the project?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
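Added example, not code from this PR or from checkov itself: a stdlib-only JSON reader that records a start/end line for every value (the property the review thread above relies on via `start_mark`), the dotted-path lookup (`a.b.c[0]`) listed in the description, and a constructed minimum-approvals check that reports the offending line range. The `SAMPLE` document, its field names and the `check_min_approvals` policy are assumptions for illustration, not real GitLab output or a real checkov check.

```python
import json, re
from collections import namedtuple

Node = namedtuple("Node", "value start_line end_line")  # decoded value + 1-based line range
_WS = re.compile(r"\s*")

def parse_with_lines(text, pos=0, dec=json.JSONDecoder()):
    """Walk one JSON value -> (Node, next_pos); containers tracked here, scalars via stdlib."""
    pos = _WS.match(text, pos).end()
    start = text.count("\n", 0, pos) + 1
    close = {"{": "}", "[": "]"}.get(text[pos])
    if close is None:  # string/number/bool/null: a JSON scalar never spans lines
        value, pos = dec.raw_decode(text, pos)
        return Node(value, start, start), pos
    value, pos = ({} if close == "}" else []), pos + 1
    while True:
        pos = _WS.match(text, pos).end()
        if text[pos] == close:
            return Node(value, start, text.count("\n", 0, pos) + 1), pos + 1
        if close == "}":
            key, pos = dec.raw_decode(text, pos)  # object key, then step past the ':'
            pos = text.index(":", pos) + 1
        child, pos = parse_with_lines(text, pos, dec)
        value.append(child) if close == "]" else value.__setitem__(key, child)
        pos = _WS.match(text, pos).end()
        if text[pos] == ",":
            pos += 1

def resolve(node, path):
    """Follow a dotted path such as a.b.c[0] through Nodes; None if any segment is missing."""
    for part in re.findall(r"\[\d+\]|[^.\[\]]+", path):
        key = int(part[1:-1]) if part.startswith("[") else part
        children = node.value if isinstance(node.value, (dict, list)) else {}
        try:
            node = children[key]
        except (KeyError, IndexError, TypeError):
            return None
    return node

def check_min_approvals(doc, path="merge_requests.approvals_required", minimum=2):
    """Constructed policy: integer at `path` must be >= minimum -> (status, start, end lines)."""
    node = resolve(doc, path)
    if node is not None and isinstance(node.value, int) and node.value >= minimum:
        return "PASSED", node.start_line, node.end_line
    target = node or doc  # blame the bad value, or the whole document when it is absent
    return "FAILED", target.start_line, target.end_line

SAMPLE = """{
  "merge_requests": {"approvals_required": 1, "approvers": ["alice", "bob"]}
}"""  # constructed input, not real GitLab output
```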