This repo provides two Go utility scripts for handling the response from the gcloud scc iac-validation-reports create
command:
- SARIF converter
- Report validator
The SARIF Converter converts the response generated by the gcloud scc iac-validation-reports create
command to the industry-standard SARIF format. It takes the response from the gcloud command as input, converts it to SARIF, and writes the result to a file.
Example invocation of the script from the CLI:
```shell
go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
  --inputFilePath=IaCScanReport.json \
  --outputFilePath=IaCScanReport.sarif.json
```
where "IaCScanReport.json" is the report generated by the gcloud command and "IaCScanReport.sarif.json" is the name of the output file.
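To make the conversion concrete, here is an added example (written for this README, not the project's own SARIFConverter code) that turns a list of findings into a minimal SARIF 2.1.0 log. The page does not show the schema of the gcloud report, so the Finding struct, its JSON field names and the embedded sample report are assumptions constructed for the example; the SARIF side (version, $schema, tool.driver.rules, results with ruleId, level, message and logicalLocations) follows the real SARIF 2.1.0 structure. Severities are mapped onto SARIF's four result levels, and each distinct policy ID becomes one rule so SARIF viewers can group results by policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is a hypothetical, simplified view of one violation from the IaC
// validation report. The real gcloud output schema is not shown on this page,
// so these field names are assumptions made for this example only.
type Finding struct {
	PolicyID    string `json:"policyId"`
	Severity    string `json:"severity"` // CRITICAL, HIGH, MEDIUM or LOW
	AssetID     string `json:"assetId"`
	Description string `json:"description"`
}

// SARIF 2.1.0 structures, reduced to the fields this example emits.
type (
	SarifLog struct {
		Schema  string     `json:"$schema"`
		Version string     `json:"version"`
		Runs    []SarifRun `json:"runs"`
	}
	SarifRun struct {
		Tool    SarifTool     `json:"tool"`
		Results []SarifResult `json:"results"`
	}
	SarifTool            struct{ Driver SarifDriver `json:"driver"` }
	SarifDriver          struct {
		Name  string      `json:"name"`
		Rules []SarifRule `json:"rules"`
	}
	SarifRule            struct{ ID string `json:"id"` }
	SarifMessage         struct{ Text string `json:"text"` }
	SarifLogicalLocation struct{ FullyQualifiedName string `json:"fullyQualifiedName"` }
	SarifLocation        struct{ LogicalLocations []SarifLogicalLocation `json:"logicalLocations"` }
	SarifResult          struct {
		RuleID    string          `json:"ruleId"`
		Level     string          `json:"level"`
		Message   SarifMessage    `json:"message"`
		Locations []SarifLocation `json:"locations"`
	}
)

// SeverityToLevel maps scanner severities onto SARIF's result levels.
// Unknown severities become "warning" rather than being dropped, so no
// finding silently disappears from the converted report.
func SeverityToLevel(severity string) string {
	switch strings.ToUpper(severity) {
	case "CRITICAL", "HIGH":
		return "error"
	case "LOW":
		return "note"
	default: // MEDIUM and anything unrecognised
		return "warning"
	}
}

// ToSarif builds a single-run SARIF log: one rule per distinct policy ID and
// one result per finding, pointing at the affected asset as a logical location.
func ToSarif(findings []Finding) SarifLog {
	run := SarifRun{Tool: SarifTool{Driver: SarifDriver{Name: "gcloud scc iac-validation-reports"}}}
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.PolicyID] {
			seen[f.PolicyID] = true
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, SarifRule{ID: f.PolicyID})
		}
		run.Results = append(run.Results, SarifResult{
			RuleID:    f.PolicyID,
			Level:     SeverityToLevel(f.Severity),
			Message:   SarifMessage{Text: f.Description},
			Locations: []SarifLocation{{LogicalLocations: []SarifLogicalLocation{{FullyQualifiedName: f.AssetID}}}},
		})
	}
	return SarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []SarifRun{run}}
}

// ConvertJSON parses a JSON array of findings and returns the SARIF log as indented JSON.
func ConvertJSON(in []byte) ([]byte, error) {
	var findings []Finding
	if err := json.Unmarshal(in, &findings); err != nil {
		return nil, fmt.Errorf("parse findings: %w", err)
	}
	return json.MarshalIndent(ToSarif(findings), "", "  ")
}

// Constructed sample input standing in for IaCScanReport.json (not real scanner output).
const sampleReport = `[
  {"policyId": "storage-bucket-public-access", "severity": "CRITICAL", "assetId": "//storage.googleapis.com/example-bucket", "description": "Bucket is publicly readable"},
  {"policyId": "storage-bucket-public-access", "severity": "CRITICAL", "assetId": "//storage.googleapis.com/example-bucket-2", "description": "Bucket is publicly readable"},
  {"policyId": "compute-instance-serial-port", "severity": "LOW", "assetId": "//compute.googleapis.com/projects/p/zones/z/instances/vm-1", "description": "Serial port access enabled"}
]`

func main() {
	out, err := ConvertJSON([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

Running it prints the SARIF log for the three constructed findings: two results at level "error" under one rule and one at level "note" under another, which is what a SARIF-aware CI viewer needs to render and deduplicate the report.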
The Report Validator validates the response generated by gcloud scc iac-validation-reports create
against thresholds set by the "failure_expression" argument to the command. The command returns a success (exit(0)) or fail (exit(1)) code as the result of the validation. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters.
- The failure_expression argument to the command specifies how many issues of each severity are permitted, and also specifies how the issues are aggregated (either AND or OR). For example, if you want the validation to fail if it encounters one critical issue or one high severity issue, set the failure_expression to
  'Critical:1,High:1,Operator:OR'
- If no expression is passed to the script, the default criteria are used to perform this validation. The default criteria are
  'Critical:1,High:1,Medium:1,Low:1,Operator:OR'
  which means that if the IaC validation scan contains any violation of any severity, the validator will return a "fail" response.
Example invocation of the script from the CLI:
```shell
go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
  --inputFilePath=IaCScanReport.json --failure_expression=FAILURE_CRITERIA
```
where "IaCScanReport.json" is the report generated by the gcloud command and FAILURE_CRITERIA is the expression against which the IaCScanReport will be evaluated.
NOTE
- For "Operator", only the AND and OR operators are supported.
- Each expression should contain the operator exactly once.
- Each severity (Critical, High, Medium, Low) can be present in the expression at most once.
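The following is an added example, written for this README rather than taken from the project's ReportValidator, of how a failure_expression can be parsed, checked against the three rules in the NOTE above, and evaluated against per-severity finding counts. It assumes, consistent with the 'Critical:1,High:1,Operator:OR' example (which fails on a single critical or high finding), that a severity breaches its threshold when the report holds at least that many findings of it; OR fails when any listed severity breaches, AND only when all of them do. The Counts map and the sample counts in main are constructed for the example, and exit code 2 for a malformed expression is this example's own choice (the page only defines 0 and 1).

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// DefaultExpression is the criteria applied when no failure_expression is passed.
const DefaultExpression = "Critical:1,High:1,Medium:1,Low:1,Operator:OR"

// Counts holds the number of findings per severity in the report, keyed by
// the same names the expression uses (Critical, High, Medium, Low).
type Counts map[string]int

// FailureCriteria is a parsed failure_expression: a threshold per severity
// plus the operator that aggregates them.
type FailureCriteria struct {
	Thresholds map[string]int
	Operator   string
}

var knownSeverities = map[string]bool{"Critical": true, "High": true, "Medium": true, "Low": true}

// ParseFailureExpression parses text such as "Critical:1,High:1,Operator:OR"
// and enforces the README's rules: only AND/OR, the operator exactly once,
// each severity at most once. An empty expression yields the default criteria.
func ParseFailureExpression(expr string) (FailureCriteria, error) {
	if strings.TrimSpace(expr) == "" {
		expr = DefaultExpression
	}
	fc := FailureCriteria{Thresholds: map[string]int{}}
	for _, part := range strings.Split(expr, ",") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return fc, fmt.Errorf("malformed term %q: expected Key:Value", part)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if key == "Operator" {
			if fc.Operator != "" {
				return fc, fmt.Errorf("operator may appear only once")
			}
			if val != "AND" && val != "OR" {
				return fc, fmt.Errorf("unsupported operator %q: only AND and OR are allowed", val)
			}
			fc.Operator = val
			continue
		}
		if !knownSeverities[key] {
			return fc, fmt.Errorf("unknown severity %q", key)
		}
		if _, dup := fc.Thresholds[key]; dup {
			return fc, fmt.Errorf("severity %s may appear only once", key)
		}
		n, err := strconv.Atoi(val)
		if err != nil || n < 1 {
			return fc, fmt.Errorf("threshold for %s must be a positive integer, got %q", key, val)
		}
		fc.Thresholds[key] = n
	}
	if fc.Operator == "" {
		return fc, fmt.Errorf("expression must contain exactly one Operator term")
	}
	if len(fc.Thresholds) == 0 {
		return fc, fmt.Errorf("expression must contain at least one severity threshold")
	}
	return fc, nil
}

// Fails reports whether the counts breach the criteria. A severity breaches
// when the report holds at least its threshold of findings (assumption, see
// lead-in). OR fails on any breach; AND only when every listed severity breaches.
func (fc FailureCriteria) Fails(c Counts) bool {
	if fc.Operator == "AND" {
		for sev, th := range fc.Thresholds {
			if c[sev] < th {
				return false
			}
		}
		return true
	}
	for sev, th := range fc.Thresholds {
		if c[sev] >= th {
			return true
		}
	}
	return false
}

// ExitCode mirrors the validator's contract: 0 on pass, 1 on fail. Exit 2 for
// an invalid expression is this example's own convention, not the page's.
func ExitCode(expr string, c Counts) (int, error) {
	fc, err := ParseFailureExpression(expr)
	if err != nil {
		return 2, err
	}
	if fc.Fails(c) {
		return 1, nil
	}
	return 0, nil
}

func main() {
	// Constructed counts standing in for a parsed IaCScanReport.json.
	report := Counts{"Critical": 0, "High": 1, "Medium": 3, "Low": 7}
	expr := "Critical:1,High:1,Operator:OR"
	if len(os.Args) > 1 {
		expr = os.Args[1] // try e.g. "Critical:1,High:2,Operator:AND" to see a pass
	}
	code, err := ExitCode(expr, report)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid failure_expression:", err)
	}
	fmt.Printf("expression %q -> exit %d\n", expr, code)
	os.Exit(code)
}
```

With the constructed counts, the default expression and the OR example both exit 1 because a single high finding breaches High:1, whereas "Critical:1,High:2,Operator:AND" exits 0: AND requires every listed severity to breach, and neither Critical nor High does. Rejecting a malformed expression with its own exit code keeps a typo in the pipeline config from being read as a clean scan.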