temp

tenable · May 3, 2021 · 9c4df1a · 9c4df1a
1 parent b999472
commit 9c4df1a
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 13 deletions.
diff --git a/atlantis/Dockerfile b/atlantis/Dockerfile
@@ -1,10 +1,12 @@
-FROM runatlantis/atlantis
-ENV DEFAULT_TERRASCAN_VERSION=1.5.0
+FROM runatlantis/atlantis:v0.16.1
+ENV DEFAULT_TERRASCAN_VERSION=1.5.1
 ENV PLANFILE tfplan
 ADD setup.sh terrascan.sh launch-atlantis.sh entrypoint.sh /usr/local/bin/
-RUN touch ${PLANFILE} && mkdir -p /etc/atlantis/ && /
-    chmod +x /usr/local/bin/setup.sh /usr/local/bin/terrascan.sh /usr/local/bin/launch-atlantis.sh /usr/local/bin/entrypoint.sh && /
+RUN mkdir -p /etc/atlantis/ && \
+    chmod +x /usr/local/bin/*.sh && \
     /usr/local/bin/setup.sh
 ADD terrascan-workflow.yaml /etc/atlantis/workflow.yaml
+USER atlantis
+RUN terrascan init
 ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
 CMD ["server"]
diff --git a/atlantis/data/terrascan-workflow.yaml b/atlantis/data/terrascan-workflow.yaml
@@ -0,0 +1,26 @@
+#   Copyright (C) 2020 Accurics, Inc.
+#
+#	  Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#		http://www.apache.org/licenses/LICENSE-2.0
+#
+#	  Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+repos:
+- id: "/.*/"
+  workflow: terrascan
+workflows:
+    terrascan:
+     plan:
+        steps:
+        - run: terraform init -input=false -no-color
+        - run: terraform workspace select -no-color $WORKSPACE
+        - run: terraform plan -input=false -refresh -no-color -out $PLANFILE
+        - run: terraform show -no-color -json $PLANFILE > ${PLANFILE}.json
+        - run: terrascan.sh
diff --git a/atlantis/entrypoint.sh b/atlantis/entrypoint.sh
@@ -30,7 +30,7 @@ function fetch_configfile() {
             else
                 eval var='$'$(( count + 1 ))
                 eval config_file="$var"
-                copy=$(echo "$@" | sed "s/-c//")
+                copy=$(echo "$@" | sed "s/ -c//")
                 copy=${copy/$config_file}
             fi
         fi

diff --git a/atlantis/launch-atlantis.sh b/atlantis/launch-atlantis.sh
@@ -72,12 +72,10 @@ to_exec=""
 
 lookup_repo_config_flag $@
 
-if [[ $flag != "true" ]] && [[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]] && [[ -f /etc/atlantis/terrascan_workflow.yaml ]]; then
-    echo "using the default repo-config"
+if [[ $flag != "true" ]] && [[ "$@" == *"atlantis"* ]] && [[ "$@" == *"server"* ]] && [[ -f /etc/atlantis/workflow.yaml ]]; then
     to_exec="$@ --repo-config=/etc/atlantis/workflow.yaml"
 else
     to_exec="$@"
 fi
 
-echo "executing command : $to_exec"
 exec $to_exec
diff --git a/atlantis/setup.sh b/atlantis/setup.sh
@@ -12,6 +12,8 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
+#!/bin/bash
+set -ex
 
 if [[ -z "${TERRASCAN_VERSION}" ]]; then
   TERRASCAN_VERSION=${DEFAULT_TERRASCAN_VERSION}

diff --git a/atlantis/terrascan.sh b/atlantis/terrascan.sh
@@ -15,10 +15,22 @@
 #!/bin/bash
 
 terrascan scan -i tfplan --iac-version v1 -f ${PLANFILE}.json -l error > output
+exitcode=$?
 
-#Formatting- create Terrascan block:
-sed -i '1s/^/<details><Summary>Terrascan Scan Results<\/Summary>\n\n```diff\n/' output
-#Close up original block
-sed -i '1s/^/```\n<\/details>\n/' output
+if [[ ! $exitcode -eq 0 ]]; then
+    echo
+    echo '- Terrascan identified IAC policy violations:'
+    echo
+    echo 'Scan Results:'
+    cat output
+    echo
+    echo '```'
+    echo '</details>'
+    echo '<p><strong>Further atlantis details below:</strong></p>'
+    echo '<details>'
+    echo
+    echo '```diff'
+    echo
+fi
 
-cat output
+exit $exitcode