support for credential scan #83
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ms-henglu
approved these changes
Feb 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
credscancommand will scan.tffiles under the target working directory, and build index based on given swagger repo if provided or download online index file if not provided, then match properties set inazapi_resourcein.tffiles and the corrspondingx-ms-secretmarked properties in swagger, fire error if these credential fields set inazapi_resource:sensitive: trueAnd the errors is saved in json/markdown format, specifically
armstrong_credscan_{date}/error.jsonandarmstrong_credscan_{data}/error.mdunder the working directory.example
[ { "file_name": "/home/xxx/projects/go/armstrong/hcl/testdata/test.tf", "resource_name": "azapi_resource.virtualMachine", "resource_type": "Microsoft.Compute/virtualMachines@2023-03-01", "property_name": "#.properties.osProfile.adminPassword", "error_message": "must use variable for secret field", "line_number": 108 }, { "file_name": "/home/xxx/projects/go/armstrong/hcl/testdata/test.tf", "resource_name": "azapi_resource.virtualMachine2", "resource_type": "Microsoft.Compute/virtualMachines@2023-03-01", "property_name": "#.properties.osProfile.adminPassword", "error_message": "variable \"password\" used in secret field but has a default value, please remove the default value", "line_number": 156 }, { "file_name": "/home/xxx/projects/go/armstrong/hcl/testdata/test.tf", "resource_name": "azapi_resource.virtualMachine2", "resource_type": "Microsoft.Compute/virtualMachines@2023-03-01", "property_name": "#.properties.osProfile.adminPassword", "error_message": "variable \"password\" used in secret field but is not marked as sensitive, please add \"sensitive: true\" for the variable", "line_number": 156 } ]current limitations:
To match azapi_resource and swagger model, we mock resource ID based on
azapi_resource.type, and then use mocked resource ID to find the swagger model. The resource ID is simply mocked by adding subscription and resource group prefix and then add customized resource names, e.g.,Microsoft.Network/virtualNetworkstosubscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/xxx. So in some cases the mocked resource ID is not correct, e.g.,Microsoft.Resources/resourceGroups. But this might be OK for we only cares about credential field, and most of these resource should be under resource group level.Only simple
variableusage can be processed. Other terraform grammer likemodule,for_each,dynamicblock or etc is not supported.