CCM-6245: TFSec Scanning

NHSDigital · Aug 20, 2024 · 553b7a6 · 553b7a6
1 parent 120308f
commit 553b7a6
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 8 deletions.
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
@@ -115,8 +115,8 @@ jobs:
     name: "TFSec Scan"
     runs-on: ubuntu-latest
     timeout-minutes: 2
-    needs: detect-terraform-changes
-    if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    # needs: detect-terraform-changes
+    # if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4

diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/tfsec.sh
@@ -4,6 +4,8 @@
 
 set -euo pipefail
 
+# TFSec command wrapper. It will run the command natively if TFSec is
+# installed, otherwise it will run it in a Docker container.
 # Run tfsec for security checks on Terraform code.
 #
 # Usage:
@@ -15,20 +17,23 @@ function main() {
   cd "$(git rev-parse --show-toplevel)"
 
   local dir_to_scan=${1:-.}
-  run-tfsec "$dir_to_scan"
+
+  if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    # shellcheck disable=SC2154
+    run-tfsec-natively "$dir_to_scan"
+  else
+    run-tfsec-in-docker "$dir_to_scan"
+  fi
 }
 
 # Run tfsec on the specified directory.
 # Arguments:
 #   $1 - Directory to scan
-function run-tfsec() {
+function run-tfsec-natively() {
 
   local dir_to_scan="$1"
 
-  if ! command -v tfsec &> /dev/null; then
-    echo "TFSec could not be found. Please install using 'asdf install tfsec'."
-    exit 1
-  fi
+  echo "TFSec found locally, running natively"
 
   echo "Running TFSec on directory: $dir_to_scan"
   tfsec \
@@ -53,8 +58,44 @@ function check-tfsec-status() {
   fi
 }
 
+function run-tfsec-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+  local dir_to_scan="$1"
+
+  # shellcheck disable=SC2155
+  local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  echo "TFSec not found locally, running in Docker Container"
+  echo "Running TFSec on directory: $dir_to_scan"
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    --workdir /workdir \
+    "$image" \
+        --concise-output \
+        --force-all-dirs \
+        --exclude-downloaded-modules \
+        --config-file ../config/tfsec.yaml \
+        --format text \
+        "$dir_to_scan"
+    check-tfsec-status
+}
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
 # ==============================================================================
 
+is-arg-true "${VERBOSE:-false}" && set -x
+
 main "$@"
 
 exit 0