Adds support for Helm v3 #377

Merged (9 commits), Nov 12, 2020
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -20,7 +20,7 @@ Detect compliance and security violations across Infrastructure as Code to mitig
## Features
* 500+ Policies for security best practices
* Scanning of Terraform 12+ (HCL2)
* Scanning of Kubernetes YAML/JSON
* Scanning of Kubernetes (JSON/YAML), and Helm v3
* Support for AWS, Azure, GCP, Kubernetes and GitHub

## Installing
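Review bot: the new bullet `* Scanning of Kubernetes (JSON/YAML), and Helm v3` has a stray comma before "and" in a two-item list; suggest `* Scanning of Kubernetes (JSON/YAML) and Helm v3`, which also keeps the bullet parallel with the Terraform line above it.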
33 changes: 28 additions & 5 deletions docs/getting-started.md
Expand Up @@ -101,7 +101,7 @@ By default Terrascan defaults to scanning Terraform HCL files, you can change th
$ terrascan scan -t k8s -i k8s
```

The `scan` command support flags to configure: the directory being scanned, scanning of a specific file, IaC provier type, path to policies, and policy type. The full list of flags can be found by typing `terrascan scan -h`
The `scan` command support flags to configure: the directory being scanned, scanning of a specific file, IaC provider type, path to policies, and policy type. The full list of flags can be found by typing `terrascan scan -h`

``` Bash
$ terrascan scan -h
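Review bot: the replacement line fixes "provier" but keeps the subject-verb disagreement in "The `scan` command support flags"; since the line is being touched anyway, suggest "The `scan` command supports flags to configure: the directory being scanned, scanning of a specific file, IaC provider type, path to policies, and policy type." and a full stop after `terrascan scan -h`.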
Expand All @@ -117,8 +117,8 @@ Flags:
-h, --help help for scan
-d, --iac-dir string path to a directory containing one or more IaC files (default ".")
-f, --iac-file string path to a single IaC file
-i, --iac-type string iac type (k8s, terraform)
--iac-version string iac version (k8s: v1, terraform: v12)
-i, --iac-type string iac type (helm, k8s, terraform)
--iac-version string iac version (helm: v3, k8s: v1, terraform: v12)
-p, --policy-path stringArray policy path directory
-t, --policy-type strings policy type (all, aws, azure, gcp, github, k8s) (default [all])
-r, --remote-type string type of remote backend (git, s3, gcs, http)
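Review bot: the updated `--iac-type` help now lists `helm`, but nothing in the help output tells the user which policy type applies to a chart; the Helm section added later in this same file scans with `-t k8s` because the templates are rendered into Kubernetes manifests. Consider making that pairing explicit in the help string, e.g. `iac type (helm, k8s, terraform; helm charts are rendered and checked with the k8s policies)`, or at least in the Helm section, so users do not combine `-i helm` with an unrelated policy type and get an empty result.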
Expand All @@ -136,6 +136,29 @@ By default Terrascan will output YAML. This can be changed to JSON or XML by usi

Terrascan will exit 3 if any issues are found.

#### Scanning code remotely

Terrascan can download and scan remote repositories/code sources by using the `-r` and `-u` flags. Here's and example:

``` Bash
$ terrascan scan -t aws -r git -u git@github.com:accurics/KaiMonkey.git//terraform/aws
```

The URLs for the remote should follow similar naming as the source argument for modules in Terraform. More details [here](https://www.terraform.io/docs/modules/sources.html).

#### Helm

Helm chart can be scanned by specifying "helm" on the -i flag as follows:

```
$ terrascan scan -t k8s -i helm
```

This command will recursively look for Chart.yaml files in the current directory and scans rendered .yaml, .yml, .tpl template files found under the corresponding /templates directory.

A specific directory to scan can be specified using the `-d` flag. The Helm IaC provider does not support scanning of individual files using the `-f` flag.


### CLI Output types
#### Violations
Terrascan's default output is a list of violations present in the scanned IaC.
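Review bot: the new Helm section says Terrascan scans the "rendered" template files but does not say which values are used for rendering (the chart's own `values.yaml` defaults, and whether there is any way to pass overrides); since violations are evaluated on the rendered manifests, the same chart can pass or fail depending on the values, so the docs should state this. Related: Helm treats files whose name starts with an underscore (e.g. `_helpers.tpl`) as partials that are not rendered into manifests, so "scans rendered .yaml, .yml, .tpl template files" should clarify whether those partials are excluded. Smaller points in the added lines: the fence under "#### Helm" is untagged while every other block in this file uses ``` Bash; "Here's and example" should be "Here's an example"; "Helm chart can be scanned" should be "Helm charts can be scanned"; and "look for Chart.yaml files ... and scans" should be "look for Chart.yaml files ... and scan".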
Expand All @@ -159,7 +182,7 @@ results:
total: 1
```
##### Resource Config
Terrascan while scanning the IaC, loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, it possible to print this resource configs list as an output by providing the `--config-only` flag to the `terrascan scan` command.
Terrascan while scanning the IaC, loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, it is possible to print this resource configs list as an output by providing the `--config-only` flag to the `terrascan scan` command.
``` Bash
$ terrascan scan -t aws --config-only
aws_ecr_repository:
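Review bot: the corrected line still reads awkwardly ("Terrascan while scanning the IaC, loads ..."); while it is being edited for the "it possible" typo, suggest "While scanning the IaC, Terrascan loads all the IaC files, creates a list of resource configs and then processes this list to report violations. For debugging purposes, it is possible to print this resource config list as output by providing the `--config-only` flag to the `terrascan scan` command."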
Expand Down Expand Up @@ -282,7 +305,7 @@ Transfer-Encoding: chunked
```

### Config File
The `-c` or `--config-path` global variable allows you to provide a TOML configuration file for Terrascan. This file can be use to configure the webhook notifications. Here's an example configuration:
The `-c` or `--config-path` global variable allows you to provide a TOML configuration file for Terrascan. This file can be used to configure the webhook notifications. Here's an example configuration:

``` TOML
[notifications]
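Review bot: `-c`/`--config-path` is a global flag, not a "global variable"; since the line is already being edited for the use/used typo, suggest "The `-c` or `--config-path` global flag allows you to provide a TOML configuration file for Terrascan."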
11 changes: 4 additions & 7 deletions go.mod
Expand Up @@ -18,14 +18,11 @@ require (
github.com/pkg/errors v0.9.1
github.com/spf13/afero v1.3.4
github.com/spf13/cobra v1.0.0
github.com/spf13/pflag v1.0.5 // indirect
github.com/zclconf/go-cty v1.2.1
go.uber.org/zap v1.10.0
golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
golang.org/x/tools v0.0.0-20201009162240-fcf82128ed91 // indirect
go.uber.org/zap v1.13.0
golang.org/x/tools v0.0.0-20201110030525-169ad6d6ecb2 // indirect
gopkg.in/src-d/go-git.v4 v4.13.1
gopkg.in/yaml.v2 v2.3.0
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
honnef.co/go/tools v0.0.1-2020.1.5 // indirect
helm.sh/helm/v3 v3.4.0
honnef.co/go/tools v0.0.1-2020.1.6 // indirect
)
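Review bot: besides adding `helm.sh/helm/v3 v3.4.0`, this hunk introduces a direct requirement on `gopkg.in/yaml.v2 v2.3.0` next to the existing `gopkg.in/yaml.v3`, and drops the `golang.org/x/net` and `golang.org/x/sys` indirect entries. Please confirm the result is the output of `go mod tidy` after the Helm import (the Helm SDK brings in a large transitive tree, so the removed indirect entries are presumably now satisfied through its own requirements) and that `go.sum` in this PR matches; if `yaml.v2` is not imported directly by Terrascan it should not appear as a direct requirement.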
36 changes: 36 additions & 0 deletions pkg/iac-providers/helm.go
@@ -0,0 +1,36 @@
/*
Copyright (C) 2020 Accurics, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package iacprovider

import (
"reflect"

helmv3 "github.com/accurics/terrascan/pkg/iac-providers/helm/v3"
)

// terraform specific constants
const (
helm supportedIacType = "helm"
helmV3 supportedIacVersion = "v3"
helmDefaultIacVersion = helmV3
)

// register helm as an IaC provider with terrascan
func init() {
// register iac provider
RegisterIacProvider(helm, helmV3, helmDefaultIacVersion, reflect.TypeOf(helmv3.HelmV3{}))
}
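Review bot: the comment `// terraform specific constants` above the const block is a copy-paste from the Terraform provider file; these constants describe the Helm provider, so it should read `// helm specific constants`. The registration itself mirrors the other providers (type, version, default version, implementation type), so no further changes needed here.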