add terraform checkcov support

example-policy-org-demo · Mar 31, 2022 · d8623aa · d8623aa
1 parent ed14441
commit d8623aa
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,8 +2,22 @@ FROM ghcr.io/kyverno/kyverno-cli:1.6-dev-latest as kyverno-cli
 
 FROM alpine/k8s:1.20.7
 
-RUN apk add --no-cache yq
+RUN apk add --no-cache\ 
+  yq \
+  python3 \
+  python3-dev \
+  alpine-sdk \
+  libffi-dev \
+  py3-wheel \
+  go
+
+RUN GO11MODULE=on go get github.com/tmccombs/hcl2json
+
+COPY requirements.txt ./
+RUN pip install -r requirements.txt
+
 COPY --from=kyverno-cli /kyverno /usr/local/bin/kyverno
+
 COPY run.sh /usr/local/bin/run.sh
 
 ENV POLICY_VERSION=0.0.0

diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+checkov==2.0.1019
diff --git a/run.sh b/run.sh
@@ -2,19 +2,46 @@
 
 set -e
 
-echo "Checking policy version..."
+if test -f "kustomization.yaml"; then
+  echo "Found kustomization.yaml"
 
-FETCHED_POLICY_VERSION=$(yq eval '.commonLabels["mycompany.com/policy-version"]' kustomization.yaml)
+  echo "Checking policy version..."
 
-POLICY_VERSION="${FETCHED_POLICY_VERSION:=$POLICY_VERSION}"
+  FETCHED_POLICY_VERSION=$(yq eval '.commonLabels["mycompany.com/policy-version"]' kustomization.yaml)
 
-echo "Policy version: ${POLICY_VERSION}"
+  POLICY_VERSION="${FETCHED_POLICY_VERSION:=$POLICY_VERSION}"
 
-echo "Fetching Policy..."
+  echo "Policy version: ${POLICY_VERSION}"
 
-git clone --quiet --depth 1 --branch ${POLICY_VERSION} https://github.com/example-policy-org/policy.git /policy
+  echo "Fetching Policy..."
 
-echo "Policy fetched."
-echo "Running policy checker..."
+  git clone --quiet --depth 1 --branch ${POLICY_VERSION} https://github.com/example-policy-org/policy.git /policy
 
-kubectl kustomize . | kyverno apply  /policy/kubernetes/kyverno/*/policy.yaml --resource -
+  echo "Policy fetched."
+  echo "Running policy checker..."
+
+  kubectl kustomize . | kyverno apply  /policy/kubernetes/kyverno/*/policy.yaml --resource -
+fi
+
+
+if compgen -G "./*.tf" > /dev/null; then
+  echo "Found Terraform files"
+
+  echo "Checking policy version..."
+  hcl2tojson -s . /tmp/hcl2tojson
+
+  FETCHED_POLICY_VERSION=$(jq -n '[inputs]' /tmp/hcl2tojson/*.json | jq -r 'map(select(.variable))[].variable|map(select(.["mycompany.com/policy-version"]))[0]["mycompany.com/policy-version"].default[0]') 
+  POLICY_VERSION="${FETCHED_POLICY_VERSION:=$POLICY_VERSION}"
+
+  echo "Policy version: ${POLICY_VERSION}"
+
+  echo "Fetching Policy..."
+  git clone --quiet --depth 1 --branch ${POLICY_VERSION} https://github.com/example-policy-org/policy.git /policy
+
+  echo "Policy fetched."
+
+  echo "Running policy checker..."
+  checkov \
+    --config-file ../policy/infra/checkov/config.yaml \
+    --directory ./
+fi