feat(misconf): add ability to disable checks by ID
Signed-off-by: nikpivkin <[email protected]>
nikpivkin committed Sep 18, 2024
1 parent 7ca118f commit 701d6d1
Showing 4 changed files with 83 additions and 6 deletions.
4 changes: 4 additions & 0 deletions pkg/iac/rego/load.go
Expand Up @@ -295,6 +295,10 @@ func (s *Scanner) filterModules(retriever *MetadataRetriever) error {
continue
}

if _, disabled := s.disabledCheckIDs[meta.ID]; disabled {
continue
}

if len(meta.InputOptions.Selectors) == 0 {
s.logger.Warn(
"Module has no input selectors - it will be loaded for all inputs!",
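Review bot: A module skipped through `s.disabledCheckIDs` leaves no trace in the log, while the selector-less case a few lines below emits a Warn, so someone auditing why a finding disappeared from a scan has to guess whether a check was disabled or never loaded. A debug-level line before the `continue` on the disabled branch, written in whatever form the `s.logger.Warn(` call below takes and carrying `meta.ID`, would make the suppression observable without adding noise to normal runs. The lookup matches `meta.ID` only; the added test disables `TEST-001` rather than `AVD-TEST-001`, so it seems to be the `id` in the check's custom metadata, and a comment on the lookup saying so would save callers from passing the wrong identifier and silently disabling nothing. filterModules starts and ends outside the hunk.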
11 changes: 11 additions & 0 deletions pkg/iac/rego/options.go
Expand Up @@ -106,3 +106,14 @@ func WithCustomSchemas(schemas map[string][]byte) options.ScannerOption {
}
}
}

// WithDisabledCheckIDs disables checks by their ID (ID field in metadata)
func WithDisabledCheckIDs(ids ...string) options.ScannerOption {
return func(s options.ConfigurableScanner) {
if ss, ok := s.(*Scanner); ok {
for _, id := range ids {
ss.disabledCheckIDs[id] = struct{}{}
}
}
}
}
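Review bot: `WithDisabledCheckIDs` writes into `ss.disabledCheckIDs` without checking that the map is non-nil, so applying the option to a `Scanner` obtained any other way than through `NewScanner` (which this commit makes allocate the map) would panic on the first ID; `WithCustomSchemas` above runs past the top of the hunk, so I cannot tell whether it guards the same way. A lazy init before the loop keeps the option self-sufficient: `if ss.disabledCheckIDs == nil {` / `ss.disabledCheckIDs = make(map[string]struct{})` / `}`. The doc comment would also help callers if it said which identifier is matched — judging by the added test, the `id` in the check's custom metadata rather than `avd_id` — and that IDs with no matching check are ignored rather than reported, which the "disabling a non-existent check" case relies on.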
15 changes: 9 additions & 6 deletions pkg/iac/rego/scanner.go
Expand Up @@ -69,6 +69,8 @@ type Scanner struct {
embeddedLibs map[string]*ast.Module
embeddedChecks map[string]*ast.Module
customSchemas map[string][]byte

disabledCheckIDs map[string]struct{}
}

func (s *Scanner) SetIncludeDeprecatedChecks(b bool) {
Expand Down Expand Up @@ -109,12 +111,13 @@ func NewScanner(source types.Source, opts ...options.ScannerOption) *Scanner {
}

s := &Scanner{
regoErrorLimit: ast.CompileErrorLimitDefault,
sourceType: source,
ruleNamespaces: make(map[string]struct{}),
runtimeValues: addRuntimeValues(),
logger: log.WithPrefix("rego"),
customSchemas: make(map[string][]byte),
regoErrorLimit: ast.CompileErrorLimitDefault,
sourceType: source,
ruleNamespaces: make(map[string]struct{}),
runtimeValues: addRuntimeValues(),
logger: log.WithPrefix("rego"),
customSchemas: make(map[string][]byte),
disabledCheckIDs: make(map[string]struct{}),
}

maps.Copy(s.ruleNamespaces, builtinNamespaces)
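Review bot: The new `disabledCheckIDs` field in `Scanner` has no comment, and the blank line separating it from `customSchemas` suggests it is meant to be read as a distinct concern; a line such as `// disabledCheckIDs holds metadata IDs of checks that filterModules skips; populated by WithDisabledCheckIDs.` would say what the blank line only hints at. The second hunk in this section only reflows the `Scanner` literal in `NewScanner` for the longer field name and adds the `make`, which is what keeps the option in options.go from writing to a nil map. Both hunks sit inside definitions that start and end outside the view.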
59 changes: 59 additions & 0 deletions pkg/iac/rego/scanner_test.go
Expand Up @@ -1153,3 +1153,62 @@ deny {
})
}
}

func Test_RegoScanner_WithDisabledCheckIDs(t *testing.T) {

check := `# METADATA
# custom:
# id: TEST-001
# avd_id: AVD-TEST-001
# severity: LOW
# provider: aws
# service: s3
# short_code: test
package user.test
deny {
true
}
`

tests := []struct {
name string
disabledChecks []string
expected bool
}{
{
name: "no disabled checks",
expected: true,
},
{
name: "disable check by ID",
disabledChecks: []string{"TEST-001"},
},
{
name: "disabling a non-existent check",
disabledChecks: []string{"FOO"},
expected: true,
},
{
name: "one of the identifiers does not exist",
disabledChecks: []string{"FOO", "TEST-001"},
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
scanner := rego.NewScanner(
types.SourceYAML,
rego.WithPolicyNamespaces("user"),
rego.WithPolicyReader(strings.NewReader(check)),
rego.WithDisabledCheckIDs(tt.disabledChecks...),
)

require.NoError(t, scanner.LoadPolicies(nil))
results, err := scanner.ScanInput(context.TODO(), rego.Input{})
require.NoError(t, err)

require.Equal(t, tt.expected, len(results.GetFailed()) > 0)
})
}
}
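Review bot: With a single check in the policy, the cases where `expected` is false cannot distinguish "this ID was disabled" from "every check was dropped", so a regression that disables all modules would still pass; a case with two checks in `check` where only one ID is disabled, asserting the other still produces a failed result, would pin the selective behaviour. The two disabled cases also rely on the zero value of `expected`, and `require.Equal(t, tt.expected, len(results.GetFailed()) > 0)` compares two booleans; naming the field `wantFailed` and writing `wantFailed: false` explicitly in those cases reads more directly. Test_RegoScanner_WithDisabledCheckIDs lies entirely within the hunk.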
