BAH-1615 | add. tfsec to pre-commit hooks

Co-authored-by: mradul1807 <[email protected]> Co-authored-by: Umair Fayaz <[email protected]>
IPLit · Apr 25, 2022 · b2ae53d · b2ae53d
1 parent 9841abe
commit b2ae53d
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -13,3 +13,7 @@ repos:
       name: TFLint
       language: script
       entry: ./tflint/tflint.sh
+    - id: tfsec
+      name: TFSec
+      language: script
+      entry: ./tfsec/tfsec.sh
diff --git a/tfsec/tfsec.sh b/tfsec/tfsec.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+SCRIPT_PATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRECTORY=$(dirname "$SCRIPT_PATH")
+GREEN_COLOR="\033[1;32m"
+YELLOW_COLOR="\033[1;33m"
+NO_COLOR="\033[0m"
+
+run_scan(){
+    folder=$1
+
+    cd $folder
+    if [[ $GITHUB_ACTIONS ]]
+    then
+        terraform init -backend=false
+    fi
+
+    echo -e "${GREEN_COLOR}TFSec Scanning $folder....$NO_COLOR"
+    tfsec --config-file $SCRIPT_DIRECTORY/tfsec.yml --tfvars-file=terraform.tfvars --verbose
+
+    cd - > /dev/null
+    echo -e "\n"
+}
+
+run_scan terraform/shared
+for folder in terraform/environment/*
+do
+    run_scan $folder
+done;
diff --git a/tfsec/tfsec.yml b/tfsec/tfsec.yml
@@ -0,0 +1,7 @@
+exclude:
+  - aws-eks-no-public-cluster-access          # Cluster Public access for deploying from Github CI
+  - aws-eks-no-public-cluster-access-to-cidr  # Cluster Public access for deploying from Github CI
+  - aws-eks-encrypt-secrets                   # Secret Encryption
+  - aws-rds-enable-performance-insights       # Performance insights are optional and costs additionaly
+  - aws-vpc-no-public-egress-sgr              # External access by instances to the internet
+  - aws-vpc-no-public-ingress-sgr             # Public access from anywhere to bastion host