BAH-1566 | add. terrascan to pre-commit hook

Co-authored-by: Umair Fayaz <[email protected]>
IPLit · Apr 18, 2022 · e8bc2cd · e8bc2cd
1 parent ca1a8d3
commit e8bc2cd
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,3 +3,9 @@ repos:
   rev: v0.1.17
   hooks:
     - id: terraform-fmt
+- repo: local
+  hooks:
+    - id: terrascan
+      name: Terrascan
+      language: script
+      entry : ./terrascan/terrascan.sh
diff --git a/README.md b/README.md
@@ -18,7 +18,11 @@ This is a one-time setup that needs to be run only when the repo is cloned.
         pip install pre-commit 
         (or)
         brew install pre-commit
-2. Initialise pre-commit hooks
+2. Install pre-commit dependencies
+
+      - [terrascan](https://github.com/accurics/terrascan)
+
+3. Initialise pre-commit hooks
 
         pre-commit install --install-hooks
 

diff --git a/terrascan/terrascan-config.yaml b/terrascan/terrascan-config.yaml
@@ -0,0 +1,3 @@
+rules:
+  skip-rules:
+    - AC_AWS_0480   # Skips validation of detailed monitoring for EC2 Instances
diff --git a/terrascan/terrascan.sh b/terrascan/terrascan.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Terrascan scan and save output to scan_results
+scan_results="$(terrascan scan --config-path terrascan/terrascan-config.yaml --iac-type terraform)"
+
+# Get scan summary from scan_results
+scan_summary=$(echo "$scan_results" | sed -n -e '/Scan Summary -/,$p')
+
+#Extract values from scan_summary
+low_level_violations=$(grep "Low" <<< "$scan_summary" | grep -o -E "[0-9]+")
+medium_level_violations=$(grep "Medium" <<< "$scan_summary" | grep -o -E "[0-9]+")
+high_level_violations=$(grep "High" <<< "$scan_summary" | grep -o -E "[0-9]+") 
+
+#Show Scan Output
+echo "$scan_results"
+
+#Check for violations
+if [[ $high_level_violations -gt 0 ]]
+then
+    echo "High Level Voilations Found"
+    exit 1
+fi
+echo "No Violations found"
+exit 0