#!/usr/bin/env bash
# Checkov
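#######################################
# Run Checkov against every test case (each directory that holds a main.tf).
# Globals:   PWD (read) - must be the repository root when called.
# Outputs:   version_checkov.txt in the current directory and
#            checkov_results.txt in every test case directory that does not
#            already have one (existing results are never overwritten).
#######################################
function run_checkov {
  local root test_case
  root=$PWD
  echo "Now running Checkov on all cases"
  # The image tag is unpinned (:latest), so two runs may use different tool
  # versions; pin a digest if a reproducible baseline is required.
  docker pull bridgecrew/checkov:latest
  docker run -t -v "$root:/tf" bridgecrew/checkov --version >version_checkov.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'checkov: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f checkov_results.txt ]; then exit 0; fi
        # First sed strips ANSI colour sequences (-t allocates a tty); the
        # second replaces the absolute host path with a stable label so results
        # diff cleanly between machines. NOTE: $root is interpolated into the
        # sed expression, so a root path containing '~' or sed metacharacters
        # would break the substitution.
        docker run -t -v "$PWD:/tf" bridgecrew/checkov --quiet -d /tf \
          | sed 's/\[[0-9;]*m//g' | sed "s~$root~tool-compare~" >checkov_results.txt
      )
    done
}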
# tfsec
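#######################################
# Run tfsec against every test case (each directory that holds a main.tf).
# Globals:   PWD (read) - must be the repository root when called.
# Outputs:   version_tfsec.txt in the current directory and tfsec_results.txt
#            in every test case directory that does not already have one
#            (existing results are never overwritten).
#######################################
function run_tfsec {
  local root test_case
  root=$PWD
  echo "Now running tfsec on all cases"
  # The image tag is unpinned (:latest), so two runs may use different tool
  # versions; pin a digest if a reproducible baseline is required.
  docker pull aquasec/tfsec:latest
  docker run -t -v "$root:/tf" aquasec/tfsec --version >version_tfsec.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'tfsec: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f tfsec_results.txt ]; then exit 0; fi
        # Replace the absolute host path with a stable label so results diff
        # cleanly between machines. NOTE: $root is interpolated into the sed
        # expression, so a root path containing '~' or sed metacharacters
        # would break the substitution.
        docker run --rm -v "$PWD:/src" aquasec/tfsec /src --no-color \
          | sed "s~$root~tool-compare~" >tfsec_results.txt
      )
    done
}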
# KICS
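#######################################
# Run KICS against every test case (each directory that holds a main.tf).
# Globals:   PWD (read) - must be the repository root when called.
# Outputs:   version_kics.txt in the current directory and kics_results.txt
#            in every test case directory that does not already have one
#            (existing results are never overwritten).
#######################################
function run_kics {
  local root test_case
  root=$PWD
  echo "Now running KICS on all cases"
  # The image tag is unpinned (:latest), so two runs may use different tool
  # versions; pin a digest if a reproducible baseline is required.
  docker pull checkmarx/kics:latest
  # Only the last field of the version banner is the version string.
  docker run -t -v "$root:/tf" checkmarx/kics version | awk '{print $NF}' >version_kics.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'kics: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f kics_results.txt ]; then exit 0; fi
        # Replace the absolute host path with a stable label and drop the
        # per-query progress lines so results diff cleanly between machines.
        # NOTE: $root is interpolated into the sed expression, so a root path
        # containing '~' or sed metacharacters would break the substitution.
        docker run --rm -v "$PWD:/src" checkmarx/kics:latest scan -p /src \
          | sed "s~$root~tool-compare~" | grep -v "Executing queries" >kics_results.txt
      )
    done
}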
# Terrascan
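#######################################
# Run Terrascan against every test case (each directory that holds a main.tf).
# Globals:   PWD (read) - must be the repository root when called.
# Outputs:   version_terrascan.txt in the current directory and
#            terrascan_results.txt in every test case directory that does not
#            already have one (existing results are never overwritten).
#######################################
function run_terrascan {
  local root test_case
  root=$PWD
  echo "Now running Terrascan on all cases"
  # The image tag is unpinned (:latest), so two runs may use different tool
  # versions; pin a digest if a reproducible baseline is required.
  docker pull accurics/terrascan:latest
  # Only the last field of the version banner is the version string.
  docker run --rm accurics/terrascan version | awk '{print $NF}' >version_terrascan.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'terrascan: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f terrascan_results.txt ]; then exit 0; fi
        # Replace the absolute host path with a stable label so results diff
        # cleanly between machines. NOTE: $root is interpolated into the sed
        # expression, so a root path containing '~' or sed metacharacters
        # would break the substitution.
        docker run --rm -v "$PWD:/iac" -w /iac accurics/terrascan scan \
          | sed "s~$root~tool-compare~" >terrascan_results.txt
      )
    done
}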
# Snyk
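#######################################
# Run Snyk IaC against every test case (each directory that holds a main.tf).
# Globals:   PWD (read) - must be the repository root when called.
#            SNYK_TOKEN (read) - required; forwarded to the container by name.
# Outputs:   version_snyk.txt in the current directory and snyk_results.txt
#            in every test case directory that does not already have one
#            (existing results are never overwritten).
# Exits:     1 if SNYK_TOKEN is unset or empty (aborts the whole script).
#######################################
function run_snyk {
  local root test_case
  root=$PWD
  echo "Now running Snyk on all cases"
  if [ -z "${SNYK_TOKEN:-}" ]; then
    echo "To run this script, you'll need to provide the SNYK_TOKEN environment variable." >&2
    exit 1
  fi
  # The image tag is unpinned, so two runs may use different tool versions;
  # pin a digest if a reproducible baseline is required.
  docker pull snyk/snyk-cli:docker
  # '-e SNYK_TOKEN' passes the variable by name only, so the secret never
  # appears on the docker command line (and therefore not in 'ps' or set -x).
  docker run -t -v empty:/project -e SNYK_TOKEN snyk/snyk-cli:docker --version | tail -n 1 >version_snyk.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'snyk: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f snyk_results.txt ]; then exit 0; fi
        # Replace the absolute host path with a stable label so results diff
        # cleanly between machines. NOTE: $root is interpolated into the sed
        # expression, so a root path containing '~' or sed metacharacters
        # would break the substitution.
        docker run --rm -v "$PWD:/project" -e SNYK_TOKEN snyk/snyk-cli:docker iac test /project \
          | sed "s~$root~tool-compare~" >snyk_results.txt
      )
    done
}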
# Cloudrail
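#######################################
# Run Cloudrail against every test case (each directory that holds a main.tf).
# Unlike the other tools, Cloudrail scans the Terraform plan (plan.out), which
# the top-level part of this script generates beforehand.
# Globals:   PWD (read) - must be the repository root when called.
#            CLOUDRAIL_API_KEY (read) - required; forwarded to the container
#            by name.
#            IT_FLAG (read, optional) - extra docker flag(s), e.g. for an
#            interactive tty; empty by default.
# Outputs:   version_cloudrail.txt in the current directory and
#            cloudrail_results.txt in every test case directory that does not
#            already have one (written by the tool itself, not by this shell).
# Exits:     1 if CLOUDRAIL_API_KEY is unset or empty (aborts the whole script).
#######################################
function run_cloudrail {
  local root test_case
  root=$PWD
  echo "Now running Cloudrail on all cases"
  if [ -z "${CLOUDRAIL_API_KEY:-}" ]; then
    echo "To run this script, you'll need to provide the CLOUDRAIL_API_KEY environment variable." >&2
    exit 1
  fi
  # The image tag is unpinned (:latest), so two runs may use different tool
  # versions; pin a digest if a reproducible baseline is required.
  docker pull indeni/cloudrail-cli:latest
  docker run -t -v "$root:/tf" indeni/cloudrail-cli --version | awk '{print $NF}' | head -n 1 >version_cloudrail.txt
  find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
    while IFS= read -r test_case; do
      printf '%s\n' "$test_case"
      # One subshell per case: a failed cd can no longer leave the scan running
      # in the repository root, and there is nothing to cd back to afterwards.
      (
        cd -- "$test_case" || { printf 'cloudrail: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
        if [ -f cloudrail_results.txt ]; then exit 0; fi
        if [ ! -f plan.out ]; then
          printf 'cloudrail: no plan.out in %s, skipping\n' "$test_case" >&2
          exit 1
        fi
        # IT_FLAG is deliberately left unquoted: when empty it must contribute
        # no argument at all rather than an empty string. '-u 0:0' runs the
        # container as root, so the output file will typically be root-owned on
        # the host. '-e CLOUDRAIL_API_KEY' forwards the secret by name, keeping
        # it off the command line.
        # shellcheck disable=SC2086
        docker run --rm ${IT_FLAG:-} -u 0:0 -v "$PWD:/data" -e CLOUDRAIL_API_KEY \
          indeni/cloudrail-cli run --tf-plan plan.out --output-file cloudrail_results.txt \
          --no-cloud-account --auto-approve -v
      )
    done
}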
#######################################
# Run every tool, in alphabetical order of the tool functions.
# Returns:   the status of the last tool run (run_tfsec).
#######################################
function run_all {
  local tool
  for tool in run_checkov run_cloudrail run_kics run_snyk run_terrascan run_tfsec; do
    "$tool"
  done
}
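# ---------------------------------------------------------------------------
# Entry point.
# Usage: run_all_tools.sh [run_checkov|run_cloudrail|run_kics|run_snyk|run_terrascan|run_tfsec]
# With no (or an unrecognised) argument every tool is run via run_all.
# Requires: AWS credentials (AWS_ACCESS_KEY_ID or AWS_DEFAULT_PROFILE), an
# active 'az login' session, plus docker and terraform on PATH. Some tools
# additionally need SNYK_TOKEN / CLOUDRAIL_API_KEY; those are checked inside
# the respective tool functions.
# ---------------------------------------------------------------------------

# Verify AWS access for plan
if [[ -z "${AWS_ACCESS_KEY_ID:-}" && -z "${AWS_DEFAULT_PROFILE:-}" ]]; then
  echo "To run this script, you'll need AWS credentials (for use with terraform plan)." >&2
  exit 1
fi
export AWS_REGION=us-west-1
# Verify Azure access for plan (the command's own status is the check, so it
# stays correct even if 'set -e' is enabled later).
if ! az account list >/dev/null; then
  echo "To run this script, you'll need working Azure credentials (for use with terraform plan). Make sure you use 'az login'." >&2
  exit 1
fi
# Generate all plan files
echo "Generating plan files, where they do not exist yet"
find . -name "main.tf" -exec dirname {} \; | grep -v "\.terraform" |
  while IFS= read -r test_case; do
    printf '%s\n' "$test_case"
    # One subshell per case: a failed cd can no longer run terraform in the
    # repository root, and there is nothing to cd back to afterwards.
    (
      cd -- "$test_case" || { printf 'plan: cannot enter %s, skipping\n' "$test_case" >&2; exit 1; }
      if [ -f plan.out ]; then exit 0; fi
      # plan.out is a binary plan that may embed values from the provider and
      # resource configuration; keep it out of version control.
      terraform init && terraform plan -out=plan.out \
        || printf 'plan: terraform failed for %s\n' "$test_case" >&2
    )
  done
# Dispatch: a known tool name as $1 runs just that tool (remaining arguments
# are passed through); anything else runs all tools.
case "${1:-}" in
  run_checkov|run_cloudrail|run_kics|run_snyk|run_terrascan|run_tfsec)
    "$@"
    exit
    ;;
  *)
    run_all
    exit
    ;;
esac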