aquasecurity · nikpivkin · Sep 20, 2023 · Sep 20, 2023 · Sep 22, 2023 · Sep 22, 2023
@@ -36,7 +36,7 @@ jobs:
         uses: golangci/[email protected]
         with:
           version: v1.54
-          args: --deadline=30m --out-format=line-number
+          args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
         if: matrix.operating-system == 'ubuntu-latest'
 

@@ -279,7 +279,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 
 	// Walk a tar layer
 	opqDirs, whFiles, err := a.walker.Walk(rc, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
-		if err = a.analyzer.AnalyzeFile(ctx, &wg, limit, result, "", filePath, info, opener, disabled, opts); err != nil {
+		if err := a.analyzer.AnalyzeFile(ctx, &wg, limit, result, "", filePath, info, opener, disabled, opts); err != nil {
 			return xerrors.Errorf("failed to analyze %s: %w", filePath, err)
 		}
 
@@ -294,7 +294,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 		if err != nil {
 			return xerrors.Errorf("failed to copy file to temp: %w", err)
 		}
-		if err = composite.CreateLink(analyzerTypes, "", filePath, tmpFilePath); err != nil {
+		if err := composite.CreateLink(analyzerTypes, "", filePath, tmpFilePath); err != nil {
 			return xerrors.Errorf("failed to write a file: %w", err)
 		}
 
@@ -308,7 +308,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	wg.Wait()
 
 	// Post-analysis
-	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
+	if err := a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
 		return types.BlobInfo{}, xerrors.Errorf("post analysis error: %w", err)
 	}
 
@@ -336,7 +336,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	}
 
 	// Call post handlers to modify blob info
-	if err = a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
+	if err := a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
 		return types.BlobInfo{}, xerrors.Errorf("post handler error: %w", err)
 	}
 

@@ -143,7 +143,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 			dir, filePath = path.Split(a.rootPath)
 		}
 
-		if err = a.analyzer.AnalyzeFile(ctx, &wg, limit, result, dir, filePath, info, opener, nil, opts); err != nil {
+		if err := a.analyzer.AnalyzeFile(ctx, &wg, limit, result, dir, filePath, info, opener, nil, opts); err != nil {
 			return xerrors.Errorf("analyze file (%s): %w", filePath, err)
 		}
 
@@ -154,7 +154,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		}
 
 		// Build filesystem for post analysis
-		if err = composite.CreateLink(analyzerTypes, dir, filePath, filepath.Join(dir, filePath)); err != nil {
+		if err := composite.CreateLink(analyzerTypes, dir, filePath, filepath.Join(dir, filePath)); err != nil {
 			return xerrors.Errorf("failed to create link: %w", err)
 		}
 
@@ -168,7 +168,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 	wg.Wait()
 
 	// Post-analysis
-	if err = a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
+	if err := a.analyzer.PostAnalyze(ctx, composite, result, opts); err != nil {
 		return types.ArtifactReference{}, xerrors.Errorf("post analysis error: %w", err)
 	}
 
@@ -187,7 +187,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		CustomResources:   result.CustomResources,
 	}
 
-	if err = a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
+	if err := a.handlerManager.PostHandle(ctx, result, &blobInfo); err != nil {
 		return types.ArtifactReference{}, xerrors.Errorf("failed to call hooks: %w", err)
 	}
 
@@ -196,7 +196,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		return types.ArtifactReference{}, xerrors.Errorf("failed to calculate a cache key: %w", err)
 	}
 
-	if err = a.cache.PutBlob(cacheKey, blobInfo); err != nil {
+	if err := a.cache.PutBlob(cacheKey, blobInfo); err != nil {
 		return types.ArtifactReference{}, xerrors.Errorf("failed to store blob (%s) in cache: %w", cacheKey, err)
 	}
 

@@ -658,6 +658,56 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "tfvars outside the scan folder",
+			fields: fields{
+				dir: "./testdata/misconfig/terraform/tfvar-outside/tf",
+			},
+			artifactOpt: artifact.Option{
+				MisconfScannerOption: misconf.ScannerOption{
+					RegoOnly:                true,
+					Namespaces:              []string{"user"},
+					PolicyPaths:             []string{"./testdata/misconfig/terraform/rego"},
+					TerraformTFVars:         []string{"./testdata/misconfig/terraform/tfvar-outside/main.tfvars"},
+					TfExcludeDownloaded:     true,
+					DisableEmbeddedPolicies: true,
+				},
+			},
+			putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
+				Args: cache.ArtifactCachePutBlobArgs{
+					BlobIDAnything: true,
+					BlobInfo: types.BlobInfo{
+						SchemaVersion: 2,
+						Misconfigurations: []types.Misconfiguration{
+							{
+								FileType: types.Terraform,
+								FilePath: ".",
+								Successes: types.MisconfResults{
+									{
+										Namespace:      "user.something",
+										Query:          "data.user.something.deny",
+										PolicyMetadata: policyMetadata,
+										CauseMetadata: types.CauseMetadata{
+											Provider: "Generic",
+											Service:  "general",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				Returns: cache.ArtifactCachePutBlobReturns{},
+			},
+			want: types.ArtifactReference{
+				Name: "testdata/misconfig/terraform/tfvar-outside/tf",
+				Type: types.ArtifactFilesystem,
+				ID:   "sha256:4e2b9cba04625f1d9cc57f74640d039779b0ee176e958aaea37883e03842056d",
+				BlobIDs: []string{
+					"sha256:4e2b9cba04625f1d9cc57f74640d039779b0ee176e958aaea37883e03842056d",
+				},
+			},
+		},
 		{
 			name: "relative paths",
 			fields: fields{

@@ -0,0 +1 @@
+bucket_name = "test"
@@ -0,0 +1,7 @@
+resource "aws_s3_bucket" "this" {
+    bucket = var.bucket_name
+}
+
+variable "bucket_name" {
+    type = "string"
+}
@@ -71,6 +71,7 @@ type Scanner struct {
 	fileType       detection.FileType
 	scanner        scanners.FSScanner
 	hasFilePattern bool
+	configFiles    []string
 }
 
 func NewAzureARMScanner(filePatterns []string, opt ScannerOption) (*Scanner, error) {
@@ -108,6 +109,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 	}
 
 	var scanner scanners.FSScanner
+	var configFiles []string
 	switch t {
 	case detection.FileTypeAzureARM:
 		scanner = arm.New(opts...)
@@ -117,10 +119,12 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		scanner = dfscanner.NewScanner(opts...)
 	case detection.FileTypeHelm:
 		scanner = helm.New(opts...)
+		configFiles = append(opt.HelmFileValues, opt.HelmValueFiles...)
 	case detection.FileTypeKubernetes:
 		scanner = k8sscanner.NewScanner(opts...)
 	case detection.FileTypeTerraform:
 		scanner = tfscanner.New(opts...)
+		configFiles = opt.TerraformTFVars
 	case detection.FileTypeTerraformPlan:
 		scanner = tfpscanner.New(opts...)
 	}
@@ -129,6 +133,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		fileType:       t,
 		scanner:        scanner,
 		hasFilePattern: hasFilePattern(t, filePatterns),
+		configFiles:    configFiles,
 	}, nil
 }
 
@@ -141,10 +146,15 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 		return nil, nil
 	}
 
+	if err := addConfigFilesToFS(newfs, s.configFiles); err != nil {
+		return nil, xerrors.Errorf("failed to add config files to fs: %w", err)
+	}
+
 	log.Logger.Debugf("Scanning %s files for misconfigurations...", s.scanner.Name())
 	results, err := s.scanner.ScanFS(ctx, newfs, ".")
 	if err != nil {
-		if _, ok := err.(*cfparser.InvalidContentError); ok {
+		var invalidContentError *cfparser.InvalidContentError
+		if errors.As(err, &invalidContentError) {
 			log.Logger.Errorf("scan %q was broken with InvalidContentError: %v", s.scanner.Name(), err)
 			return nil, nil
 		}
@@ -164,6 +174,30 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 	return misconfs, nil
 }
 
+func addConfigFilesToFS(fsys fs.FS, configFiles []string) error {
+	if len(configFiles) == 0 {
+		return nil
+	}
+
+	mfs, ok := fsys.(*mapfs.FS)
+	if !ok {
+		return xerrors.Errorf("type assertion error: %T is not a *mapfs.FS", fsys)
+	}
+	for _, configFile := range configFiles {
+		if _, err := os.Stat(configFile); err != nil {
+			return xerrors.Errorf("config file %q not found: %w", configFile, err)
+		}
+		if err := mfs.MkdirAll(filepath.Dir(configFile), os.ModePerm); err != nil && !errors.Is(err, fs.ErrExist) {
+			return xerrors.Errorf("mkdir error: %w", err)
+		}
+		if err := mfs.WriteFile(configFile, configFile); err != nil {
+			return xerrors.Errorf("write file error: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 	mfs, ok := fsys.(*mapfs.FS)
 	if !ok {