feat!: Initial commit

.dockerignore

@@ -0,0 +1,11 @@
+# General
+CITATION.cff
+CONTRIBUTING.md
+LICENSE
+README.md
+
+# Frontend
+./frontend/node_modules
+
+# terraform
+./terraform/

.github/workflows/README.md

@@ -0,0 +1,7 @@
+### Manual Todos
+- Create initial tag (e.g., `v0.0.1`)
+
+### Sources
+- [Semantic Versioning](https://github.com/marketplace/actions/git-semantic-version)
+- [Release](https://github.com/marketplace/actions/create-release)
+- [Changelog](https://github.com/marketplace/actions/release-changelog-builder)

.github/workflows/github-actions.yml

@@ -0,0 +1,172 @@
+defaults:
+  run:
+    working-directory: ./terraform/
+
+name: Lint, Build, Release, and Deploy
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  # Validate the YAML files
+  validate-yaml:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: checkout repo content
+        uses: actions/checkout@v2
+      - name: setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10.5'  
+      - name: Install packages
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+        working-directory: data/validation/
+      - name: Validate the YAML files
+        run: python validate.py
+        shell: sh
+        working-directory: data/validation/
+  # Geneate a new Version
+  generate-semantic-version:
+    name: Generate semantic version
+    needs: [validate-yaml]
+    runs-on: ubuntu-22.04
+    outputs:
+      next-version: ${{ steps.sem-ver.outputs.version }}
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: paulhatch/[email protected]
+        id: sem-ver
+        # Major and Minor patterns are adopted from the Coventional Commits Guidelines
+        with:
+          tag_prefix: "v"
+          major_pattern: "feat!"
+          minor_pattern: "feat:"
+          format: "v${major}.${minor}.${patch}"
+          bump_each_commit: true
+  # Lint the Dockerfile
+  hadolint:
+    name: hadolint
+    needs: [validate-yaml]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0 
+      - uses: hadolint/[email protected]
+  # Build and Push the Docker Image
+  docker:
+    needs: [hadolint, generate-semantic-version]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to DockerHub
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: true
+          tags: nileger/iac-analyzers:${{ needs.generate-semantic-version.outputs.next-version }}
+  # Run tfsec on the Terraform files
+  tfsec:
+    name: tfsec
+    needs: [validate-yaml]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@master
+      - name: tfsec
+        uses: aquasecurity/[email protected]
+        with:
+          working_directory: terraform/
+  # Create a New GitHub Release
+  release:
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    needs: [hadolint, tfsec, generate-semantic-version]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
+    steps:
+    - uses: actions/checkout@v2
+      with:
+          fetch-depth: 0
+    - uses: mikepenz/release-changelog-builder-action@v3
+      id: build_changelog
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - uses: ncipollo/release-action@v1
+      with:
+        commit: main
+        body: ${{ steps.build_changelog.outputs.changelog }}
+        tag: ${{ needs.generate-semantic-version.outputs.next-version }}
+        token: ${{ secrets.GITHUB_TOKEN }}
+  # Lint the Terraform Code and Deploy the Application via Terraform Cloud
+  terraform:
+    needs: [release, tfsec, generate-semantic-version, docker]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+      - name: Terraform Plan
+        id: plan
+        if: github.event_name == 'pull_request'
+        run: terraform plan -no-color -input=false -var image_tag=${{ needs.generate-semantic-version.outputs.next-version }}
+        continue-on-error: true
+      - uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+            <details><summary>Show Plan</summary>
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+            </details>
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -input=false -var image_tag=${{ needs.generate-semantic-version.outputs.next-version }}

.gitignore

@@ -0,0 +1 @@
+backend/tmp/**

.vscode/extensions.json

@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "hashicorp.terraform"
+    ]
+}

CITATION.cff

@@ -0,0 +1,86 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: >-
+  Static IaC Analysis – Bridging the Gap between
+  Research and Practice
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - given-names: Nils
+    family-names: Leger
+repository-code: 'https://github.com/nileger/iac-analyzers'
+url: 'https://iac-analyzers.dev/'
+repository-artifact: 'https://hub.docker.com/r/nileger/iac-analyzers'
+abstract: >-
+  Context: Infrastructure as code is one of the main
+  pillars in DevOps adopted by many companies. Since
+  each infrastructure as code (IaC) tool has its own
+  domain-specific language (DSL), practitioners must
+  learn the IaC tool-specific DSL. This poses the
+  threat of misconfiguration and security flaws.
+  Unit, integration, and end-to-end testing for
+  infrastructure code are more challenging than for
+  application code. Thus, static code analysis plays
+  an essential role in IaC quality assurance.
+
+  Objective: Researchers investigated defects in IaC
+  scripts in various research studies. The findings
+  of these studies, however, only benefit
+  practitioners if they are incorporated into static
+  infrastructure code analyzers (SICAs). No prior
+  work has studied the state-of-the-art static
+  infrastructure code analyzers from both a practical
+  and academic perspective. This work bridges the gap
+  between research and the various static code
+  analyzers developed by practitioners. Furthermore,
+  it provides decision support for practitioners and
+  researchers.
+
+  Methodology: Because no prior work has been done in
+  the field of static infrastructure code analysis in
+  formal literature considering informal literature,
+  too, existing static infrastructure code analyzers
+  are identified using a multivocal literature review
+  (MLR). MLRs are often used to investigate the state
+  of practice. The identified tools are assessed via
+  qualitative analysis. The decision support is
+  developed via design science research.
+
+  Results: Practitioners and researchers have
+  developed various static infrastructure code
+  analysis tools. Since each IaC tool has its own
+  DSL, static analyzers must be adapted to each IaC
+  tool. While many static analysis tools exist for
+  popular IaC tools like Ansible and Terraform,
+  development for other IaC tools and categories like
+  resource visualization remains a gap.
+
+  Conclusion: The main contribution of this work is
+  the application of the multivocal literature review
+  methodology, which allows the inclusion of grey
+  literature, thereby identifying a large number of
+  static infrastructure code analyzers which have
+  been ignored in formal literature so far.
+  Researchers may use the result of this work to
+  focus their research on yet understudied research
+  areas. Furthermore, they may use existing static
+  code analyzers to incorporate their findings into
+  those tools instead of reinventing the wheel. If
+  they decide to create a new SICA, researchers may
+  refer to other SICAs to learn about implementation
+  approaches. Practitioners can use the IaC Analyzer
+  Decision Guide to decide on tools supporting the
+  quality assurance of their infrastructure code.
+keywords:
+  - Infrastructure as Code
+  - IaC tools
+  - static code analysis
+  - infrastructure code analysis tools
+  - multivocal literature review
+  - design science research
+license: Apache-2.0
+date-released: '2022-10-07'

CONTRIBUTING.md

@@ -0,0 +1,13 @@
+# Contributing to the IaC Analyzer Decision Guide
+Many thanks for contributing to the IaC Analyzer Decision Guide!
+# How Can I Contribute?
+- Improve the documentation: Add a concise description to the `README.md` file.
+- Report a bug: Make sure that the bug hasn't already been reported by someone else.
+- Fix a bug: See the styleguides below.
+- Add a new feature: Be consistent with the existing code. If you create a new endpoint, re-generate the `Swagger` files as described in the backend's `README`.
+- Add or update SICA information: Be consistent with the already used terms (e.g., use `Apache-2.0` instead of `Apache 2.0` or `Apache 2`). Furhtermore, when introducing new terms use lower case letters.
+
+# Styleguides
+## Git Commit Messages
+- Use the present tense.
+- Follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/#summary) guidelines.

Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.18-alpine as go-builder
+WORKDIR /app
+COPY ./backend/go.mod ./
+COPY ./backend/go.sum ./
+RUN go mod download
+COPY ./backend/*.go ./
+COPY ./backend/docs ./docs
+RUN go build -o bin/main
+
+FROM node:13.12.0-alpine as react-builder
+WORKDIR /app
+COPY ./frontend/package.json ./
+COPY ./frontend/package-lock.json ./ 
+RUN npm ci --silent \
+ && npm install [email protected] -g --silent
+COPY ./frontend ./
+RUN npm run build
+
+FROM alpine:3.16
+RUN apk --no-cache add ca-certificates=20220614-r0
+WORKDIR /usr/local/bin/
+COPY ./data/ /usr/local/data/
+COPY --from=go-builder /app/bin/main /usr/local/bin/
+COPY --from=react-builder /app/build /usr/local/frontend/
+EXPOSE 8080
+CMD ["main"]