Using a .terraignore file to mimic Ignoring Policies behavior
# How to ignore specific terrascan policies while native ignore support gets implemented
## Suppose we want to ignore policies XXX and YYY; we could create a file listing them:
accurics.azure.NS.XXX | |
accurics.azure.NS.YYY | |
## Then we could write a short, dirty but practical bash snippet to mimic the "ignore" behavior:
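#######################################
# Gate a terrascan run on a local ignore list, mimicking a native "ignore policy" feature.
# Globals:   PATH_TO_TERRAIGNORE (written) - ignore list, one rule id per line
#            PATH_TO_TERRAOUTPUT (written) - where the JSON report is saved
#            TERRASCAN_EXIT_CODE, NOT_IGNORED_COUNT, IGNORE_PATTERNS (written)
# Outputs:   the JSON report on stdout and a one-line summary on stderr when the gate fails
# Exits:     non-zero when any violation is not listed in the ignore file, or when the
#            report cannot be parsed; otherwise falls through with status 0
#######################################
PATH_TO_TERRAIGNORE=./.terraignore
PATH_TO_TERRAOUTPUT=./terrascan.out

terrascan scan -t azure -o json > "$PATH_TO_TERRAOUTPUT"
# $? already holds the status; $(echo $?) only forked a subshell to copy it.
TERRASCAN_EXIT_CODE=$?

# Fail closed: when terrascan wrote nothing or something that is not JSON (binary missing,
# crash, bad flags), the old pipeline counted zero violations and let the build pass.
if ! jq -e . "$PATH_TO_TERRAOUTPUT" >/dev/null 2>&1; then
  echo "Failed: terrascan did not produce a JSON report (exit code $TERRASCAN_EXIT_CODE)." >&2
  exit 1
fi

# A missing ignore file means "ignore nothing"; with the unquoted $(cat ...) form grep got
# no pattern at all, printed nothing, and the gate silently passed.
IGNORE_PATTERNS=$PATH_TO_TERRAIGNORE
[ -r "$IGNORE_PATTERNS" ] || IGNORE_PATTERNS=/dev/null

# -r drops jq's quotes; []? tolerates a null/absent violations list; -x -F match whole
# rule ids literally, so a '.' in an id is not a wildcard and a blank line in the ignore
# file does not match every rule. -c prints the count even when it is zero.
NOT_IGNORED_COUNT=$(jq -r '.results.violations[]? | .rule_id' "$PATH_TO_TERRAOUTPUT" \
  | grep -c -v -x -F -f "$IGNORE_PATTERNS")

if [ "$NOT_IGNORED_COUNT" -gt 0 ]; then
  # >&2 sends the summary to stderr; >$2 redirected stdout into a file named by the
  # second positional parameter.
  echo "Failed: Currently there are $NOT_IGNORED_COUNT policies broken." >&2
  cat "$PATH_TO_TERRAOUTPUT"
  # Propagate terrascan's own status, but never leave the failure branch with status 0.
  [ "${TERRASCAN_EXIT_CODE:-0}" -ne 0 ] || TERRASCAN_EXIT_CODE=1
  exit "$TERRASCAN_EXIT_CODE"
fi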
## HIGH priority policies could be ignored by mistake, so we could refactor to always count them by changing just a few bits:
... | |
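#######################################
# Variant of the gate that also counts HIGH severity violations, whether or not their
# rule id is listed in the ignore file, so a HIGH policy cannot be silenced by mistake.
# Globals:   PATH_TO_TERRAIGNORE, PATH_TO_TERRAOUTPUT, TERRASCAN_EXIT_CODE (read; set by
#            the elided part above)
#            NOT_IGNORED_COUNT, HIGH_FAILED_COUNT, TOTAL, IGNORE_PATTERNS (written)
# Outputs:   the JSON report on stdout and a one-line summary on stderr when the gate fails
# Exits:     non-zero when TOTAL > 0 or the report is not JSON; otherwise falls through
#######################################
# Fail closed: an empty or non-JSON report (scanner missing or crashed) must not be
# counted as zero violations.
if ! jq -e . "$PATH_TO_TERRAOUTPUT" >/dev/null 2>&1; then
  echo "Failed: terrascan did not produce a JSON report (exit code $TERRASCAN_EXIT_CODE)." >&2
  exit 1
fi

# A missing ignore file means "ignore nothing", not "grep has no pattern, count is zero".
IGNORE_PATTERNS=$PATH_TO_TERRAIGNORE
[ -r "$IGNORE_PATTERNS" ] || IGNORE_PATTERNS=/dev/null

# -r drops jq's quotes; []? tolerates a null violations list; -x -F match whole rule ids
# literally (no '.' wildcard, no blank-line pattern that would match every rule).
NOT_IGNORED_COUNT=$(jq -r '.results.violations[]? | .rule_id' "$PATH_TO_TERRAOUTPUT" \
  | grep -c -v -x -F -f "$IGNORE_PATTERNS")
# Counted over all violations, ignored or not, so an un-ignored HIGH violation appears in
# both numbers; that only affects the message, the gate trips on either being non-zero.
HIGH_FAILED_COUNT=$(jq -r '.results.violations[]? | .severity' "$PATH_TO_TERRAOUTPUT" \
  | grep -c -F HIGH)
TOTAL=$((NOT_IGNORED_COUNT + HIGH_FAILED_COUNT))

if [ "$TOTAL" -gt 0 ]; then
  # >&2 sends the summary to stderr; >$2 redirected stdout into a file named by the
  # second positional parameter.
  echo "Failed: Currently there are $NOT_IGNORED_COUNT policies broken and $HIGH_FAILED_COUNT with High priority." >&2
  cat "$PATH_TO_TERRAOUTPUT"
  # Propagate terrascan's own status, but never leave the failure branch with status 0.
  [ "${TERRASCAN_EXIT_CODE:-0}" -ne 0 ] || TERRASCAN_EXIT_CODE=1
  exit "$TERRASCAN_EXIT_CODE"
fi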