gcp-scc-iac-validation-utils

module v0.0.0-...-9175224
Published: Jul 1, 2024 License: Apache-2.0

README

GCP SCC IaC validation utilities

Description

This repo provides two Go utility scripts for handling the response from the gcloud scc iac-validation-reports create command.

  1. SARIF converter
  2. Report validator

SARIF converter

The SARIF converter converts the response generated by the gcloud scc iac-validation-reports create command to the industry-standard SARIF format. It takes the response from the gcloud command as input, converts it to SARIF, and writes the output to a file.

Example invocation of the script from CLI -

go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
    --inputFilePath=IaCScanReport.json \
    --outputFilePath=IaCScanReport.sarif.json

where "IaCScanReport.json" is the report that is generated from the gcloud command and "IaCScanReport.sarif.json" is the name of the output file.

Report validator

This validates the response generated by gcloud scc iac-validation-reports create against thresholds set by the "failure_expression" argument to the command. The command exits with a success (exit(0)) or failure (exit(1)) code as the result of the validation. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters.

  • The failure_expression argument to the command specifies how many issues of each severity are permitted, and also specifies how the per-severity conditions are aggregated (either AND or OR). For example, if you want the validation to fail when it encounters one critical issue or one high severity issue, set failure_expression to 'Critical:1,High:1,Operator:OR'.

  • If no expression is passed to the script, the default criteria are used for the validation. The default is 'Critical:1,High:1,Medium:1,Low:1,Operator:OR', which means that if the IaC validation scan contains any violation of any severity, the validator returns a "fail" result.

Example invocation of the script from CLI -

go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
    --inputFilePath=IaCScanReport.json --failure_expression=FAILURE_CRITERIA

where "IaCScanReport.json" is the report that is generated from the gcloud command and FAILURE_CRITERIA is the expression against which the IaCScanReport will be evaluated.

NOTE

  • Only the AND and OR operators are supported for "Operator".
  • Each expression must contain the operator exactly once.
  • Each severity (Critical, High, Medium, Low) may appear in the expression at most once.
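The following is an added example, not code from the google/gcp-scc-iac-validation-utils project, showing how a failure_expression in the form described above can be parsed under the rules in the note (AND/OR only, operator exactly once, each severity at most once) and then applied to per-severity issue counts. It assumes that a severity is breached when the report holds at least the threshold number of issues (so 'Critical:1' fails on the first critical finding), it uses constructed sample counts instead of reading the gcloud report file, and the names Counts, Criteria, ParseExpression and ShouldFail are the example's own.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// DefaultExpression is the criteria the README applies when none is given.
const DefaultExpression = "Critical:1,High:1,Medium:1,Low:1,Operator:OR"

// Counts holds the number of issues of each severity in a scan report.
// The real tool derives these from the gcloud report; here they are constructed.
type Counts struct {
	Critical, High, Medium, Low int
}

// Criteria is the parsed form of a failure_expression.
type Criteria struct {
	Thresholds map[string]int // severity -> issue count at which it counts as breached
	Operator   string         // "AND" or "OR"
}

var knownSeverities = map[string]bool{"Critical": true, "High": true, "Medium": true, "Low": true}

// ParseExpression validates an expression against the README's rules: only
// AND/OR, the operator exactly once, each severity at most once.
func ParseExpression(expr string) (Criteria, error) {
	if strings.TrimSpace(expr) == "" {
		expr = DefaultExpression
	}
	c := Criteria{Thresholds: map[string]int{}}
	for _, term := range strings.Split(expr, ",") {
		kv := strings.SplitN(strings.TrimSpace(term), ":", 2)
		if len(kv) != 2 {
			return Criteria{}, fmt.Errorf("malformed term %q", term)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch {
		case key == "Operator":
			if c.Operator != "" {
				return Criteria{}, errors.New("operator given more than once")
			}
			if val != "AND" && val != "OR" {
				return Criteria{}, fmt.Errorf("unsupported operator %q (only AND and OR)", val)
			}
			c.Operator = val
		case knownSeverities[key]:
			if _, dup := c.Thresholds[key]; dup {
				return Criteria{}, fmt.Errorf("severity %s given more than once", key)
			}
			n, err := strconv.Atoi(val)
			if err != nil || n < 1 {
				return Criteria{}, fmt.Errorf("threshold for %s must be a positive integer, got %q", key, val)
			}
			c.Thresholds[key] = n
		default:
			return Criteria{}, fmt.Errorf("unknown key %q", key)
		}
	}
	if c.Operator == "" {
		return Criteria{}, errors.New("expression must contain an Operator")
	}
	if len(c.Thresholds) == 0 {
		return Criteria{}, errors.New("expression must contain at least one severity threshold")
	}
	return c, nil
}

// ShouldFail reports whether counts breach the criteria. Assumption: a severity
// is breached when the report holds at least its threshold number of issues;
// OR fails on any breach, AND only when every listed severity is breached.
func ShouldFail(c Criteria, counts Counts) bool {
	actual := map[string]int{
		"Critical": counts.Critical, "High": counts.High,
		"Medium": counts.Medium, "Low": counts.Low,
	}
	breached := 0
	for sev, threshold := range c.Thresholds {
		if actual[sev] >= threshold {
			breached++
		}
	}
	if c.Operator == "AND" {
		return breached == len(c.Thresholds)
	}
	return breached > 0
}

func main() {
	expr := flag.String("failure_expression", "", "e.g. Critical:1,High:1,Operator:OR")
	flag.Parse()
	criteria, err := ParseExpression(*expr)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid failure_expression:", err)
		os.Exit(2) // assumed exit code for a malformed expression
	}
	// Constructed sample counts standing in for a parsed IaC scan report.
	sample := Counts{Critical: 0, High: 1, Medium: 3, Low: 7}
	if ShouldFail(criteria, sample) {
		fmt.Println("validation failed")
		os.Exit(1)
	}
	fmt.Println("validation passed")
}
```

Run with go run main.go --failure_expression='Critical:1,High:1,Operator:OR' and the constructed sample (one high issue) exits 1; with 'Critical:1,Operator:OR' it exits 0. Rejecting a duplicate severity or operator up front matters in CI, because an expression that silently dropped a term would weaken the gate without anyone noticing.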

Directories

Path                     Synopsis
ReportValidator          Package main checks the scc iac-validation-report against the failure criteria and returns the validation state.
  expressionprocessor    package expressionprocessor validates the input expression and extracts operator and threshold values.
  validator              package validator evaluates the IaC report violations against the threshold limit.
SARIFConverter           Package main converts IaC validation report to SARIF JSON format.
  converter              package converter constructs the IaC SCC scan report in to SARIF json format.
