refactor(misconf): make Rego scanner independent of config type (#7517)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Nikita Pivkin
2025-02-22 04:56:12 +06:00
committed by GitHub
parent a3cd693a5e
commit 9c609c44a3
15 changed files with 65 additions and 134 deletions


@@ -44,12 +44,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -78,12 +77,11 @@ deny {
srcFS := os.DirFS(tmp)
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -111,12 +109,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": false,
@@ -147,12 +144,11 @@ deny_evil {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -178,12 +174,11 @@ deny[msg] {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -216,12 +211,11 @@ deny[res] {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -258,12 +252,11 @@ deny[res] {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -312,12 +305,11 @@ deny[res] {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -361,12 +353,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -395,12 +386,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -426,12 +416,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -461,13 +450,12 @@ deny {
traceBuffer := bytes.NewBuffer([]byte{})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithTrace(traceBuffer),
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -496,13 +484,12 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPerResultTracing(true),
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"evil": true,
@@ -535,12 +522,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"text": "dynamic",
@@ -568,12 +554,11 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"text": "test",
@@ -615,13 +600,12 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithPerResultTracing(true),
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"text": "test",
@@ -654,7 +638,6 @@ deny {
})
scanner := rego.NewScanner(
types.SourceDockerfile,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
@@ -675,7 +658,6 @@ deny {
})
scanner := rego.NewScanner(
types.SourceDockerfile,
rego.WithPolicyDirs("policies"),
)
require.NoError(t, scanner.LoadPolicies(srcFS))
@@ -695,7 +677,6 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithRegoErrorLimits(0),
rego.WithPolicyDirs("policies"),
)
@@ -731,7 +712,6 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithDataFilesystem(dataFS),
rego.WithDataDirs("."),
rego.WithPolicyDirs("policies"),
@@ -739,7 +719,7 @@ deny {
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{})
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{})
require.NoError(t, err)
assert.Len(t, results.GetFailed(), 1)
@@ -771,7 +751,6 @@ deny {
})
scanner := rego.NewScanner(
types.SourceJSON,
rego.WithDataFilesystem(dataFS),
rego.WithDataDirs("X://"),
rego.WithPolicyDirs("policies"),
@@ -779,7 +758,7 @@ deny {
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{})
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{})
require.NoError(t, err)
assert.Len(t, results.GetFailed(), 1)
@@ -807,11 +786,10 @@ deny {
}
scanner := rego.NewScanner(
types.SourceYAML,
rego.WithPolicyDirs("checks"),
)
require.NoError(t, scanner.LoadPolicies(fsys))
_, err := scanner.ScanInput(context.TODO(), rego.Input{})
_, err := scanner.ScanInput(context.TODO(), types.SourceYAML, rego.Input{})
require.NoError(t, err)
}
@@ -872,10 +850,10 @@ deny {
"policies/test.rego": tc.policy,
})
scanner := rego.NewScanner(types.SourceJSON, rego.WithPolicyDirs("policies"))
scanner := rego.NewScanner(rego.WithPolicyDirs("policies"))
require.NoError(t, scanner.LoadPolicies(srcFS))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceJSON, rego.Input{
Path: "/evil.lol",
Contents: map[string]any{
"text": "test",
@@ -937,7 +915,6 @@ deny {
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
scanner := rego.NewScanner(
types.SourceYAML,
rego.WithCustomSchemas(map[string][]byte{
"test": []byte(schema),
}),
@@ -947,7 +924,7 @@ deny {
require.NoError(t, scanner.LoadPolicies(nil))
results, err := scanner.ScanInput(context.TODO(), rego.Input{
results, err := scanner.ScanInput(context.TODO(), types.SourceYAML, rego.Input{
Path: "test.yaml",
Contents: map[string]any{"service": "test"},
})
@@ -1026,14 +1003,13 @@ deny {
t.Run(tt.name, func(t *testing.T) {
scanner := rego.NewScanner(
types.SourceYAML,
rego.WithPolicyReader(strings.NewReader(tt.inputCheck)),
rego.WithDisabledCheckIDs(tt.disabledChecks...),
rego.WithPolicyNamespaces("user"),
)
require.NoError(t, scanner.LoadPolicies(nil))
results, err := scanner.ScanInput(context.TODO(), rego.Input{})
results, err := scanner.ScanInput(context.TODO(), types.SourceYAML, rego.Input{})
require.NoError(t, err)
require.Equal(t, tt.expected, len(results.GetFailed()) > 0)