
Utility scripts for handling the response from `gcloud scc iac-validation-reports create` command.


google/gcp-scc-iac-validation-utils

GCP SCC IaC validation utilities

Description

This repo provides two Go utility scripts for handling the response from the gcloud scc iac-validation-reports create command.

  1. SARIF converter
  2. Report validator

SARIF converter

SARIF Converter converts the response generated by the gcloud scc iac-validation-reports create command to the industry-standard SARIF format. It takes the response from the gcloud command as input, converts it to SARIF and writes the output to a file.

Example invocation of the script from the CLI:

go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
    --inputFilePath=IaCScanReport.json \
    --outputFilePath=IaCScanReport.sarif.json

where "IaCScanReport.json" is the report generated by the gcloud command and "IaCScanReport.sarif.json" is the name of the output file.

Report validator

This validates the response generated by gcloud scc iac-validation-reports create against thresholds set by the "failure_expression" argument to the command. The script exits with a success code (exit(0)) when the report stays within the thresholds and a fail code (exit(1)) otherwise, which makes it usable as a gate in a CI pipeline. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters.

  • The failure_expression argument specifies how many issues of each severity are permitted, and also specifies how the per-severity conditions are aggregated (either AND or OR). For example, if you want the validation to fail when it encounters at least one critical issue or at least one high severity issue, set the failure_expression to 'Critical:1,High:1,Operator:OR'.

  • If no expression is passed to the script, the default criteria are used. The default is 'Critical:1,High:1,Medium:1,Low:1,Operator:OR', which means that if the IaC validation scan contains any violation of any severity, the validator returns a "fail" response.

Example invocation of the script from the CLI:

go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
    --inputFilePath=IaCScanReport.json --failure_expression=FAILURE_CRITERIA

where "IaCScanReport.json" is the report generated by the gcloud command and FAILURE_CRITERIA is the expression against which the IaCScanReport will be evaluated.

NOTE

  • For "Operator", only the AND and OR operators are supported.
  • Each expression must contain the Operator term exactly once.
  • Each severity (Critical, High, Medium, Low) may appear in the expression at most once.
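The rules above pin down the failure-expression grammar closely enough to write a reference evaluator for it. The following is an added example, not code from the ReportValidator itself: it parses an expression, rejects the malformed cases listed in the NOTE, and decides pass/fail from per-severity violation counts. The counts are a constructed input (the real script tallies them from the gcloud report, whose JSON layout is not described on this page). Two semantics are assumed and not stated by the project: a term Severity:N is met when the scan has N or more violations of that severity (consistent with the 'Critical:1,High:1,Operator:OR' example), and a threshold of 0 is rejected as meaningless.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DefaultFailureExpression is the default documented above.
const DefaultFailureExpression = "Critical:1,High:1,Medium:1,Low:1,Operator:OR"

var knownSeverities = map[string]bool{"Critical": true, "High": true, "Medium": true, "Low": true}

// FailureExpression is the parsed form of e.g. "Critical:1,High:1,Operator:OR".
type FailureExpression struct {
	Thresholds map[string]int // severity -> count at which that term is met
	Operator   string         // "AND" or "OR"
}

// ParseFailureExpression enforces the NOTE rules: only AND/OR, Operator exactly
// once, each severity at most once. Thresholds must be >= 1 (assumption).
func ParseFailureExpression(expr string) (*FailureExpression, error) {
	fe := &FailureExpression{Thresholds: map[string]int{}}
	for _, part := range strings.Split(expr, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed term %q", part)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if key == "Operator" {
			if fe.Operator != "" {
				return nil, errors.New("Operator may appear only once")
			}
			if val != "AND" && val != "OR" {
				return nil, fmt.Errorf("unsupported operator %q (only AND and OR)", val)
			}
			fe.Operator = val
			continue
		}
		if !knownSeverities[key] {
			return nil, fmt.Errorf("unknown severity %q", key)
		}
		if _, dup := fe.Thresholds[key]; dup {
			return nil, fmt.Errorf("severity %s may appear only once", key)
		}
		n, err := strconv.Atoi(val)
		if err != nil || n < 1 {
			return nil, fmt.Errorf("threshold for %s must be a positive integer, got %q", key, val)
		}
		fe.Thresholds[key] = n
	}
	if fe.Operator == "" {
		return nil, errors.New("expression must contain exactly one Operator")
	}
	if len(fe.Thresholds) == 0 {
		return nil, errors.New("expression must name at least one severity")
	}
	return fe, nil
}

// ShouldFail reports whether the counts trip the expression: with OR, any
// met term fails the scan; with AND, every listed term must be met.
func (fe *FailureExpression) ShouldFail(counts map[string]int) bool {
	met := 0
	for sev, threshold := range fe.Thresholds {
		if counts[sev] >= threshold {
			met++
		}
	}
	if fe.Operator == "AND" {
		return met == len(fe.Thresholds)
	}
	return met > 0
}

// ExitCode mirrors the validator's contract: 0 on pass, 1 on fail or on a
// malformed expression. An empty expression falls back to the default.
func ExitCode(expr string, counts map[string]int) (int, error) {
	if strings.TrimSpace(expr) == "" {
		expr = DefaultFailureExpression
	}
	fe, err := ParseFailureExpression(expr)
	if err != nil {
		return 1, err
	}
	if fe.ShouldFail(counts) {
		return 1, nil
	}
	return 0, nil
}

func main() {
	// Constructed sample tally, as if taken from an IaC validation report.
	counts := map[string]int{"Critical": 0, "High": 2, "Medium": 5, "Low": 0}
	for _, expr := range []string{
		"Critical:1,High:1,Operator:OR",  // fails: 2 high >= 1
		"Critical:1,High:1,Operator:AND", // passes: no critical
		"",                               // default criteria: fails
		"High:1,High:2,Operator:OR",      // rejected: duplicate severity
	} {
		code, err := ExitCode(expr, counts)
		fmt.Printf("%-34q exit=%d err=%v\n", expr, code, err)
	}
}
```

Treating a malformed expression as exit 1 rather than a silent pass is deliberate: a typo in FAILURE_CRITERIA should block the pipeline, not let findings through.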
