Merge pull request #48 from liamg/liamg-ignore-specific-checks

Ignore specific checks
aquasecurity · Nov 11, 2019 · 5a5e940 · 5a5e940
2 parents a759f35 + 2ca9f61
commit 5a5e940
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -45,14 +45,14 @@ tfsec .
 
 ## Ignoring Warnings
 
-You may wish to ignore some warnings. If you'd like to do so, you can simply add a comment containing `tfsec:ignore` to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block, by itself.
+You may wish to ignore some warnings. If you'd like to do so, you can simply add a comment containing `tfsec:ignore:<CODE>` to the offending line in your templates. If the problem refers to a block of code, such as a multiline string, you can add the comment on the line above the block, by itself.
 
-For example, to ignore any warnings about an open security group rule:
+For example, to ignore an open security group rule:
 
 ```hcl
 resource "aws_security_group_rule" "my-rule" {
     type = "ingress"
-    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore
+    cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:AWS006
 }
 ```
 
@@ -61,7 +61,7 @@ resource "aws_security_group_rule" "my-rule" {
 ```hcl
 resource "aws_security_group_rule" "my-rule" {
     type = "ingress"
-    #tfsec:ignore
+    #tfsec:ignore:AWS006
     cidr_blocks = ["0.0.0.0/0"] 
 }
 ```

diff --git a/internal/app/tfsec/aws_task_definition_includes_sensitive_data_test.go b/internal/app/tfsec/aws_task_definition_includes_sensitive_data_test.go
@@ -62,7 +62,7 @@ EOF
 			name: "check aws_ecs_task_definition when sensitive env vars are included but ignored",
 			source: `
 resource "aws_ecs_task_definition" "my-task" {
-  #tfsec:ignore
+  #tfsec:ignore:*
   container_definitions = <<EOF
 [
   {

diff --git a/internal/app/tfsec/ignore_test.go b/internal/app/tfsec/ignore_test.go
@@ -3,17 +3,52 @@ package tfsec
 import (
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
+	"github.com/liamg/tfsec/internal/app/tfsec/parser"
+	"github.com/liamg/tfsec/internal/app/tfsec/scanner"
+
 	"github.com/stretchr/testify/assert"
 )
 
-func Test_Ignore(t *testing.T) {
+func Test_IgnoreAll(t *testing.T) {
 
 	results := scanSource(`
 resource "aws_security_group_rule" "my-rule" {
     type        = "ingress"
-    cidr_blocks = ["0.0.0.0/0"] // tfsec:ignore
+    cidr_blocks = ["0.0.0.0/0"] // tfsec:ignore:*
 }
 `)
 	assert.Len(t, results, 0)
 
 }
+
+func Test_IgnoreSpecific(t *testing.T) {
+
+	scanner.RegisterCheck(scanner.Check{
+		Code:           "ABC123",
+		RequiredLabels: []string{"bad"},
+		CheckFunc: func(check *scanner.Check, block *parser.Block, _ *scanner.Context) []scanner.Result {
+			return []scanner.Result{
+				check.NewResult("example problem", block.Range()),
+			}
+		},
+	})
+
+	scanner.RegisterCheck(scanner.Check{
+		Code:           "DEF456",
+		RequiredLabels: []string{"bad"},
+		CheckFunc: func(check *scanner.Check, block *parser.Block, _ *scanner.Context) []scanner.Result {
+			return []scanner.Result{
+				check.NewResult("example problem", block.Range()),
+			}
+		},
+	})
+
+	results := scanSource(`
+resource "bad" "my-bad" {} //tfsec:ignore:ABC123
+`)
+	require.Len(t, results, 1)
+	assert.Equal(t, results[0].Code, scanner.CheckCode("DEF456"))
+
+}
diff --git a/internal/app/tfsec/scanner/scanner.go b/internal/app/tfsec/scanner/scanner.go
@@ -1,6 +1,7 @@
 package scanner
 
 import (
+	"fmt"
 	"io/ioutil"
 	"strings"
 
@@ -24,7 +25,7 @@ func (scanner *Scanner) Scan(blocks []*parser.Block) []Result {
 		for _, check := range GetRegisteredChecks() {
 			if check.IsRequiredForBlock(block) {
 				for _, result := range check.Run(block, context) {
-					if !scanner.checkRangeIgnored(result.Range) {
+					if !scanner.checkRangeIgnored(result.Code, result.Range) {
 						results = append(results, result)
 					}
 				}
@@ -34,27 +35,33 @@ func (scanner *Scanner) Scan(blocks []*parser.Block) []Result {
 	return results
 }
 
-func (scanner *Scanner) checkRangeIgnored(r parser.Range) bool {
+func (scanner *Scanner) checkRangeIgnored(code CheckCode, r parser.Range) bool {
 	raw, err := ioutil.ReadFile(r.Filename)
 	if err != nil {
 		return false
 	}
+	ignoreAll := "tfsec:ignore:*"
+	ignoreCode := fmt.Sprintf("tfsec:ignore:%s", code)
 	lines := append([]string{""}, strings.Split(string(raw), "\n")...)
 	for number := r.StartLine; number <= r.EndLine; number++ {
 		if number <= 0 || number >= len(lines) {
 			continue
 		}
-		if strings.Contains(lines[number], "tfsec:ignore") {
+		if strings.Contains(lines[number], ignoreAll) || strings.Contains(lines[number], ignoreCode) {
 			return true
 		}
 	}
 
 	if r.StartLine-1 > 0 {
 		line := lines[r.StartLine-1]
 		line = strings.TrimSpace(strings.ReplaceAll(strings.ReplaceAll(line, "//", ""), "#", ""))
-		if line == "tfsec:ignore" {
-			return true
+		segments := strings.Split(line, " ")
+		for _, segment := range segments {
+			if segment == ignoreAll || segment == ignoreCode {
+				return true
+			}
 		}
+
 	}
 
 	return false