arno
/
kube-bench
mirror of https://github.com/aquasecurity/kube-bench.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Add --skip command to skip groups and checks (#751)

Browse Source
pull/760/head
Wicked 4 years ago committed by GitHub
parent 519f632147
commit 3a35c039e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 74 additions and 10 deletions
Show Stats Download Patch File Download Diff File

8
check/controls.go
Unescape View File

@ -75,7 +75,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
} }
// RunChecks runs the checks with the given Runner. Only checks for which the filter Predicate returns `true` will run. // RunChecks runs the checks with the given Runner. Only checks for which the filter Predicate returns `true` will run.
func (controls *Controls) RunChecks(runner Runner, filter Predicate) Summary { func (controls *Controls) RunChecks(runner Runner, filter Predicate, skipIdMap map[string]bool) Summary {
var g []*Group var g []*Group
m := make(map[string]*Group) m := make(map[string]*Group)
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0 controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
@ -87,8 +87,10 @@ func (controls *Controls) RunChecks(runner Runner, filter Predicate) Summary {
continue continue
} }
// propagate skip type to check if set at the group level. _, groupSkippedViaCmd := skipIdMap[group.ID]
if group.Skip { _, checkSkippedViaCmd := skipIdMap[check.ID]
if group.Skip || groupSkippedViaCmd || checkSkippedViaCmd {
check.Type = SKIP check.Type = SKIP
} }

49
check/controls_test.go
Unescape View File

@ -69,7 +69,6 @@ func TestYamlFiles(t *testing.T) {
} }
func TestNewControls(t *testing.T) { func TestNewControls(t *testing.T) {
t.Run("Should return error when node type is not specified", func(t *testing.T) { t.Run("Should return error when node type is not specified", func(t *testing.T) {
// given // given
in := []byte(` in := []byte(`
@ -95,9 +94,48 @@ groups:
} }
func TestControls_RunChecks_SkippedCmd(t *testing.T) {
t.Run("Should skip checks and groups specified by skipMap", func(t *testing.T) {
// given
normalRunner := &defaultRunner{}
// and
in := []byte(`
---
type: "master"
groups:
- id: G1
checks:
- id: G1/C1
- id: G1/C2
- id: G1/C3
- id: G2
checks:
- id: G2/C1
- id: G2/C2
`)
controls, err := NewControls(MASTER, in)
assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool {
return true
}
skipMap := make(map[string]bool, 0)
skipMap["G1"] = true
skipMap["G2/C1"] = true
skipMap["G2/C2"] = true
controls.RunChecks(normalRunner, allChecks, skipMap)
G1 := controls.Groups[0]
assertEqualGroupSummary(t, 0, 0, 3, 0, G1)
G2 := controls.Groups[1]
assertEqualGroupSummary(t, 0, 0, 2, 0, G2)
})
}
func TestControls_RunChecks_Skipped(t *testing.T) { func TestControls_RunChecks_Skipped(t *testing.T) {
t.Run("Should run checks matching the filter and update summaries", func(t *testing.T) { t.Run("Should skip checks where the parent group is marked as skip", func(t *testing.T) {
// given // given
normalRunner := &defaultRunner{} normalRunner := &defaultRunner{}
// and // and
@ -116,12 +154,12 @@ groups:
var allChecks Predicate = func(group *Group, c *Check) bool { var allChecks Predicate = func(group *Group, c *Check) bool {
return true return true
} }
controls.RunChecks(normalRunner, allChecks) emptySkipList := make(map[string]bool, 0)
controls.RunChecks(normalRunner, allChecks, emptySkipList)
G1 := controls.Groups[0] G1 := controls.Groups[0]
assertEqualGroupSummary(t, 0, 0, 1, 0, G1) assertEqualGroupSummary(t, 0, 0, 1, 0, G1)
}) })
} }
func TestControls_RunChecks(t *testing.T) { func TestControls_RunChecks(t *testing.T) {
@ -162,8 +200,9 @@ groups:
var runAll Predicate = func(group *Group, c *Check) bool { var runAll Predicate = func(group *Group, c *Check) bool {
return true return true
} }
var emptySkipList = make(map[string]bool, 0)
// when // when
controls.RunChecks(runner, runAll) controls.RunChecks(runner, runAll, emptySkipList)
// then // then
assert.Equal(t, 2, len(controls.Groups)) assert.Equal(t, 2, len(controls.Groups))
// and // and

13
cmd/common.go
Unescape View File

@ -32,7 +32,6 @@ import (
// NewRunFilter constructs a Predicate based on FilterOpts which determines whether tested Checks should be run or not. // NewRunFilter constructs a Predicate based on FilterOpts which determines whether tested Checks should be run or not.
func NewRunFilter(opts FilterOpts) (check.Predicate, error) { func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
if opts.CheckList != "" && opts.GroupList != "" { if opts.CheckList != "" && opts.GroupList != "" {
return nil, fmt.Errorf("group option and check option can't be used together") return nil, fmt.Errorf("group option and check option can't be used together")
} }
@ -118,10 +117,20 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
exitWithError(fmt.Errorf("error setting up run filter: %v", err)) exitWithError(fmt.Errorf("error setting up run filter: %v", err))
} }
controls.RunChecks(runner, filter) controls.RunChecks(runner, filter, parseSkipIds(skipIds))
controlsCollection = append(controlsCollection, controls) controlsCollection = append(controlsCollection, controls)
} }
func parseSkipIds(skipIds string) map[string]bool {
var skipIdMap = make(map[string]bool, 0)
if skipIds != "" {
for _, id := range strings.Split(skipIds, ",") {
skipIdMap[strings.Trim(id, " ")] = true
}
}
return skipIdMap
}
// colorPrint outputs the state in a specific colour, along with a message string // colorPrint outputs the state in a specific colour, along with a message string
func colorPrint(state check.State, s string) { func colorPrint(state check.State, s string) {
colors[state].Printf("[%s] ", state) colors[state].Printf("[%s] ", state)

12
cmd/common_test.go
Unescape View File

@ -30,6 +30,18 @@ import (
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
func TestParseSkipIds(t *testing.T) {
skipMap := parseSkipIds("4.12,4.13,5")
_, fourTwelveExists := skipMap["4.12"]
_, fourThirteenExists := skipMap["4.13"]
_, fiveExists := skipMap["5"]
_, other := skipMap["G1"]
assert.True(t, fourThirteenExists)
assert.True(t, fourTwelveExists)
assert.True(t, fiveExists)
assert.False(t, other)
}
func TestNewRunFilter(t *testing.T) { func TestNewRunFilter(t *testing.T) {
type TestCase struct { type TestCase struct {

2
cmd/root.go
Unescape View File

@ -51,6 +51,7 @@ var (
noResults bool noResults bool
noSummary bool noSummary bool
noRemediations bool noRemediations bool
skipIds string
filterOpts FilterOpts filterOpts FilterOpts
includeTestOutput bool includeTestOutput bool
outputFile string outputFile string
@ -153,6 +154,7 @@ func init() {
RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL") RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks") RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")
RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks") RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")
RootCmd.PersistentFlags().StringVar(&skipIds, "skip", "", "List of comma separated values of checks to be skipped")
RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails") RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails")
RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file") RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")

Write Preview
Loading…
Cancel
Save