
pantsbuild / pants / 23177125175

17 Mar 2026 03:32AM UTC coverage: 52.677% (-40.3%) from 92.932%
23177125175

Pull #23177

Merge 1824dfbf4 into 0b9fdfb0e
Pull Request #23177: Bump the gha-deps group across 1 directory with 4 updates

31687 of 60153 relevant lines covered (52.68%)

1.05 hits per line


78.38
/src/python/pants/backend/terraform/lint/tfsec/tfsec_integration_test.py
# Copyright 2023 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from textwrap import dedent

import pytest

from pants.backend.terraform import tool
from pants.backend.terraform.lint.tffmt.tffmt import PartitionMetadata
from pants.backend.terraform.lint.tfsec.rules import rules as tfsec_rules
from pants.backend.terraform.lint.tfsec.tfsec import TfSecRequest
from pants.backend.terraform.target_types import (
    TerraformDeploymentTarget,
    TerraformFieldSet,
    TerraformModuleTarget,
)
from pants.core.goals.lint import LintResult
from pants.core.util_rules import source_files
from pants.engine.internals.native_engine import EMPTY_DIGEST, Address
from pants.engine.rules import QueryRule
from pants.testutil.rule_runner import RuleRunner

# Code of the custom check defined below; test_run_tfsec looks for its
# lower-cased form in tfsec's stdout to prove the custom check file was loaded.
TFSEC_CUSTOM_ERROR_CODE = "CUS001"
# tfsec custom-check definition (YAML). The test workspace writes it to
# .tfsec/custom_tfchecks.yaml. It requires every aws_s3_bucket resource to carry
# a CostCentre tag and reports a missing tag at severity ERROR.
TFSEC_CUSTOM_CHECK = f"""\
checks:
  - code: {TFSEC_CUSTOM_ERROR_CODE}
    description: Custom check taken from the docs, lightly adapted to apply to this test case
    impact: By not having CostCentre we can't keep track of billing
    resolution: Add the CostCentre tag
    requiredTypes:
      - resource
    requiredLabels:
      - aws_s3_bucket
    severity: ERROR
    matchSpec:
      name: tags
      action: contains
      value: CostCentre
    errorMessage: The required CostCentre tag was missing
    relatedLinks:
      - https://aquasecurity.github.io/tfsec/latest/guides/configuration/custom-checks/
"""


def set_up_rule_runner(tfsec_args: list[str]) -> RuleRunner:
    """Create a RuleRunner with a small Terraform workspace for the tfsec linter.

    The workspace holds one module (``good``) with a single ``aws_s3_bucket``,
    a tfsec config file that excludes ``aws-s3-block-public-acls``, and the
    custom check from ``TFSEC_CUSTOM_CHECK`` under ``.tfsec/``.

    Args:
        tfsec_args: Extra Pants options appended after the fixed tfsec options.

    Returns:
        The configured RuleRunner, with options set and files written.
    """
    lint_rules = [
        *tfsec_rules(),
        *tool.rules(),
        *source_files.rules(),
        QueryRule(LintResult, (TfSecRequest.Batch,)),
    ]
    runner = RuleRunner(
        target_types=[TerraformModuleTarget, TerraformDeploymentTarget],
        rules=lint_rules,
        # Negated ignore pattern for /.tfsec/ -- presumably so the directory
        # with the custom check file is not hidden from Pants; confirm.
        bootstrap_args=["--pants-ignore=['!/.tfsec/']"],
    )

    fixed_options = [
        # Extra args passed through to tfsec; the tests check that no colour
        # control codes reach stdout.
        "--terraform-tfsec-args='--no-colour'",
        # The config dir is readable anyway; this exercises the explicit
        # config-file setting.
        "--terraform-tfsec-config=.tfsec_config.json",
    ]
    runner.set_options([*fixed_options, *tfsec_args])

    runner.write_files(
        {
            "BUILD": dedent(
                """\
                terraform_deployment(name="tgt_good", root_module=":good")
                terraform_module(name="good", sources=["main.tf"])
                """
            ),
            "main.tf": dedent(
                """\
                resource "aws_s3_bucket" "my-bucket" {
                  bucket = "foobar"
                  acl    = "private"
                }
                """
            ),
            # Suppresses one built-in check; the tests expect tfsec to report
            # it as "1 ignored" rather than as a finding.
            ".tfsec_config.json": '{"exclude":["aws-s3-block-public-acls"]}',
            # Default custom-check location: discovery should still work even
            # though an explicit value was given for the config file itself.
            ".tfsec/custom_tfchecks.yaml": TFSEC_CUSTOM_CHECK,
        }
    )

    return runner


@pytest.mark.platform_specific_behavior
def test_run_tfsec():
    """Run tfsec on the ``good`` module and check config, extra args and custom checks.

    Verifies that the exclude list from the config file is applied ("1 ignored"),
    that the extra ``--no-colour`` arg reaches tfsec, and that the custom check
    under ``.tfsec/`` is picked up.
    """
    runner = set_up_rule_runner([])
    module_target = runner.get_target(Address("", target_name="good"))

    field_sets = (TerraformFieldSet.create(module_target),)
    batch = TfSecRequest.Batch("tfsec", field_sets, PartitionMetadata(""))
    result = runner.request(LintResult, [batch])

    # A failing exit code is expected -- presumably from the custom CostCentre
    # check, since the built-in ACL finding is excluded by the config.
    assert result.exit_code == 1

    stdout = result.stdout
    assert "1 ignored" in stdout, "Error wasn't ignored, did we pull in the config file?"
    assert "\x1b[1m" not in stdout, (
        "Found colour control code in ouput, are extra-args being passed?"
    )
    expected_code = TFSEC_CUSTOM_ERROR_CODE.lower()
    assert expected_code in stdout, (
        "Custom check code wasn't found in output, did we pull in our custom config (all files in .tfsec folder)?"
    )


def test_run_tfsec_with_report():
    """Run tfsec with a report name set and check that a report is produced.

    Besides the report itself, this re-checks that the config-file exclusion
    ("1 ignored") and the ``--no-colour`` extra arg still apply when a report
    is requested.
    """
    runner = set_up_rule_runner(["--terraform-tfsec-report-name=tfsec.txt"])
    module_target = runner.get_target(Address("", target_name="good"))

    field_sets = (TerraformFieldSet.create(module_target),)
    batch = TfSecRequest.Batch("tfsec", field_sets, PartitionMetadata(""))
    result = runner.request(LintResult, [batch])

    assert result.exit_code == 1
    # tfsec announces the written report on stderr, and the lint result must
    # carry a non-empty report digest.
    assert "1 file(s) written: reports/tfsec.txt" in result.stderr, (
        "No file was written, are extra args being passed?"
    )
    assert result.report != EMPTY_DIGEST

    stdout = result.stdout
    assert "1 ignored" in stdout, "Error wasn't ignored, did we pull in the config file?"
    assert "\x1b[1m" not in stdout, (
        "Found colour control code in ouput, are extra-args being passed?"
    )