added tests for:

1. rule filtering
2. resource skipping
3. remote types

test/e2e/help/help_test.go

@@ -6,7 +6,6 @@ import (
 	helpUtils "github.com/accurics/terrascan/test/e2e/help"
 	"github.com/accurics/terrascan/test/helper"
 	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
 	"github.com/onsi/gomega/gbytes"
 	"github.com/onsi/gomega/gexec"
 )
@@ -39,65 +38,64 @@ var _ = Describe("Help", func() {
 	Describe("terrascan is run without any command", func() {
 		It("should print all supported commands and exit with status code 0", func() {
 			session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter)
-			helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_command.txt", true)
+			helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_command.txt", true)
 		})
 	})
 
 	Describe("terrascan is run -h flag", func() {
 		It("should print all supported commands and exit with status code 0", func() {
 			session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, "-h")
-			helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_flag.txt", true)
+			helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_flag.txt", true)
 		})
 	})
 
 	Describe("terrascan is run with an unkonwn command", func() {
 		It("should exit with status code 1 and display a error message", func() {
 			session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, "test")
-			helpUtils.ValidateExitCodeAndOutput(session, 1, "golden/incorrect_command.txt", false)
+			helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeOne, "golden/incorrect_command.txt", false)
 		})
 	})
 
 	Describe("help is run", func() {
 		Context("with no arguments", func() {
 			It("should print the terrascan help and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand)
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_command.txt", true)
-				Eventually(session).Should(gexec.Exit(0))
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_command.txt", true)
 			})
 		})
 
 		Context("for init command", func() {
 			It("should print help for init and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "init")
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_init.txt", true)
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_init.txt", true)
 			})
 		})
 
 		Context("for scan command", func() {
 			It("should print help for init and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "scan")
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_scan.txt", true)
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_scan.txt", true)
 			})
 		})
 
 		Context("for server command", func() {
 			It("should print help for init and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "server")
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_server.txt", true)
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_server.txt", true)
 			})
 		})
 
 		Context("for version command", func() {
 			It("should print help for init and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "version")
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_version.txt", true)
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_version.txt", true)
 			})
 		})
 
 		Context("for an unkonwn command", func() {
 			It("should display that help topic is not available for entered command and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "test")
-				helpUtils.ValidateExitCodeAndOutput(session, 0, "golden/help_unsupported_command.txt", false)
+				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, "golden/help_unsupported_command.txt", false)
 			})
 		})
 	})

test/e2e/init/init_test.go

@@ -48,7 +48,7 @@ var _ = Describe("Init", func() {
 	Describe("terrascan init is run", func() {
 		When("without any flags", func() {
 			It("should download policies and exit with status code 0", func() {
-				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 0)
+				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeZero)
 				Expect(outWriter).Should(gbytes.Say(""))
 			})
 
@@ -82,7 +82,7 @@ var _ = Describe("Init", func() {
 
 			It("should exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, initCommand, "-h")
-				Eventually(session).Should(gexec.Exit(0))
+				Eventually(session).Should(gexec.Exit(helper.ExitCodeZero))
 			})
 		})
 
@@ -96,7 +96,7 @@ var _ = Describe("Init", func() {
 
 			It("should exit with status code 1", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, "inti")
-				Eventually(session, 5).Should(gexec.Exit(1))
+				Eventually(session, 5).Should(gexec.Exit(helper.ExitCodeOne))
 			})
 		})
 
@@ -118,7 +118,7 @@ var _ = Describe("Init", func() {
 				os.Setenv(terrascanConfigEnvName, "")
 			})
 			It("should error out and exit with status code 1", func() {
-				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 1)
+				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeOne)
 				helper.ContainsErrorSubString(session, `failed to download policies. error: 'Get "https://repository/url/info/refs?service=git-upload-pack": dial tcp:`)
 			})
 		})
@@ -130,7 +130,7 @@ var _ = Describe("Init", func() {
 				os.Setenv(terrascanConfigEnvName, "")
 			})
 			It("should error out and exit with status code 1", func() {
-				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 1)
+				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeOne)
 				helper.ContainsErrorSubString(session, `failed to initialize terrascan. error : failed to checkout git branch 'invalid-branch'. error: 'reference not found'`)
 			})
 		})
@@ -142,7 +142,7 @@ var _ = Describe("Init", func() {
 				os.Setenv(terrascanConfigEnvName, "")
 			})
 			It("should error out and exit with status code 1", func() {
-				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 1)
+				session = initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeOne)
 				helper.ContainsErrorSubString(session, "invalid/path: no such file or directory")
 			})
 		})
@@ -154,7 +154,7 @@ var _ = Describe("Init", func() {
 				os.Setenv(terrascanConfigEnvName, "")
 			})
 			It("should download policies and exit with status code 0", func() {
-				initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 0)
+				initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeZero)
 			})
 		})
 		Context("the config file has valid data", func() {
@@ -166,7 +166,7 @@ var _ = Describe("Init", func() {
 					os.Setenv(terrascanConfigEnvName, "")
 				})
 				It("init should download the repo provided in the config file", func() {
-					initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 0)
+					initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeZero)
 				})
 				Context("Kai Monkey git repo is downloaded", func() {
 					It("should validate Kai Monkey repo in the policy path", func() {
@@ -183,14 +183,14 @@ var _ = Describe("Init", func() {
 			Context("running init the first time", func() {
 				var modifiedTime time.Time
 				It("should download policies at the default policy path", func() {
-					initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 0)
+					initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeZero)
 					fi, err := os.Stat(defaultPolicyRepoPath)
 					Expect(err).ToNot(HaveOccurred())
 					modifiedTime = fi.ModTime()
 				})
 				Context("running init the second time", func() {
 					It("should download policies again at the default policy path", func() {
-						initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, 0)
+						initUtil.RunInitCommand(terrascanBinaryPath, outWriter, errWriter, helper.ExitCodeZero)
 						fi, err := os.Stat(defaultPolicyRepoPath)
 						Expect(err).ToNot(HaveOccurred())
 						Expect(fi.ModTime()).To(BeTemporally(">", modifiedTime))

test/e2e/scan/config/invalid_severity.toml

@@ -0,0 +1,2 @@
+[severity]
+level = "test"

test/e2e/scan/config/scan_and_skip_rules.toml

@@ -0,0 +1,9 @@
+[rules]
+    scan-rules = [
+        "AWS.RDS.DS.High.1041",
+        "AWS.AWS RDS.NS.High.0101",
+        "AWS.RDS.DataSecurity.High.0577"
+    ]
+    skip-rules = [
+        "AWS.RDS.DataSecurity.High.0577"
+    ]

test/e2e/scan/golden/resource_skipping/kubernetes_file_resource_skipping.txt

@@ -0,0 +1,29 @@
+{
+  "results": {
+    "violations": null,
+    "skipped_violations": [
+      {
+        "rule_name": "noOwnerLabel",
+        "description": "No owner for namespace affects the operations",
+        "rule_id": "AC-K8-OE-NS-L-0128",
+        "severity": "LOW",
+        "category": "Operational Efficiency",
+        "skip_comment": "reason to skip the rule",
+        "resource_name": "production",
+        "resource_type": "kubernetes_namespace",
+        "file": "/Users/apple/go/src/github.com/patilpankaj212/terrascan/test/e2e/test_data/iac/resource_skipping/kubernetes/config.yaml",
+        "line": 1
+      }
+    ],
+    "scan_summary": {
+      "file/folder": "/Users/apple/go/src/github.com/patilpankaj212/terrascan/test/e2e/test_data/iac/resource_skipping/kubernetes",
+      "iac_type": "k8s",
+      "scanned_at": "2021-02-26 17:22:16.050445 +0000 UTC",
+      "policies_validated": 53,
+      "violated_policies": 0,
+      "low": 0,
+      "medium": 0,
+      "high": 0
+    }
+  }
+}

test/e2e/scan/golden/resource_skipping/terraform_file_resource_skipping.txt

@@ -0,0 +1,142 @@
+{
+  "results": {
+    "violations": [
+      {
+        "rule_name": "ec2UsingIMDSv1",
+        "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
+        "rule_id": "AC-AWS-NS-IN-M-1172",
+        "severity": "MEDIUM",
+        "category": "Network Security",
+        "resource_name": "instanceWithIMDv1_emptyblock",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 70
+      },
+      {
+        "rule_name": "ec2UsingIMDSv1",
+        "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
+        "rule_id": "AC-AWS-NS-IN-M-1172",
+        "severity": "MEDIUM",
+        "category": "Network Security",
+        "resource_name": "instanceWithIMDv1_fullblock",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 77
+      },
+      {
+        "rule_name": "ec2UsingIMDSv1",
+        "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
+        "rule_id": "AC-AWS-NS-IN-M-1172",
+        "severity": "MEDIUM",
+        "category": "Network Security",
+        "resource_name": "instanceWithIMDv1_endpoint_not_present",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 98
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "instanceWithNoVpc",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 51
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "instanceWithIMDv1_emptyblock",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 70
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "instanceWithIMDv1_fullblock",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 77
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "instanceWithIMDv1_endpoint_not_present",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 98
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "resource_name": "instanceWithPublicIp",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 61
+      }
+    ],
+    "skipped_violations": [
+      {
+        "rule_name": "ec2UsingIMDSv1",
+        "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
+        "rule_id": "AC-AWS-NS-IN-M-1172",
+        "severity": "MEDIUM",
+        "category": "Network Security",
+        "skip_comment": "should skip this rule",
+        "resource_name": "instanceWithPublicIp",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 61
+      },
+      {
+        "rule_name": "ec2UsingIMDSv1",
+        "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
+        "rule_id": "AC-AWS-NS-IN-M-1172",
+        "severity": "MEDIUM",
+        "category": "Network Security",
+        "skip_comment": "need to skip this rule",
+        "resource_name": "instanceWithIMDv1_token_not_present",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 87
+      },
+      {
+        "rule_name": "instanceWithNoVpc",
+        "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices",
+        "rule_id": "AC-AW-IS-IN-M-0144",
+        "severity": "MEDIUM",
+        "category": "Infrastructure Security",
+        "skip_comment": "can skip this rule",
+        "resource_name": "instanceWithIMDv1_token_not_present",
+        "resource_type": "aws_instance",
+        "file": "main.tf",
+        "line": 87
+      }
+    ],
+    "scan_summary": {
+      "file/folder": "/Users/apple/go/src/github.com/patilpankaj212/terrascan/test/e2e/test_data/iac/resource_skipping/terraform",
+      "iac_type": "terraform",
+      "scanned_at": "2021-02-26 17:05:56.671863 +0000 UTC",
+      "policies_validated": 53,
+      "violated_policies": 8,
+      "low": 0,
+      "medium": 8,
+      "high": 0
+    }
+  }
+}