Generate homebrew tap with goreleaser (#2667)

.github/workflows/release.yml

@@ -38,3 +38,4 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KICS_BOT_PAT: ${{ secrets.KICS_BOT_PAT }}

.goreleaser.yml

@@ -9,6 +9,15 @@ builds:
       - windows
     goarch:
       - amd64
+      - arm
+      - arm64
+    ignore:
+      - goos: darwin
+        goarch: 386
+      - goos: linux
+        goarm: 7
+      - goos: linux
+        goarm: 6
     ldflags:
       - -X github.com/Checkmarx/kics/internal/constants.Version={{.Version}}
       - -X github.com/Checkmarx/kics/internal/constants.SCMCommit={{.Commit}}
@@ -22,7 +31,34 @@ archives:
       386: x32
     files:
       - LICENSE
-      - assets/queries
+      - assets/queries/**/metadata.json
+      - assets/queries/**/*.rego
       - assets/libraries
+brews:
+  - tap:
+      owner: checkmarx
+      name: homebrew-tap
+      token: "{{ .Env.KICS_BOT_PAT }}"
+    folder: Formula
+    homepage:  https://github.com/Checkmarx/kics
+    description: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC
+    license: Apache
+    test: |
+      system "#{bin}/kics version"
+    install: |-
+      pkgshare.mkpath
+      cp_r "assets", pkgshare
+      bin.install "kics"
+    custom_block: |
+      def caveats
+        <<~EOS
+          KICS queries are placed under #{pkgshare}/assets/queries
+
+          To use KICS default queries add KICS_QUERIES_PATH env to your ~/.zshrc or ~/.zprofile:
+              "echo 'export KICS_QUERIES_PATH=#{pkgshare}/assets/queries' >> ~/.zshrc"
+
+          usage of CLI flag --queries-path takes precedence.
+        EOS
+      end
 release:
   prerelease: true

Makefile

@@ -7,6 +7,7 @@ GOLINT := golangci-lint
 COMMIT := $(shell git rev-parse HEAD)
 VERSION := snapshot-$(shell echo ${COMMIT} | cut -c1-8)
 IMAGE_TAG := dev
+TARGET_BIN ?= bin/kics
 
 .PHONY: clean
 clean: ## remove files created during build
@@ -19,13 +20,13 @@ clean: ## remove files created during build
 .PHONY: mod-tidy
 mod-tidy: ## go mod tidy - download and cleanup modules
 	$(call print-target)
-	go mod tidy
+	@go mod tidy
 	cd tools && go mod tidy
 
 .PHONY: vendor
 vendor: ## go mod vendor - download vendor modules
 	$(call print-target)
-	go mod vendor
+	@go mod vendor
 
 .PHONY: install
 install: ## go install tools
@@ -38,46 +39,55 @@ lint: mod-tidy
 	$(call print-target)
 	$(GOLINT) run -c .golangci.yml
 
+.PHONY: build-all
+build-all: ## go build for both kics and query builder
+build-all: lint generate
+	$(call print-target)
+	@go build -o bin/ \
+		-ldflags "-X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT}" ./...
+	@mv bin/console bin/kics
+
 .PHONY: build
 build: ## go build
 build: lint generate
 	$(call print-target)
-	go build -o bin/ -ldflags "-X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT}" ./...
-	@mv bin/console bin/kics
+	@go build -o ${TARGET_BIN} \
+		-ldflags "-X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT}" \
+		cmd/console/main.go
 
 .PHONY: go-clean
 go-clean: ## Go clean build, test and modules caches
 	$(call print-target)
-	go clean -r -i -cache -testcache -modcache
+	@go clean -r -i -cache -testcache -modcache
 
 .PHONY: generate
 generate: mod-tidy ## go generate
 	$(call print-target)
-	go generate ./...
+	@go generate ./...
 
 .PHONY: test
 test-short: # Run sanity unit tests
 test-short: generate
 	$(call print-target)
-	go test -short ./...
+	@go test -short ./...
 
 .PHONY: test
 test: ## Run tests with race detector and code covarage
 test: generate
 	$(call print-target)
-	go test -race -covermode=atomic -coverprofile=coverage.out ./...
-	go tool cover -html=coverage.out -o coverage.html
+	@go test -race -covermode=atomic -coverprofile=coverage.out ./...
+	@go tool cover -html=coverage.out -o coverage.html
 
 .PHONY: cover
 cover: ## generate coverage report
 cover: test
 	$(call print-target)
-	go tool cover -html=coverage.out -o coverage.html
+	@go tool cover -html=coverage.out -o coverage.html
 
 .PHONY: docker
 docker: ## build docker image
 	$(call print-target)
-	docker build --build-arg VERSION=${VERSION} --build-arg COMMIT=${COMMIT} -t "kics:${IMAGE_TAG}" .
+	@docker build --build-arg VERSION=${VERSION} --build-arg COMMIT=${COMMIT} -t "kics:${IMAGE_TAG}" .
 
 .PHONY: docker-compose
 dkr-compose: ## build docker image and runs docker-compose up
@@ -88,7 +98,29 @@ dkr-compose: ## build docker image and runs docker-compose up
 release: ## goreleaser --rm-dist
 release: install
 	$(call print-target)
-	goreleaser --rm-dist
+	@goreleaser --rm-dist
+
+.PHONY: run-local
+run-local: ## run agains local kics.config
+run-local: build
+	$(call print-target)
+	@./bin/kics scan --config kics.config
+
+.PHONY: generate-queries-docs
+generate-queries-docs: ## generate queries catalog md files
+	$(call print-target)
+	@pip3 install -r .github/generators/requirements.txt
+	@python3 -u .github/generators/docs_generator.py \
+		-p ./assets/queries/ \
+		-o ./docs/queries/ \
+		-f md \
+		-t .github/generators/templates
+	@echo "\033[36mQueries catalog updated\033[0m"
+
+.PHONY: integration
+integration: ## run kics against all its samples
+	$(call print-target)
+	@go run cmd/console/main.go -p assets/queries --log-level DEBUG --log-file
 
 .PHONY: help
 help:

internal/console/helpers/helpers.go

@@ -253,6 +253,36 @@ func GenerateReport(path, filename string, body interface{}, formats []string) e
 	return err
 }
 
+// GetExecutableDirectory - returns the path to the directory containing KICS executable
+func GetExecutableDirectory() string {
+	log.Debug().Msg("helpers.GetExecutableDirectory()")
+	path, err := os.Executable()
+	if err != nil {
+		log.Err(err)
+	}
+	return filepath.Dir(path)
+}
+
+// GetDefaultQueryPath - returns the default query path
+func GetDefaultQueryPath(queriesPath string) (string, error) {
+	log.Debug().Msg("helpers.GetDefaultQueryPath()")
+	executableDirPath := GetExecutableDirectory()
+	queriesDirectory := filepath.Join(executableDirPath, queriesPath)
+	if _, err := os.Stat(queriesDirectory); os.IsNotExist(err) {
+		currentWorkDir, err := os.Getwd()
+		if err != nil {
+			return "", err
+		}
+		queriesDirectory = filepath.Join(currentWorkDir, queriesPath)
+		if _, err := os.Stat(queriesDirectory); os.IsNotExist(err) {
+			return "", err
+		}
+	}
+
+	log.Debug().Msgf("Queries found in %s", queriesDirectory)
+	return queriesDirectory, nil
+}
+
 // ValidateReportFormats returns an error if output format is not supported
 func ValidateReportFormats(formats []string) error {
 	log.Debug().Msg("helpers.ValidateReportFormats()")

internal/console/scan.go

@@ -25,6 +25,7 @@ import (
 	"github.com/Checkmarx/kics/pkg/resolver"
 	"github.com/Checkmarx/kics/pkg/resolver/helm"
 	"github.com/getsentry/sentry-go"
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -51,19 +52,29 @@ var (
 	banner string
 )
 
+const (
+	queriesPathCmdName = "queries-path"
+)
+
 var scanCmd = &cobra.Command{
 	Use:   "scan",
 	Short: "Executes a scan analysis",
 	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 		return initializeConfig(cmd)
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return scan()
+		changedDefaultQueryPath := cmd.Flags().Lookup(queriesPathCmdName).Changed
+		return scan(changedDefaultQueryPath)
 	},
 }
 
 func initializeConfig(cmd *cobra.Command) error {
 	log.Debug().Msg("console.initializeConfig()")
+	v := viper.New()
+	v.SetEnvPrefix("KICS")
+	v.AutomaticEnv()
+	bindFlags(cmd, v)
+
 	if cfgFile == "" {
 		configpath := path
 		info, err := os.Stat(path)
@@ -83,7 +94,6 @@ func initializeConfig(cmd *cobra.Command) error {
 		cfgFile = filepath.ToSlash(filepath.Join(path, constants.DefaultConfigFilename))
 	}
 
-	v := viper.New()
 	base := filepath.Base(cfgFile)
 	v.SetConfigName(base)
 	v.AddConfigPath(filepath.Dir(cfgFile))
@@ -95,8 +105,7 @@ func initializeConfig(cmd *cobra.Command) error {
 	if err := v.ReadInConfig(); err != nil {
 		return err
 	}
-	v.SetEnvPrefix("KICS_")
-	v.AutomaticEnv()
+
 	bindFlags(cmd, v)
 	return nil
 }
@@ -108,7 +117,8 @@ func bindFlags(cmd *cobra.Command, v *viper.Viper) {
 		settingsMap[f.Name] = true
 		if strings.Contains(f.Name, "-") {
 			envVarSuffix := strings.ToUpper(strings.ReplaceAll(f.Name, "-", "_"))
-			if err := v.BindEnv(f.Name, fmt.Sprintf("%s_%s", "KICS", envVarSuffix)); err != nil {
+			variableName := fmt.Sprintf("%s_%s", "KICS", envVarSuffix)
+			if err := v.BindEnv(f.Name, variableName); err != nil {
 				log.Err(err).Msg("Failed to bind Viper flags")
 			}
 		}
@@ -154,7 +164,7 @@ func initScanCmd() {
 	scanCmd.Flags().StringVarP(&cfgFile, "config", "", "", "path to configuration file")
 	scanCmd.Flags().StringVarP(
 		&queryPath,
-		"queries-path",
+		queriesPathCmdName,
 		"q",
 		"./assets/queries",
 		"path to directory with queries",
@@ -297,7 +307,7 @@ func createService(inspector *engine.Inspector,
 	}, nil
 }
 
-func scan() error {
+func scan(changedDefaultQueryPath bool) error {
 	log.Debug().Msg("console.scan()")
 
 	if errlog := setupLogs(); errlog != nil {
@@ -319,6 +329,16 @@ func scan() error {
 		return err
 	}
 
+	if changedDefaultQueryPath {
+		log.Debug().Msgf("Trying to load queries from %s", queryPath)
+	} else {
+		log.Debug().Msgf("Looking for queries in executable path and in current work directory")
+		queryPath, err = consoleHelpers.GetDefaultQueryPath(queryPath)
+		if err != nil {
+			return errors.Wrap(err, "unable to find queries")
+		}
+	}
+
 	querySource := source.NewFilesystemSource(queryPath, types)
 	store := storage.NewMemoryStorage()