diff --git a/.github/scripts/metrics/get_metrics.py b/.github/scripts/metrics/get_metrics.py
index b194935f922..5a53fd03562 100644
--- a/.github/scripts/metrics/get_metrics.py
+++ b/.github/scripts/metrics/get_metrics.py
@@ -20,6 +20,7 @@
'grpc': os.path.join(queries_basepath, 'grpc', '*'),
'gdm': os.path.join(queries_basepath, 'googleDeploymentManager', '*'),
'dockerCompose': os.path.join(queries_basepath, 'dockerCompose', '*'),
+ 'pulumi': os.path.join(queries_basepath, 'pulumi', '*'),
}
samples_ext = {
'azureresourcemanager': ['json'],
@@ -35,7 +36,7 @@
'grpc': ['proto'],
'gdm': ['yaml'],
'dockerCompose': ['dockerCompose'],
-
+ 'pulumi': ['yaml'],
}
summary = {
'total': 0,
diff --git a/.github/scripts/queries-validator/metadata-schema.json b/.github/scripts/queries-validator/metadata-schema.json
index 34d18648c68..d1ebfcaed91 100644
--- a/.github/scripts/queries-validator/metadata-schema.json
+++ b/.github/scripts/queries-validator/metadata-schema.json
@@ -95,7 +95,8 @@
"Knative",
"Kubernetes",
"OpenAPI",
- "Terraform"
+ "Terraform",
+ "Pulumi"
]
},
"descriptionID": {
diff --git a/README.md b/README.md
index a8042cf5f64..7739fe98a03 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,13 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
+
+
+
+
+
+
+
Support of other solutions and additional cloud providers are on the [roadmap](docs/roadmap.md).
diff --git a/assets/libraries/pulumi.rego b/assets/libraries/pulumi.rego
new file mode 100644
index 00000000000..1348211bdd6
--- /dev/null
+++ b/assets/libraries/pulumi.rego
@@ -0,0 +1 @@
+package generic.pulumi
diff --git a/docs/commands.md b/docs/commands.md
index c60857d5d90..b9cf25f9e78 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -92,7 +92,7 @@ Flags:
-r, --secrets-regexes-path string path to secrets regex rules configuration file
--timeout int number of seconds the query has to execute before being canceled (default 60)
-t, --type strings case insensitive list of platform types to scan
- (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+ (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
Global Flags:
--ci display only log messages to CLI output (mutually exclusive with silent)
diff --git a/docs/dockerhub.md b/docs/dockerhub.md
index efa8f067f8d..71a1b559f01 100644
--- a/docs/dockerhub.md
+++ b/docs/dockerhub.md
@@ -102,7 +102,7 @@ Flags:
-r, --secrets-regexes-path string path to secrets regex rules configuration file
--timeout int number of seconds the query has to execute before being canceled (default 60)
-t, --type strings case insensitive list of platform types to scan
- (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+ (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
Global Flags:
--ci display only log messages to CLI output (mutually exclusive with silent)
diff --git a/docs/img/logo-crossplane.png b/docs/img/logo-crossplane.png
new file mode 100644
index 00000000000..96bd88c2cad
Binary files /dev/null and b/docs/img/logo-crossplane.png differ
diff --git a/docs/img/logo-knative.png b/docs/img/logo-knative.png
new file mode 100644
index 00000000000..a33a4bcdff9
Binary files /dev/null and b/docs/img/logo-knative.png differ
diff --git a/docs/img/logo-pulumi.png b/docs/img/logo-pulumi.png
new file mode 100644
index 00000000000..36433ed9b80
Binary files /dev/null and b/docs/img/logo-pulumi.png differ
diff --git a/docs/platforms.md b/docs/platforms.md
index 208f2723003..a8a52bfedd7 100644
--- a/docs/platforms.md
+++ b/docs/platforms.md
@@ -109,6 +109,11 @@ KICS supports scanning Kubernetes manifests with `.yaml` extension.
KICS supports scanning Swagger 2.0 and OpenAPI 3.0 specs with `.json` and `.yaml` extension.
+## Pulumi
+
+KICS supports scanning Pulumi manifests with `.yaml` extension.
+
+
## Google Deployment Manager
KICS supports scanning Google Deployment Manager files with `.yaml` extension.
diff --git a/e2e/fixtures/E2E_CLI_010 b/e2e/fixtures/E2E_CLI_010
index 9a81c961927..2b86b7ebf8a 100644
--- a/e2e/fixtures/E2E_CLI_010
+++ b/e2e/fixtures/E2E_CLI_010
@@ -12,5 +12,6 @@ valid arguments:
Knative
Kubernetes
OpenAPI
+ Pulumi
Terraform
{{.ScanHelp}}
diff --git a/e2e/fixtures/E2E_CLI_013 b/e2e/fixtures/E2E_CLI_013
index 64257458626..a468cd86dde 100644
--- a/e2e/fixtures/E2E_CLI_013
+++ b/e2e/fixtures/E2E_CLI_013
@@ -10,4 +10,5 @@ GoogleDeploymentManager
Knative
Kubernetes
OpenAPI
+Pulumi
Terraform
diff --git a/e2e/fixtures/assets/scan_help b/e2e/fixtures/assets/scan_help
index b14ce35f359..31b264af26b 100644
--- a/e2e/fixtures/assets/scan_help
+++ b/e2e/fixtures/assets/scan_help
@@ -51,7 +51,7 @@ Flags:
-r, --secrets-regexes-path string path to secrets regex rules configuration file
--timeout int number of seconds the query has to execute before being canceled (default 60)
-t, --type strings case insensitive list of platform types to scan
- (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+ (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
Global Flags:
--ci display only log messages to CLI output (mutually exclusive with silent)
diff --git a/e2e/fixtures/schemas/result.json b/e2e/fixtures/schemas/result.json
index 447685ea486..401d200e76d 100644
--- a/e2e/fixtures/schemas/result.json
+++ b/e2e/fixtures/schemas/result.json
@@ -102,6 +102,7 @@
"Knative",
"Kubernetes",
"OpenAPI",
+ "Pulumi",
"Terraform"
]
},
diff --git a/e2e/fixtures/schemas/resultBoM.json b/e2e/fixtures/schemas/resultBoM.json
index 520cf8c6927..a967f9c91b0 100644
--- a/e2e/fixtures/schemas/resultBoM.json
+++ b/e2e/fixtures/schemas/resultBoM.json
@@ -55,6 +55,7 @@
"Knative",
"Kubernetes",
"OpenAPI",
+ "Pulumi",
"Terraform"
]
},
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 7ee44bf95a5..2a8a3ef3e76 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -53,6 +53,7 @@ var (
"GoogleDeploymentManager": "googleDeploymentManager",
"GRPC": "grpc",
"Buildah": "buildah",
+ "Pulumi": "pulumi",
}
// AvailableSeverities - All severities available
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index deaa3e84e2a..e11f3c482d6 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -57,6 +57,9 @@ var (
dockerComposeServicesRegex = regexp.MustCompile(`\s*services\s*:`)
crossPlaneRegex = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+crossplane\.io/v\w+\s*`)
knativeRegex = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+knative\.dev/v\w+\s*`)
+ pulumiNameRegex = regexp.MustCompile(`\s*name\s*:`)
+ pulumiRuntimeRegex = regexp.MustCompile(`\s*runtime\s*:`)
+ pulumiResourcesRegex = regexp.MustCompile(`\s*resources\s*:`)
)
var (
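Review bot: The three new Pulumi regexes on the added lines (`\s*name\s*:`, `\s*runtime\s*:`, `\s*resources\s*:`) are unanchored and match very common YAML keys, so `name:` also matches `hostname:` or a nested `metadata.name`, and `resources:` matches the container `resources:` block of a Kubernetes manifest; whether that yields a misclassification depends on how `types` combines a regexSlice (all-must-match vs. any), which is outside these hunks. Since `name` and `runtime` are top-level keys in the demo file added by this commit, anchoring them to line start narrows the match without losing the intended documents, e.g. `pulumiNameRegex = regexp.MustCompile(`(?m)^name\s*:`)` and `pulumiRuntimeRegex = regexp.MustCompile(`(?m)^runtime\s*:`)`, with the same treatment for `pulumiResourcesRegex`. The same observation applies to the "pulumi" entry of the `types` map in the third hunk of this file, which wires these three regexes together. A short comment above the three vars stating that all three keys are required for a file to be detected as Pulumi (if that is the intended semantics) would help the next person adding a platform.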
@@ -86,6 +89,7 @@ var (
"kubernetes": {"kubernetes"},
"openapi": {"openapi"},
"terraform": {"terraform", "cdkTf"},
+ "pulumi": {"pulumi"},
}
)
@@ -209,6 +213,13 @@ var types = map[string]regexSlice{
dockerComposeServicesRegex,
},
},
+ "pulumi": {
+ []*regexp.Regexp{
+ pulumiNameRegex,
+ pulumiRuntimeRegex,
+ pulumiResourcesRegex,
+ },
+ },
}
// Analyze will go through the slice paths given and determine what type of queries should be loaded
diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go
index 25b271a4fd2..fe12df5f3ee 100644
--- a/pkg/analyzer/analyzer_test.go
+++ b/pkg/analyzer/analyzer_test.go
@@ -19,7 +19,7 @@ func TestAnalyzer_Analyze(t *testing.T) {
{
name: "analyze_test_dir_single_path",
paths: []string{filepath.FromSlash("../../test/fixtures/analyzer_test")},
- wantTypes: []string{"dockerfile", "googledeploymentmanager", "cloudformation", "crossplane", "knative", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose"},
+ wantTypes: []string{"dockerfile", "googledeploymentmanager", "cloudformation", "crossplane", "knative", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose", "pulumi"},
wantExclude: []string{},
wantErr: false,
},
diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go
index 8a165719894..f50086689d8 100644
--- a/pkg/engine/source/filesystem.go
+++ b/pkg/engine/source/filesystem.go
@@ -406,39 +406,31 @@ func ReadMetadata(queryDir string) (map[string]interface{}, error) {
return metadata, nil
}
+type supportedPlatforms map[string]string
+
+var supPlatforms = &supportedPlatforms{
+ "Ansible": "ansible",
+ "CloudFormation": "cloudFormation",
+ "Common": "common",
+ "Crossplane": "crossplane",
+ "Dockerfile": "dockerfile",
+ "DockerCompose": "dockerCompose",
+ "Knative": "knative",
+ "Kubernetes": "k8s",
+ "OpenAPI": "openAPI",
+ "Terraform": "terraform",
+ "AzureResourceManager": "azureResourceManager",
+ "GRPC": "grpc",
+ "GoogleDeploymentManager": "googleDeploymentManager",
+ "Buildah": "buildah",
+ "Pulumi": "pulumi",
+}
+
func getPlatform(metadataPlatform string) string {
- switch metadataPlatform {
- case "Ansible":
- return "ansible"
- case "CloudFormation":
- return "cloudFormation"
- case "Common":
- return "common"
- case "Crossplane":
- return "crossplane"
- case "Dockerfile":
- return "dockerfile"
- case "DockerCompose":
- return "dockerCompose"
- case "Knative":
- return "knative"
- case "Kubernetes":
- return "k8s"
- case "OpenAPI":
- return "openAPI"
- case "Terraform":
- return "terraform"
- case "AzureResourceManager":
- return "azureResourceManager"
- case "GRPC":
- return "grpc"
- case "GoogleDeploymentManager":
- return "googleDeploymentManager"
- case "Buildah":
- return "buildah"
- default:
- return "unknown"
+ if p, ok := (*supPlatforms)[metadataPlatform]; ok {
+ return p
}
+ return "unknown"
}
func readInputData(inputDataPath string) (string, error) {
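Review bot: `supPlatforms` is declared as a pointer to a map (`&supportedPlatforms{...}`) and then dereferenced on every lookup with `(*supPlatforms)[metadataPlatform]`; Go maps are already reference types, so the indirection buys nothing and reads as if the map were meant to be swapped at runtime. The simpler form is `var supPlatforms = supportedPlatforms{` and `if p, ok := supPlatforms[metadataPlatform]; ok {`. This table also appears to duplicate the name-to-directory mapping edited in `internal/constants/constants.go` in the same commit (the Pulumi entry was added to both), so the two may drift; if they are meant to be the same data, a comment pointing at the other definition, or deriving one from the other, would document that. The `supportedPlatforms` type and `supPlatforms` var are unexported and undocumented; a one-line comment such as `// supPlatforms maps the Platform value from query metadata to its query directory name.` would make the contract of getPlatform (including the "unknown" fallback) clear.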
diff --git a/pkg/engine/source/filesystem_test.go b/pkg/engine/source/filesystem_test.go
index 61f23fa9dcb..202338df705 100644
--- a/pkg/engine/source/filesystem_test.go
+++ b/pkg/engine/source/filesystem_test.go
@@ -645,6 +645,7 @@ func TestListSupportedPlatforms(t *testing.T) {
"Knative",
"Kubernetes",
"OpenAPI",
+ "Pulumi",
"Terraform",
}
listActual := ListSupportedPlatforms()
diff --git a/pkg/parser/yaml/parser.go b/pkg/parser/yaml/parser.go
index 0597fc1a8f4..527289c0b0b 100644
--- a/pkg/parser/yaml/parser.go
+++ b/pkg/parser/yaml/parser.go
@@ -107,6 +107,7 @@ func (p *Parser) SupportedTypes() map[string]bool {
"openapi": true,
"googledeploymentmanager": true,
"dockercompose": true,
+ "pulumi": true,
}
}
diff --git a/pkg/parser/yaml/parser_test.go b/pkg/parser/yaml/parser_test.go
index b8af20318b7..7c340d32103 100644
--- a/pkg/parser/yaml/parser_test.go
+++ b/pkg/parser/yaml/parser_test.go
@@ -35,6 +35,7 @@ func TestParser_SupportedTypes(t *testing.T) {
"openapi": true,
"googledeploymentmanager": true,
"dockercompose": true,
+ "pulumi": true,
}, p.SupportedTypes())
}
diff --git a/res/demoPulumi.yaml b/res/demoPulumi.yaml
new file mode 100644
index 00000000000..aa87f9b15ec
--- /dev/null
+++ b/res/demoPulumi.yaml
@@ -0,0 +1,28 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
+variables:
+ vpcId:
+ Fn::Invoke:
+ Function: aws:ec2:getVpc
+ Arguments:
+ default: true
+ Return: id
+ subnetIds:
+ Fn::Invoke:
+ Function: aws:ec2:getSubnetIds
+ Arguments:
+ vpcId: ${vpcId}
+ Return: ids
+resources:
+ cluster:
+ type: eks:Cluster
+ properties:
+ vpcId: ${vpcId}
+ subnetIds: ${subnetIds}
+ instanceType: "t2.medium"
+ desiredCapacity: 2
+ minSize: 1
+ maxSize: 2
+outputs:
+ kubeconfig: ${cluster.kubeconfig}
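Review bot: This new file and `test/fixtures/analyzer_test/pulumi.yaml` are byte-identical (both carry blob index aa87f9b15ec), so any later change to the demo will have to be mirrored by hand into the analyzer fixture, or the two will silently diverge. If the analyzer test only needs a file that trips the Pulumi detection, a minimal fixture holding just the `name:`, `runtime:` and `resources:` keys would make the test's intent explicit and decouple it from the demo; otherwise a comment at the top of the fixture naming its source would at least document the coupling.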
diff --git a/test/fixtures/analyzer_test/pulumi.yaml b/test/fixtures/analyzer_test/pulumi.yaml
new file mode 100644
index 00000000000..aa87f9b15ec
--- /dev/null
+++ b/test/fixtures/analyzer_test/pulumi.yaml
@@ -0,0 +1,28 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
+variables:
+ vpcId:
+ Fn::Invoke:
+ Function: aws:ec2:getVpc
+ Arguments:
+ default: true
+ Return: id
+ subnetIds:
+ Fn::Invoke:
+ Function: aws:ec2:getSubnetIds
+ Arguments:
+ vpcId: ${vpcId}
+ Return: ids
+resources:
+ cluster:
+ type: eks:Cluster
+ properties:
+ vpcId: ${vpcId}
+ subnetIds: ${subnetIds}
+ instanceType: "t2.medium"
+ desiredCapacity: 2
+ minSize: 1
+ maxSize: 2
+outputs:
+ kubeconfig: ${cluster.kubeconfig}