feat(pulumi): add support to Pulumi yaml parsing

.github/scripts/metrics/get_metrics.py

@@ -20,6 +20,7 @@
     'grpc': os.path.join(queries_basepath, 'grpc', '*'),
     'gdm': os.path.join(queries_basepath, 'googleDeploymentManager', '*'),
     'dockerCompose': os.path.join(queries_basepath, 'dockerCompose', '*'),
+    'pulumi': os.path.join(queries_basepath, 'pulumi', '*'),
 }
 samples_ext = {
     'azureresourcemanager': ['json'],
@@ -35,7 +36,7 @@
     'grpc': ['proto'],
     'gdm': ['yaml'],
     'dockerCompose': ['dockerCompose'],
-
+    'pulumi': ['yaml'],
 }
 summary = {
     'total': 0,

.github/scripts/queries-validator/metadata-schema.json

@@ -95,7 +95,8 @@
                 "Knative",
                 "Kubernetes",
                 "OpenAPI",
-                "Terraform"
+                "Terraform",
+                "Pulumi"
             ]
         },
         "descriptionID": {

README.md

@@ -43,6 +43,13 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
 <img alt="Cloud Deployment Kit" src="docs/img/logo-cdk.png" width="150">&nbsp;&nbsp;&nbsp;
 <img alt="SAM" src="docs/img/logo-sam.png" width="55">&nbsp;&nbsp;&nbsp;
 <img alt="Docker Compose" src="docs/img/logo-dockercompose.png" width="80">&nbsp;&nbsp;&nbsp;
+<img alt="Knative" src="docs/img/logo-knative.png" width="80">&nbsp;&nbsp;&nbsp;
+<br>
+<br>
+<img alt="Crossplane" src="docs/img/logo-crossplane.png" width="150">&nbsp;&nbsp;&nbsp;
+<img alt="Pulumi" src="docs/img/logo-pulumi.png" width="130">&nbsp;&nbsp;&nbsp;
+
+
 
 Support of other solutions and additional cloud providers are on the [roadmap](docs/roadmap.md).
 

assets/libraries/pulumi.rego

@@ -0,0 +1 @@
+package generic.pulumi

docs/commands.md

@@ -92,7 +92,7 @@ Flags:
   -r, --secrets-regexes-path string   path to secrets regex rules configuration file
       --timeout int                   number of seconds the query has to execute before being canceled (default 60)
   -t, --type strings                  case insensitive list of platform types to scan
-                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
 
 Global Flags:
       --ci                  display only log messages to CLI output (mutually exclusive with silent)

docs/dockerhub.md

@@ -102,7 +102,7 @@ Flags:
   -r, --secrets-regexes-path string   path to secrets regex rules configuration file
       --timeout int                   number of seconds the query has to execute before being canceled (default 60)
   -t, --type strings                  case insensitive list of platform types to scan
-                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
 
 Global Flags:
       --ci                  display only log messages to CLI output (mutually exclusive with silent)

docs/platforms.md

@@ -109,6 +109,11 @@ KICS supports scanning Kubernetes manifests with `.yaml` extension.
 
 KICS supports scanning Swagger 2.0 and OpenAPI 3.0 specs with `.json` and `.yaml` extension.
 
+## Pulumi
+
+KICS supports scanning Pulumi manifests with `.yaml` extension.
+
+
 ## Google Deployment Manager
 
 KICS supports scanning Google Deployment Manager files with `.yaml` extension.

e2e/fixtures/E2E_CLI_010

@@ -12,5 +12,6 @@ valid arguments:
   Knative
   Kubernetes
   OpenAPI
+  Pulumi
   Terraform
 {{.ScanHelp}}

e2e/fixtures/E2E_CLI_013

@@ -10,4 +10,5 @@ GoogleDeploymentManager
 Knative
 Kubernetes
 OpenAPI
+Pulumi
 Terraform

e2e/fixtures/assets/scan_help

@@ -51,7 +51,7 @@ Flags:
   -r, --secrets-regexes-path string   path to secrets regex rules configuration file
       --timeout int                   number of seconds the query has to execute before being canceled (default 60)
   -t, --type strings                  case insensitive list of platform types to scan
-                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Terraform)
+                                      (Ansible, AzureResourceManager, Buildah, CloudFormation, Crossplane, DockerCompose, Dockerfile, GRPC, GoogleDeploymentManager, Knative, Kubernetes, OpenAPI, Pulumi, Terraform)
 
 Global Flags:
       --ci                  display only log messages to CLI output (mutually exclusive with silent)

e2e/fixtures/schemas/result.json

@@ -102,6 +102,7 @@
               "Knative",
               "Kubernetes",
               "OpenAPI",
+              "Pulumi",
               "Terraform"
             ]
           },

e2e/fixtures/schemas/resultBoM.json

@@ -55,6 +55,7 @@
                   "Knative",
                   "Kubernetes",
                   "OpenAPI",
+                  "Pulumi",
                   "Terraform"
                 ]
               },

internal/constants/constants.go

@@ -53,6 +53,7 @@ var (
 		"GoogleDeploymentManager": "googleDeploymentManager",
 		"GRPC":                    "grpc",
 		"Buildah":                 "buildah",
+		"Pulumi":                  "pulumi",
 	}
 
 	// AvailableSeverities - All severities available

pkg/analyzer/analyzer.go

@@ -57,6 +57,9 @@ var (
 	dockerComposeServicesRegex                      = regexp.MustCompile(`\s*services\s*:`)
 	crossPlaneRegex                                 = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+crossplane\.io/v\w+\s*`)
 	knativeRegex                                    = regexp.MustCompile(`\s*\"?apiVersion\"?\s*:\s*(\w+\.)+knative\.dev/v\w+\s*`)
+	pulumiNameRegex                                 = regexp.MustCompile(`\s*name\s*:`)
+	pulumiRuntimeRegex                              = regexp.MustCompile(`\s*runtime\s*:`)
+	pulumiResourcesRegex                            = regexp.MustCompile(`\s*resources\s*:`)
 )
 
 var (
@@ -86,6 +89,7 @@ var (
 		"kubernetes":           {"kubernetes"},
 		"openapi":              {"openapi"},
 		"terraform":            {"terraform", "cdkTf"},
+		"pulumi":               {"pulumi"},
 	}
 )
 
@@ -209,6 +213,13 @@ var types = map[string]regexSlice{
 			dockerComposeServicesRegex,
 		},
 	},
+	"pulumi": {
+		[]*regexp.Regexp{
+			pulumiNameRegex,
+			pulumiRuntimeRegex,
+			pulumiResourcesRegex,
+		},
+	},
 }
 
 // Analyze will go through the slice paths given and determine what type of queries should be loaded

pkg/analyzer/analyzer_test.go

@@ -19,7 +19,7 @@ func TestAnalyzer_Analyze(t *testing.T) {
 		{
 			name:        "analyze_test_dir_single_path",
 			paths:       []string{filepath.FromSlash("../../test/fixtures/analyzer_test")},
-			wantTypes:   []string{"dockerfile", "googledeploymentmanager", "cloudformation", "crossplane", "knative", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose"},
+			wantTypes:   []string{"dockerfile", "googledeploymentmanager", "cloudformation", "crossplane", "knative", "kubernetes", "openapi", "terraform", "ansible", "azureresourcemanager", "dockercompose", "pulumi"},
 			wantExclude: []string{},
 			wantErr:     false,
 		},

pkg/engine/source/filesystem.go

@@ -406,39 +406,31 @@ func ReadMetadata(queryDir string) (map[string]interface{}, error) {
 	return metadata, nil
 }
 
+type supportedPlatforms map[string]string
+
+var supPlatforms = &supportedPlatforms{
+	"Ansible":                 "ansible",
+	"CloudFormation":          "cloudFormation",
+	"Common":                  "common",
+	"Crossplane":              "crossplane",
+	"Dockerfile":              "dockerfile",
+	"DockerCompose":           "dockerCompose",
+	"Knative":                 "knative",
+	"Kubernetes":              "k8s",
+	"OpenAPI":                 "openAPI",
+	"Terraform":               "terraform",
+	"AzureResourceManager":    "azureResourceManager",
+	"GRPC":                    "grpc",
+	"GoogleDeploymentManager": "googleDeploymentManager",
+	"Buildah":                 "buildah",
+	"Pulumi":                  "pulumi",
+}
+
 func getPlatform(metadataPlatform string) string {
-	switch metadataPlatform {
-	case "Ansible":
-		return "ansible"
-	case "CloudFormation":
-		return "cloudFormation"
-	case "Common":
-		return "common"
-	case "Crossplane":
-		return "crossplane"
-	case "Dockerfile":
-		return "dockerfile"
-	case "DockerCompose":
-		return "dockerCompose"
-	case "Knative":
-		return "knative"
-	case "Kubernetes":
-		return "k8s"
-	case "OpenAPI":
-		return "openAPI"
-	case "Terraform":
-		return "terraform"
-	case "AzureResourceManager":
-		return "azureResourceManager"
-	case "GRPC":
-		return "grpc"
-	case "GoogleDeploymentManager":
-		return "googleDeploymentManager"
-	case "Buildah":
-		return "buildah"
-	default:
-		return "unknown"
+	if p, ok := (*supPlatforms)[metadataPlatform]; ok {
+		return p
 	}
+	return "unknown"
 }
 
 func readInputData(inputDataPath string) (string, error) {

pkg/engine/source/filesystem_test.go

@@ -645,6 +645,7 @@ func TestListSupportedPlatforms(t *testing.T) {
 		"Knative",
 		"Kubernetes",
 		"OpenAPI",
+		"Pulumi",
 		"Terraform",
 	}
 	listActual := ListSupportedPlatforms()

pkg/parser/yaml/parser.go

@@ -107,6 +107,7 @@ func (p *Parser) SupportedTypes() map[string]bool {
 		"openapi":                 true,
 		"googledeploymentmanager": true,
 		"dockercompose":           true,
+		"pulumi":                  true,
 	}
 }
 

pkg/parser/yaml/parser_test.go

@@ -35,6 +35,7 @@ func TestParser_SupportedTypes(t *testing.T) {
 		"openapi":                 true,
 		"googledeploymentmanager": true,
 		"dockercompose":           true,
+		"pulumi":                  true,
 	}, p.SupportedTypes())
 }
 

res/demoPulumi.yaml

@@ -0,0 +1,28 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
+variables:
+  vpcId:
+    Fn::Invoke:
+      Function: aws:ec2:getVpc
+      Arguments:
+        default: true
+      Return: id
+  subnetIds:
+    Fn::Invoke:
+      Function: aws:ec2:getSubnetIds
+      Arguments:
+        vpcId: ${vpcId}
+      Return: ids
+resources:
+  cluster:
+    type: eks:Cluster
+    properties:
+      vpcId: ${vpcId}
+      subnetIds: ${subnetIds}
+      instanceType: "t2.medium"
+      desiredCapacity: 2
+      minSize: 1
+      maxSize: 2
+outputs:
+  kubeconfig: ${cluster.kubeconfig}

test/fixtures/analyzer_test/pulumi.yaml

@@ -0,0 +1,28 @@
+name: aws-eks
+runtime: yaml
+description: An EKS cluster
+variables:
+  vpcId:
+    Fn::Invoke:
+      Function: aws:ec2:getVpc
+      Arguments:
+        default: true
+      Return: id
+  subnetIds:
+    Fn::Invoke:
+      Function: aws:ec2:getSubnetIds
+      Arguments:
+        vpcId: ${vpcId}
+      Return: ids
+resources:
+  cluster:
+    type: eks:Cluster
+    properties:
+      vpcId: ${vpcId}
+      subnetIds: ${subnetIds}
+      instanceType: "t2.medium"
+      desiredCapacity: 2
+      minSize: 1
+      maxSize: 2
+outputs:
+  kubeconfig: ${cluster.kubeconfig}