fix(misconf): do not filter Terraform plan JSON by name (#7406)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-05 20:40:16 -08:00 · 2024-08-29 05:51:25 +06:00
parent 44e468603d
commit 9d7264af8e
5 changed files with 73 additions and 81 deletions
--- a/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
+++ b/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
@@ -12,20 +12,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
 )

-func Test_TerraformScanner(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name      string
-		inputFile string
-		inputRego string
-		options   []options.ScannerOption
-	}{
-		{
-			name:      "old rego metadata",
-			inputFile: "test/testdata/plan.json",
-			inputRego: `
-package defsec.abcdefg
+const defaultCheck = `package defsec.abcdefg

 __rego_metadata__ := {
 	"id": "TEST123",
@@ -48,48 +35,40 @@ deny[cause] {
 	bucket := input.aws.s3.buckets[_]
 	bucket.name.value == "tfsec-plan-testing"
 	cause := bucket.name
-}
-`,
+}`
+
+func Test_TerraformScanner(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name      string
+		inputFile string
+		check     string
+		options   []options.ScannerOption
+	}{
+		{
+			name:      "old rego metadata",
+			inputFile: "test/testdata/plan.json",
+			check:     defaultCheck,
 			options: []options.ScannerOption{
 				options.ScannerWithPolicyDirs("rules"),
 				options.ScannerWithRegoOnly(true),
-				options.ScannerWithEmbeddedPolicies(false)},
+			},
 		},
 		{
 			name:      "with user namespace",
 			inputFile: "test/testdata/plan.json",
-			inputRego: ` 
-# METADATA
-# title: Bad buckets are bad
-# description: Bad buckets are bad because they are not good.
-# scope: package
-# schemas:
-#   - input: schema["input"]
-# custom:
-#   avd_id: AVD-TEST-0123
-#   severity: CRITICAL
-#   short_code: very-bad-misconfig
-#   recommended_action: "Fix the s3 bucket"
-
-package user.foobar.ABC001
-
-deny[cause] {
-	bucket := input.aws.s3.buckets[_]
-	bucket.name.value == "tfsec-plan-testing"
-	cause := bucket.name
-}
-`,
+			check:     defaultCheck,
 			options: []options.ScannerOption{
 				options.ScannerWithPolicyDirs("rules"),
 				options.ScannerWithRegoOnly(true),
-				options.ScannerWithEmbeddedPolicies(false),
 				options.ScannerWithPolicyNamespaces("user"),
 			},
 		},
 		{
 			name:      "with templated plan json",
 			inputFile: "test/testdata/plan_with_template.json",
-			inputRego: `
+			check: `
 # METADATA
 # title: Bad buckets are bad
 # description: Bad buckets are bad because they are not good.
@@ -113,19 +92,27 @@ deny[cause] {
 			options: []options.ScannerOption{
 				options.ScannerWithPolicyDirs("rules"),
 				options.ScannerWithRegoOnly(true),
-				options.ScannerWithEmbeddedPolicies(false),
+				options.ScannerWithPolicyNamespaces("user"),
+			},
+		},
+		{
+			name:      "plan with arbitrary name",
+			inputFile: "test/testdata/arbitrary_name.json",
+			check:     defaultCheck,
+			options: []options.ScannerOption{
+				options.ScannerWithPolicyDirs("rules"),
+				options.ScannerWithRegoOnly(true),
 				options.ScannerWithPolicyNamespaces("user"),
 			},
 		},
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			b, _ := os.ReadFile(tc.inputFile)
 			fs := testutil.CreateFS(t, map[string]string{
 				"/code/main.tfplan.json": string(b),
-				"/rules/test.rego":       tc.inputRego,
+				"/rules/test.rego":       tc.check,
 			})

 			so := append(tc.options, options.ScannerWithPolicyFilesystem(fs))