updates from review comments

Author: bradegler

.github/actions/secure-setup-terraform/action.yml

@@ -38,14 +38,14 @@ runs:
         tar xf secure-setup-terraform_${{env.release_version}}_linux_amd64.tar.gz
 
     # Recursively search for terraform files in the current repo and run a linter that fails when it finds calls to 'local-exec'
-    - name: 'lint-local-exec'
+    - name: 'lint-terraform'
       shell: 'bash'
-      run: ./lint-local-exec ./
+      run: ./lint-terraform ./
 
     # Search the .github/workflows for this project and run a linter that fails if it finds a direct call to the 'hashicorp/setup-terraform' action
-    - name: 'lint-setup-terraform'
+    - name: 'lint-action'
       shell: 'bash'
-      run: ./lint-setup-terraform ./.github/workflows
+      run: ./lint-action ./.github/workflows
 
     - name: 'setup-terraform'
       uses: 'hashicorp/setup-terraform@v2'

.goreleaser.yaml

@@ -27,19 +27,19 @@ before:
 
 builds:
   -
-    id: 'lint-local-exec'
-    main: './cmd/lint-local-exec'
-    binary: 'lint-local-exec'
+    id: 'lint-terraform'
+    main: './cmd/lint-terraform'
+    binary: 'lint-terraform'
     mod_timestamp: '{{ .CommitTimestamp }}'
     flags:
       - '-a'
       - '-trimpath'
     ldflags:
       - '-s'
       - '-w'
-      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Name=lint-local-exec'
-      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Version={{ .Version }}'
-      - '-X={{ .ModulePath }}/cmd/lint-local-exec/version.Commit={{ .Commit }}'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Name=lint-terraform'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Commit={{ .Commit }}'
       - '-extldflags=-static'
     goos:
       - 'darwin'
@@ -48,19 +48,19 @@ builds:
       - 'amd64'
       - 'arm64'
   -
-    id: 'lint-setup-terraform'
-    main: './cmd/lint-setup-terraform'
-    binary: 'lint-setup-terraform'
+    id: 'lint-action'
+    main: './cmd/lint-action'
+    binary: 'lint-action'
     mod_timestamp: '{{ .CommitTimestamp }}'
     flags:
       - '-a'
       - '-trimpath'
     ldflags:
       - '-s'
       - '-w'
-      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Name=lint-setup-terraform'
-      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Version={{ .Version }}'
-      - '-X={{ .ModulePath }}/cmd/lint-setup-terraform/version.Commit={{ .Commit }}'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Name=lint-action'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/pkg/internal/version.Commit={{ .Commit }}'
       - '-extldflags=-static'
     goos:
       - 'darwin'

Dockerfile

@@ -1,6 +1,6 @@
 # Secure Setup Terraform
 
-This repository contains a composite GitHub action + two linters that are built to meet the requirements set out to lightly secure the usage of Hashicorp's Terraform product from a GitHub action.
+This repository contains a composite GitHub Action and two linters that are built to meet the requirements set out to lightly secure the usage of HashiCorp's Terraform product from a GitHub Action.
 
 ## Linters
 
@@ -40,11 +40,12 @@ jobs:
 ```
 
 ## Building the linters
+
 ```sh
 # Linter to find calls to the 'local-exec' terraform provider
-go build -o lint-local-exec ./cmd/lint-local-exec
+go build ./cmd/lint-local-exec
 
 # Linter to find calls to the 'setup-terraform' GitHub
 # action from Hashicopr
-go build -o lint-setup-terraform ./cmd/lint-setup-terraform
+go build ./cmd/lint-setup-terraform
 ```

README.md

@@ -20,12 +20,11 @@ import (
 	"io"
 	"strings"
 
-	"github.com/bradegler/secure-setup-terraform/cmd/lint-setup-terraform/version"
 	"github.com/bradegler/secure-setup-terraform/pkg/lint"
 	"gopkg.in/yaml.v3"
 )
 
-const violationType = "setup-terraform"
+const tokenSetupTerraform = "setup-terraform"
 
 var selectors []string = []string{".yml", ".yaml"}
 
@@ -34,7 +33,7 @@ type GitHubActionLinter struct{}
 // FindViolations inspects a set of bytes that represent a YAML document that defines
 // a GitHub action workflow looking for steps that use the 'hashicorp/setup-terraform'
 // action.
-func (tfl *GitHubActionLinter) FindViolations(content []byte, path string) ([]lint.ViolationInstance, error) {
+func (tfl *GitHubActionLinter) FindViolations(content []byte, path string) ([]*lint.ViolationInstance, error) {
 	reader := bytes.NewReader(content)
 	node, err := parseYAML(reader)
 	if err != nil {
@@ -46,7 +45,8 @@ func (tfl *GitHubActionLinter) FindViolations(content []byte, path string) ([]li
 	if node.Kind != yaml.DocumentNode {
 		return nil, fmt.Errorf("expected document node, got %v", node.Kind)
 	}
-	violations := []lint.ViolationInstance{}
+
+	var violations []*lint.ViolationInstance
 	// Top-level object map
 	for _, docMap := range node.Content {
 		_ = docMap
@@ -85,7 +85,7 @@ func (tfl *GitHubActionLinter) FindViolations(content []byte, path string) ([]li
 											uses := step.Content[k+1]
 											// Looking for the specific 'hashicorp/setup-terraform' action
 											if strings.HasPrefix(uses.Value, "hashicorp/setup-terraform") {
-												violations = append(violations, lint.ViolationInstance{Path: path, Line: uses.Line})
+												violations = append(violations, &lint.ViolationInstance{ViolationType: tokenSetupTerraform, Path: path, Line: uses.Line})
 											}
 										}
 									}
@@ -101,9 +101,7 @@ func (tfl *GitHubActionLinter) FindViolations(content []byte, path string) ([]li
 	return violations, nil
 }
 
-func (tfl *GitHubActionLinter) Selectors() []string   { return selectors }
-func (tfl *GitHubActionLinter) ViolationType() string { return violationType }
-func (tfl *GitHubActionLinter) Version() string       { return version.HumanVersion }
+func (tfl *GitHubActionLinter) Selectors() []string { return selectors }
 
 // parseYAML parses the given reader as a yaml node.
 func parseYAML(r io.Reader) (*yaml.Node, error) {

cmd/lint-setup-terraform/linter/lint.go renamed to cmd/lint-action/linter/lint.go

@@ -93,34 +93,35 @@ jobs:
 		filename    string
 		content     string
 		expectCount int
-		expect      []lint.ViolationInstance
+		expect      []*lint.ViolationInstance
 		wantError   bool
 	}{
 		{
 			name:        "yaml without setup-terraform action",
 			filename:    "/test/myfile1",
 			content:     withoutSetupTerraform,
 			expectCount: 0,
-			expect:      []lint.ViolationInstance{},
+			expect:      nil,
 			wantError:   false,
 		},
 		{
 			name:        "yaml with setup-terraform action",
 			filename:    "/test/myfile2",
 			content:     withSetupTerraform,
 			expectCount: 1,
-			expect: []lint.ViolationInstance{
+			expect: []*lint.ViolationInstance{
 				{
-					Path: "/test/myfile2",
-					Line: 31,
+					ViolationType: "setup-terraform",
+					Path:          "/test/myfile2",
+					Line:          31,
 				},
 			},
 			wantError: false,
 		},
 	}
 
 	for _, tc := range cases {
-		tc := tc // IMPORTANT: don't shadow the test case
+		tc := tc
 
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

cmd/lint-setup-terraform/linter/lint_test.go renamed to cmd/lint-action/linter/lint_test.go

@@ -0,0 +1,72 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+
+	"github.com/bradegler/secure-setup-terraform/cmd/lint-action/linter"
+	"github.com/bradegler/secure-setup-terraform/pkg/lint"
+	"github.com/bradegler/secure-setup-terraform/pkg/version"
+)
+
+const lintCommandHelp = `
+The "lint" command 
+EXAMPLES
+  lint-action <file1> <file2> <directory>
+FLAGS
+`
+
+func main() {
+	if err := realMain(); err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+		os.Exit(1)
+	}
+}
+
+func realMain() error {
+	ctx, done := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM)
+	defer done()
+
+	f := flag.NewFlagSet("", flag.ExitOnError)
+	f.Usage = func() {
+		fmt.Fprintf(os.Stderr, "%s\n\n", strings.TrimSpace(lintCommandHelp))
+		f.PrintDefaults()
+	}
+	showVersion := f.Bool("version", false, "display version information")
+
+	if err := f.Parse(os.Args[1:]); err != nil {
+		return fmt.Errorf("failed to parse flags: %w", err)
+	}
+	if *showVersion {
+		fmt.Fprintln(os.Stderr, version.HumanVersion)
+		return nil
+	}
+
+	// The linter needs at least one file or directory
+	args := f.Args()
+	if got := len(args); got < 1 {
+		return fmt.Errorf("expected atleast one argument, got %d", got)
+	}
+
+	return lint.RunLinter(ctx, args, &linter.GitHubActionLinter{})
+}