Merge pull request #13 from aws-samples/sast

update sast and lint to use specified versions

Author: jakebark

README.md

@@ -69,7 +69,7 @@ module "pipeline" {
   build_timeout     = 10
   terraform_version = "1.5.7"
   checkov_version   = "3.2.0"
-  tflint_version    = "0.33.0"
+  tflint_version    = "0.48.0"
   
 
   checkov_skip = [
@@ -91,11 +91,11 @@ module "pipeline" {
 
 `build_timeout` is the CodeBuild project build timeout. It defaults to 10 (minutes). 
 
-`terraform_version` controls the terraform version. It defaults to latest.
+`terraform_version` controls the terraform version. It defaults to 1.5.7.
 
 `checkov_version` controls the [Checkov](https://www.checkov.io/) version. It defaults to latest.
 
-`tflint_version` controls the [tflint](https://github.com/terraform-linters/tflint) version. It defaults to 0.33.0.
+`tflint_version` controls the [tflint](https://github.com/terraform-linters/tflint) version. It defaults to 0.48.0.
 
 `checkov_skip` defines [Checkov](https://www.checkov.io/) skips for the pipeline. This is useful for organization-wide policies, removing the need to add individual resource skips. 
 

locals.tf

@@ -8,12 +8,13 @@ locals {
     validate = "hashicorp/terraform:${var.terraform_version}"
     fmt      = "hashicorp/terraform:${var.terraform_version}"
     lint     = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
-    sast     = "bridgecrew/checkov:${var.checkov_version}"
+    sast     = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
   }
 
   env_var = {
     TFLINT_VERSION  = var.tflint_version
     SAST_REPORT_ARN = aws_codebuild_report_group.sast.arn
     CHECKOV_SKIPS   = join(",", "${var.checkov_skip}")
+    TF_VERSION      = "1.5.7"
   }
 }

modules/codebuild/buildspecs/lint.yml

@@ -7,7 +7,7 @@ phases:
       - cd /usr/bin
       - yum install -y yum-utils
       - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
-      - yum install -y terraform
+      - yum install -y terraform-${TF_VERSION}
       - curl --location https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip --output tflint_linux_amd64.zip
       - curl --location https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt --output checksums.txt
       - file=$(sha256sum tflint_linux_amd64.zip | cut -d" " -f1)

modules/codebuild/buildspecs/sast.yml

@@ -1,6 +1,18 @@
 version: 0.2
 
 phases:
+
+  install:
+    runtime-versions:
+       python: 3.12
+    commands:
+      - cd /usr/bin
+      - yum install -y yum-utils
+      - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
+      - yum install -y terraform-${TF_VERSION}
+      - python -V
+      - pip3 install checkov
+
   build:
     commands:   
       - cd "$CODEBUILD_SRC_DIR"
@@ -11,8 +23,6 @@ phases:
           checkov --directory ./ --skip-path ./deploy --skip-check ${CHECKOV_SKIPS} -o junitxml > checkov.xml
         fi
 
-      - cat checkov.xml
-
   post_build:
     commands:
       - echo "checkov complete, see report for details"
@@ -23,4 +33,3 @@ reports:
       - checkov.xml
     base-directory: ./
     file-format: JUNITXML
-      

variables.tf

@@ -73,10 +73,10 @@ variable "kms_key" {
 
 variable "terraform_version" {
   type    = string
-  default = "latest"
+  default = "1.5.7"
 }
 
 variable "tflint_version" {
   type    = string
-  default = "0.33.0"
+  default = "0.48.0"
 }