Dont use cfn-guard make target

wildjames · wildjames · commit 16d01461ccad · 2024-09-18T10:19:22.000+01:00
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -93,8 +93,47 @@ jobs:
       - name: Run unit tests
         run: make test
 
-      - name: Run cfn-guard
-        run: make cfn-guard
+      - name: Install AWS SAM CLI
+        if: steps.check_cfn_templates.outputs.exists == 'true'
+        run: |
+          pip install aws-sam-cli
+
+      - name: Run cfn-guard script
+        if: steps.check_cfn_templates.outputs.exists == 'true'
+        run: |
+          #!/usr/bin/env bash
+          set -eou pipefail
+
+          rm -rf /tmp/ruleset
+          rm -rf cfn_guard_output
+
+          wget -O /tmp/ruleset.zip https://github.com/aws-cloudformation/aws-guard-rules-registry/releases/download/1.0.2/ruleset-build-v1.0.2.zip >/dev/null 2>&1
+          unzip /tmp/ruleset.zip -d /tmp/ruleset/ >/dev/null 2>&1
+
+          curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh >/dev/null 2>&1
+
+          mkdir -p cfn_guard_output
+
+          declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+          for ruleset in "${rulesets[@]}"
+          do
+            while IFS= read -r -d '' file
+            do
+              echo "checking SAM template $file with ruleset $ruleset"
+              mkdir -p "$(dirname cfn_guard_output/"$file")"
+
+              # Transform the SAM template to CloudFormation and then run through cfn-guard
+              SAM_OUTPUT=$(sam validate -t "$file" --region eu-west-2 --debug 2>&1 | \
+                  grep -Pazo '(?s)AWSTemplateFormatVersion.*\n\/' | tr -d '\0')
+              echo "${SAM_OUTPUT::-1}" | ~/.guard/bin/cfn-guard validate \
+                  --rules "/tmp/ruleset/output/$ruleset.guard" \
+                  --show-summary fail \
+                  > "cfn_guard_output/${file}_${ruleset}.txt"
+
+            done < <(find ./SAMtemplates -name '*.y*ml' -print0)
+          done
+
+          rm -rf /tmp/ruleset
 
       - name: Show cfn-guard output
         if: failure()
