feat: Check if checkov is already installed (#3)

* check if checkov already exists

* move code from index to plugin

* fix build error

* fix PR comments

Author: gruebel

.projenrc.ts

@@ -35,6 +35,6 @@ const project = new cdk.JsiiProject({
 
 project.gitignore.exclude('.idea');
 
-project.addScripts({ postinstall: 'pip install -U checkov' });
+project.addScripts({ postinstall: '[ \"$(command -v checkov)\" ] && exit 0; pip install -U checkov' });
 
 project.synth();

package.json

@@ -1,94 +1 @@
-import {
-  IPolicyValidationPluginBeta1,
-  IPolicyValidationContextBeta1,
-  PolicyValidationPluginReportBeta1,
-} from 'aws-cdk-lib';
-import { Report, processReport } from './report';
-import { exec } from './utils';
-
-export interface CheckovValidatorProps {
-  /**
-   * List of checks to run
-   *
-   * @default - all checks are run
-   */
-  readonly check?: string[];
-
-  /**
-   * List of checks to skip
-   *
-   * @default - no checks are skipped
-   */
-  readonly skipCheck?: string[];
-}
-
-/**
- * A validation plugin using checkov
- */
-export class CheckovValidator implements IPolicyValidationPluginBeta1 {
-  public readonly name: string;
-
-  private readonly checkov: string;
-  private readonly check: string[];
-  private readonly skipCheck: string[];
-
-  private templatePaths: string[] = [];
-
-  constructor(props: CheckovValidatorProps = {}) {
-    this.name = 'cdk-validator-checkov';
-
-    this.checkov = 'checkov'; // possible improvement allow Docker usage
-    this.check = props.check ?? [];
-    this.skipCheck = props.skipCheck ?? [];
-  }
-
-  validate(context: IPolicyValidationContextBeta1): PolicyValidationPluginReportBeta1 {
-    this.templatePaths = context.templatePaths;
-
-    return this.execCheckov();
-  }
-
-  private execCheckov(): PolicyValidationPluginReportBeta1 {
-    const flags = [
-      '--framework',
-      'cloudformation',
-      'terraform_json',
-      '--output',
-      'json',
-      '--soft-fail',
-    ];
-
-    this.templatePaths.forEach((templatePath) => {
-      flags.push('-f');
-      flags.push(templatePath);
-    });
-
-    if (this.check?.length) {
-      flags.push('--check');
-      flags.push(this.check.join(','));
-    }
-
-    if (this.skipCheck?.length) {
-      flags.push('--skip-check');
-      flags.push(this.skipCheck.join(','));
-    }
-
-    try {
-      const report: Report = exec([this.checkov, ...flags], {
-        json: true,
-        env: {
-          LOG_LEVEL: 'ERROR',
-        },
-      });
-
-      return processReport(report);
-    } catch (e) {
-      console.error(`checkov plugin failed to scan the given templates. Error: ${e}`);
-
-      return {
-        success: false,
-        violations: [],
-      };
-    }
-  }
-}
+export { CheckovValidator, CheckovValidatorProps } from './plugin';

src/index.ts

@@ -0,0 +1,90 @@
+import {
+  IPolicyValidationPluginBeta1,
+  IPolicyValidationContextBeta1,
+  PolicyValidationPluginReportBeta1,
+} from 'aws-cdk-lib';
+import { Report, processReport } from './report';
+import { exec } from './utils';
+
+export interface CheckovValidatorProps {
+  /**
+     * List of checks to run
+     *
+     * @default - all checks are run
+     */
+  readonly check?: string[];
+
+  /**
+     * List of checks to skip
+     *
+     * @default - no checks are skipped
+     */
+  readonly skipCheck?: string[];
+}
+
+/**
+ * A validation plugin using checkov
+ */
+export class CheckovValidator implements IPolicyValidationPluginBeta1 {
+  public readonly name: string;
+
+  private readonly checkov: string;
+  private readonly check: string[];
+  private readonly skipCheck: string[];
+
+  constructor(props: CheckovValidatorProps = {}) {
+    this.name = 'cdk-validator-checkov';
+
+    this.checkov = 'checkov'; // possible improvement allow Docker usage
+    this.check = props.check ?? [];
+    this.skipCheck = props.skipCheck ?? [];
+  }
+
+  validate(context: IPolicyValidationContextBeta1): PolicyValidationPluginReportBeta1 {
+    return this.execCheckov(context.templatePaths);
+  }
+
+  private execCheckov(templatePaths: string[]): PolicyValidationPluginReportBeta1 {
+    const flags = [
+      '--framework',
+      'cloudformation',
+      'terraform_json',
+      '--output',
+      'json',
+      '--soft-fail',
+    ];
+
+    templatePaths.forEach((templatePath) => {
+      flags.push('-f');
+      flags.push(templatePath);
+    });
+
+    if (this.check?.length) {
+      flags.push('--check');
+      flags.push(this.check.join(','));
+    }
+
+    if (this.skipCheck?.length) {
+      flags.push('--skip-check');
+      flags.push(this.skipCheck.join(','));
+    }
+
+    try {
+      const report: Report = exec([this.checkov, ...flags], {
+        json: true,
+        env: {
+          LOG_LEVEL: 'ERROR',
+        },
+      });
+
+      return processReport(report);
+    } catch (e) {
+      console.error(`checkov plugin failed to scan the given templates. ${e}`);
+
+      return {
+        success: false,
+        violations: [],
+      };
+    }
+  }
+}

src/plugin.ts

@@ -40,7 +40,7 @@ export function processReport(report: Report): PolicyValidationPluginReportBeta1
   if ('checkov_version' in report) {
     // empty result
     return {
-      pluginVersion: report.checkov_version as string,
+      pluginVersion: report.checkov_version!.toString(),
       success: true,
       violations: [],
     };
@@ -51,7 +51,7 @@ export function processReport(report: Report): PolicyValidationPluginReportBeta1
   const violationsMap: Record<string, PolicyViolationBeta1> = {};
 
   report.results.failed_checks.forEach((check) => {
-    const violation: PolicyViolationBeta1 = {
+    const violation = {
       ruleName: check.check_id,
       description: check.check_name,
       violatingResources: [{
@@ -64,7 +64,7 @@ export function processReport(report: Report): PolicyValidationPluginReportBeta1
       ruleMetadata: {
         DocumentationUrl: check.guideline,
       },
-    };
+    } satisfies PolicyViolationBeta1;
 
     if (check.check_id in violationsMap) {
       violationsMap[check.check_id].violatingResources.push({
@@ -77,6 +77,8 @@ export function processReport(report: Report): PolicyValidationPluginReportBeta1
     }
   });
 
+  console.log(`More details: ${report.url}\n`);
+
   return {
     pluginVersion,
     success,