tenable · williepaul · Jan 8, 2021 · Jan 6, 2021 · Jan 6, 2021 · Jan 6, 2021
@@ -29,15 +29,18 @@ var initCmd = &cobra.Command{
 
 Initializes Terrascan and clones policies from the Terrascan GitHub repository.
 `,
-	Run: initial,
+	RunE:          initial,
+	SilenceUsage:  true,
+	SilenceErrors: true,
 }
 
-func initial(cmd *cobra.Command, args []string) {
+func initial(cmd *cobra.Command, args []string) error {
 	// initialize terrascan
 	if err := initialize.Run(); err != nil {
 		zap.S().Error("failed to initialize terrascan")
-		return
+		return err
 	}
+	return nil
 }
 
 func init() {

@@ -18,7 +18,6 @@ package cli
 
 import (
 	"flag"
-	"fmt"
 	"os"
 
 	"github.com/accurics/terrascan/pkg/config"
@@ -31,27 +30,6 @@ func RegisterCommand(baseCommand *cobra.Command, command *cobra.Command) {
 	baseCommand.AddCommand(command)
 }
 
-func subCommands() (commandNames []string) {
-	for _, command := range rootCmd.Commands() {
-		commandNames = append(commandNames, append(command.Aliases, command.Name())...)
-	}
-	return
-}
-
-// setDefaultCommand sets `scan` as default command if no other command is specified
-func setDefaultCommandIfNonePresent() {
-	if len(os.Args) > 1 {
-		potentialCommand := os.Args[1]
-		for _, command := range subCommands() {
-			if command == potentialCommand {
-				return
-			}
-		}
-		os.Args = append([]string{os.Args[0], "scan"}, os.Args[1:]...)
-	}
-
-}
-
 // Execute the entrypoint called by main
 func Execute() {
 	rootCmd.PersistentFlags().StringVarP(&LogLevel, "log-level", "l", "info", "log level (debug, info, warn, error, panic, fatal)")
@@ -81,9 +59,7 @@ func Execute() {
 		}
 	}
 
-	setDefaultCommandIfNonePresent()
 	if err := rootCmd.Execute(); err != nil {
-		fmt.Println(err)
 		os.Exit(1)
 	}
 }
@@ -35,15 +35,17 @@ var scanCmd = &cobra.Command{
 
 Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
 `,
-	PreRun: initial,
-	Run:    scan,
+	PreRunE:       initial,
+	RunE:          scan,
+	SilenceUsage:  true,
+	SilenceErrors: true,
 }
 
-func scan(cmd *cobra.Command, args []string) {
+func scan(cmd *cobra.Command, args []string) error {
 	zap.S().Debug("running terrascan in cli mode")
 	scanOptions.configFile = ConfigFile
 	scanOptions.outputType = OutputType
-	scanOptions.Scan()
+	return scanOptions.Scan()
 }
 
 func init() {

@@ -6,6 +6,8 @@ metadata:
     app: myapp
     test: someupdate
     test2: someupdate3
+  annotations:
+    terrascanSkip: [accurics.kubernetes.IAM.109]
 spec:
   containers:
   - name: myapp-container
@@ -22,6 +24,8 @@ metadata:
     app: myapp
     test: someupdate
     test2: someupdate3
+  annotations:
+    terrascanSkip: [accurics.kubernetes.IAM.3, accurics.kubernetes.OPS.461]
 spec:
   template:
     spec:

@@ -66,6 +66,12 @@ func TestLoadIacFile(t *testing.T) {
 			k8sV1:    K8sV1{},
 			wantErr:  nil,
 		},
+		{
+			name:     "file with skip rules in annotations",
+			filePath: "./testdata/file-test-data/test_pod_skip_rules.yaml",
+			k8sV1:    K8sV1{},
+			wantErr:  nil,
+		},
 	}
 
 	for _, tt := range table {

@@ -24,19 +24,23 @@ import (
 	"github.com/accurics/terrascan/pkg/utils"
 	yamltojson "github.com/ghodss/yaml"
 	"github.com/iancoleman/strcase"
+	"go.uber.org/zap"
 	"gopkg.in/yaml.v3"
 )
 
+const terrascanSkip = "terrascanSkip"
+
 var (
 	errUnsupportedDoc = fmt.Errorf("unsupported document type")
 	// ErrNoKind is returned when the "kind" key is not available (not a valid kubernetes resource)
 	ErrNoKind = fmt.Errorf("kind does not exist")
 )
 
-// k8sMetadata is used to pull the name and namespace types for a given resource
+// k8sMetadata is used to pull the name, namespace types and annotations for a given resource
 type k8sMetadata struct {
-	Name      string `yaml:"name" json:"name"`
-	Namespace string `yaml:"namespace" json:"namespace"`
+	Name        string                 `yaml:"name" json:"name"`
+	Namespace   string                 `yaml:"namespace" json:"namespace"`
+	Annotations map[string]interface{} `yaml:"annotations" json:"annotations"`
 }
 
 // k8sResource is a generic struct to handle all k8s resource types
@@ -116,6 +120,12 @@ func (k *K8sV1) Normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 		resourceConfig.ID = resourceConfig.Type + "." + resource.Metadata.Name + "." + namespace
 	}
 
+	// read and update skip rules, if present
+	skipRules := readSkipRulesFromAnnotations(resource.Metadata.Annotations, resourceConfig.ID)
+	if skipRules != nil {
+		resourceConfig.SkipRules = append(resourceConfig.SkipRules, skipRules...)
+	}
+
 	configData := make(map[string]interface{})
 	if err = json.Unmarshal(*jsonData, &configData); err != nil {
 		return nil, err
@@ -126,3 +136,28 @@ func (k *K8sV1) Normalize(doc *utils.IacDocument) (*output.ResourceConfig, error
 
 	return &resourceConfig, nil
 }
+
+func readSkipRulesFromAnnotations(annotations map[string]interface{}, resourceID string) []string {
+
+	var skipRulesFromAnnotations interface{}
+	var ok bool
+	if skipRulesFromAnnotations, ok = annotations[terrascanSkip]; !ok {
+		zap.S().Debugf("%s not present for resource: %s", terrascanSkip, resourceID)
+		return nil
+	}
+
+	skipRules := make([]string, 0)
+	if rules, ok := skipRulesFromAnnotations.([]interface{}); ok {
+		for _, rule := range rules {
+			if value, ok := rule.(string); ok {
+				skipRules = append(skipRules, value)
+			} else {
+				zap.S().Debugf("each rule in %s must be of string type", terrascanSkip)
+			}
+		}
+	} else {
+		zap.S().Debugf("%s must be an array of rules to skip", terrascanSkip)
+	}
+
+	return skipRules
+}