Comments (7)
Hey @ajkerrigan thanks for the info and suggestions. Happy to bring it up in Slack if you think it's worthwhile.
The way I've seen it done elsewhere is to provide both a dockerized and non dockerized version of the hook. I can put together a PR in my spare time.
Hey, just fyi, you tagged the wrong account.
Thanks!
I believe the idea has come up before, though at a glance I don't see other issues so thanks for filing. There's nothing official today, though you can certainly use local hooks effectively if that's helpful. If you're running in an environment that already has custodian installed locally, you can use something like:
.pre-commit-config.yaml
```yaml
repos:
  - repo: local
    hooks:
      - id: c7n-validate
        entry: custodian validate
        language: system
        name: Validate Cloud Custodian Policies
        files: policies/.*\.y?ml$
```
While if you're looking for something that doesn't assume that custodian is already available, you could lean on the Custodian Docker image instead. (Note: I've tried the docker and docker_image support which sounds smoother in theory, but it auto-mounts local code to /src inside the container which clobbers the custodian source and prevents the image from working properly).
./bin/c7n-validate.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
# Validate each policy file pre-commit hands us inside the pinned Custodian image.
for f in "$@"; do
  echo "Validating $f..."
  docker run -v "$PWD":/precommit:rw,Z "cloudcustodian/c7n:0.9.37.0" validate "/precommit/$f"
done
```
.pre-commit-config.yaml
```yaml
repos:
  - repo: local
    hooks:
      - id: c7n-validate
        name: Validate Cloud Custodian Policies
        language: script
        entry: ./bin/c7n-validate.sh
        files: policies/.*\.y.*ml$
```
It's worth raising this on a community meeting call or in Slack though - if it's something folks are interested in, it could be reasonable to provide an official hook.
Hey @ajkerrigan just opened #9581 let me know what you think. I mentioned it in the PR but I was thinking of adding Docker support in a future PR when I get more time to play with it.
Thanks again, just saw this was merged. But since @kapilt mentioned supply chain risk...
I think the main mitigation for supply chain attacks is pinning repo tags/hashes in your pre-commit config, since under the hood it's effectively checking out that repo, running a dev install and then whatever command is defined in the repo's hook config.
@jmreicha's point about splitting hook definitions into a separate repo is a good callout though. That lets us use a pyproject.toml explicitly for pre-commit's use, which also means we'd install a built wheel rather than running a dev install (which would also mean a quicker first run). I think there's value in starting simple, but it's worth keeping this stuff in mind.
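The pinning point above can be checked mechanically. The following is an added example (my code, not cloud-custodian's or pre-commit's): it scans a `.pre-commit-config.yaml` line by line, so it needs no YAML library, and reports every remote hook repo whose `rev` is a tag or branch name rather than a full commit SHA. The repo URLs and the SHA in the embedded sample are constructed placeholders.

```python
"""Flag pre-commit hook repos whose `rev` is mutable (tag/branch) instead of a commit SHA.

Added example, not cloud-custodian's own code. Line-based scan of the config text:
it only looks at `repo:` and `rev:` keys, which is enough for the pinning check.
"""
import re
from typing import List, Tuple

# Only a full SHA-1 (40 hex) or SHA-256 (64 hex) commit id cannot be silently
# repointed; a tag or branch can be moved to different hook code later.
FULL_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def scan_pinning(config_text: str) -> List[Tuple[str, str, bool]]:
    """Return (repo, rev, pinned) for each remote repo entry; `local` repos have no rev."""
    results = []
    repo = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and indentation
        m = re.match(r"^-?\s*repo:\s*(\S+)$", line)
        if m:
            repo = m.group(1).strip("'\"")
            continue
        m = re.match(r"^rev:\s*(\S+)$", line)
        if m and repo and repo != "local":
            rev = m.group(1).strip("'\"")
            results.append((repo, rev, bool(FULL_SHA.match(rev))))
    return results


def unpinned(config_text: str) -> List[Tuple[str, str]]:
    """Just the (repo, rev) pairs that are not pinned to a commit SHA."""
    return [(repo, rev) for repo, rev, ok in scan_pinning(config_text) if not ok]


# Constructed sample config: one tag pin, one SHA pin, plus a local hook like the ones above.
SAMPLE = """\
repos:
  - repo: https://github.com/example-org/some-hooks   # hypothetical URL
    rev: v1.2.3
    hooks:
      - id: some-check
  - repo: https://github.com/example-org/other-hooks  # hypothetical URL
    rev: 0123456789abcdef0123456789abcdef01234567   # placeholder SHA
    hooks:
      - id: other-check
  - repo: local
    hooks:
      - id: c7n-validate
        entry: custodian validate
        language: system
"""

if __name__ == "__main__":
    for repo, rev in unpinned(SAMPLE):
        print(f"UNPINNED: {repo} rev={rev} (pin a commit SHA; see `pre-commit autoupdate --freeze`)")
```

`pre-commit autoupdate --freeze` rewrites tag revs to the commit SHAs they currently resolve to, which is the easiest way to fix what this reports.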
> Hey, just fyi, you tagged the wrong account. Thanks!
Oops, apologies and thanks for the heads up :)
> I think the main mitigation for supply chain attacks is pinning repo tags/hashes in your pre-commit config, since under the hood it's effectively checking out that repo, running a dev install and then whatever command is defined in the repo's hook config.
@ajkerrigan sounds good, I will take a look at how other folks are handling this and see how to get it addressed.