SUP-3846: Add additional File Output Formats (#28)

* feat: produce additional output file for non-human output formats

* feat: update parameters and format

* docs: update README to reflect parameter changes

* feat: reflect paramter changes in hook

* test: reflect parameter changes in tests

* fix: add set -e to ensure hook doesn't silently fail

* chore: remove version, pin images and remove Read Only

* feat/fix: add shared lib for handling reading env vars correctly for strings or arrays parameters

* Revert "fix: add set -e to ensure hook doesn't silently fail"

This reverts commit f0bc975.

* fix/test: correct Env Var used to read and add test

* fix: make shared.bash executable for shellcheck

* fix: update pipeline for shellcheck shared.bash

* chore: re-add read-only for volume mounts as read-write not required

* feat: add check for duplicate file formats
* set a default output that will be used for the Build Annotations so that can be refactored separately
* added notes for future changes required for loop to support multiple output files with the same file format per Wiz CLI docs

Signed-off-by: Tom Watt <tom@buildkite.com>

* tests: add tests for duplicate file output formats

Signed-off-by: Tom Watt <tom@buildkite.com>

* docs/chore: file-output-format is optional with no default

Signed-off-by: Tom Watt <tom@buildkite.com>

---------

Signed-off-by: Tom Watt <tom@buildkite.com>
Co-authored-by: Shimon Ulewicz <sulewicz@groq.com>

Author: tomowatt

.buildkite/pipeline.yml

@@ -9,6 +9,7 @@ steps:
       - shellcheck#v1.3.0:
           files:
             - hooks/**
+            - lib/**
 
   - label: ":shell: Tests"
     plugins:

README.md

@@ -172,11 +172,15 @@ Used when `scan-type` is `iac`.
 
 The path to image file, if the `scan-type` is `docker`.
 
-### `output-format` (Optional, string): `human | json | sarif`
+### `scan-format` (Optional, string): `human | json | sarif`
 
 Scans output format.
 Defaults to: `human`
 
+### `file-output-format` (Optional, string or array): `human | json | sarif | csv-zip`
+
+Generates an additional output file with the specified format.
+
 ### `parameter-files` (Optional, string)
 
 Comma separated list of globs of external parameter files to include while scanning e.g., `variables.tf`
@@ -197,7 +201,7 @@ Defaults to: `false`
 To run the tests:
 
 ```shell
-docker-compose run --rm tests
+docker compose run --rm tests
 ```
 
 ## Contributing

docker-compose.yml

@@ -1,11 +1,10 @@
-version: '2'
 services:
   tests:
-    image: buildkite/plugin-tester
+    image: buildkite/plugin-tester:v4.2.0
     volumes:
       - ".:/plugin:ro"
   lint:
-    image: buildkite/plugin-linter
+    image: buildkite/plugin-linter:v2.1.0
     command: ['--id', 'wiz']
     volumes:
       - ".:/plugin:ro"

hooks/post-command

@@ -2,12 +2,17 @@
 
 set -uo pipefail
 
+DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
+
+# shellcheck source=lib/shared.bash
+. "$DIR/../lib/shared.bash"
+
 WIZ_DIR="$HOME/.wiz"
 SCAN_TYPE="${BUILDKITE_PLUGIN_WIZ_SCAN_TYPE:-}"
 FILE_PATH="${BUILDKITE_PLUGIN_WIZ_PATH:-}"
 PARAMETER_FILES="${BUILDKITE_PLUGIN_WIZ_PARAMETER_FILES:-}"
 IAC_TYPE="${BUILDKITE_PLUGIN_WIZ_IAC_TYPE:-}"
-OUTPUT_FORMAT="${BUILDKITE_PLUGIN_WIZ_OUTPUT_FORMAT:=human}"
+SCAN_FORMAT="${BUILDKITE_PLUGIN_WIZ_SCAN_FORMAT:=human}"
 SHOW_SECRET_SNIPPETS="${BUILDKITE_PLUGIN_WIZ_SHOW_SECRET_SNIPPETS:=false}"
 
 if [[ -z "${SCAN_TYPE}" ]]; then
@@ -39,15 +44,51 @@ if [[ "${SHOW_SECRET_SNIPPETS}" == "true" ]]; then
     args+=("--show-secret-snippets")
 fi
 
-output_formats=("human" "json" "sarif")
-if [[ ${output_formats[*]} =~ ${OUTPUT_FORMAT} ]]; then
-    args+=("--format=${OUTPUT_FORMAT}")
+scan_formats=("human" "json" "sarif")
+if [[ ${scan_formats[*]} =~ ${SCAN_FORMAT} ]]; then
+    args+=("--format=${SCAN_FORMAT}")
 else
-    echo "+++ 🚨 Invalid Output Format: ${OUTPUT_FORMAT}"
-    echo "Valid Formats: ${output_formats[*]}"
+    echo "+++ 🚨 Invalid Scan Format: ${SCAN_FORMAT}"
+    echo "Valid Formats: ${scan_formats[*]}"
     exit 1
 fi
 
+# Define valid formats
+valid_file_formats=("human" "json" "sarif" "csv-zip")
+
+# Default file output which is used for build annotation
+args+=("--output=/scan/result/output,human")
+
+# Declare result array
+declare -a result
+
+# Read file output formats into result array
+if plugin_read_list_into_result "BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT"; then
+    declare -A seen_formats
+    for format in "${result[@]}"; do
+        # Multiple output files with the same format are supported
+        # but would need to rework this loop to handle and validate i.e., specifying file names, etc.,
+        #  -o, --output file-outputs             Output to file, can be passed multiple times to output to multiple files with possibly different formats.
+        #                                        Must be specified in the following format: file-path[,file-format[,policy-hits-only[,group-by[,include-audit-policy-hits]]]]
+        #                                        Options for file-format: [csv-zip, human, json, sarif], policy-hits-only: [true, false], group-by: [default, layer, resource], include-audit-policy-hits: [true, false]
+        # Check for duplicates
+        if [[ -n "${seen_formats[$format]:-}" ]]; then
+            echo "+++ ⚠️  Duplicate file output format ignored: ${format}"
+            continue
+        fi
+        seen_formats["$format"]=1
+
+        # Check for invalid formats
+        if in_array "$format" "${valid_file_formats[@]}"; then
+            args+=("--output=/scan/result/output-${format},${format}")
+        else
+            echo "+++ 🚨 Invalid File Output Format: ${format}"
+            echo "Valid Formats: ${valid_file_formats[*]}"
+            exit 1
+        fi
+    done
+fi
+
 ## IAC Scanning Parameters
 
 if [[ "${SCAN_TYPE}" == "iac" ]]; then
@@ -133,7 +174,7 @@ dockerImageScan() {
         "${wiz_cli_container}" \
         docker scan --image "$IMAGE" \
         --policy-hits-only \
-        -o /scan/result/output,human,true ${args:+"${args[@]}"}
+        ${args:+"${args[@]}"}
 
     exit_code="$?"
     image_name=$(echo "$IMAGE" | cut -d "/" -f 2)
@@ -158,7 +199,6 @@ iacScan() {
         --mount type=bind,src="$PWD",dst=/scan \
         "${wiz_cli_container}" \
         iac scan \
-        -o /scan/result/output,human \
         --name "$BUILDKITE_JOB_ID" \
         --path "/scan/$FILE_PATH" ${args:+"${args[@]}"}
 
@@ -186,7 +226,6 @@ dirScan() {
         --mount type=bind,src="$PWD",dst=/scan \
         "${wiz_cli_container}" \
         dir scan \
-        -o /scan/result/output,human \
         --name "$BUILDKITE_JOB_ID" \
         --path "/scan/$FILE_PATH" ${args:+"${args[@]}"}
 

lib/shared.bash

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Show a prompt for a command
+function plugin_prompt() {
+  if [[ -z "${HIDE_PROMPT:-}" ]] ; then
+    echo -ne '\033[90m$\033[0m' >&2
+    for arg in "${@}" ; do
+      if [[ $arg =~ [[:space:]] ]] ; then
+        echo -n " '$arg'" >&2
+      else
+        echo -n " $arg" >&2
+      fi
+    done
+    echo >&2
+  fi
+}
+
+# Shorthand for reading env config
+function plugin_read_config() {
+  local var="BUILDKITE_PLUGIN_WIZ_${1}"
+  local default="${2:-}"
+  echo "${!var:-$default}"
+}
+
+# Reads either a value or a list from plugin config
+function plugin_read_list() {
+  prefix_read_list "BUILDKITE_PLUGIN_WIZ_$1"
+}
+
+# Reads either a value or a list from the given env prefix
+function prefix_read_list() {
+  local prefix="$1"
+  local parameter="${prefix}_0"
+
+  if [[ -n "${!parameter:-}" ]]; then
+    local i=0
+    local parameter="${prefix}_${i}"
+    while [[ -n "${!parameter:-}" ]]; do
+      echo "${!parameter}"
+      i=$((i+1))
+      parameter="${prefix}_${i}"
+    done
+  elif [[ -n "${!prefix:-}" ]]; then
+    echo "${!prefix}"
+  fi
+}
+
+# Reads either a value or a list from plugin config into a global result array
+# Returns success if values were read
+function plugin_read_list_into_result() {
+  local prefix="$1"
+  local parameter="${prefix}_0"
+  result=()
+
+  if [[ -n "${!parameter:-}" ]]; then
+    local i=0
+    local parameter="${prefix}_${i}"
+    while [[ -n "${!parameter:-}" ]]; do
+      result+=("${!parameter}")
+      i=$((i+1))
+      parameter="${prefix}_${i}"
+    done
+  elif [[ -n "${!prefix:-}" ]]; then
+    result+=("${!prefix}")
+  fi
+
+  [[ ${#result[@]} -gt 0 ]] || return 1
+}
+
+function plugin_config_exists() {
+  local var="BUILDKITE_PLUGIN_WIZ_${1}"
+
+  # Check if the variable is set
+  [ "${!var+is_set}" != "" ]
+}
+
+function in_array() {
+  local e
+  for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+  return 1
+}
+
+# retry <number-of-retries> <command>
+function retry {
+  local retries=$1; shift
+  local attempts=1
+  local status=0
+
+  until "$@"; do
+    status=$?
+    echo "Exited with $status"
+    if (( retries == "0" )); then
+      return $status
+    elif (( attempts == retries )); then
+      echo "Failed $attempts retries"
+      return $status
+    else
+      echo "Retrying $((retries - attempts)) more times..."
+      attempts=$((attempts + 1))
+      sleep $(((attempts - 2) * 2))
+    fi
+  done
+}

plugin.yml

@@ -10,13 +10,20 @@ configuration:
       type: string
     image-address:
       type: string
-    output-format:
+    scan-format:
       type: string
       enum:
         - human
         - json
         - sarif
       default: human
+    file-output-format:
+      type: [string, array]
+      enum:
+        - human
+        - json
+        - sarif
+        - csv-zip
     parameter-files:
       type: string
     path:
@@ -26,18 +33,18 @@ configuration:
       enum:
         - dir
         - docker
-        - iac  
+        - iac
     show-secret-snippets:
       type: boolean
       default: false
     iac-type:
       type: string
       enum:
         - Ansible
-        - AzureResourceManager 
-        - Cloudformation 
-        - Dockerfile 
-        - GoogleCloudDeploymentManager 
+        - AzureResourceManager
+        - Cloudformation
+        - Dockerfile
+        - GoogleCloudDeploymentManager
         - Kubernetes
         - Terraform
   required:

tests/post-command.bats

@@ -104,12 +104,62 @@ setup() {
   assert_failure
 }
 
-@test "Invalid Output Format" {
+@test "Invalid Scan Format" {
   export WIZ_API_SECRET="secret"
-  export BUILDKITE_PLUGIN_WIZ_OUTPUT_FORMAT="wrong-format"
+  export BUILDKITE_PLUGIN_WIZ_SCAN_FORMAT="wrong-format"
 
   run "$PWD/hooks/post-command"
-  assert_output --partial "+++ 🚨 Invalid Output Format: $BUILDKITE_PLUGIN_WIZ_OUTPUT_FORMAT"
+  assert_output --partial "+++ 🚨 Invalid Scan Format: $BUILDKITE_PLUGIN_WIZ_SCAN_FORMAT"
 
+  assert_failure
+}
+
+@test "Invalid File Output Format" {
+  export WIZ_API_SECRET="secret"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT="wrong-format"
+
+  run "$PWD/hooks/post-command"
+  assert_output --partial "+++ 🚨 Invalid File Output Format: $BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT"
+
+  assert_failure
+}
+
+@test "Invalid File Output Format (multiple)" {
+  export WIZ_API_SECRET="secret"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_0="human"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1="wrong-format"
+
+  run "$PWD/hooks/post-command"
+  assert_output --partial "+++ 🚨 Invalid File Output Format: $BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1"
+
+  assert_failure
+}
+
+@test "Duplicate File Output Formats" {
+  export WIZ_API_SECRET="secret"
+  export WIZ_API_ID="test"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_0="human"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1="human"
+
+  stub docker : 'exit 0'
+  mkdir -p "$WIZ_DIR"
+  touch "$WIZ_DIR/key"
+
+  run "$PWD/hooks/post-command"
+  assert_output --partial "+++ ⚠️  Duplicate file output format ignored: $BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1"
+
+  assert_success
+}
+
+@test "Invalid File Output Format (multiple with duplicates)" {
+  export WIZ_API_SECRET="secret"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_0="human"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1="human"
+  export BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_2="wrong-format"
+  
+  run "$PWD/hooks/post-command"
+  assert_output --partial "+++ ⚠️  Duplicate file output format ignored: $BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_1"
+  assert_output --partial "+++ 🚨 Invalid File Output Format: $BUILDKITE_PLUGIN_WIZ_FILE_OUTPUT_FORMAT_2"
+
   assert_failure
 }