#!/usr/bin/env bash
# Local runner for the DEEP (enumerated) audits in scripts/discover.py:
# s3, aws-regions, gcp-org, azure-org.
# Run from the repo root. Each target runs only if its creds + scope are present.
#
# Put creds/scope in cicd/vendor-secrets/secrets.sh, e.g.:
# export AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=...
# export AZURE_TENANT_ID=... AZURE_CLIENT_ID=... AZURE_CLIENT_SECRET=...
# export AZURE_MGMT_GROUP=... # optional; omit -> all tenant subscriptions
# export GOOGLE_ORG_ID=123456789012
# and a GCP service-account key at cicd/vendor-secrets/google-sa.json.
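# No -e on purpose: a failing audit target must not stop the remaining targets
# (run_target turns non-zero exits into warnings). Setup steps below are
# checked explicitly instead.
set -uo pipefail

repo_root="$(pwd)"
vendor_secrets="${repo_root}/cicd/vendor-secrets"

export AWS_REGION="${AWS_REGION:-ap-southeast-2}" # s3 endpoint + region-sweep seed

# Only the key-file path is exported; the consumer (scripts/discover.py,
# presumably) reads the file itself.
if [ -f "${vendor_secrets}/google-sa.json" ]; then
  export STACKQL_AUDIT_GCP_CREDS="${vendor_secrets}/google-sa.json"
fi

# secrets.sh is executed in this shell, so it is trusted code, not data.
# NOTE(review): confirm cicd/vendor-secrets/ is git-ignored so keys never land in a commit.
if [ -f "${vendor_secrets}/secrets.sh" ]; then
  # shellcheck source=/dev/null
  source "${vendor_secrets}/secrets.sh"
fi

export ACTION_PATH="${repo_root}"
export FAIL_ON_SEVERITY=NONE # don't exit 1 while iterating
export RUN_STAMP="$(date '+%s')"
export GITHUB_STEP_SUMMARY="${repo_root}/cicd/tmp/${RUN_STAMP}-thorough-summary.md" # all targets append here
# The summary is appended to by every target; make sure its directory exists
# (harmless if something downstream creates it as well).
mkdir -p -- "${repo_root}/cicd/tmp" || { echo "cannot create ${repo_root}/cicd/tmp" >&2; exit 1; }

# Safety caps for local runs so a big org / thousands of buckets can't run away.
# Each target gets its own budget; set any to -1 for an unlimited (full) run.
export STACKQL_DEEP_MAX_NODES="${STACKQL_DEEP_MAX_NODES:-50}"
export STACKQL_DEEP_MAX_QUERIES="${STACKQL_DEEP_MAX_QUERIES:--1}"
export STACKQL_DEEP_TIMEOUT="${STACKQL_DEEP_TIMEOUT:-600}"

# Python environment: these steps are fatal because running the audits
# against a missing or half-installed venv would only produce misleading
# "exited non-zero" warnings later.
python3 -m venv .venv || { echo "python3 -m venv .venv failed" >&2; exit 1; }
# shellcheck source=/dev/null
source .venv/bin/activate || { echo "cannot activate .venv" >&2; exit 1; }
python3 -m pip install -q -r cicd/requirements.txt || { echo "pip install -r cicd/requirements.txt failed" >&2; exit 1; }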
#######################################
# Run one deep audit target and report a failure as a GitHub Actions
# warning line rather than aborting, so the remaining targets still run
# (the script deliberately does not use set -e).
# Arguments: $1 - target name handed to scripts/discover.py
# Outputs:   banner and warning on stdout; discover.py output passes through
# Returns:   0 in both the success and the warning case
#######################################
run_target() {
  local target=$1
  printf '\n'
  printf '=================== deep: %s ===================\n' "$target"
  if ! python3 scripts/discover.py "$target"; then
    printf '::warning::%s exited non-zero\n' "$target"
  fi
}
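#######################################
# Pull a pinned provider into the local stackql registry.
# A failed pull used to pass silently (no set -e), so the later
# "<target> exited non-zero" warning pointed at the wrong step; surface it here.
# Arguments: $1 - provider name, $2 - pinned provider version
# Outputs:   warning line on stdout when the pull fails
# Returns:   0 always (the target is still attempted, as before)
#######################################
pull_provider() {
  local provider=$1 version=$2
  if ! stackql exec "registry pull ${provider} ${version};"; then
    printf '::warning::registry pull %s %s failed\n' "$provider" "$version"
  fi
}

# --- AWS: S3 full audit + all-regions sweep ---
if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
  pull_provider aws v26.05.00395
  run_target s3
  run_target aws-regions
else
  echo "skip aws (s3, aws-regions): set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
fi

# --- GCP: org folder/project descent ---
if [ -n "${STACKQL_AUDIT_GCP_CREDS:-}" ] && [ -n "${GOOGLE_ORG_ID:-}" ]; then
  pull_provider google v25.12.00357
  run_target gcp-org
else
  echo "skip gcp-org: need cicd/vendor-secrets/google-sa.json and GOOGLE_ORG_ID"
fi

# --- Azure: management-group subscription descent ---
# NOTE(review): this gate is looser than the AWS/GCP ones (either variable
# alone is enough, and AZURE_CLIENT_SECRET is not checked) while the skip
# message asks for all three — confirm that is intended.
if [ -n "${AZURE_TENANT_ID:-}" ] || [ -n "${AZURE_CLIENT_ID:-}" ]; then
  pull_provider azure v24.10.00267
  run_target azure-org
else
  echo "skip azure-org: set AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET"
fi

printf '\n'
printf '=== summary: %s\n' "${GITHUB_STEP_SUMMARY}"
printf '=== logs + findings: %s/cicd/log/%s/ (per-bucket logs + *-findings.jsonl)\n' "$(pwd)" "${RUN_STAMP}"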