feat: add support for checkov (#267)

* feat: add support for checkov

---------

Co-authored-by: Dias Saparov <dias@digger.dev>

Author: fleroux514

action.yml

@@ -56,6 +56,14 @@ inputs:
   upload-plan-destination:
     description: Destination to upload the plan to. gcp and github are currently supported
     required: false
+  setup-checkov:
+    description: Setup Checkov
+    required: false
+    default: 'false'
+  checkov-version:
+    description: Checkov version
+    required: false
+    default: '2.3.245'
 
 outputs:
   output:
@@ -126,11 +134,22 @@ runs:
         terragrunt_version: ${{ inputs.terragrunt-version }}
       if: inputs.setup-terragrunt == 'true'
 
+    - name: Setup Checkov
+      run: |
+        python3 -m venv .venv
+        source .venv/bin/activate
+        pip3 install --upgrade pip
+        pip3 install --upgrade setuptools
+        pip3 install -U checkov==${{ inputs.checkov-version }}
+      shell: bash
+      if: inputs.setup-checkov == 'true'
+
     - name: build and run digger
       if: ${{ !startsWith(github.action_ref, 'v') }}
       shell: bash
       env:
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
+        ACTIVATE_VENV: ${{ inputs.setup-checkov == 'true' }}
       run: |
           cd ${{ github.action_path }}
           go build -o digger ./cmd/digger

pkg/digger/digger.go

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"os"
 	"os/exec"
@@ -373,25 +374,42 @@ type DiggerExecutor struct {
 }
 
 type CommandRun interface {
-	Run(workingDir string, shell string, command string) (string, string, error)
+	Run(workingDir string, shell string, commands []string) (string, string, error)
 }
 
 type CommandRunner struct {
 }
 
-func (c CommandRunner) Run(workingDir string, shell string, command string) (string, string, error) {
+func (c CommandRunner) Run(workingDir string, shell string, commands []string) (string, string, error) {
+	var args []string
 	if shell == "" {
 		shell = "bash"
+		args = []string{"-eo", "pipefail"}
 	}
-	cmd := exec.Command(shell, "-c", command)
+
+	scriptFile, err := ioutil.TempFile("", "run-script")
+	if err != nil {
+		return "", "", fmt.Errorf("error creating script file: %v", err)
+	}
+	defer os.Remove(scriptFile.Name())
+
+	for _, command := range commands {
+		_, err := scriptFile.WriteString(command + "\n")
+		if err != nil {
+			return "", "", fmt.Errorf("error writing to script file: %v", err)
+		}
+	}
+	args = append(args, scriptFile.Name())
+
+	cmd := exec.Command(shell, args...)
 	cmd.Dir = workingDir
 
 	var stdout, stderr bytes.Buffer
 	mwout := io.MultiWriter(os.Stdout, &stdout)
 	mwerr := io.MultiWriter(os.Stderr, &stderr)
 	cmd.Stdout = mwout
 	cmd.Stderr = mwerr
-	err := cmd.Run()
+	err = cmd.Run()
 
 	if err != nil {
 		return stdout.String(), stderr.String(), fmt.Errorf("error: %v", err)
@@ -458,8 +476,13 @@ func (d DiggerExecutor) Plan(prNumber int) error {
 				d.CIService.PublishComment(prNumber, comment)
 			}
 			if step.Action == "run" {
-				stdout, stderr, err := d.CommandRunner.Run(d.ProjectPath, step.Shell, step.Value)
-				log.Printf("Running %v for **%v**\n%v%v", step.Value, d.ProjectLock.LockId(), stdout, stderr)
+				var commands []string
+				if os.Getenv("ACTIVATE_VENV") == "true" {
+					commands = append(commands, fmt.Sprintf("source %v/.venv/bin/activate", os.Getenv("GITHUB_WORKSPACE")))
+				}
+				commands = append(commands, step.Value)
+				log.Printf("Running %v for **%v**\n", step.Value, d.ProjectLock.LockId())
+				_, _, err := d.CommandRunner.Run(d.ProjectPath, step.Shell, commands)
 				if err != nil {
 					return fmt.Errorf("error running command: %v", err)
 				}
@@ -522,8 +545,13 @@ func (d DiggerExecutor) Apply(prNumber int) error {
 					}
 				}
 				if step.Action == "run" {
-					stdout, stderr, err := d.CommandRunner.Run(d.ProjectPath, step.Shell, step.Value)
-					log.Printf("Running %v for **%v**\n%v%v", step.Value, d.ProjectLock.LockId(), stdout, stderr)
+					var commands []string
+					if os.Getenv("ACTIVATE_VENV") == "true" {
+						commands = append(commands, fmt.Sprintf("source %v/.venv/bin/activate", os.Getenv("GITHUB_WORKSPACE")))
+					}
+					commands = append(commands, step.Value)
+					log.Printf("Running %v for **%v**\n", step.Value, d.ProjectLock.LockId())
+					_, _, err := d.CommandRunner.Run(d.ProjectPath, step.Shell, commands)
 					if err != nil {
 						return fmt.Errorf("error running command: %v", err)
 					}

pkg/digger/digger_test.go

@@ -21,8 +21,8 @@ type MockCommandRunner struct {
 	Commands []RunInfo
 }
 
-func (m *MockCommandRunner) Run(workDir string, shell string, command string) (string, string, error) {
-	m.Commands = append(m.Commands, RunInfo{"Run", workDir + " " + shell + " " + command, time.Now()})
+func (m *MockCommandRunner) Run(workDir string, shell string, commands []string) (string, string, error) {
+	m.Commands = append(m.Commands, RunInfo{"Run", workDir + " " + shell + " " + strings.Join(commands, " "), time.Now()})
 	return "", "", nil
 }
 
@@ -182,7 +182,7 @@ func TestCorrectCommandExecutionWhenApplying(t *testing.T) {
 
 	commandStrings := allCommandsInOrderWithParams(terraformExecutor, commandRunner, prManager, lock, planStorage)
 
-	assert.Equal(t, []string{"RetrievePlan #.tfplan", "IsMergeable 1", "Lock 1", "Init ", "Apply ", "LockId ", "PublishComment 1 <details>\n  <summary>Apply for ****</summary>\n\n  ```terraform\n\n  ```\n</details>", "Run   echo", "LockId "}, commandStrings)
+	assert.Equal(t, []string{"RetrievePlan #.tfplan", "IsMergeable 1", "Lock 1", "Init ", "Apply ", "LockId ", "PublishComment 1 <details>\n  <summary>Apply for ****</summary>\n\n  ```terraform\n\n  ```\n</details>", "LockId ", "Run   echo"}, commandStrings)
 }
 
 func TestCorrectCommandExecutionWhenPlanning(t *testing.T) {
@@ -224,7 +224,7 @@ func TestCorrectCommandExecutionWhenPlanning(t *testing.T) {
 
 	commandStrings := allCommandsInOrderWithParams(terraformExecutor, commandRunner, prManager, lock, planStorage)
 
-	assert.Equal(t, []string{"Lock 1", "Init ", "Plan -out #.tfplan", "StorePlan #.tfplan", "LockId ", "PublishComment 1 <details>\n  <summary>Plan for ****</summary>\n\n  ```terraform\n\n  ```\n</details>", "Run   echo", "LockId "}, commandStrings)
+	assert.Equal(t, []string{"Lock 1", "Init ", "Plan -out #.tfplan", "StorePlan #.tfplan", "LockId ", "PublishComment 1 <details>\n  <summary>Plan for ****</summary>\n\n  ```terraform\n\n  ```\n</details>", "LockId ", "Run   echo"}, commandStrings)
 }
 
 func allCommandsInOrderWithParams(terraformExecutor *MockTerraformExecutor, commandRunner *MockCommandRunner, prManager *MockPRManager, lock *MockProjectLock, planStorage *MockPlanStorage) []string {