Merge pull request #1904 from snyk/feat/iac-new-flow-ga

feat: iac new flow ga

help/commands-docs/_EXAMPLES.md

@@ -26,4 +26,4 @@ See `snyk iac --help` for more details and examples:
 
     $ snyk iac test /path/to/Kubernetes.yaml
     $ snyk iac test /path/to/terraform_file.tf
-    $ snyk iac test /path/to/tf-plan.json --experimental
+    $ snyk iac test /path/to/tf-plan.json

help/commands-docs/iac-examples.md

@@ -9,7 +9,7 @@
   \$ snyk iac test /path/to/terraform_file.tf
 
 - `Test terraform plan file`:
-  \$ snyk iac test /path/to/tf-plan.json --experimental
+  \$ snyk iac test /path/to/tf-plan.json
 
 - `Test matching files in a directory`:
   \$ snyk iac test /path/to/directory

help/commands-docs/iac.md

@@ -44,13 +44,8 @@ Find security issues in your Infrastructure as Code files.
   Save test output in SARIF format directly to the <OUTPUT_FILE_PATH> file, regardless of whether or not you use the `--sarif` option.
   This is especially useful if you want to display the human-readable test output via stdout and at the same time save the SARIF format output to a file.
 
-- `--experimental`:
-  (only in `test` command)
-  Enable an experimental feature to scan configuration files locally on your machine. 
-  This feature also gives you the ability to scan terraform plan JSON files.
-
 - `--scan=`<TERRAFORM_PLAN_SCAN_MODE>:
-  Dedicated flag for Terraform plan scanning modes (available only under `--experimental` mode).  
+  Dedicated flag for Terraform plan scanning modes.  
   It enables to control whether the scan should analyse the full final state (e.g. `planned-values`), or the proposed changes only  (e.g. `resource-changes`).  
   Default: If the `--scan` flag is not provided it would scan the proposed changes only by default.  
   Example #1: `--scan=planned-values` (full state scan)

src/cli/commands/test/iac-local-execution/assert-iac-options-flag.ts

@@ -6,7 +6,6 @@ import { IaCErrorCodes, IaCTestFlags, TerraformPlanScanMode } from './types';
 const keys: (keyof IaCTestFlags)[] = [
   'debug',
   'insecure',
-  'experimental',
   'detectionDepth',
   'severityThreshold',
   'json',
@@ -20,6 +19,7 @@ const keys: (keyof IaCTestFlags)[] = [
   'q',
   'quiet',
   'scan',
+  'legacy',
 ];
 const allowed = new Set<string>(keys);
 

src/cli/commands/test/iac-local-execution/index.ts

@@ -19,9 +19,7 @@ import {
   cleanLocalCache,
 } from './measurable-methods';
 // this method executes the local processing engine and then formats the results to adapt with the CLI output.
-// the current version is dependent on files to be present locally which are not part of the source code.
-// without these files this method would fail.
-// if you're interested in trying out the experimental local execution model for IaC scanning, please reach-out.
+// this flow is the default GA flow for IAC scanning.
 export async function test(
   pathToScan: string,
   options: IaCTestFlags,

src/cli/commands/test/iac-local-execution/types.ts

@@ -132,6 +132,9 @@ export type IaCTestFlags = Pick<
   help?: 'help';
   q?: boolean;
   quiet?: boolean;
+  // This flag is internal and is used merely to route the smoke tests of the old flow.
+  // it should be removed together when the GA version completely deprecates the legacy remote processing flow.
+  legacy?: boolean;
 } & TerraformPlanFlags;
 
 // Flags specific for Terraform plan scanning

src/cli/commands/test/iac-test-shim.ts

@@ -2,9 +2,12 @@ import { assertIaCOptionsFlags } from './iac-local-execution/assert-iac-options-
 import { IaCTestOptions, TestReturnValue } from './iac-local-execution/types';
 import { localTest } from './iac-local-execution/measurable-methods';
 import { test as legacyTest } from '../../../lib';
+import { getIacOrgSettings } from './iac-local-execution/org-settings/get-iac-org-settings';
+import { isFeatureFlagSupportedForOrg } from '../../../lib/feature-flags';
+const camelCase = require('lodash.camelcase');
 
 /**
- * Shim around the new local execution test path and the existing remote
+ * Shim around the new local execution test path and the legacy remote
  * test flow. We also locally deal with the way the legacy test flow exposes
  * the scanned files via the `options.iacDirFiles` object here so that
  * in the new flow we do not mutate the options object.
@@ -17,16 +20,18 @@ export async function test(
   // caller doesn't accidentally mistype --experimental and send their
   // configuration files to our backend by accident.
   assertIaCOptionsFlags(process.argv);
-
-  if (options.experimental) {
-    // this path is an experimental feature feature for IaC which does issue scanning locally without sending files to our Backend servers.
-    // once ready for GA, it is aimed to deprecate our remote-processing model, so IaC file scanning in the CLI is done locally.
-    return localTest(pathToScan, options);
+  const iacOrgSettings = await getIacOrgSettings();
+  const shouldOptOutFromLocalExec = await isFeatureFlagSupportedForOrg(
+    camelCase('opt-out-from-local-exec-iac'),
+    iacOrgSettings.meta.org,
+  );
+  if (shouldOptOutFromLocalExec.ok || options.legacy) {
+    // this path allows users to opt-out from the local IaC scan which is GA and continue using the remote-processing legacy flow.
+    const results = await legacyTest(pathToScan, options);
+    return {
+      failures: options.iacDirFiles?.filter((file) => !!file.failureReason),
+      results,
+    };
   }
-
-  const results = await legacyTest(pathToScan, options);
-  return {
-    failures: options.iacDirFiles?.filter((file) => !!file.failureReason),
-    results,
-  };
+  return localTest(pathToScan, options);
 }

src/cli/index.ts

@@ -3,8 +3,6 @@ import 'source-map-support/register';
 import * as Debug from 'debug';
 import * as pathLib from 'path';
 
-const camelCase = require('lodash.camelcase');
-
 // import args as a first internal module
 import { args as argsLib, Args, ArgsOptions } from './args';
 // parse args as a first thing; argsLib modifies global namespace
@@ -46,8 +44,6 @@ import {
 } from '../lib/types';
 import { SarifFileOutputEmptyError } from '../lib/errors/empty-sarif-output-error';
 import { InvalidDetectionDepthValue } from '../lib/errors/invalid-detection-depth-value';
-import { getIacOrgSettings } from './commands/test/iac-local-execution/org-settings/get-iac-org-settings';
-import { isFeatureFlagSupportedForOrg } from '../lib/feature-flags';
 
 const debug = Debug('snyk');
 const EXIT_CODES = {
@@ -249,22 +245,6 @@ async function main() {
       (globalArgs.options as unknown) as AllSupportedCliOptions,
     );
 
-    // IaC only: used for rolling out the experimental flow
-    // modify args if experimental flag not provided, based on feature flag
-    // this can be removed once experimental becomes the default
-    if (
-      globalArgs.options['iac'] &&
-      globalArgs.command === 'test' &&
-      !globalArgs.options['experimental']
-    ) {
-      const iacOrgSettings = await getIacOrgSettings();
-      const experimentalFlowEnabled = await isFeatureFlagSupportedForOrg(
-        camelCase('experimental-local-exec-iac'),
-        iacOrgSettings.meta.org,
-      );
-      globalArgs.options['experimental'] = !!experimentalFlowEnabled.ok;
-    }
-
     if (globalArgs.options['app-vulns'] && globalArgs.options['json']) {
       throw new UnsupportedOptionCombinationError([
         'Application vulnerabilities is currently not supported with JSON output. ' +

test/acceptance/cli-test/cli-test.acceptance.test.ts

@@ -26,8 +26,6 @@ import { RubyTests } from './cli-test.ruby.spec';
 import { SbtTests } from './cli-test.sbt.spec';
 import { YarnTests } from './cli-test.yarn.spec';
 import { ElixirTests } from './cli-test.elixir.spec';
-import { IacK8sTests } from './iac/cli-test.iac-k8s.spec';
-import { IacDirTests } from './iac/cli-test.iac-dir.spec';
 import { YarnWorkspacesTests } from './cli-test.yarn-workspaces.spec';
 // import { AllProjectsTests } from './cli-test.all-projects.spec'; TODO @boost temporary disable flaky test
 
@@ -44,8 +42,6 @@ const languageTests: AcceptanceTests[] = [
   RubyTests,
   SbtTests,
   YarnTests,
-  IacK8sTests,
-  IacDirTests,
   YarnWorkspacesTests,
   ElixirTests,
 ];