chore: generate JSON Schema

INSTALL.md

@@ -0,0 +1,117 @@
+# Install
+
+tfprovidercheck is written in Go. So you only have to install a binary in your `PATH`.
+
+There are some ways to install tfprovidercheck.
+
+1. [Homebrew](#homebrew)
+1. [Scoop](#scoop)
+1. [aqua](#aqua)
+1. [GitHub Releases](#github-releases)
+1. [Build an executable binary from source code yourself using Go](#build-an-executable-binary-from-source-code-yourself-using-go)
+
+## Homebrew
+
+You can install tfprovidercheck using [Homebrew](https://brew.sh/).
+
+```sh
+brew install suzuki-shunsuke/tfprovidercheck/tfprovidercheck
+```
+
+## Scoop
+
+You can install tfprovidercheck using [Scoop](https://scoop.sh/).
+
+```sh
+scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
+scoop install tfprovidercheck
+```
+
+## aqua
+
+You can install tfprovidercheck using [aqua](https://aquaproj.github.io/).
+
+```sh
+aqua g -i suzuki-shunsuke/tfprovidercheck
+```
+
+## Build an executable binary from source code yourself using Go
+
+```sh
+go install github.com/suzuki-shunsuke/tfprovidercheck/cmd/tfprovidercheck@latest
+```
+
+## GitHub Releases
+
+You can download an asset from [GitHub Releases](https://github.com/suzuki-shunsuke/tfprovidercheck/releases).
+Please unarchive it and install a pre built binary into `$PATH`. 
+
+### Verify downloaded assets from GitHub Releases
+
+You can verify downloaded assets using some tools.
+
+1. [GitHub CLI](https://cli.github.com/)
+1. [slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
+1. [Cosign](https://github.com/sigstore/cosign)
+
+### 1. GitHub CLI
+
+You can install GitHub CLI by aqua.
+
+```sh
+aqua g -i cli/cli
+```
+
+```sh
+version=v1.0.1
+asset=tfprovidercheck_darwin_arm64.tar.gz
+gh release download -R suzuki-shunsuke/tfprovidercheck "$version" -p "$asset"
+gh attestation verify "$asset" \
+  -R suzuki-shunsuke/tfprovidercheck \
+  --signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
+```
+
+### 2. slsa-verifier
+
+You can install slsa-verifier by aqua.
+
+```sh
+aqua g -i slsa-framework/slsa-verifier
+```
+
+```sh
+version=v1.0.1
+asset=tfprovidercheck_darwin_arm64.tar.gz
+gh release download -R suzuki-shunsuke/tfprovidercheck "$version" -p "$asset" -p multiple.intoto.jsonl
+slsa-verifier verify-artifact "$asset" \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/suzuki-shunsuke/tfprovidercheck \
+  --source-tag "$version"
+```
+
+### 3. Cosign
+
+You can install Cosign by aqua.
+
+```sh
+aqua g -i sigstore/cosign
+```
+
+```sh
+version=v1.0.1
+checksum_file="tfprovidercheck_${version#v}_checksums.txt"
+asset=tfprovidercheck_darwin_arm64.tar.gz
+gh release download "$version" \
+  -R suzuki-shunsuke/tfprovidercheck \
+  -p "$asset" \
+  -p "$checksum_file" \
+  -p "${checksum_file}.pem" \
+  -p "${checksum_file}.sig"
+cosign verify-blob \
+  --signature "${checksum_file}.sig" \
+  --certificate "${checksum_file}.pem" \
+  --certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  "$checksum_file"
+cat "$checksum_file" | sha256sum -c --ignore-missing
+```

README.md

@@ -1,6 +1,6 @@
 # tfprovidercheck
 
-[Install](#install) | [Usage](#usage) | [Config](#configuration)
+[Install](Install.md) | [Usage](#usage) | [Config](#configuration)
 
 Censor [Terraform Providers](https://developer.hashicorp.com/terraform/language/providers).
 
@@ -21,135 +21,6 @@ tfprovidercheck is a command line tool to execute Terraform security.
 It prevents malicious Terraform Providers from being executed.
 You can define the allow list of Terraform Providers and their versions, and check if disallowed providers aren't used.
 
-## Install
-
-tfprovidercheck is a single binary written in [Go](https://go.dev/). So you only need to install an execurable file into `$PATH`.
-
-1. [Homebrew](https://brew.sh/)
-
-```sh
-brew install suzuki-shunsuke/tfprovidercheck/tfprovidercheck
-```
-
-2. [Scoop](https://scoop.sh/)
-
-```sh
-scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
-scoop install tfprovidercheck
-```
-
-3. [aqua](https://aquaproj.github.io/)
-
-```sh
-aqua g -i suzuki-shunsuke/tfprovidercheck
-```
-
-4. Download a prebuilt binary from [GitHub Releases](https://github.com/suzuki-shunsuke/tfprovidercheck/releases) and install it into `$PATH`
-
-<details>
-<summary>Verify downloaded assets from GitHub Releases</summary>
-
-You can verify downloaded assets using some tools.
-
-1. [GitHub CLI](https://cli.github.com/)
-1. [slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
-1. [Cosign](https://github.com/sigstore/cosign)
-
---
-
-1. GitHub CLI
-
-tfprovidercheck >= v1.0.1
-
-You can install GitHub CLI by aqua.
-
-```sh
-aqua g -i cli/cli
-```
-
-```sh
-gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1 -p tfprovidercheck_darwin_arm64.tar.gz
-gh attestation verify tfprovidercheck_darwin_arm64.tar.gz \
-  -R suzuki-shunsuke/tfprovidercheck \
-  --signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
-```
-
-Output:
-
-```
-Loaded digest sha256:4e444f43865f52c1d969a9af9691f062f60e0bc64c713ee2e90c2163c8ce0d67 for file://tfprovidercheck_darwin_arm64.tar.gz
-Loaded 1 attestation from GitHub API
-✓ Verification succeeded!
-
-sha256:4e444f43865f52c1d969a9af9691f062f60e0bc64c713ee2e90c2163c8ce0d67 was attested by:
-REPO                                 PREDICATE_TYPE                  WORKFLOW
-suzuki-shunsuke/go-release-workflow  https://slsa.dev/provenance/v1  .github/workflows/release.yaml@7f97a226912ee2978126019b1e95311d7d15c97a
-```
-
-2. slsa-verifier
-
-You can install slsa-verifier by aqua.
-
-```sh
-aqua g -i slsa-framework/slsa-verifier
-```
-
-```sh
-gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1 -p tfprovidercheck_darwin_arm64.tar.gz  -p multiple.intoto.jsonl
-slsa-verifier verify-artifact tfprovidercheck_darwin_arm64.tar.gz \
-  --provenance-path multiple.intoto.jsonl \
-  --source-uri github.com/suzuki-shunsuke/tfprovidercheck \
-  --source-tag v1.0.1
-```
-
-Output:
-
-```
-Verified signature against tlog entry index 137013754 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a1d8396570e05ff2dccf0d5060dbf587764f72ac809690392674ad9b57aa6bcf7
-Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 877e39ddd975a45a467fc4a5bacdf55d374df198
-Verifying artifact tfprovidercheck_darwin_arm64.tar.gz: PASSED
-
-PASSED: SLSA verification passed
-```
-
-3. Cosign
-
-You can install Cosign by aqua.
-
-```sh
-aqua g -i sigstore/cosign
-```
-
-```sh
-gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1
-cosign verify-blob \
-  --signature tfprovidercheck_1.0.1_checksums.txt.sig \
-  --certificate tfprovidercheck_1.0.1_checksums.txt.pem \
-  --certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
-  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-  tfprovidercheck_1.0.1_checksums.txt
-```
-
-Output:
-
-```
-Verified OK
-```
-
-After verifying the checksum, verify the artifact.
-
-```sh
-cat tfprovidercheck_1.0.1_checksums.txt | sha256sum -c --ignore-missing
-```
-
-</details>
-
-5. go install
-
-```sh
-go install github.com/suzuki-shunsuke/tfprovidercheck/cmd/tfprovidercheck@latest
-```
-
 ## Usage
 
 Please run `terraform init` in advance to update the list of Terraform Providers.
@@ -222,6 +93,23 @@ e.g.
 
 Then you can prevent configuration from being tampered by `pull_request_target` event.
 
+### JSON Schema
+
+- [tfprovidercheck.json](json-schema/tfprovidercheck.json)
+- https://raw.githubusercontent.com/suzuki-shunsuke/tfprovidercheck/refs/heads/main/json-schema/tfprovidercheck.json
+
+If you look for a CLI tool to validate configuration with JSON Schema, [ajv-cli](https://ajv.js.org/packages/ajv-cli.html) is useful.
+
+```sh
+ajv --spec=draft2020 -s json-schema/tfprovidercheck.json -d tfprovidercheck.yaml
+```
+
+#### Input Complementation by YAML Language Server
+
+```yaml
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/tfprovidercheck/refs/heads/main/json-schema/tfprovidercheck.json
+```
+
 ## Compared with .terraform.lock.hcl and required_providers block
 
 About [.terraform.lock.hcl](https://developer.hashicorp.com/terraform/language/files/dependency-lock), .terraform.lock.hcl doesn't work as the allow list of providers because `terraform init` adds missing providers automatically.

cmd/gen-jsonschema/main.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/suzuki-shunsuke/gen-go-jsonschema/jsonschema"
+	"github.com/suzuki-shunsuke/tfprovidercheck/pkg/controller"
+)
+
+func main() {
+	if err := core(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func core() error {
+	if err := jsonschema.Write(&controller.Config{}, "json-schema/tfprovidercheck.json"); err != nil {
+		return fmt.Errorf("create or update a JSON Schema: %w", err)
+	}
+	return nil
+}

cmdx.yaml

@@ -46,3 +46,7 @@ tasks:
     usage: Run tfprovidercheck via go run
     script: |
       go run ./cmd/tfprovidercheck {{._builtin.args_string}}
+  - name: js
+    description: Generate JSON Schema
+    usage: Generate JSON Schema
+    script: "go run ./cmd/gen-jsonschema"

go.mod

@@ -1,23 +1,29 @@
 module github.com/suzuki-shunsuke/tfprovidercheck
 
-go 1.23.2
+go 1.23.4
 
 require (
 	github.com/hashicorp/go-version v1.7.0
 	github.com/mattn/go-colorable v0.1.13
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.11.0
+	github.com/suzuki-shunsuke/gen-go-jsonschema v0.1.0
 	github.com/suzuki-shunsuke/logrus-error v0.1.4
 	github.com/urfave/cli/v2 v2.27.5
 	golang.org/x/term v0.27.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
+	github.com/bahlo/generic-list-go v0.2.0 // indirect
+	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+	github.com/invopop/jsonschema v0.12.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/stretchr/testify v1.8.4 // indirect
+	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -1,15 +1,24 @@
+github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
+github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
+github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
+github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
 github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI=
+github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -27,10 +36,14 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/suzuki-shunsuke/gen-go-jsonschema v0.1.0 h1:g7askc+nskCkKRWTVOdsAT8nMhwiaVT6Dmlnh6uvITM=
+github.com/suzuki-shunsuke/gen-go-jsonschema v0.1.0/go.mod h1:yFO7h5wwFejxi6jbtazqmk7b/JSBxHcit8DGwb1bhg0=
 github.com/suzuki-shunsuke/logrus-error v0.1.4 h1:nWo98uba1fANHdZ9Y5pJ2RKs/PpVjrLzRp5m+mRb9KE=
 github.com/suzuki-shunsuke/logrus-error v0.1.4/go.mod h1:WsVvvw6SKSt08/fB2qbnsKIMJA4K1MYCUprqsBJbMiM=
 github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
 github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
+github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=