Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
big-finland-87761
05/18/2022, 7:04 PMWhat's the best policy checker for pulumi? We currently use checkov for our CFN templates, but checkov doesn't support pulumi (yet? https://github.com/bridgecrewio/checkov/issues/568 )
The AWS policy validators in the Pulumi repo are... pretty barebones. Looks like only one has been added in the last couple years. I really don't want to lose coverage and/or rewrite all of the checkov tests.
when I poked around in the checkov code, it looks like a decent chunk of the IAM validation in Checkov actually delegates to Salesforce's cloudsplainer library. May or may not be relevant, but I thought it was an interesting bit of trivia
v
victorious-church-57397
05/18/2022, 7:27 PMunsure of any checkov integration, however you can validate your resources using https://www.pulumi.com/docs/guides/crossguard/core-concepts/#:~:text=Policies%20validation%20functions%20are%20executed,up%20into%20a%20final%20report.
b
big-finland-87761
05/18/2022, 7:36 PMI linked that issue in my original message 😛
and I would greatly prefer not to reimplement the entirety of checkov
v
victorious-church-57397
05/18/2022, 7:37 PMhaha sorry, long day 😂 yeah of course, that would be a pain. I’d maybe suggest bumping that post or contributing maybe 🤷
b
big-finland-87761
05/18/2022, 7:38 PMI commented on the issue; we'll see where it goes from here
v
victorious-church-57397
05/18/2022, 7:39 PMgood luck
lmk if you hear anything positive back, would be interested to have a play with it
b
big-finland-87761
05/18/2022, 7:40 PMwant to bump the issue too?
v
victorious-church-57397
05/18/2022, 7:42 PMdone 🙂
b
big-finland-87761
05/18/2022, 7:43 PM\o/
welp, if I end up having to write my own on company time, I'll see if I can get legal clearance to put them in a public repo or open a PR to Pulumi's
v
victorious-church-57397
05/18/2022, 7:46 PMi was thinking of doing something similar, we have a ticket to enforce tagging policies in our next sprint which starts on monday, so could probably get a core policy set knocked out in a sprint and then publish, if I beat you to it I’ll share a link
b
big-finland-87761
05/18/2022, 7:49 PMHeck yeah!!!
Thanks so much!
v
victorious-church-57397
05/18/2022, 7:52 PMno problem 🙂
b
big-finland-87761
06/06/2022, 11:05 PM@victorious-church-57397 did you end up taking a look at this?
v
victorious-church-57397
06/07/2022, 11:35 AMhey, sorry no not just yet. priorities changed! we enforced the tagging policy but didnt do any other stuff just yet