
CLI should return non-zero when stack is invalid


I’m setting up a quick demo infrastructure that includes an RDS instance. I hardcode the master password for my database because it’s the easiest thing to do.

  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBInstanceClass: db.t3.micro
      Engine: mysql
      EngineVersion: 8.0.21
      DBSubnetGroupName: !Ref DBSubnetGroup
      PubliclyAccessible: false
      StorageEncrypted: true
      AllocatedStorage: "20"
      MasterUsername: root
      MasterUserPassword: password

CFRipper correctly calls me out on that and declares the stack invalid from a security perspective. Great!

$ cfripper stack.yml
Analysing stack.yml...
Valid: False
Issues found:
	- HardcodedRDSPasswordRule: RDS Instance password parameter missing NoEcho for RDSInstance.
$ echo $?
0

However, as you can see, the exit code is still 0.

That means this doesn’t automatically trigger a failure in my CI system.

I was expecting to see a 1 or something else falsy.

I’m using Bitbucket Pipelines which passes each step if the exit code is 0 and fails otherwise. I believe most other CI systems work the same way.

Because this looks like a pass to Bitbucket Pipelines, I have to remember to inspect the output every time I want to know if there’s a potential security issue.

So could we have CFRipper return a non-zero exit code when the stack is found to be invalid?

It could just be as simple as 0 for valid and 1 for invalid without any more detail.

The other tools in my pipeline work in a similar way, although they are more complex or nuanced than what is probably needed in CFRipper.

  • cfn_nag

    • A failing violation will return a non-zero exit code.
    • A warning will return a zero/success exit code.
  • cfn-lint

    • 0 if no issue was found
    • 2 is an error
    • 4 is a warning
    • 6 is an error and a warning
    • 8 is an informational
    • 10 is an error and informational
    • 12 is a warning and informational
    • 14 is an error and a warning and an informational

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
ocrawford555 commented, Jan 26, 2021

@iainelder 0.23.1 now released and README updated

0 reactions
iainelder commented, Jan 26, 2021

Yes, thanks, confirmed working with 0.23.1!

For anyone else reading this thread, the meaning of the error codes changed in #145.

From my informal local testing:

  • a deployable CloudFormation template that passes all security checks returns 0
  • a file that isn’t a CloudFormation template returns 1
  • a deployable CloudFormation template that fails a security check returns 2
  • I was unable to provoke a return value of 3
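As an added example (not code from the cfripper project or from either commenter), the POSIX sh wrapper below shows how a CI step can gate on cfripper's textual output for releases before 0.23.1, where the CLI always exited 0, and maps the result onto the 0/1/2 exit-code convention iainelder reports above. The function names, the sample output strings (constructed to match the shape of the terminal session in the issue) and the treatment of unknown codes as failures are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the cfripper project or of this thread.
# Before cfripper 0.23.1 the CLI always exited 0, so a CI step could not fail
# on "Valid: False". This wrapper parses cfripper's stdout and maps it onto the
# exit-code convention reported for 0.23.1 in the thread:
#   0 = template passed every check
#   1 = the file is not a usable CloudFormation template (or output unreadable)
#   2 = the template is deployable but failed a security check
# Function and variable names below are this example's own choices.

# Read cfripper output on stdin; return the exit code CI should see.
classify_cfripper_output() {
    out=$(cat)
    case "$out" in
        *"Valid: True"*)  return 0 ;;
        *"Valid: False"*) return 2 ;;
        *)                return 1 ;;
    esac
}

# Turn an exit code into the one-line verdict printed in the pipeline log.
# Anything outside 0/1/2 (the thread could not provoke a 3) is treated as a failure.
describe_cfripper_exit() {
    case "$1" in
        0) echo "PASS: template passes all cfripper checks" ;;
        1) echo "ERROR: file is not a CloudFormation template cfripper can analyse" ;;
        2) echo "FAIL: template violates at least one security rule" ;;
        *) echo "FAIL: unexpected cfripper exit code $1 (treated as failure)" ;;
    esac
}

# Constructed sample output, shaped like the session in the issue.
SAMPLE_FAIL='Analysing stack.yml...
Valid: False
Issues found:
	- HardcodedRDSPasswordRule: RDS Instance password parameter missing NoEcho for RDSInstance.'

SAMPLE_PASS='Analysing stack.yml...
Valid: True'

# Offline demonstration: run both samples through the classifier.
# The "|| rc=$?" form keeps the script alive under "set -e" in a CI step.
rc=0; printf '%s\n' "$SAMPLE_FAIL" | classify_cfripper_output || rc=$?
describe_cfripper_exit "$rc"
rc=0; printf '%s\n' "$SAMPLE_PASS" | classify_cfripper_output || rc=$?
describe_cfripper_exit "$rc"

# Intended pipeline usage (cfripper is not invoked here so the example runs offline):
#   cfripper stack.yml | tee cfripper.log | classify_cfripper_output
#   rc=$?; describe_cfripper_exit "$rc"; exit "$rc"
# A pipeline's status is that of its last command, so the step fails on 1 or 2,
# which is exactly what Bitbucket Pipelines (and most CI systems) need to mark it red.
```

The wrapper keys on the `Valid:` line rather than on individual rule names, so it keeps working as rules are added; once a cfripper release with native exit codes is in use, the same `describe_cfripper_exit` step can consume `$?` directly and the classifier can be dropped.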
