Augmented Mixins ✅

[MChorfa]

I want my mixin to not only do the common actions like install, upgrade, and so on, but I want my mixin to perform some extra verification. For linting my code, scanning for vulnerabilities before doing the install or upgrade. The augmentation can be ensured by Porter when receiving the appropriate flags within the mixin configuration.

- kubernetes:
    clientVersion: v1.15.5
    lint: true
    scan: true

If those flags are defined. The mixin will go ahead and install the recommended tool to do the linting or security scanning, then Porter will call that special operation during the action execution.

Is this too much of responsibility for a mixin or it will bloat the Porter image?

[carolynvs]

For the lint command, Porter attempts to call lint on every mixin used in a bundle (during the porter build command). If the mixin supports that command, the results of calling MIXIN lint are included in the results. Do you think that opting in to linting at the mixin level (as opposed to per bundle) is sufficient?

[MChorfa]

I think if the mixin lint is called at the mixin level and if the lint results in an error it would either break porter build or warn the user

[carolynvs]

Correct, depending on the severity of the problem found, it will either stop the build or only print an error. The user can always decide to ignore the problem with --no-lint so that they are never prevented from building a bundle due to a lint error.

[carolynvs]

For scan, what types of problems do you see the mixin identifying that it couldn't detect at build time? Is it using your credentials and scanning the target environment? Something else?

[MChorfa]

The main idea is to avoid common secuity issues, including credentials. I would like to take advantage of those tools like Checkov, TFScan, or TFSec.

An example that I use for my pre-commit config:

  - repo: https://github.com/gruntwork-io/pre-commit
    rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
    hooks:
      - id: shellcheck
      - id: helmlint

  - repo: git://github.com/antonbabenko/pre-commit-terraform
    rev: v1.49.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_docs
      - id: terraform_tfsec
      - id: checkov

[carolynvs]

It looks like all of these checks can be run at porter build time? I don't see any that need to use the credentials, but I'm not familiar with these hooks so maybe I'm missing something.

[carolynvs]

After yesterday's dev meeting, we decided that this can be accomplished with just changes to the mixins that want to add more interesting lint checks

• mixin globally configures which lints to run at buildtime
• mixin lint command can download the linter(s) on the fly and run them
• mixins at runtime can expose a command (or have the user use a exec style dynamic command) to run lint checks that require credentials.

We'd like to start with helm since it's just a build check. We'd also like to have terraform implement dynamic exec style commands, and maybe add custom commands for common linters.