* chore(lint): setup golangci-lint

* linters: gofmt, goimports and misspell

* Update build.yml

Co-authored-by: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

* Migrate from github.com/jinzhu/gorm to gorm.io/gorm

* apply gofmt

* github.com/aws/aws-sdk-go

* fix

ASFF ProductFields[] string can't be longer than 1024 characters, could explain https://github.com/aquasecurity/kube-bench/issues/903
`Message:Finding does not adhere to Amazon Finding Format. data.Remediation.Recommendation.Text should NOT be longer than 512 characters.
Error Code:InvalidInput`

* Add detected kubernetes version to controls

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Add more logging

The old logging could was lacking and in some cases misleading

* Add Logging

Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs

* Fix typos

* more info

add more info in comment about the function and it use cases

Co-authored-by: Liz Rice <liz@lizrice.com>

* Use switch case

Change the logic from if to switch and tidy up the code

* Add expectedResultPattern to invalid test

when testing and try convert to numeric we didn't set expectedResultPattern value.

* check for auditconfig before using it

The current state is that when ever audit output is not what we search for we check for auditConfig output which is sometime empty and therefore create empty expected result as described in #694

* Fix issue about expectedResultPattern

expectedResultPattern not always shown and wasn't accurate enough 
Issue #705

* Add tests for ExpectedResult and fixes

Add tests for ExpectedResult with the new output and the verify that the fix is working

* Add missing flags

In some cases not having audit or audit_config flag would fail the test.
So added just a simple commands like echo something to solve this issue 
Also add bitmask checks

* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Change expected expectedResultPattern

Now expectedResultPattern is more verbose

* Update ops tests

* Fix unit tests

* Fix bitmask output syntax

* Changes to be committed:
	modified:   check/check.go
	modified:   check/test.go
	modified:   check/test_test.go
fix unit testing and test.go to resolve conflicts.

* Change found to flagFound

* add missing }

* change found to flag found

Co-authored-by: yoavrotems <yoavrotems97@gmail.com>

* Add example IAM policy

* Pass RotateKubeletServerCertificate related checks if it's not found (#767)

* Allow for environment variables to be checked in tests (#755)

* Initial commit for checking environment variables for etcd

* Revert config changes

* Remove redundant struct data

* Fix issues with failing tests

* Initial changes based on code review

* Add option to disable envTesting + Update docs

* Initial tests

* Finished testing

* Fix broken tests

* Add a total summary and always show all tests. (#759)

Whether the total summary is shown can be specified with an option.

Fixes #528

Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>

* Update Readme.md file with link to Contribution guide (#754)

* Update License with the year and the owner name

Please add this to make your license agreement strong

* Updated Readme.md file with license and proper documentation links

I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks.

* Update LICENSE

* Update README.md

* Update README.md

* Remove erroneous license info

Co-authored-by: Liz Rice <liz@lizrice.com>

* Support auto-detect platform when running on EKS or GKE (#683)

* Support auto-detect platform when running on EKS or GKE

* Change to get platform name from `kubectl version`

* fix regexp and add test

* Update Server Version match for EKS

* try to get version info from api sever at first

* Refactor group skip

changed group 'skip' from being a bool to be 'type' string as done in check

* Change skip: true -> type: skip

Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Wicked <jason_attwood@hotmail.co.uk>
Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com>
Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com>
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>

* add aasf

* add AASF format

* credentials provider

* add finding publisher

* add finding publisher

* add write AASF path

* add testing

* read config from file

* update docker file

* refactor

* remove sample

* add comments

* Add comment in EKS config.yaml

* Fix comment typo

* Fix spelling of ASFF

* Fix typo and other small code review suggestions

* Limit length of Actual result field

Avoids this message seen in testing:
  Message:Finding does not adhere to Amazon Finding Format. data.ProductFields['Actual result'] should NOT be longer than 1024 characters.

* Add comment for ASFF schema

* Add Security Hub documentation

* go mod tidy

* remove dupe lines in docs

* support integration in any region

* fix README link

* fix README links

Co-authored-by: Liz Rice <liz@lizrice.com>

* Allow for skip to be defined on a group-level skipping all checks inside

* Refactor skip code to not run skipped checks

* Fix go vet issues

* to omit the property from JSON parsing one should use "-". "omit" in
that case would use omit tag
* The error was not reachable in the tests, so I moved it to the place
where it make sense for me (but maybe it was just unnecessary)

* Run all go vet linters in CI

* This return breaks the test

actual Result is used later on to get actual value and the --include-test-output values but it never got set so its always empty.

* Code quality improvements such -

1. Improves empty string test (len vs str == "")
2. Converts fmt.Sprintf to string literal and Printf to Print where possible (as the dynamic args are missing!)

* Delete .deepsource.toml

Co-authored-by: DeepSource Bot <bot@deepsource.io>
Co-authored-by: Liz Rice <liz@lizrice.com>

* read-only-port defaults are correct

* Tests that should catch good read-only-port

* Rework checks & tests

* Linting on issue template YAML

* More explicit test for 4.2.4

* Remove verbosity for ease of reading results

* Use subtests

* Tidy more test cases

* read-only-port defaults are correct

* Tests that should catch good read-only-port

* Rework checks & tests

* Linting on issue template YAML

* More explicit test for 4.2.4

* set: default true

Refactor testitem-set to be default true

* fix typo

Co-authored-by: Liz Rice <liz@lizrice.com>

Co-authored-by: Liz Rice <liz@lizrice.com>

* Update test.go

* Update test_test.go

* Run audit as shell script instead of as single line command

* Rename runExecCommands to runAudit

* Fix tests

Co-authored-by: Liz Rice <liz@lizrice.com>

* Add option to do bitwise and between two value in order to compare permissions

* Update test.go

Removed self debug note

* Update test_test.go

FIx typo

* Update test.go

* Update test.go

Switched between max and requested value, because accidentally assigned them oppositely  and remove old function relate to octal base

* Update test_test.go

* Update test_test.go

* Update check.go

Added new warn_reason value which gives a brief explanation about why the not scored tests failed

* Update common.go

Changed when a not scored test fails because it has a wrong syntax audit command or just running something that can't be run the print the failure. but if the test just fails because it doesn't line up with the cis hardening recommendations then print the remediation text.

* Update check/check.go

fix typo

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update check.go

* Update common.go

* Update check.go

added back os.Exit(1) to  exitWithError

* Update job-master.data

Change some tests output to fit warn reason. (No change to the summary)

* Update job-node.data

Changed some tests output to fit warn reason. (No change to the summary)

* Update job.data

Change some tests output to fit warn reason. (No change to the summary)

* Update common.go

Keep to old way to print manual test output

Co-authored-by: Liz Rice <liz@lizrice.com>
Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>

* Support parse boolean flag with no value

* Add test for parse boolean flag with false value

Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>

* Add initial commit for CIS GKE 1.0 benchmark

* Update README with GKE instructions

* Fix YAML linter issues

* Set GKE benchmark k8s version to gke-1.0

* Add tests for gke-1.0

Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>

- Tests that did not increase coverage and were redundant are removed.
- New tests reflecting the meaning of the state as explained in the
  README are added.

Co-authored-by: s-nirali <25746945+s-nirali@users.noreply.github.com>

* Adds openshift to autodetect node type

* detect okd node units

* OCP fixes

* Initial commit.

* Add master and node config.

* Add section 5 of CIS 1.5.1.

* Split sections into section files

* Fix YAML issues.

* adds target translation

* adds target translation

* adds cis-1.5 mapping

* fixed tests

* fixes are per PR

* fixed intergration test

* integration kind test file to appropriate ks8 version

* fixed etcd text

* fixed README

* fixed text

* etcd: fixed grep path

* etcd: fixes

* fixed error message bug

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* Update README.md

Co-Authored-By: Liz Rice <liz@lizrice.com>

* fixes as per PR review

If running these checks in a CI system it may be beneficial
to output in a more standardized format such as JUnit for
parsing by other tools in a consistent manner.

Fixes #460

Signed-off-by: John Schnake <jschnake@vmware.com>

As the length of a nil slice is defined as 0, the nil check is
redundand. (suggested by golanci-lint/gosimple)

Using `buf.String()` instead of `fmt.Sprintf` is simpler

* removed version prior to 1.11

* removed references to kubernetes versions prior to 1.11

* starts fixes #353

* new approach to minize duplications

* applied merged yaml files for v1.11 and v1.13

* yaml files json/params merged

* fixes to remove double quotes from numbers and booleans

* fixed bug

* fixed certificate check

* removed -json files

* changes based on PR review

* Update check/check_test.go

Yay more tests!

Co-Authored-By: Liz Rice <liz@lizrice.com>

* changes as PR review

* fixed bug when scored check is missing tests

* attempt to improve the code

* fixed list breaks

* removes handleError function

* Update check/check.go

Accepting suggested log level.

Co-Authored-By: Liz Rice <liz@lizrice.com>

* fixes issue #364

* fixed unit test error text

* issue #344: Adds support for array comparison. Every element in the source array must exist in the target array.

* issue #344: Fixed typo and found if condition based on code review

* adds unit tests for valid_elements comparison

* removes spaces from split strings

* issue #363: starts unit tests for Test Comparison.

* issue #363: Adds tests for "eq" operation

* changes test result message

* issue #363: Adds tests for "noteq" operation

* issue #363: Adds tests for "gt" operation

* issue #363: Adds tests for "lt" operation

* issue #363: Adds tests for "gte" operation

* issue #363: Adds tests for "lte" operation

* issue #363: Adds tests for "has" operation

* issue #363: Adds tests for "nothave" operation

* issue #363: Adds tests for "regex" operation

* issue #243: Changes condition so that score: false tests are performed

* issue #243: Changes comments.