google-github-actions · pankhurisaxena28 · Jun 27, 2024 · Jun 27, 2024 · Jun 27, 2024 · Jun 27, 2024
@@ -108,7 +108,7 @@ jobs:
           if [ "${{ steps.violations-found.outputs.iac_scan_result }}" != "passed" ]; then
             exit 1
           fi
-      
+
       - id: 'no-violations-found'
         name: 'No violations found in plan file'
         uses: './'
@@ -119,13 +119,15 @@ jobs:
           failure_criteria: 'CRITICAL:2, Operator:OR'
       - name: 'Check scan result and report not generated.'
         run: |
-          if [ "${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}" != "" ]; then
+          report_expected="tests/resources/zero_violations_sarif.json"
+          report_generated="${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}"
+          if cmp -s "$report_expected" "$report_generated"; then
             exit 1
           fi
           if [ "${{ steps.no-violations-found.outputs.iac_scan_result }}" != "passed" ]; then
             exit 1
           fi
-    
+
       - id: 'failure-criteria-satisfied'
         name: 'Failure criteria satisfied'
         uses: './'

@@ -1,5 +1,6 @@
 node_modules/
 runner/
+dist/
 
 # Rest of the file pulled from https://github.com/github/gitignore/blob/main/Node.gitignore
 # Logs

@@ -43,11 +43,6 @@ export abstract class IACScanReportProcessor {
     reportGenerator: ReportGenerator,
     reportName: string,
   ) {
-    if (report.violations?.length == 0) {
-      // no violations, returning as no action to take.
-      return;
-    }
-
     const generatedReport = reportGenerator.generate(report);
     logDebug(`IaC scan report generated`);
 
@@ -85,10 +80,14 @@ export class SarifReportGenerator implements ReportGenerator {
    * @param violations non empty list of violation fetched from scan API response.
    */
   generate(report: IACValidationReport): string {
+    const note: string = <string>report.note;
+    if (report.violations?.length === 0) {
+      const sarifReport: SARIFTemplate = this.constructSARIFReport(<Rule[]>[], <Result[]>[], note);
+      return JSON.stringify(sarifReport, null, 2);
+    }
     const policyToViolationMap = this.getUniqueViolation(<Violation[]>report.violations);
     const rules: Rule[] = this.constructRules(policyToViolationMap);
     const results: Result[] = this.constructResults(<Violation[]>report.violations);
-    const note: string = <string>report.note;
     const sarifReport: SARIFTemplate = this.constructSARIFReport(rules, results, note);
     return JSON.stringify(sarifReport, null, 2);
   }

@@ -157,5 +157,21 @@ test(
         assert.deepStrictEqual(sarifJson.runs.at(0)?.results.length, 2);
       },
     );
+
+    await suite.test('zero violations, generates report with only the note', async () => {
+      const reportGenerator = new SarifReportGenerator('version');
+
+      const report: IACValidationReport = {
+        note: 'IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies.',
+        violations: <Violation[]>[],
+      };
+
+      await IACScanReportProcessor.processReport(report, reportGenerator, 'sarif.json');
+      const sarif = await fs.readFile('./sarif.json', 'utf-8');
+      const sarifJson: SARIFTemplate = JSON.parse(sarif);
+
+      assert.deepStrictEqual(sarifJson.runs.at(0)?.tool.driver.rules.length, 0);
+      assert.deepStrictEqual(sarifJson.runs.at(0)?.results.length, 0);
+    });
   },
 );
@@ -3,6 +3,7 @@
     "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
     "runs": [
       {
+        "note": "IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies.",
         "tool": {
           "driver": {
             "name": "analyze-code-security-scc",