Add extractTerraformChanges filter plugin #726
Conversation
Analyzes Terraform HCL file changes to extract highest privilege level from modified JIT access configurations. Returns 'rw' for read-write, 'ro' for read-only, or null if no JIT objects modified.
![orca-security-us[bot]](https://avatars.githubusercontent.com/in/276250?s=60&v=4){kind=small}
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
 Passed |
Infrastructure as Code |  0  0  0  0 |
View in Orca |
| Passed |
SAST | 0 2 0 0 |
View in Orca |
| Passed |
Secrets | 0 0 0 0 |
View in Orca |
| Passed |
Vulnerabilities | 0 0 0 0 |
View in Orca |
🛡️ The following SAST misconfigurations have been detected
| NAME | FILE | ||
|---|---|---|---|
|
Dynamic File Path Construction from User Input Can Lead to Path Traversal Attacks | ...aformChanges/test.js | View in code |
|
Dynamic File Path Construction from User Input Can Lead to Path Traversal Attacks | ...aformChanges/test.js | View in code |
|
Please mark which AI tools you used for this PR by checking the appropriate boxes:
Tip: If you want to avoid this comment in the future, you can add a label of the format |
![gitstream-cm[bot]](https://avatars.githubusercontent.com/in/230441?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
| Passed |
Infrastructure as Code | 0 0 0 0 |
View in Orca |
| Passed |
SAST | 0 3 0 0 |
View in Orca |
| Passed |
Secrets | 0 0 0 0 |
View in Orca |
| Passed |
Vulnerabilities | 0 0 0 0 |
View in Orca |
🛡️ The following SAST misconfigurations have been detected
| NAME | FILE | ||
|---|---|---|---|
|
Dynamic File Path Construction from User Input Can Lead to Path Traversal Attacks | ...aformChanges/test.js | View in code |
|
Dynamic File Path Construction from User Input Can Lead to Path Traversal Attacks | ...aformChanges/test.js | View in code |
|
Dynamic File Path Construction from User Input Can Lead to Path Traversal Attacks | ...aformChanges/test.js | View in code |
There was a problem hiding this comment.
✨ PR Review
The PR introduces a new filter plugin for analyzing Terraform HCL changes to extract privilege levels from JIT configurations. The implementation includes comprehensive parsing logic with good error handling and test coverage.
1 issues detected:
🐞 Bug - Deleted lines are incorrectly tracked with the new file's line numbers instead of the original file's line numbers
Details: The diff parsing logic has an error in line number tracking. When processing deleted lines (lines starting with '-'), the code adds them to changedLines but doesn't increment currentLine. This causes incorrect line number mapping between the diff and the original content, leading to wrong JIT object detection.
File:plugins/filters/extractTerraformChanges/index.js (72-72)
Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀
gitstream-cm
bot
added
3 Unresolved Thread(s)
🤖 ai-other
and removed
2 Unresolved Thread(s)
3 Unresolved Thread(s)
labels
2 participants
Analyzes Terraform HCL file changes to extract highest privilege level from modified JIT access configurations. Returns 'rw' for read-write, 'ro' for read-only, or null if no JIT objects modified.
✨ PR Description
The purpose and impact of these changes is to introduce a new GitStream filter called extractTerraformChanges that analyzes Terraform HCL file changes to extract the highest privilege level from modified JIT access configurations.
Main changes:
Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀