refactor: update test scripts and add new parameterized tests

tests/lib/common.sh

@@ -25,9 +25,19 @@ echo "🧪 Setting up test environment: ${TMPDIR}"
 # Generate pre-commit config for a specific hook
 # Arguments:
 #   $1 - hook ID to select from .pre-commit-hooks.yaml
+#   $@ - remaining arguments to add to the hook (optional)
+# Example:
+#   generate_precommit_config "wizcli-scan-dir" "--no-publish" "--policies=Default IaC policy"
 generate_precommit_config() {
   local HOOK_ID="$1"
+  shift
+  local ARGS=("$@")
+
   yq -n '{"fail_fast": true, "repos": [{"repo": "local", "hooks": [load("'"${HOOKS_FILE}"'")[] | select(.id == "'"${HOOK_ID}"'")]}]}' > "${TMPDIR}/.pre-commit-config.yaml"
+
+  for ARG in "${ARGS[@]}"; do
+    ARG="${ARG}" yq -i '((.repos[].hooks[] | select(.id == "'"${HOOK_ID}"'")).args |= (.[:-1] + [strenv(ARG) | . style="double"] + .[-1:]))' "${TMPDIR}/.pre-commit-config.yaml"
+  done
 }
 
 # Configure client credentials in the pre-commit config
@@ -37,21 +47,13 @@ configure_client_credentials() {
   yq -i '.repos[].hooks[].args |= (.[:-1] + ["--client-id=" + strenv(WIZ_CLIENT_ID), "--client-secret=" + strenv(WIZ_CLIENT_SECRET)] + .[-1:])' "${TMPDIR}/.pre-commit-config.yaml"
 }
 
-# Add policies to the hook args
-# Arguments:
-#   $1 - comma-separated list of policy names
-add_policies() {
-  local POLICIES="$1"
-  yq -i '.repos[].hooks[].args |= (.[:-1] + ["--policies='"${POLICIES}"'"] + .[-1:])' "${TMPDIR}/.pre-commit-config.yaml"
-}
-
 # Initialize git repo and run pre-commit
 run_precommit_test() {
   cd "${TMPDIR}"
   git init --quiet
   git add .pre-commit-config.yaml
 
-  echo -e "🚀 Running pre-commit hooks:\n\n*******************************************************************************"
+  echo -e "\n🚀 Running pre-commit hooks:\n*******************************************************************************"
   if prek run --verbose --log-file "${LOG_FILE}"; then
     echo -e "*******************************************************************************\n\n✅ All hooks passed successfully"
   else

tests/run-all-tests.sh

@@ -3,14 +3,16 @@
 
 set -euo pipefail
 
-# Verify required environment variables are set
-if [[ -z "${WIZ_CLIENT_ID:-}" ]]; then
-  echo "❌ Error: WIZ_CLIENT_ID environment variable is not set" >&2
-  exit 1
-fi
-if [[ -z "${WIZ_CLIENT_SECRET:-}" ]]; then
-  echo "❌ Error: WIZ_CLIENT_SECRET environment variable is not set" >&2
-  exit 1
+# Verify authentication: either ~/.wiz/auth.json exists or env vars are set
+if [[ ! -f "${HOME}/.wiz/auth.json" ]]; then
+  if [[ -z "${WIZ_CLIENT_ID:-}" ]]; then
+    echo "❌ Error: WIZ_CLIENT_ID environment variable is not set" >&2
+    exit 1
+  fi
+  if [[ -z "${WIZ_CLIENT_SECRET:-}" ]]; then
+    echo "❌ Error: WIZ_CLIENT_SECRET environment variable is not set" >&2
+    exit 1
+  fi
 fi
 
 # Check required dependencies

tests/wizcli-scan-dir-params/private-s3-bucket.yaml

@@ -0,0 +1,239 @@
+# Deploy with AWS CLI:
+# aws cloudformation deploy --region=us-east-1 --stack-name private-s3-bucket \
+#   --template-file private-s3-bucket.yaml --capabilities CAPABILITY_IAM
+
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Secure private S3 bucket with logging - Checkov compliant
+
+Parameters:
+  BucketNamePrefix:
+    Type: String
+    Default: my-secure-bucket
+    Description: Prefix for the S3 bucket names
+
+Resources:
+  # IAM Access Analyzer for continuous monitoring
+  S3AccessAnalyzer:
+    Type: AWS::AccessAnalyzer::Analyzer
+    Properties:
+      AnalyzerName: !Sub "${BucketNamePrefix}-analyzer"
+      Type: ACCOUNT
+      Tags:
+        - Key: Purpose
+          Value: S3BucketAccessMonitoring
+
+  # KMS Key for S3 encryption
+  S3KMSKey:
+    Type: AWS::KMS::Key
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Description: KMS key for S3 bucket encryption
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowKeyAdministration
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
+            Action:
+              - kms:Create*
+              - kms:Describe*
+              - kms:Enable*
+              - kms:List*
+              - kms:Put*
+              - kms:Update*
+              - kms:Revoke*
+              - kms:Disable*
+              - kms:Get*
+              - kms:Delete*
+              - kms:TagResource
+              - kms:UntagResource
+              - kms:ScheduleKeyDeletion
+              - kms:CancelKeyDeletion
+            Resource: "*"
+          - Sid: AllowKeyUsage
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
+            Action:
+              - kms:Encrypt
+              - kms:Decrypt
+              - kms:ReEncrypt*
+              - kms:GenerateDataKey*
+              - kms:DescribeKey
+            Resource: "*"
+          - Sid: AllowS3Service
+            Effect: Allow
+            Principal:
+              Service: s3.amazonaws.com
+            Action:
+              - kms:Decrypt
+              - kms:GenerateDataKey*
+            Resource: "*"
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+          - Sid: AllowS3LoggingService
+            Effect: Allow
+            Principal:
+              Service: logging.s3.amazonaws.com
+            Action:
+              - kms:Encrypt
+              - kms:Decrypt
+              - kms:GenerateDataKey*
+            Resource: "*"
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+
+  S3KMSKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub "alias/${BucketNamePrefix}-key"
+      TargetKeyId: !Ref S3KMSKey
+
+  # Logging bucket for access logs (logs to itself to satisfy security scanners)
+  LoggingBucket:
+    # kics-scan ignore-line
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-logs-${AWS::AccountId}"
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: !GetAtt S3KMSKey.Arn
+            BucketKeyEnabled: true
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      VersioningConfiguration:
+        Status: Enabled
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerPreferred
+      LoggingConfiguration:
+        LogFilePrefix: self-logs/
+      LifecycleConfiguration:
+        Rules:
+          - Id: DeleteOldLogs
+            Status: Enabled
+            ExpirationInDays: 90
+            NoncurrentVersionExpiration:
+              NoncurrentDays: 30
+
+  LoggingBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref LoggingBucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: "*"
+            Action: s3:*
+            Resource:
+              - !GetAtt LoggingBucket.Arn
+              - !Sub "${LoggingBucket.Arn}/*"
+            Condition:
+              Bool:
+                aws:SecureTransport: "false"
+          - Sid: S3ServerAccessLogsPolicy
+            Effect: Allow
+            Principal:
+              Service: logging.s3.amazonaws.com
+            Action: s3:PutObject
+            Resource: !Sub "${LoggingBucket.Arn}/*"
+            Condition:
+              ArnLike:
+                aws:SourceArn:
+                  - !Sub "arn:${AWS::Partition}:s3:::${BucketNamePrefix}-${AWS::AccountId}"
+                  - !Sub "arn:${AWS::Partition}:s3:::${BucketNamePrefix}-logs-${AWS::AccountId}"
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+
+  # Main private S3 bucket
+  PrivateS3Bucket:
+    Type: AWS::S3::Bucket
+    DependsOn: LoggingBucketPolicy
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-${AWS::AccountId}"
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: !GetAtt S3KMSKey.Arn
+            BucketKeyEnabled: true
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      VersioningConfiguration:
+        Status: Enabled
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
+      LoggingConfiguration:
+        DestinationBucketName: !Ref LoggingBucket
+        LogFilePrefix: access-logs/
+      LifecycleConfiguration:
+        Rules:
+          - Id: TransitionToIA
+            Status: Enabled
+            Transitions:
+              - StorageClass: STANDARD_IA
+                TransitionInDays: 90
+            NoncurrentVersionTransitions:
+              - StorageClass: STANDARD_IA
+                TransitionInDays: 30
+            NoncurrentVersionExpiration:
+              NoncurrentDays: 365
+      NotificationConfiguration:
+        EventBridgeConfiguration:
+          EventBridgeEnabled: true
+
+  PrivateBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref PrivateS3Bucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: "*"
+            Action: s3:*
+            Resource:
+              - !GetAtt PrivateS3Bucket.Arn
+              - !Sub "${PrivateS3Bucket.Arn}/*"
+            Condition:
+              Bool:
+                aws:SecureTransport: "false"
+
+Outputs:
+  BucketName:
+    Description: Name of the private S3 bucket
+    Value: !Ref PrivateS3Bucket
+    Export:
+      Name: !Sub "${AWS::StackName}-BucketName"
+  BucketArn:
+    Description: ARN of the private S3 bucket
+    Value: !GetAtt PrivateS3Bucket.Arn
+    Export:
+      Name: !Sub "${AWS::StackName}-BucketArn"
+  LoggingBucketName:
+    Description: Name of the logging S3 bucket
+    Value: !Ref LoggingBucket
+    Export:
+      Name: !Sub "${AWS::StackName}-LoggingBucketName"
+  KMSKeyArn:
+    Description: ARN of the KMS key used for encryption
+    Value: !GetAtt S3KMSKey.Arn
+    Export:
+      Name: !Sub "${AWS::StackName}-KMSKeyArn"

tests/wizcli-scan-dir-params/run.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Test script for wizcli-scan-dir pre-commit hook with parametrized scanning
+# Creates a temporary git repo with the hooks and runs pre-commit
+
+SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=tests/lib/common.sh
+source "${SCRIPT_DIR}/../lib/common.sh"
+
+# Generate pre-commit config with only wizcli-scan-dir hook and custom arguments
+generate_precommit_config "wizcli-scan-dir" "--no-publish" "--disabled-scanners=Vulnerability,Secret,SensitiveData,SoftwareSupplyChain,AIModels,SAST,Malware" "--by-policy-hits=DISABLED" "--policies=Default IaC policy"
+
+echo "🔍 Pre-commit config:"
+cat "${TMPDIR}/.pre-commit-config.yaml"
+
+# Configure client credentials
+configure_client_credentials
+
+# Run the test
+run_precommit_test

tests/wizcli-scan-dir-secret/run.sh

@@ -6,11 +6,11 @@ SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
 # shellcheck source=tests/lib/common.sh
 source "${SCRIPT_DIR}/../lib/common.sh"
 
-# Generate pre-commit config with only wizcli-scan-dir-secrets hook
-generate_precommit_config "wizcli-scan-dir-secrets"
+# Generate pre-commit config with only wizcli-scan-dir-secrets hook and custom arguments
+generate_precommit_config "wizcli-scan-dir-secrets" "--policies=Default secrets policy"
 
-# Add policies
-add_policies "Default secrets policy"
+echo "🔍 Pre-commit config:"
+cat "${TMPDIR}/.pre-commit-config.yaml"
 
 # Configure client credentials
 configure_client_credentials

tests/wizcli-scan-dir/run.sh

@@ -6,14 +6,14 @@ SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
 # shellcheck source=tests/lib/common.sh
 source "${SCRIPT_DIR}/../lib/common.sh"
 
-# Generate pre-commit config with only wizcli-scan-dir hook
-generate_precommit_config "wizcli-scan-dir"
+# Generate pre-commit config with only wizcli-scan-dir hook and custom arguments
+generate_precommit_config "wizcli-scan-dir" "--policies=Default IaC policy,Default malware policy,Default SAST policy (Wiz CI/CD scan),Default secrets policy,Default sensitive data policy"
+
+echo "🔍 Pre-commit config:"
+cat "${TMPDIR}/.pre-commit-config.yaml"
 
 # Configure client credentials
 configure_client_credentials
 
-# Add policies
-add_policies "Default IaC policy,Default malware policy,Default SAST policy (Wiz CI/CD scan),Default secrets policy,Default sensitive data policy"
-
 # Run the test
 run_precommit_test