✨ github/gitlab: discover CloudFormation, Dockerfile, Bicep, Helm, and Kustomize IaC

Extend the GitHub and GitLab providers' infrastructure-as-code discovery
beyond Terraform and Kubernetes manifests to also detect CloudFormation
templates, Dockerfiles, Bicep files, Helm charts, and Kustomize
configurations in repositories.

Discovery (github + gitlab):
- New targets: cloudformation, dockerfiles, bicep, helm, kustomize —
  wired into org()/repo(), the "all" expansion, and the CLI config.
- CloudFormation is detected via a content heuristic (the
  AWSTemplateFormatVersion marker) since templates share .yaml/.json with
  many other files; one child asset per template. On GitLab this uses
  project blob search and is skipped gracefully on instances without
  advanced search.
- Dockerfiles via the filename:Dockerfile qualifier, accepting the common
  Dockerfile.* / *.Dockerfile conventions; one child asset per file.
- Bicep via extension:bicep; one child asset per repo (the connection
  walks the checkout).
- Helm via filename:Chart.yaml; one asset per chart directory.
- Kustomize via filename:kustomization (kustomization.yaml/.yml /
  Kustomization); one asset per kustomization directory, so base and
  overlays each become their own asset.
- Deduped the credential-cloning into a gitCredentials helper, and routed
  GitHub code search through a paginating searchCode helper (100/page,
  follows NextPage) so large repos aren't truncated to the first page.
  Existence checks (hasBicep) use searchCodeExists, which pages with an
  early return on the first non-hidden match instead of pulling every page.

Git-clone support (downstream providers):
- None of bicep, cloudformation, helm, kustomize, or the os dockerfile
  connection could clone before. Each now clones on http-url, resolves a
  repo-relative path/dir within the checkout where applicable, and cleans
  up its temp dir via Close(). A deferred cleanup guard is armed right
  after the clone and disarmed once the connection owns the closer, so
  every error path removes the checkout.

Repo-based naming & stable identity:
- k8s, bicep, cloudformation, helm, and kustomize now name discovered
  assets from the git repo (org/repo[/path]) like Terraform/Dockerfile,
  instead of the temporary clone directory.
- Platform IDs and asset.Id are derived from the repo (and template/dir
  path) rather than a hash of the temp clone path, which previously
  changed on every scan. The bicep connection no longer overwrites
  cc.Options["path"] with the non-deterministic clone directory.
- Asset names dropped the verbose "Static Analysis" verbiage (e.g.
  "CloudFormation template tas50/iac_tests/...", "Helm Chart tas50/...").

Note: on GitLab, Chart.yaml and kustomization.yaml now match their own
discovery cases ahead of the k8s YAML branch, so a repo whose only YAML
files are Helm/Kustomize entry points no longer also registers as a k8s
manifest asset. This is intentional — those files aren't k8s manifests.

Verified end-to-end against tas50/iac_tests: discovery, naming, and
content queries resolve for all IaC types.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tas50

providers/bicep/connection/connection.go

@@ -15,7 +15,10 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
 )
 
-var _ plugin.Connection = (*BicepConnection)(nil)
+var (
+	_ plugin.Connection = (*BicepConnection)(nil)
+	_ plugin.Closer     = (*BicepConnection)(nil)
+)
 
 type BicepConnection struct {
 	plugin.Connection
@@ -25,6 +28,7 @@ type BicepConnection struct {
 	bicepFiles      []*BicepFile
 	bicepParamFiles []*BicepParamFile
 	armTemplate     *ARMTemplate
+	closer          func()
 }
 
 // BicepFile holds a Bicep source file path and its raw content.
@@ -60,8 +64,36 @@ func NewBicepConnection(id uint32, asset *inventory.Asset, conf *inventory.Confi
 		asset:      asset,
 	}
 
+	// If a git clone is performed below, clean up the temporary directory on any
+	// error path. Close() is a no-op when nothing was cloned, and the guard is
+	// disarmed once the connection is returned and takes ownership of cleanup.
+	cleanup := true
+	defer func() {
+		if cleanup {
+			conn.Close()
+		}
+	}()
+
 	cc := asset.Connections[0]
 	bicepPath := cc.Options["path"]
+	// When discovered from a git repository (e.g. by the GitHub provider) the
+	// asset carries the repo URL instead of a local path. Clone the repo and
+	// scan the resulting directory for Bicep/ARM files.
+	if bicepPath == "" {
+		if _, ok := cc.Options["http-url"]; ok {
+			clonePath, closer, err := plugin.NewGitClone(asset)
+			if err != nil {
+				return nil, err
+			}
+			conn.closer = closer
+			bicepPath = clonePath
+			// Intentionally do NOT overwrite cc.Options["path"]: the detector
+			// reads it to derive a platform ID, and a non-deterministic temp
+			// clone path would produce a different ID on every scan. The
+			// detector's git-discovered branch (ssh-url) handles naming for
+			// this path.
+		}
+	}
 	conn.path = bicepPath
 
 	fi, err := os.Stat(bicepPath)
@@ -108,9 +140,17 @@ func NewBicepConnection(id uint32, asset *inventory.Asset, conf *inventory.Confi
 		conn.bicepFiles = []*BicepFile{{Path: bicepPath, Content: string(content)}}
 	}
 
+	cleanup = false
 	return conn, nil
 }
 
+// Close cleans up any temporary directory created by a git clone.
+func (c *BicepConnection) Close() {
+	if c.closer != nil {
+		c.closer()
+	}
+}
+
 func (c *BicepConnection) Name() string {
 	return "bicep"
 }

providers/bicep/provider/provider.go

@@ -19,6 +19,7 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/upstream"
 	"go.mondoo.com/mql/v13/providers/bicep/connection"
 	"go.mondoo.com/mql/v13/providers/bicep/resources"
+	"go.mondoo.com/mql/v13/utils/urlx"
 )
 
 const (
@@ -141,6 +142,21 @@ func (s *Service) detect(asset *inventory.Asset, conn *connection.BicepConnectio
 		TechnologyUrlSegments: []string{"iac", "bicep", "template"},
 	}
 
+	// When discovered from a git repository (e.g. by the GitHub provider) prefer
+	// the repo (org/repo) for the name and platform ID. The local path is a
+	// temporary clone directory whose hash would change on every scan.
+	if url, ok := asset.Connections[0].Options["ssh-url"]; ok {
+		domain, org, repo, err := urlx.ParseGitSshUrl(url)
+		if err == nil {
+			platformID := "//platformid.api.mondoo.app/runtime/bicep/domain/" + domain + "/org/" + org + "/repo/" + repo
+			asset.Id = platformID
+			asset.Connections[0].PlatformId = platformID
+			asset.PlatformIds = []string{platformID}
+			asset.Name = "Bicep file " + org + "/" + repo
+			return nil
+		}
+	}
+
 	projectPath, ok := asset.Connections[0].Options["path"]
 	if ok {
 		absPath, _ := filepath.Abs(projectPath)
@@ -150,7 +166,7 @@ func (s *Service) detect(asset *inventory.Asset, conn *connection.BicepConnectio
 		platformID := "//platformid.api.mondoo.app/runtime/bicep/hash/" + hash
 		asset.Connections[0].PlatformId = platformID
 		asset.PlatformIds = []string{platformID}
-		asset.Name = "Bicep Static Analysis " + parseNameFromPath(projectPath)
+		asset.Name = "Bicep file " + parseNameFromPath(projectPath)
 		return nil
 	}
 
@@ -182,7 +198,7 @@ func parseNameFromPath(file string) string {
 
 	// When the user passed a bare "." (current directory) the loop above
 	// hands back "." via path.Base, which makes the asset name read
-	// "Bicep Static Analysis .". Resolve to the absolute path so the
+	// "Bicep file .". Resolve to the absolute path so the
 	// recursion picks up the actual directory basename instead.
 	if name == "." {
 		abspath, err := filepath.Abs(file)

providers/bicep/provider/provider_test.go

@@ -14,8 +14,8 @@ import (
 
 // parseNameFromPath used to call filepath.Abs(name) — i.e. on the
 // "." sentinel instead of the original path argument — so the asset
-// name read "Bicep Static Analysis .". The fix passes `file` to Abs
-// so the directory basename is recovered.
+// name read "Bicep file .". The fix passes `file` to Abs so the
+// directory basename is recovered.
 func TestParseNameFromPath_DotResolvesToBasename(t *testing.T) {
 	dir := t.TempDir()
 	cwd, err := os.Getwd()

providers/cloudformation/connection/connection.go

@@ -6,14 +6,18 @@ package connection
 import (
 	"errors"
 	"os"
+	"path/filepath"
 
 	"github.com/aws-cloudformation/rain/cft"
 	"github.com/aws-cloudformation/rain/cft/parse"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
 )
 
-var _ plugin.Connection = (*CloudformationConnection)(nil)
+var (
+	_ plugin.Connection = (*CloudformationConnection)(nil)
+	_ plugin.Closer     = (*CloudformationConnection)(nil)
+)
 
 type CloudformationConnection struct {
 	plugin.Connection
@@ -22,6 +26,7 @@ type CloudformationConnection struct {
 	// Add custom connection fields here
 	path        string
 	cftTemplate cft.Template
+	closer      func()
 }
 
 func NewCloudformationConnection(id uint32, asset *inventory.Asset, conf *inventory.Config) (*CloudformationConnection, error) {
@@ -30,9 +35,33 @@ func NewCloudformationConnection(id uint32, asset *inventory.Asset, conf *invent
 		Conf:       conf,
 		asset:      asset,
 	}
-	// initialize your connection here
+
+	// If a git clone is performed below, clean up the temporary directory on any
+	// error path. Close() is a no-op when nothing was cloned, and the guard is
+	// disarmed once the connection is returned and takes ownership of cleanup.
+	cleanupClone := true
+	defer func() {
+		if cleanupClone {
+			conn.Close()
+		}
+	}()
+
 	cc := asset.Connections[0]
 	path := cc.Options["path"]
+	// When discovered from a git repository (e.g. by the GitHub provider) the
+	// asset carries the repo URL plus a repo-relative path to the template.
+	// Clone the repo and resolve the template within the checkout. We keep the
+	// repo-relative path in the options so the detector can build a stable,
+	// human-friendly asset name and platform ID from the repo rather than the
+	// temporary clone directory.
+	if _, ok := cc.Options["http-url"]; ok {
+		clonePath, closer, err := plugin.NewGitClone(asset)
+		if err != nil {
+			return nil, err
+		}
+		conn.closer = closer
+		path = filepath.Join(clonePath, path)
+	}
 	conn.path = path
 
 	f, err := os.Open(path)
@@ -50,9 +79,17 @@ func NewCloudformationConnection(id uint32, asset *inventory.Asset, conf *invent
 	}
 	conn.cftTemplate = *cftTemplate
 
+	cleanupClone = false
 	return conn, nil
 }
 
+// Close cleans up any temporary directory created by a git clone.
+func (c *CloudformationConnection) Close() {
+	if c.closer != nil {
+		c.closer()
+	}
+}
+
 func (c *CloudformationConnection) Name() string {
 	return "cloudformation"
 }

providers/cloudformation/provider/provider.go

@@ -19,6 +19,7 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/upstream"
 	"go.mondoo.com/mql/v13/providers/cloudformation/connection"
 	"go.mondoo.com/mql/v13/providers/cloudformation/resources"
+	"go.mondoo.com/mql/v13/utils/urlx"
 )
 
 const (
@@ -139,6 +140,29 @@ func (s *Service) detect(asset *inventory.Asset, conn *connection.Cloudformation
 		TechnologyUrlSegments: []string{"iac", "cloudformation", "template"},
 	}
 
+	// When discovered from a git repository (e.g. by the GitHub provider) prefer
+	// the repo (org/repo) plus the repo-relative template path for the name and
+	// platform ID. The local path is a temporary clone directory whose hash
+	// would change on every scan.
+	if url, ok := asset.Connections[0].Options["ssh-url"]; ok {
+		domain, org, repo, err := urlx.ParseGitSshUrl(url)
+		if err == nil {
+			name := org + "/" + repo
+			platformID := "//platformid.api.mondoo.app/runtime/cloudformation/domain/" + domain + "/org/" + org + "/repo/" + repo
+			// A repository can hold multiple templates; qualify by the
+			// repo-relative path so each one is a distinct asset.
+			if relPath := asset.Connections[0].Options["path"]; relPath != "" {
+				platformID += "/path/" + relPath
+				name += "/" + relPath
+			}
+			asset.Id = platformID
+			asset.Connections[0].PlatformId = platformID
+			asset.PlatformIds = []string{platformID}
+			asset.Name = "CloudFormation template " + name
+			return nil
+		}
+	}
+
 	projectPath, ok := asset.Connections[0].Options["path"]
 	if ok {
 		absPath, _ := filepath.Abs(projectPath)
@@ -148,7 +172,7 @@ func (s *Service) detect(asset *inventory.Asset, conn *connection.Cloudformation
 		platformID := "//platformid.api.mondoo.app/runtime/cloudformation/hash/" + hash
 		asset.Connections[0].PlatformId = platformID
 		asset.PlatformIds = []string{platformID}
-		asset.Name = "CloudFormation Static Analysis " + parseNameFromPath(projectPath)
+		asset.Name = "CloudFormation template " + parseNameFromPath(projectPath)
 		return nil
 	}
 

providers/github/config/config.go

@@ -47,6 +47,11 @@ Notes:
 				connection.DiscoveryOrganization,
 				connection.DiscoveryTerraform,
 				connection.DiscoveryK8sManifests,
+				connection.DiscoveryCloudformation,
+				connection.DiscoveryDockerfiles,
+				connection.DiscoveryBicep,
+				connection.DiscoveryHelm,
+				connection.DiscoveryKustomize,
 			},
 			Flags: []plugin.Flag{
 				{

providers/github/connection/platform.go

@@ -9,13 +9,18 @@ import (
 )
 
 const (
-	DiscoveryAll          = "all"
-	DiscoveryAuto         = "auto"
-	DiscoveryRepos        = "repos"
-	DiscoveryUsers        = "users"
-	DiscoveryOrganization = "organization"
-	DiscoveryTerraform    = "terraform"
-	DiscoveryK8sManifests = "k8s-manifests"
+	DiscoveryAll            = "all"
+	DiscoveryAuto           = "auto"
+	DiscoveryRepos          = "repos"
+	DiscoveryUsers          = "users"
+	DiscoveryOrganization   = "organization"
+	DiscoveryTerraform      = "terraform"
+	DiscoveryK8sManifests   = "k8s-manifests"
+	DiscoveryCloudformation = "cloudformation"
+	DiscoveryDockerfiles    = "dockerfiles"
+	DiscoveryBicep          = "bicep"
+	DiscoveryHelm           = "helm"
+	DiscoveryKustomize      = "kustomize"
 )
 
 var (