@iacmp/cli 1.1.0

package/dist/commands/audit-security.js

@@ -0,0 +1,351 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/commands/audit-security.ts
+var audit_security_exports = {};
+__export(audit_security_exports, {
+  default: () => AuditSecurity
+});
+module.exports = __toCommonJS(audit_security_exports);
+var import_core = require("@oclif/core");
+var import_chalk = __toESM(require("chalk"));
+
+// src/audit.ts
+var fs2 = __toESM(require("fs"));
+var path = __toESM(require("path"));
+
+// src/utils.ts
+var fs = __toESM(require("fs"));
+function readJsonFile(filePath) {
+  let content;
+  try {
+    content = fs.readFileSync(filePath, "utf-8");
+  } catch (e) {
+    throw new Error(`Falha ao ler '${filePath}': ${errMessage(e)}`);
+  }
+  try {
+    return JSON.parse(content);
+  } catch (e) {
+    throw new Error(`JSON inv\xE1lido em '${filePath}': ${errMessage(e)}`);
+  }
+}
+function errMessage(e) {
+  if (e instanceof Error) return e.message;
+  if (typeof e === "string") return e;
+  try {
+    return JSON.stringify(e);
+  } catch {
+    return String(e);
+  }
+}
+
+// src/audit.ts
+function readConfig(cwd) {
+  const configPath = path.join(cwd, "iacmp.json");
+  if (!fs2.existsSync(configPath)) throw new Error("iacmp.json n\xE3o encontrado. Rode: iacmp init");
+  const config = readJsonFile(configPath);
+  return {
+    name: config.name ?? path.basename(cwd),
+    provider: config.provider ?? "aws"
+  };
+}
+function resolveTsNode(projectDir) {
+  const dirs = [];
+  let dir = projectDir;
+  for (let i = 0; i < 5; i++) {
+    dirs.push(dir);
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  for (const d of dirs) {
+    const tsNodePath = path.join(d, "node_modules", "ts-node");
+    if (fs2.existsSync(tsNodePath)) return tsNodePath;
+  }
+  return null;
+}
+function findStackFiles(dir) {
+  const entries = fs2.readdirSync(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...findStackFiles(full));
+    } else if (entry.name.endsWith(".ts") || entry.name.endsWith(".js")) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+function loadStacks(cwd) {
+  const stacksDir = path.join(cwd, "stacks");
+  if (!fs2.existsSync(stacksDir)) throw new Error("Diret\xF3rio stacks/ n\xE3o encontrado.");
+  const stackFiles = findStackFiles(stacksDir);
+  if (stackFiles.length === 0) throw new Error("Nenhuma stack encontrada em stacks/");
+  const tsNodePath = resolveTsNode(cwd);
+  if (tsNodePath) {
+    require(tsNodePath).register({
+      transpileOnly: true,
+      skipProject: true,
+      compilerOptions: {
+        target: "ES2022",
+        module: "commonjs",
+        moduleResolution: "node",
+        esModuleInterop: true,
+        strict: false,
+        skipLibCheck: true
+      }
+    });
+  }
+  const result = [];
+  for (const stackPath of stackFiles) {
+    const stackName = path.basename(stackPath).replace(/\.(ts|js)$/, "");
+    try {
+      const mod = require(stackPath);
+      const raw = mod.default ?? mod.stack ?? mod;
+      if (!raw || typeof raw !== "object" || !("constructs" in raw)) {
+        console.warn(`[audit] ${path.basename(stackPath)} n\xE3o exporta uma Stack v\xE1lida \u2014 ignorado.`);
+        continue;
+      }
+      result.push({ name: stackName, stack: raw });
+    } catch (err) {
+      console.warn(`[audit] falha ao carregar ${path.basename(stackPath)}: ${errMessage(err)}`);
+    }
+  }
+  return result;
+}
+function saveReport(cwd, commandName, content) {
+  const auditDir = path.join(cwd, "audit");
+  if (!fs2.existsSync(auditDir)) fs2.mkdirSync(auditDir, { recursive: true });
+  const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  const fileName = `${commandName}-${date}.md`;
+  const filePath = path.join(auditDir, fileName);
+  fs2.writeFileSync(filePath, content, "utf-8");
+  return path.join("audit", fileName);
+}
+function today() {
+  return (/* @__PURE__ */ new Date()).toLocaleDateString("pt-BR");
+}
+
+// src/commands/audit-security.ts
+function shouldFail(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack(stackName, stack) {
+  const findings = [];
+  const ok = [];
+  for (const c of stack.constructs) {
+    const p = c.props;
+    let hasIssue = false;
+    if (c.type === "Storage.Bucket") {
+      if (p.publicAccess === true) {
+        findings.push({
+          level: "critical",
+          stackName,
+          construct: c,
+          title: `Storage.Bucket '${c.id}' \u2014 public access enabled`,
+          problem: "publicAccess is enabled. Anyone can read/list objects in this bucket.",
+          recommendation: "Set `publicAccess: false` unless this is an intentional static website bucket."
+        });
+        hasIssue = true;
+      }
+      if (p.versioning !== true) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Storage.Bucket '${c.id}' \u2014 versioning disabled`,
+          problem: "Versioning is not enabled. Deleted or overwritten objects cannot be recovered.",
+          recommendation: "Set `versioning: true` to enable object rollback."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Database.SQL") {
+      if (p.multiAz !== true) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Database.SQL '${c.id}' \u2014 no Multi-AZ`,
+          problem: "multiAz is not enabled. A failure in the availability zone will make the database unavailable.",
+          recommendation: "Set `multiAz: true` for high availability."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Function.Lambda") {
+      if (p.memory === void 0 || p.memory === null) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Function.Lambda '${c.id}' \u2014 memory not defined`,
+          problem: "memory is not set. The function will use the provider default, which may be insufficient.",
+          recommendation: "Set `memory` explicitly (e.g. 256 or 512 MB)."
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Network.VPC") {
+      if (p.cidr === void 0 || p.cidr === null) {
+        findings.push({
+          level: "warning",
+          stackName,
+          construct: c,
+          title: `Network.VPC '${c.id}' \u2014 default CIDR`,
+          problem: "cidr is not defined. The provider default CIDR may conflict with existing networks.",
+          recommendation: 'Set `cidr` explicitly (e.g. "10.0.0.0/16").'
+        });
+        hasIssue = true;
+      }
+    }
+    if (c.type === "Compute.Instance") {
+      if (p.publicAccess === true) {
+        findings.push({
+          level: "critical",
+          stackName,
+          construct: c,
+          title: `Compute.Instance '${c.id}' \u2014 public access enabled`,
+          problem: "publicAccess is enabled. The instance is directly exposed to the internet.",
+          recommendation: "Disable public access and use a load balancer or bastion host."
+        });
+        hasIssue = true;
+      }
+    }
+    if (!hasIssue) ok.push(c);
+  }
+  return { findings, ok };
+}
+var AuditSecurity = class _AuditSecurity extends import_core.Command {
+  static description = "Audit stacks for security issues";
+  static examples = [
+    "$ iacmp audit-security",
+    "$ iacmp audit-security --fail-on=critical",
+    "$ iacmp audit-security --fail-on=warning"
+  ];
+  static flags = {
+    "fail-on": import_core.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditSecurity);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const allFindings = [];
+    const allOk = [];
+    for (const { name, stack } of stacks) {
+      const { findings, ok } = analyzeStack(name, stack);
+      allFindings.push(...findings);
+      allOk.push(...ok);
+    }
+    const critical = allFindings.filter((f) => f.level === "critical");
+    const warnings = allFindings.filter((f) => f.level === "warning");
+    this.log(import_chalk.default.bold("\nSecurity Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`Critical issues: ${critical.length > 0 ? import_chalk.default.red(critical.length) : import_chalk.default.green(0)}`);
+    this.log(`Warnings:        ${warnings.length > 0 ? import_chalk.default.yellow(warnings.length) : import_chalk.default.green(0)}`);
+    this.log(`OK:              ${import_chalk.default.green(allOk.length)}`);
+    this.log("");
+    for (const f of critical) {
+      this.log(`${import_chalk.default.red("\u2717 [CRITICAL]")} ${f.title}`);
+    }
+    for (const f of warnings) {
+      this.log(`${import_chalk.default.yellow("\u26A0 [WARNING]")} ${f.title}`);
+    }
+    for (const c of allOk) {
+      this.log(`${import_chalk.default.green("\u2713")} ${c.type} '${c.id}' \u2014 OK`);
+    }
+    let md = `# Security Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+`;
+    md += `Provider: ${config.provider}
+
+`;
+    md += `## Summary
+`;
+    md += `- Critical issues: ${critical.length}
+`;
+    md += `- Warnings: ${warnings.length}
+`;
+    md += `- OK: ${allOk.length}
+
+`;
+    md += `## Findings
+
+`;
+    for (const f of allFindings) {
+      const label = f.level === "critical" ? "CRITICAL" : "WARNING";
+      md += `### [${label}] ${f.title}
+`;
+      md += `Stack: ${f.stackName}
+`;
+      md += `Resource: ${f.construct.id} (${f.construct.type})
+`;
+      md += `Problem: ${f.problem}
+`;
+      md += `Recommendation: ${f.recommendation}
+
+`;
+    }
+    if (allOk.length > 0) {
+      md += `## Resources with no issues
+`;
+      for (const c of allOk) {
+        md += `- ${c.type} '${c.id}' \u2014 OK
+`;
+      }
+      md += "\n";
+    }
+    const relPath = saveReport(cwd, "security", md);
+    this.log(`
+Report saved to ${relPath}`);
+    if (shouldFail(failOn, critical.length, warnings.length)) {
+      this.exit(1);
+    }
+  }
+};