@j-schreiber/sf-cli-security-audit 0.2.0

package/README.md

@@ -0,0 +1,104 @@
+# @j-schreiber/sf-cli-security-audit
+
+> This plugin is still in beta and under active development. Command signatures may be subject to change.
+
+# Installation
+
+This plugin is not yet published on NPM. You must check out the repo and link it locally.
+
+```bash
+git clone https://...
+mkdir sf-cli-security-audit
+yarn && yarn build
+sf plugins link .
+```
+
+# Contribute
+
+Contributers are welcome! Please reach out on [Linkedin](https://www.linkedin.com/in/jannis-schreiber/) or via [Email](mailto:info@lietzau-consulting.de).
+
+# Documentation
+
+<!-- commands -->
+
+- [`sf org audit init`](#sf-org-audit-init)
+- [`sf org audit run`](#sf-org-audit-run)
+
+## `sf org audit init`
+
+Initialises classifications and policies for a security audit.
+
+```
+USAGE
+  $ sf org audit init -o <value> [--json] [--flags-dir <value>] [-d <value>] [--api-version <value>]
+
+FLAGS
+  -d, --output-dir=<value>   Directory where the audit config is initialised. If not set, the root directory will be
+                             used.
+  -o, --target-org=<value>   (required) Target org to export permissions, profiles, users, etc.
+      --api-version=<value>  Override the api version used for api requests made by this command
+
+GLOBAL FLAGS
+  --flags-dir=<value>  Import flag values from a directory.
+  --json               Format output as json.
+
+DESCRIPTION
+  Initialises classifications and policies for a security audit.
+
+  Exports permissions (standard and custom), permission sets, profiles, users, etc from the target org. All
+  classifications are initialised with sane defaults that you can customize later.
+
+EXAMPLES
+  Initialise audit policies at the root directory
+
+    $ sf org audit init -o MyTargetOrg
+```
+
+_See code: [src/commands/org/audit/init.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.1.0/src/commands/org/audit/init.ts)_
+
+## `sf org audit run`
+
+Audit your org.
+
+```
+USAGE
+  $ sf org audit run -o <value> -d <value> [--json] [--flags-dir <value>] [--api-version <value>]
+
+FLAGS
+  -d, --source-dir=<value>   (required) Location of the audit config.
+  -o, --target-org=<value>   (required) The org that is audited.
+      --api-version=<value>  Override the api version used for api requests made by this command
+
+GLOBAL FLAGS
+  --flags-dir=<value>  Import flag values from a directory.
+  --json               Format output as json.
+
+DESCRIPTION
+  Audit your org.
+
+  Loads a given audit config (a set of classifications and policies) and runs the policies against the target org. The
+  audit run creates a comprehensive report that lists all executed policies and all resolved entities that were audited.
+
+EXAMPLES
+  Audit the org MyTargetOrg with the config in configs/prod
+
+    $ sf org audit run -o MyTargetOrg -d configs/prod
+```
+
+_See code: [src/commands/org/audit/run.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.1.0/src/commands/org/audit/run.ts)_
+
+<!-- commandsstop -->
+
+# Development
+
+Make sure the dev plugin is installed
+
+```bash
+sf plugins install @salesforce/plugin-dev
+```
+
+Generate a new command (initialises messages, tests, etc)
+
+```bash
+sf dev generate command -n my:command:name
+```

package/bin/dev.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env -S node --loader ts-node/esm --no-warnings=ExperimentalWarning
+// eslint-disable-next-line node/shebang
+async function main() {
+  const { execute } = await import('@oclif/core');
+  await execute({ development: true, dir: import.meta.url });
+}
+
+await main();

package/messages/org.audit.init.md

@@ -0,0 +1,29 @@
+# summary
+
+Initialises classifications and policies for a security audit.
+
+# description
+
+Exports permissions (standard and custom), permission sets, profiles, users, etc from the target org. All classifications are initialised with sane defaults that you can customize later.
+
+# flags.target-org.summary
+
+Target org to export permissions, profiles, users, etc.
+
+# flags.output-dir.summary
+
+Directory where the audit config is initialised. If not set, the root directory will be used.
+
+# examples
+
+- Initialise audit policies at the root directory
+
+  <%= config.bin %> <%= command.id %> -o MyTargetOrg
+
+# success.perm-classification-summary
+
+Initialised %s permissions at %s.
+
+# success.policy-summary
+
+Initialised policy "%s" with %s items at %s.

package/messages/org.audit.run.md

@@ -0,0 +1,41 @@
+# summary
+
+Audit your org.
+
+# description
+
+Loads a given audit config (a set of classifications and policies) and runs the policies against the target org. The audit run creates a comprehensive report that lists all executed policies and all resolved entities that were audited.
+
+# flags.target-org.summary
+
+The org that is audited.
+
+# flags.source-dir.summary
+
+Location of the audit config.
+
+# flags.source-dir.description
+
+Loads all classifications and policies from the directory and uses them to audit the org. Only policies that are enabled and that exist in the directory are executed.
+
+# examples
+
+- Audit the org MyTargetOrg with the config in configs/prod
+
+  <%= config.bin %> <%= command.id %> -o MyTargetOrg -d configs/prod
+
+# success.summary
+
+Successfully executed %s policies.
+
+# success.all-policies-compliant
+
+All policies are compliant.
+
+# summary-non-compliant
+
+At least one policy is not compliant. Review details below.
+
+# info.report-file-location
+
+Full report was written to: %s.

package/messages/policies.general.md

@@ -0,0 +1,7 @@
+# entity-not-found
+
+Entity was not found on the target org.
+
+# preset-unknown
+
+%ss with preset UNKNOWN are ignored.

package/messages/policyclassifications.md

@@ -0,0 +1,35 @@
+# CustomizeApplication
+
+Allows to modify all parts of the app, including security settings.
+
+# Packaging
+
+Allows to create, manage and install packages.
+
+# ViewSetup
+
+Allows to browse setup and view sensitive configurations.
+
+# ViewAllData
+
+Bypass all sharing, making all sharing architecture obsolete.
+
+# AuthorApex
+
+Apex can perform harmful actions, and deployed Apex runs in system mode.
+
+# ApiEnabled
+
+Api access allows to perform a vast amount of actions and should be restricted to integrations, admins, and developers.
+
+# ManageAuthProviders
+
+Enables the user to set up external identity provider for SSO.
+
+# ManageTwoFactor
+
+Set up and reset the connected MFA for a user.
+
+# CanApproveUninstalledApps
+
+Allows to authorize new connected apps and therefore new integrations.

package/messages/rules.enforceClassificationPresets.md

@@ -0,0 +1,19 @@
+# violations.classification-preset-mismatch
+
+Permission is classified as "%s" and not allowed in preset "%s".
+
+# violations.permission-is-blocked
+
+Permission is BLOCKED and not allowed in any preset.
+
+# warnings.permission-unknown
+
+Permission classified as UNKNOWN. Update classification to LOW or higher to resolve.
+
+# warnings.permission-not-classified-in-profile
+
+Profile assigns the permission, but it was not found in classification. Refresh or add manually.
+
+# warnings.permission-not-classified-in-permission-set
+
+PermissionSet assigns the permission, but it was not found in classification. Refresh or add manually.