@raghulm/aegis-mcp 1.0.5 → 1.0.9

package/tools/cicd/pipeline.py

@@ -1,33 +1,33 @@
-from __future__ import annotations
-
-import requests
-
-
-def pipeline_status(base_url: str, pipeline_id: str, api_token: str) -> dict:
-    """Fetch the status of a CI/CD pipeline by its ID.
-
-    Args:
-        base_url: Base URL of the CI/CD service API.
-        pipeline_id: Unique identifier of the pipeline.
-        api_token: API token for authenticating with the CI/CD service.
-
-    Returns:
-        Pipeline status as a JSON-compatible dict.
-    """
-    try:
-        response = requests.get(
-            f"{base_url.rstrip('/')}/pipelines/{pipeline_id}",
-            headers={"Authorization": f"Bearer {api_token}"},
-            timeout=15,
-        )
-        response.raise_for_status()
-    except requests.ConnectionError as exc:
-        raise RuntimeError(f"Cannot connect to CI/CD service at '{base_url}': {exc}") from exc
-    except requests.HTTPError as exc:
-        raise RuntimeError(
-            f"CI/CD API error for pipeline '{pipeline_id}': {exc.response.status_code}"
-        ) from exc
-    except requests.Timeout as exc:
-        raise RuntimeError(f"CI/CD API request timed out for pipeline '{pipeline_id}'") from exc
-
-    return response.json()
+from __future__ import annotations
+
+import requests
+
+
+def pipeline_status(base_url: str, pipeline_id: str, api_token: str) -> dict:
+    """Fetch the status of a CI/CD pipeline by its ID.
+
+    Args:
+        base_url: Base URL of the CI/CD service API.
+        pipeline_id: Unique identifier of the pipeline.
+        api_token: API token for authenticating with the CI/CD service.
+
+    Returns:
+        Pipeline status as a JSON-compatible dict.
+    """
+    try:
+        response = requests.get(
+            f"{base_url.rstrip('/')}/pipelines/{pipeline_id}",
+            headers={"Authorization": f"Bearer {api_token}"},
+            timeout=15,
+        )
+        response.raise_for_status()
+    except requests.ConnectionError as exc:
+        raise RuntimeError(f"Cannot connect to CI/CD service at '{base_url}': {exc}") from exc
+    except requests.HTTPError as exc:
+        raise RuntimeError(
+            f"CI/CD API error for pipeline '{pipeline_id}': {exc.response.status_code}"
+        ) from exc
+    except requests.Timeout as exc:
+        raise RuntimeError(f"CI/CD API request timed out for pipeline '{pipeline_id}'") from exc
+
+    return response.json()

package/tools/git/repo.py

@@ -1,22 +1,22 @@
-from __future__ import annotations
-
-import subprocess
-
-
-def get_recent_commits(limit: int = 10) -> list[dict[str, str]]:
-    try:
-        raw = subprocess.check_output(
-            ["git", "log", f"-{limit}", "--pretty=format:%H|%an|%s"],
-            text=True,
-        )
-    except FileNotFoundError as exc:
-        raise RuntimeError("git is not installed or not on PATH") from exc
-    except subprocess.CalledProcessError as exc:
-        raise RuntimeError(f"git log failed: {exc.output}") from exc
-
-    commits = []
-    for line in raw.splitlines():
-        parts = line.split("|", maxsplit=2)
-        if len(parts) == 3:
-            commits.append({"hash": parts[0], "author": parts[1], "subject": parts[2]})
-    return commits
+from __future__ import annotations
+
+import subprocess
+
+
+def get_recent_commits(limit: int = 10) -> list[dict[str, str]]:
+    try:
+        raw = subprocess.check_output(
+            ["git", "log", f"-{limit}", "--pretty=format:%H|%an|%s"],
+            text=True,
+        )
+    except FileNotFoundError as exc:
+        raise RuntimeError("git is not installed or not on PATH") from exc
+    except subprocess.CalledProcessError as exc:
+        raise RuntimeError(f"git log failed: {exc.output}") from exc
+
+    commits = []
+    for line in raw.splitlines():
+        parts = line.split("|", maxsplit=2)
+        if len(parts) == 3:
+            commits.append({"hash": parts[0], "author": parts[1], "subject": parts[2]})
+    return commits

package/tools/kubernetes/audit.py

@@ -1,108 +1,108 @@
-from __future__ import annotations
-
-import json
-import subprocess
-from typing import Any
-
-
-def k8s_security_audit(namespace: str = "") -> list[dict[str, Any]]:
-    findings = []
-
-    cmd_base = ["kubectl", "get"]
-    if namespace:
-        ns_args = ["-n", namespace]
-    else:
-        ns_args = ["-A"]
-
-    try:
-        pods_result = subprocess.check_output(
-            cmd_base + ["pods"] + ns_args + ["-o", "json"],
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
-        pods_payload = json.loads(pods_result)
-    except Exception as exc:
-        print(f"Warning: Failed to get pods: {exc}")
-        pods_payload = {"items": []}
-
-    try:
-        services_result = subprocess.check_output(
-            cmd_base + ["svc"] + ns_args + ["-o", "json"],
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
-        svcs_payload = json.loads(services_result)
-    except Exception as exc:
-        print(f"Warning: Failed to get services: {exc}")
-        svcs_payload = {"items": []}
-
-    try:
-        roles_result = subprocess.check_output(
-            cmd_base + ["clusterrolebindings", "-o", "json"],
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
-        crb_payload = json.loads(roles_result)
-    except Exception as exc:
-        print(f"Warning: Failed to get clusterrolebindings: {exc}")
-        crb_payload = {"items": []}
-
-    # Parse pods
-    for pod in pods_payload.get("items", []):
-        metadata = pod.get("metadata", {})
-        pod_name = metadata.get("name", "unknown")
-        pod_ns = metadata.get("namespace", "unknown")
-        spec = pod.get("spec", {})
-
-        # Check hostNetwork
-        if spec.get("hostNetwork") is True:
-            findings.append({
-                "type": "hostNetwork",
-                "severity": "HIGH",
-                "resource": f"Pod/{pod_ns}/{pod_name}",
-                "message": "Pod is using host network."
-            })
-
-        # Check privileged containers
-        for container in spec.get("containers", []):
-            sec_ctx = container.get("securityContext", {})
-            if sec_ctx.get("privileged") is True:
-                findings.append({
-                    "type": "privileged_container",
-                    "severity": "CRITICAL",
-                    "resource": f"Pod/{pod_ns}/{pod_name}",
-                    "message": f"Container '{container.get('name')}' is running as privileged.",
-                })
-
-    # Parse services
-    for svc in svcs_payload.get("items", []):
-        metadata = svc.get("metadata", {})
-        svc_name = metadata.get("name", "unknown")
-        svc_ns = metadata.get("namespace", "unknown")
-        spec = svc.get("spec", {})
-
-        if spec.get("type") == "NodePort":
-            findings.append({
-                "type": "exposed_nodeport",
-                "severity": "MEDIUM",
-                "resource": f"Service/{svc_ns}/{svc_name}",
-                "message": "Service is exposed via NodePort."
-            })
-
-    # Parse cluster role bindings
-    for crb in crb_payload.get("items", []):
-        metadata = crb.get("metadata", {})
-        crb_name = metadata.get("name", "unknown")
-        role_ref = crb.get("roleRef", {})
-
-        if role_ref.get("name") == "cluster-admin":
-            for subj in crb.get("subjects", []):
-                if subj.get("kind") == "ServiceAccount":
-                    findings.append({
-                        "type": "cluster_admin_sa",
-                        "severity": "CRITICAL",
-                        "resource": f"ClusterRoleBinding/{crb_name}",
-                        "message": f"ServiceAccount '{subj.get('namespace')}/{subj.get('name')}' is bound to cluster-admin."
-                    })
-
-    return findings
+from __future__ import annotations
+
+import json
+import subprocess
+from typing import Any
+
+
+def k8s_security_audit(namespace: str = "") -> list[dict[str, Any]]:
+    findings = []
+
+    cmd_base = ["kubectl", "get"]
+    if namespace:
+        ns_args = ["-n", namespace]
+    else:
+        ns_args = ["-A"]
+
+    try:
+        pods_result = subprocess.check_output(
+            cmd_base + ["pods"] + ns_args + ["-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        pods_payload = json.loads(pods_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get pods: {exc}")
+        pods_payload = {"items": []}
+
+    try:
+        services_result = subprocess.check_output(
+            cmd_base + ["svc"] + ns_args + ["-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        svcs_payload = json.loads(services_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get services: {exc}")
+        svcs_payload = {"items": []}
+
+    try:
+        roles_result = subprocess.check_output(
+            cmd_base + ["clusterrolebindings", "-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        crb_payload = json.loads(roles_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get clusterrolebindings: {exc}")
+        crb_payload = {"items": []}
+
+    # Parse pods
+    for pod in pods_payload.get("items", []):
+        metadata = pod.get("metadata", {})
+        pod_name = metadata.get("name", "unknown")
+        pod_ns = metadata.get("namespace", "unknown")
+        spec = pod.get("spec", {})
+
+        # Check hostNetwork
+        if spec.get("hostNetwork") is True:
+            findings.append({
+                "type": "hostNetwork",
+                "severity": "HIGH",
+                "resource": f"Pod/{pod_ns}/{pod_name}",
+                "message": "Pod is using host network."
+            })
+
+        # Check privileged containers
+        for container in spec.get("containers", []):
+            sec_ctx = container.get("securityContext", {})
+            if sec_ctx.get("privileged") is True:
+                findings.append({
+                    "type": "privileged_container",
+                    "severity": "CRITICAL",
+                    "resource": f"Pod/{pod_ns}/{pod_name}",
+                    "message": f"Container '{container.get('name')}' is running as privileged.",
+                })
+
+    # Parse services
+    for svc in svcs_payload.get("items", []):
+        metadata = svc.get("metadata", {})
+        svc_name = metadata.get("name", "unknown")
+        svc_ns = metadata.get("namespace", "unknown")
+        spec = svc.get("spec", {})
+
+        if spec.get("type") == "NodePort":
+            findings.append({
+                "type": "exposed_nodeport",
+                "severity": "MEDIUM",
+                "resource": f"Service/{svc_ns}/{svc_name}",
+                "message": "Service is exposed via NodePort."
+            })
+
+    # Parse cluster role bindings
+    for crb in crb_payload.get("items", []):
+        metadata = crb.get("metadata", {})
+        crb_name = metadata.get("name", "unknown")
+        role_ref = crb.get("roleRef", {})
+
+        if role_ref.get("name") == "cluster-admin":
+            for subj in crb.get("subjects", []):
+                if subj.get("kind") == "ServiceAccount":
+                    findings.append({
+                        "type": "cluster_admin_sa",
+                        "severity": "CRITICAL",
+                        "resource": f"ClusterRoleBinding/{crb_name}",
+                        "message": f"ServiceAccount '{subj.get('namespace')}/{subj.get('name')}' is bound to cluster-admin."
+                    })
+
+    return findings

package/tools/kubernetes/pods.py

@@ -1,27 +1,27 @@
-from __future__ import annotations
-
-import json
-import subprocess
-from typing import Any
-
-
-def list_pods(namespace: str = "default") -> list[dict[str, Any]]:
-    try:
-        result = subprocess.check_output(
-            ["kubectl", "get", "pods", "-n", namespace, "-o", "json"],
-            stderr=subprocess.STDOUT,
-            text=True,
-        )
-    except FileNotFoundError as exc:
-        raise RuntimeError("kubectl is not installed or not on PATH") from exc
-    except subprocess.CalledProcessError as exc:
-        raise RuntimeError(f"kubectl error (namespace '{namespace}'): {exc.output}") from exc
-
-    payload = json.loads(result)
-    return [
-        {
-            "name": item["metadata"]["name"],
-            "phase": item["status"].get("phase"),
-        }
-        for item in payload.get("items", [])
-    ]
+from __future__ import annotations
+
+import json
+import subprocess
+from typing import Any
+
+
+def list_pods(namespace: str = "default") -> list[dict[str, Any]]:
+    try:
+        result = subprocess.check_output(
+            ["kubectl", "get", "pods", "-n", namespace, "-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+    except FileNotFoundError as exc:
+        raise RuntimeError("kubectl is not installed or not on PATH") from exc
+    except subprocess.CalledProcessError as exc:
+        raise RuntimeError(f"kubectl error (namespace '{namespace}'): {exc.output}") from exc
+
+    payload = json.loads(result)
+    return [
+        {
+            "name": item["metadata"]["name"],
+            "phase": item["status"].get("phase"),
+        }
+        for item in payload.get("items", [])
+    ]

package/tools/network/headers.py

@@ -1,99 +1,99 @@
-from __future__ import annotations
-
-from typing import Any
-
-import requests
-
-_SECURITY_HEADERS = {
-    "Strict-Transport-Security": {
-        "description": "Enforces HTTPS connections",
-        "recommended": True,
-    },
-    "Content-Security-Policy": {
-        "description": "Controls resources the browser is allowed to load",
-        "recommended": True,
-    },
-    "X-Content-Type-Options": {
-        "description": "Prevents MIME-type sniffing",
-        "recommended": True,
-        "expected_value": "nosniff",
-    },
-    "X-Frame-Options": {
-        "description": "Controls whether the page can be embedded in iframes",
-        "recommended": True,
-    },
-    "Referrer-Policy": {
-        "description": "Controls how much referrer information is sent",
-        "recommended": True,
-    },
-    "Permissions-Policy": {
-        "description": "Controls browser features available to the page",
-        "recommended": True,
-    },
-    "X-XSS-Protection": {
-        "description": "Legacy XSS filter (mostly deprecated but still checked)",
-        "recommended": False,
-    },
-    "Cache-Control": {
-        "description": "Controls caching behavior for sensitive data",
-        "recommended": True,
-    },
-}
-
-
-def check_http_headers(url: str) -> dict[str, Any]:
-    """Audit HTTP security headers for a given URL.
-
-    Args:
-        url: The target URL to check (must include scheme, e.g. https://example.com).
-
-    Returns:
-        Dict with header analysis, score, and recommendations.
-    """
-    if not url.startswith(("http://", "https://")):
-        url = "https://" + url
-
-    try:
-        resp = requests.head(url, timeout=10, allow_redirects=True)
-    except requests.ConnectionError as exc:
-        raise RuntimeError(f"Cannot connect to '{url}': {exc}") from exc
-    except requests.Timeout as exc:
-        raise RuntimeError(f"Request to '{url}' timed out") from exc
-
-    headers_lower = {k.lower(): v for k, v in resp.headers.items()}
-    total_recommended = sum(1 for h in _SECURITY_HEADERS.values() if h["recommended"])
-    present_recommended = 0
-
-    results: list[dict[str, Any]] = []
-    for header_name, info in _SECURITY_HEADERS.items():
-        value = headers_lower.get(header_name.lower())
-        is_present = value is not None
-        if is_present and info["recommended"]:
-            present_recommended += 1
-
-        entry: dict[str, Any] = {
-            "header": header_name,
-            "present": is_present,
-            "value": value or "",
-            "description": info["description"],
-        }
-
-        expected = info.get("expected_value")
-        if expected and is_present and value != expected:
-            entry["warning"] = f"Expected '{expected}', got '{value}'"
-
-        results.append(entry)
-
-    score = round((present_recommended / total_recommended) * 100) if total_recommended else 0
-    grade = "A" if score >= 85 else "B" if score >= 70 else "C" if score >= 50 else "D" if score >= 30 else "F"
-
-    missing = [r["header"] for r in results if not r["present"] and _SECURITY_HEADERS[r["header"]]["recommended"]]
-
-    return {
-        "url": url,
-        "status_code": resp.status_code,
-        "score": score,
-        "grade": grade,
-        "headers": results,
-        "missing_recommended": missing,
-    }
+from __future__ import annotations
+
+from typing import Any
+
+import requests
+
+_SECURITY_HEADERS = {
+    "Strict-Transport-Security": {
+        "description": "Enforces HTTPS connections",
+        "recommended": True,
+    },
+    "Content-Security-Policy": {
+        "description": "Controls resources the browser is allowed to load",
+        "recommended": True,
+    },
+    "X-Content-Type-Options": {
+        "description": "Prevents MIME-type sniffing",
+        "recommended": True,
+        "expected_value": "nosniff",
+    },
+    "X-Frame-Options": {
+        "description": "Controls whether the page can be embedded in iframes",
+        "recommended": True,
+    },
+    "Referrer-Policy": {
+        "description": "Controls how much referrer information is sent",
+        "recommended": True,
+    },
+    "Permissions-Policy": {
+        "description": "Controls browser features available to the page",
+        "recommended": True,
+    },
+    "X-XSS-Protection": {
+        "description": "Legacy XSS filter (mostly deprecated but still checked)",
+        "recommended": False,
+    },
+    "Cache-Control": {
+        "description": "Controls caching behavior for sensitive data",
+        "recommended": True,
+    },
+}
+
+
+def check_http_headers(url: str) -> dict[str, Any]:
+    """Audit HTTP security headers for a given URL.
+
+    Args:
+        url: The target URL to check (must include scheme, e.g. https://example.com).
+
+    Returns:
+        Dict with header analysis, score, and recommendations.
+    """
+    if not url.startswith(("http://", "https://")):
+        url = "https://" + url
+
+    try:
+        resp = requests.head(url, timeout=10, allow_redirects=True)
+    except requests.ConnectionError as exc:
+        raise RuntimeError(f"Cannot connect to '{url}': {exc}") from exc
+    except requests.Timeout as exc:
+        raise RuntimeError(f"Request to '{url}' timed out") from exc
+
+    headers_lower = {k.lower(): v for k, v in resp.headers.items()}
+    total_recommended = sum(1 for h in _SECURITY_HEADERS.values() if h["recommended"])
+    present_recommended = 0
+
+    results: list[dict[str, Any]] = []
+    for header_name, info in _SECURITY_HEADERS.items():
+        value = headers_lower.get(header_name.lower())
+        is_present = value is not None
+        if is_present and info["recommended"]:
+            present_recommended += 1
+
+        entry: dict[str, Any] = {
+            "header": header_name,
+            "present": is_present,
+            "value": value or "",
+            "description": info["description"],
+        }
+
+        expected = info.get("expected_value")
+        if expected and is_present and value != expected:
+            entry["warning"] = f"Expected '{expected}', got '{value}'"
+
+        results.append(entry)
+
+    score = round((present_recommended / total_recommended) * 100) if total_recommended else 0
+    grade = "A" if score >= 85 else "B" if score >= 70 else "C" if score >= 50 else "D" if score >= 30 else "F"
+
+    missing = [r["header"] for r in results if not r["present"] and _SECURITY_HEADERS[r["header"]]["recommended"]]
+
+    return {
+        "url": url,
+        "status_code": resp.status_code,
+        "score": score,
+        "grade": grade,
+        "headers": results,
+        "missing_recommended": missing,
+    }