aws-inventory-manager 0.13.2__py3-none-any.whl

src/security/models.py

@@ -0,0 +1,53 @@
+"""Security scan result model for aggregating security findings."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import List
+
+from ..models.security_finding import SecurityFinding, Severity
+
+
+@dataclass
+class SecurityScanResult:
+    """Aggregates security findings from scanning a snapshot.
+
+    Attributes:
+        findings: List of all security findings
+        total_findings: Total count of findings
+        snapshot_name: Name of the snapshot that was scanned
+        scan_timestamp: When the scan was executed
+    """
+
+    snapshot_name: str
+    scan_timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    findings: List[SecurityFinding] = field(default_factory=list)
+
+    @property
+    def total_findings(self) -> int:
+        """Get total count of findings.
+
+        Returns:
+            Number of findings in the result
+        """
+        return len(self.findings)
+
+    def add_finding(self, finding: SecurityFinding) -> None:
+        """Add a security finding to the result.
+
+        Args:
+            finding: SecurityFinding to add
+        """
+        self.findings.append(finding)
+
+    def get_findings_by_severity(self, severity: Severity) -> List[SecurityFinding]:
+        """Get all findings matching a specific severity level.
+
+        Args:
+            severity: Severity level to filter by
+
+        Returns:
+            List of findings with the specified severity
+        """
+        return [f for f in self.findings if f.severity == severity]

src/security/reporter.py

@@ -0,0 +1,174 @@
+"""Security findings reporter with multiple output formats."""
+
+from __future__ import annotations
+
+import csv
+import json
+from pathlib import Path
+from typing import Dict, List
+
+from rich.console import Console
+from rich.table import Table
+
+from src.models.security_finding import SecurityFinding, Severity
+
+
+class SecurityReporter:
+    """Report security findings in various formats (terminal, JSON, CSV)."""
+
+    def format_terminal(self, findings: List[SecurityFinding]) -> str:
+        """Format findings for terminal output using Rich.
+
+        Args:
+            findings: List of security findings
+
+        Returns:
+            Formatted string for terminal display
+        """
+        if not findings:
+            return "No security findings detected."
+
+        # Create a Rich table
+        table = Table(title="Security Findings")
+        table.add_column("Severity", style="bold")
+        table.add_column("Resource")
+        table.add_column("Finding Type")
+        table.add_column("Description")
+
+        for finding in findings:
+            # Color code severity
+            severity_str = finding.severity.value.upper()
+            if finding.severity == Severity.CRITICAL:
+                severity_display = f"[red]{severity_str}[/red]"
+            elif finding.severity == Severity.HIGH:
+                severity_display = f"[orange1]{severity_str}[/orange1]"
+            elif finding.severity == Severity.MEDIUM:
+                severity_display = f"[yellow]{severity_str}[/yellow]"
+            else:
+                severity_display = f"[cyan]{severity_str}[/cyan]"
+
+            # Truncate description if too long
+            description = finding.description
+            if len(description) > 60:
+                description = description[:57] + "..."
+
+            # Extract resource ID from ARN for display
+            resource_display = (
+                finding.resource_arn.split("/")[-1]
+                if "/" in finding.resource_arn
+                else finding.resource_arn.split(":")[-1]
+            )
+
+            table.add_row(
+                severity_display,
+                resource_display,
+                finding.finding_type,
+                description,
+            )
+
+        # Render table to string
+        console = Console()
+        with console.capture() as capture:
+            console.print(table)
+
+        return capture.get()
+
+    def export_json(self, findings: List[SecurityFinding], filepath: str) -> None:
+        """Export findings to JSON format.
+
+        Args:
+            findings: List of security findings
+            filepath: Output file path
+        """
+        # Generate summary statistics
+        summary = self.generate_summary(findings)
+
+        # Convert findings to dictionaries
+        findings_data = [finding.to_dict() for finding in findings]
+
+        output = {
+            "findings": findings_data,
+            "summary": summary,
+        }
+
+        # Write to file
+        output_path = Path(filepath)
+        output_path.parent.mkdir(parents=True, exist_ok=True)
+
+        with open(output_path, "w") as f:
+            json.dump(output, f, indent=2)
+
+    def export_csv(self, findings: List[SecurityFinding], filepath: str) -> None:
+        """Export findings to CSV format.
+
+        Args:
+            findings: List of security findings
+            filepath: Output file path
+        """
+        output_path = Path(filepath)
+        output_path.parent.mkdir(parents=True, exist_ok=True)
+
+        # Define CSV columns
+        fieldnames = [
+            "resource_arn",
+            "finding_type",
+            "severity",
+            "description",
+            "remediation",
+            "cis_control",
+        ]
+
+        with open(output_path, "w", newline="") as f:
+            writer = csv.DictWriter(f, fieldnames=fieldnames)
+            writer.writeheader()
+
+            for finding in findings:
+                row = {
+                    "resource_arn": finding.resource_arn,
+                    "finding_type": finding.finding_type,
+                    "severity": finding.severity.value,
+                    "description": finding.description,
+                    "remediation": finding.remediation,
+                    "cis_control": finding.cis_control or "",
+                }
+                writer.writerow(row)
+
+    def group_by_severity(self, findings: List[SecurityFinding]) -> Dict[Severity, List[SecurityFinding]]:
+        """Group findings by severity level.
+
+        Args:
+            findings: List of security findings
+
+        Returns:
+            Dictionary mapping Severity to lists of findings
+        """
+        grouped: Dict[Severity, List[SecurityFinding]] = {
+            Severity.CRITICAL: [],
+            Severity.HIGH: [],
+            Severity.MEDIUM: [],
+            Severity.LOW: [],
+        }
+
+        for finding in findings:
+            grouped[finding.severity].append(finding)
+
+        return grouped
+
+    def generate_summary(self, findings: List[SecurityFinding]) -> dict:
+        """Generate summary statistics for findings.
+
+        Args:
+            findings: List of security findings
+
+        Returns:
+            Dictionary with counts by severity
+        """
+        grouped = self.group_by_severity(findings)
+
+        return {
+            "total_findings": len(findings),
+            "critical_count": len(grouped[Severity.CRITICAL]),
+            "high_count": len(grouped[Severity.HIGH]),
+            "medium_count": len(grouped[Severity.MEDIUM]),
+            "low_count": len(grouped[Severity.LOW]),
+        }

src/security/scanner.py

@@ -0,0 +1,87 @@
+"""Security scanner for detecting misconfigurations in AWS snapshots."""
+
+from __future__ import annotations
+
+import importlib
+import inspect
+import pkgutil
+from typing import List, Optional
+
+from ..models.security_finding import Severity
+from ..models.snapshot import Snapshot
+from .checks.base import SecurityCheck
+from .models import SecurityScanResult
+
+
+class SecurityScanner:
+    """Scans AWS snapshots for security misconfigurations.
+
+    The scanner automatically discovers and loads all security check modules
+    from the checks package and executes them against snapshots.
+    """
+
+    def __init__(self) -> None:
+        """Initialize the security scanner and load all security checks."""
+        self.checks: List[SecurityCheck] = []
+        self._load_checks()
+
+    def _load_checks(self) -> None:
+        """Dynamically load all security check modules from the checks package.
+
+        Discovers all Python modules in src/security/checks/, finds SecurityCheck
+        subclasses, and instantiates them.
+        """
+        from . import checks
+
+        # Discover all check modules
+        for importer, modname, ispkg in pkgutil.iter_modules(checks.__path__):
+            # Skip the base module and __init__
+            if modname in ("base", "__init__"):
+                continue
+
+            # Import the module
+            try:
+                module = importlib.import_module(f".checks.{modname}", package="src.security")
+
+                # Find all SecurityCheck subclasses in the module
+                for name, obj in inspect.getmembers(module, inspect.isclass):
+                    # Check if it's a subclass of SecurityCheck (but not SecurityCheck itself)
+                    if issubclass(obj, SecurityCheck) and obj is not SecurityCheck:
+                        # Instantiate and add to checks list
+                        check_instance = obj()
+                        self.checks.append(check_instance)
+
+            except Exception as e:
+                # Log the error but continue loading other checks
+                print(f"Warning: Failed to load check module {modname}: {e}")
+                continue
+
+    def scan(self, snapshot: Snapshot, severity_filter: Optional[Severity] = None) -> SecurityScanResult:
+        """Scan a snapshot for security misconfigurations.
+
+        Args:
+            snapshot: Snapshot to scan
+            severity_filter: Optional severity level to filter findings (only include findings
+                           matching this severity)
+
+        Returns:
+            SecurityScanResult containing all findings from the scan
+        """
+        result = SecurityScanResult(snapshot_name=snapshot.name)
+
+        # Execute all checks on the snapshot
+        for check in self.checks:
+            try:
+                findings = check.execute(snapshot)
+
+                # Add findings to result, applying severity filter if specified
+                for finding in findings:
+                    if severity_filter is None or finding.severity == severity_filter:
+                        result.add_finding(finding)
+
+            except Exception as e:
+                # Log the error but continue with other checks
+                print(f"Warning: Check {check.check_id} failed: {e}")
+                continue
+
+        return result

src/snapshot/__init__.py

@@ -0,0 +1,6 @@
+"""Snapshot capture and storage functionality."""
+
+from .inventory_storage import InventoryNotFoundError, InventoryStorage
+from .storage import SnapshotStorage
+
+__all__ = ["SnapshotStorage", "InventoryStorage", "InventoryNotFoundError"]