cloud-audit 0.1.0__py3-none-any.whl

cloud_audit/__init__.py

@@ -0,0 +1,3 @@
+"""cloud-audit — Scan your cloud infrastructure for security, cost, and reliability issues."""
+
+__version__ = "0.1.0"

cloud_audit/__main__.py

@@ -0,0 +1,5 @@
+"""Allow running as `python -m cloud_audit`."""
+
+from cloud_audit.cli import app
+
+app()

cloud_audit/cli.py

@@ -0,0 +1,229 @@
+"""CLI interface for cloud-audit."""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Annotated
+
+import typer
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+from cloud_audit import __version__
+from cloud_audit.models import Severity
+
+if TYPE_CHECKING:
+    from pathlib import Path
+
+    from cloud_audit.models import ScanReport
+
+app = typer.Typer(
+    name="cloud-audit",
+    help="Scan your cloud infrastructure for security, cost, and reliability issues.",
+    no_args_is_help=True,
+)
+console = Console()
+
+SEVERITY_COLORS = {
+    Severity.CRITICAL: "bold red",
+    Severity.HIGH: "red",
+    Severity.MEDIUM: "yellow",
+    Severity.LOW: "cyan",
+    Severity.INFO: "dim",
+}
+
+SEVERITY_ICONS = {
+    Severity.CRITICAL: "\u2716",
+    Severity.HIGH: "\u2716",
+    Severity.MEDIUM: "\u26a0",
+    Severity.LOW: "\u25cb",
+    Severity.INFO: "\u2139",
+}
+
+
+def _print_summary(report: ScanReport) -> None:
+    """Print a rich summary of the scan results to the console."""
+    s = report.summary
+    all_errored = s.checks_errored > 0 and s.checks_passed == 0 and s.checks_failed == 0
+
+    # If all checks errored, show error banner instead of fake score
+    if all_errored:
+        console.print()
+        console.print(
+            Panel(
+                "[bold red]SCAN FAILED[/bold red]\n\nAll checks returned errors. No resources were scanned.",
+                title="[bold red]Error[/bold red]",
+                border_style="red",
+                width=60,
+            )
+        )
+
+        # Show error details
+        errored_results = [r for r in report.results if r.error]
+        if errored_results:
+            # Deduplicate error messages
+            unique_errors: dict[str, list[str]] = {}
+            for r in errored_results:
+                err = r.error or "Unknown error"
+                err_short = err.split("\n")[0][:120]
+                unique_errors.setdefault(err_short, []).append(r.check_id)
+
+            console.print("\n[bold]Errors:[/bold]")
+            for err_msg, check_ids in unique_errors.items():
+                console.print(f"  [red]{err_msg}[/red]")
+                console.print(f"  [dim]Affected checks: {', '.join(check_ids)}[/dim]\n")
+
+        # Common fix suggestions
+        console.print("[bold]Common fixes:[/bold]")
+        console.print("  1. Check your AWS credentials: [cyan]aws sts get-caller-identity[/cyan]")
+        console.print("  2. Refresh expired token: [cyan]aws sso login --profile <name>[/cyan]")
+        console.print("  3. Verify region: [cyan]cloud-audit scan --regions eu-central-1[/cyan]")
+        console.print("  4. Use a specific profile: [cyan]cloud-audit scan --profile <name>[/cyan]")
+        return
+
+    # Score panel
+    score = s.score
+    if score >= 80:
+        score_color = "green"
+    elif score >= 50:
+        score_color = "yellow"
+    else:
+        score_color = "red"
+
+    console.print()
+    console.print(
+        Panel(
+            f"[bold {score_color}]{score}[/bold {score_color}] / 100",
+            title="[bold]Health Score[/bold]",
+            border_style=score_color,
+            width=30,
+        )
+    )
+
+    # Summary table
+    table = Table(show_header=False, box=None, padding=(0, 2))
+    table.add_column(style="dim")
+    table.add_column()
+    table.add_row("Provider", report.provider.upper())
+    table.add_row("Account", report.account_id or "unknown")
+    table.add_row("Regions", ", ".join(report.regions) if report.regions else "default")
+    table.add_row("Duration", f"{report.duration_seconds}s")
+    table.add_row("Resources scanned", str(s.resources_scanned))
+    table.add_row("Checks passed", f"[green]{s.checks_passed}[/green]")
+    table.add_row("Checks failed", f"[red]{s.checks_failed}[/red]" if s.checks_failed else "0")
+    if s.checks_errored:
+        table.add_row("Checks errored", f"[yellow]{s.checks_errored}[/yellow]")
+    console.print(table)
+
+    # Show errors if any (partial failure)
+    if s.checks_errored:
+        errored_results = [r for r in report.results if r.error]
+        console.print(f"\n[yellow]Warning: {s.checks_errored} check(s) failed with errors:[/yellow]")
+        for r in errored_results:
+            err_short = (r.error or "Unknown")[:100]
+            console.print(f"  [dim]{r.check_name}:[/dim] [yellow]{err_short}[/yellow]")
+
+    # Findings by severity
+    if s.by_severity:
+        console.print("\n[bold]Findings by severity:[/bold]")
+        for sev in Severity:
+            count = s.by_severity.get(sev, 0)
+            if count:
+                color = SEVERITY_COLORS[sev]
+                icon = SEVERITY_ICONS[sev]
+                console.print(f"  [{color}]{icon} {sev.value.upper()}: {count}[/{color}]")
+
+    # Top findings
+    findings = report.all_findings
+    if findings:
+        severity_order = list(Severity)
+        findings_sorted = sorted(findings, key=lambda f: severity_order.index(f.severity))
+
+        shown = min(len(findings_sorted), 10)
+        console.print(f"\n[bold]Top findings ({shown} of {len(findings_sorted)}):[/bold]\n")
+
+        findings_table = Table(box=None, padding=(0, 1), show_header=True, header_style="bold")
+        findings_table.add_column("Sev", width=8)
+        findings_table.add_column("Region", width=14)
+        findings_table.add_column("Check")
+        findings_table.add_column("Resource")
+        findings_table.add_column("Title", max_width=60)
+
+        for f in findings_sorted[:10]:
+            sev_color = SEVERITY_COLORS[f.severity]
+            findings_table.add_row(
+                f"[{sev_color}]{f.severity.value.upper()}[/{sev_color}]",
+                f"[dim]{f.region or 'global'}[/dim]",
+                f.check_id,
+                f.resource_id[:40],
+                f.title[:60],
+            )
+
+        console.print(findings_table)
+
+        if len(findings_sorted) > 10:
+            remaining = len(findings_sorted) - 10
+            console.print(f"\n  [dim]... and {remaining} more. See full report for details.[/dim]")
+    elif not s.checks_errored:
+        console.print("\n[bold green]No issues found. Your infrastructure looks great![/bold green]")
+
+
+@app.command()
+def scan(
+    provider: Annotated[str, typer.Option("--provider", "-p", help="Cloud provider")] = "aws",
+    profile: Annotated[str | None, typer.Option("--profile", help="AWS profile name")] = None,
+    regions: Annotated[str | None, typer.Option("--regions", "-r", help="Comma-separated regions, or 'all'")] = None,
+    categories: Annotated[
+        str | None, typer.Option("--categories", "-c", help="Filter: security,cost,reliability")
+    ] = None,
+    output: Annotated[Path | None, typer.Option("--output", "-o", help="Output file path (.html, .json)")] = None,
+) -> None:
+    """Scan cloud infrastructure and generate an audit report."""
+    from pathlib import Path as PathCls
+
+    from cloud_audit.scanner import run_scan
+
+    region_list = [r.strip() for r in regions.split(",")] if regions else None
+    category_list = [c.strip() for c in categories.split(",")] if categories else None
+
+    # Initialize provider
+    if provider == "aws":
+        from cloud_audit.providers.aws import AWSProvider
+
+        cloud_provider = AWSProvider(profile=profile, regions=region_list)
+    else:
+        console.print(f"[red]Provider '{provider}' is not supported yet. Available: aws[/red]")
+        raise typer.Exit(1)
+
+    # Run scan
+    report = run_scan(cloud_provider, categories=category_list)
+
+    # Print summary
+    _print_summary(report)
+
+    # Write output
+    if output:
+        out_path = PathCls(output) if not isinstance(output, PathCls) else output
+        suffix = out_path.suffix.lower()
+        if suffix == ".html":
+            from cloud_audit.reports.html import render_html
+
+            html = render_html(report)
+            out_path.write_text(html, encoding="utf-8")
+            console.print(f"\n[green]HTML report saved to {out_path}[/green]")
+        elif suffix == ".json":
+            out_path.write_text(report.model_dump_json(indent=2), encoding="utf-8")
+            console.print(f"\n[green]JSON report saved to {out_path}[/green]")
+        else:
+            console.print(f"[red]Unsupported output format: {suffix}. Use .html or .json[/red]")
+            raise typer.Exit(1)
+
+
+@app.command()
+def version() -> None:
+    """Show version."""
+    console.print(f"cloud-audit {__version__}")
+
+
+if __name__ == "__main__":
+    app()

cloud_audit/models.py

@@ -0,0 +1,120 @@
+"""Core data models for cloud-audit findings and reports."""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from enum import Enum
+
+from pydantic import BaseModel, Field
+
+
+class Severity(str, Enum):
+    CRITICAL = "critical"
+    HIGH = "high"
+    MEDIUM = "medium"
+    LOW = "low"
+    INFO = "info"
+
+
+class Category(str, Enum):
+    SECURITY = "security"
+    COST = "cost"
+    RELIABILITY = "reliability"
+    PERFORMANCE = "performance"
+
+
+SEVERITY_SCORE = {
+    Severity.CRITICAL: 0,
+    Severity.HIGH: 5,
+    Severity.MEDIUM: 15,
+    Severity.LOW: 25,
+    Severity.INFO: 35,
+}
+
+SEVERITY_WEIGHT = {
+    Severity.CRITICAL: 20,
+    Severity.HIGH: 10,
+    Severity.MEDIUM: 5,
+    Severity.LOW: 2,
+    Severity.INFO: 0,
+}
+
+
+class Finding(BaseModel):
+    """A single audit finding — one issue detected in the infrastructure."""
+
+    check_id: str = Field(description="Unique check identifier, e.g. 'aws-iam-001'")
+    title: str = Field(description="Short human-readable title")
+    severity: Severity
+    category: Category
+    resource_type: str = Field(description="AWS resource type, e.g. 'AWS::IAM::User'")
+    resource_id: str = Field(description="Resource identifier (ARN, ID, or name)")
+    region: str = Field(default="global")
+    description: str = Field(description="What is wrong")
+    recommendation: str = Field(description="How to fix it")
+
+
+class CheckResult(BaseModel):
+    """Result of running a single check — may produce 0..N findings."""
+
+    check_id: str
+    check_name: str
+    findings: list[Finding] = Field(default_factory=list)
+    resources_scanned: int = 0
+    error: str | None = None
+
+
+class ScanSummary(BaseModel):
+    """Aggregated summary of a full scan."""
+
+    total_findings: int = 0
+    by_severity: dict[Severity, int] = Field(default_factory=dict)
+    by_category: dict[Category, int] = Field(default_factory=dict)
+    resources_scanned: int = 0
+    checks_passed: int = 0
+    checks_failed: int = 0
+    checks_errored: int = 0
+    score: int = Field(default=100, description="Overall health score 0-100")
+
+
+class ScanReport(BaseModel):
+    """Complete scan report — the top-level output."""
+
+    provider: str
+    account_id: str = ""
+    regions: list[str] = Field(default_factory=list)
+    timestamp: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
+    duration_seconds: float = 0.0
+    summary: ScanSummary = Field(default_factory=ScanSummary)
+    results: list[CheckResult] = Field(default_factory=list)
+
+    @property
+    def all_findings(self) -> list[Finding]:
+        findings: list[Finding] = []
+        for result in self.results:
+            findings.extend(result.findings)
+        return findings
+
+    def compute_summary(self) -> None:
+        findings = self.all_findings
+        self.summary.total_findings = len(findings)
+        self.summary.resources_scanned = sum(r.resources_scanned for r in self.results)
+        self.summary.checks_passed = sum(1 for r in self.results if not r.findings and not r.error)
+        self.summary.checks_failed = sum(1 for r in self.results if r.findings)
+        self.summary.checks_errored = sum(1 for r in self.results if r.error)
+
+        self.summary.by_severity = {}
+        for sev in Severity:
+            count = sum(1 for f in findings if f.severity == sev)
+            if count:
+                self.summary.by_severity[sev] = count
+
+        self.summary.by_category = {}
+        for cat in Category:
+            count = sum(1 for f in findings if f.category == cat)
+            if count:
+                self.summary.by_category[cat] = count
+
+        # Score: start at 100, subtract based on severity weights
+        penalty = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
+        self.summary.score = max(0, 100 - penalty)

cloud_audit/providers/__init__.py

@@ -0,0 +1 @@
+"""Cloud providers for cloud-audit."""

cloud_audit/providers/aws/__init__.py

@@ -0,0 +1,5 @@
+"""AWS provider for cloud-audit."""
+
+from cloud_audit.providers.aws.provider import AWSProvider
+
+__all__ = ["AWSProvider"]

cloud_audit/providers/aws/checks/__init__.py

@@ -0,0 +1 @@
+"""AWS checks registry."""

cloud_audit/providers/aws/checks/ec2.py

@@ -0,0 +1,132 @@
+"""EC2 security and cost checks."""
+
+from __future__ import annotations
+
+from functools import partial
+from typing import TYPE_CHECKING
+
+from cloud_audit.models import Category, CheckResult, Finding, Severity
+
+if TYPE_CHECKING:
+    from cloud_audit.providers.aws.provider import AWSProvider
+    from cloud_audit.providers.base import CheckFn
+
+
+def check_public_amis(provider: AWSProvider) -> CheckResult:
+    """Check for AMIs that are publicly shared."""
+    result = CheckResult(check_id="aws-ec2-001", check_name="Public AMIs")
+
+    try:
+        for region in provider.regions:
+            ec2 = provider.session.client("ec2", region_name=region)
+            images = ec2.describe_images(Owners=["self"])["Images"]
+            for image in images:
+                result.resources_scanned += 1
+                if image.get("Public", False):
+                    result.findings.append(
+                        Finding(
+                            check_id="aws-ec2-001",
+                            title=f"AMI '{image['ImageId']}' is publicly shared",
+                            severity=Severity.HIGH,
+                            category=Category.SECURITY,
+                            resource_type="AWS::EC2::Image",
+                            resource_id=image["ImageId"],
+                            region=region,
+                            description=f"AMI {image['ImageId']} ({image.get('Name', 'unnamed')}) is publicly accessible to all AWS accounts.",
+                            recommendation="Make the AMI private unless public sharing is intentional.",
+                        )
+                    )
+    except Exception as e:
+        result.error = str(e)
+
+    return result
+
+
+def check_unencrypted_volumes(provider: AWSProvider) -> CheckResult:
+    """Check for EBS volumes without encryption."""
+    result = CheckResult(check_id="aws-ec2-002", check_name="Unencrypted EBS volumes")
+
+    try:
+        for region in provider.regions:
+            ec2 = provider.session.client("ec2", region_name=region)
+            paginator = ec2.get_paginator("describe_volumes")
+            for page in paginator.paginate():
+                for volume in page["Volumes"]:
+                    result.resources_scanned += 1
+                    if not volume.get("Encrypted", False):
+                        vol_id = volume["VolumeId"]
+                        size = volume["Size"]
+                        result.findings.append(
+                            Finding(
+                                check_id="aws-ec2-002",
+                                title=f"EBS volume '{vol_id}' is not encrypted",
+                                severity=Severity.MEDIUM,
+                                category=Category.SECURITY,
+                                resource_type="AWS::EC2::Volume",
+                                resource_id=vol_id,
+                                region=region,
+                                description=f"Volume {vol_id} ({size} GiB) is not encrypted at rest.",
+                                recommendation="Enable EBS default encryption in account settings and migrate existing volumes.",
+                            )
+                        )
+    except Exception as e:
+        result.error = str(e)
+
+    return result
+
+
+def check_stopped_instances(provider: AWSProvider) -> CheckResult:
+    """Check for EC2 instances that have been stopped for more than 7 days."""
+    result = CheckResult(check_id="aws-ec2-003", check_name="Stopped EC2 instances (cost)")
+
+    try:
+        from datetime import datetime, timezone
+
+        datetime.now(timezone.utc)
+        for region in provider.regions:
+            ec2 = provider.session.client("ec2", region_name=region)
+            paginator = ec2.get_paginator("describe_instances")
+            for page in paginator.paginate(Filters=[{"Name": "instance-state-name", "Values": ["stopped"]}]):
+                for reservation in page["Reservations"]:
+                    for instance in reservation["Instances"]:
+                        result.resources_scanned += 1
+                        instance_id = instance["InstanceId"]
+                        instance_type = instance["InstanceType"]
+
+                        # Check state transition time
+                        instance.get("StateTransitionReason", "")
+                        name_tag = next(
+                            (t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"),
+                            "unnamed",
+                        )
+
+                        result.findings.append(
+                            Finding(
+                                check_id="aws-ec2-003",
+                                title=f"EC2 instance '{name_tag}' ({instance_id}) is stopped",
+                                severity=Severity.LOW,
+                                category=Category.COST,
+                                resource_type="AWS::EC2::Instance",
+                                resource_id=instance_id,
+                                region=region,
+                                description=f"Instance {instance_id} ({instance_type}) is stopped. EBS volumes are still incurring charges.",
+                                recommendation="Terminate the instance if no longer needed, or create an AMI and terminate to save on EBS costs.",
+                            )
+                        )
+    except Exception as e:
+        result.error = str(e)
+
+    return result
+
+
+def get_checks(provider: AWSProvider) -> list[CheckFn]:
+    """Return all EC2 checks bound to the provider."""
+    checks: list[CheckFn] = [
+        partial(check_public_amis, provider),
+        partial(check_unencrypted_volumes, provider),
+        partial(check_stopped_instances, provider),
+    ]
+    for fn in checks:
+        fn.category = Category.SECURITY
+    checks[2].category = Category.COST
+    return checks

cloud_audit/providers/aws/checks/eip.py

@@ -0,0 +1,54 @@
+"""Elastic IP cost checks."""
+
+from __future__ import annotations
+
+from functools import partial
+from typing import TYPE_CHECKING
+
+from cloud_audit.models import Category, CheckResult, Finding, Severity
+
+if TYPE_CHECKING:
+    from cloud_audit.providers.aws.provider import AWSProvider
+    from cloud_audit.providers.base import CheckFn
+
+
+def check_unattached_eips(provider: AWSProvider) -> CheckResult:
+    """Check for Elastic IPs that are not associated with any resource."""
+    result = CheckResult(check_id="aws-eip-001", check_name="Unattached Elastic IPs")
+
+    try:
+        for region in provider.regions:
+            ec2 = provider.session.client("ec2", region_name=region)
+            addresses = ec2.describe_addresses()["Addresses"]
+
+            for addr in addresses:
+                result.resources_scanned += 1
+                if not addr.get("AssociationId"):
+                    eip = addr.get("PublicIp", addr.get("AllocationId", "unknown"))
+                    result.findings.append(
+                        Finding(
+                            check_id="aws-eip-001",
+                            title=f"Elastic IP {eip} is not attached to any resource",
+                            severity=Severity.LOW,
+                            category=Category.COST,
+                            resource_type="AWS::EC2::EIP",
+                            resource_id=addr.get("AllocationId", eip),
+                            region=region,
+                            description=f"Elastic IP {eip} is allocated but not associated. Unattached EIPs cost ~$3.65/month.",
+                            recommendation="Release the Elastic IP if no longer needed, or associate it with an instance/NAT gateway.",
+                        )
+                    )
+    except Exception as e:
+        result.error = str(e)
+
+    return result
+
+
+def get_checks(provider: AWSProvider) -> list[CheckFn]:
+    """Return all EIP checks bound to the provider."""
+    checks: list[CheckFn] = [
+        partial(check_unattached_eips, provider),
+    ]
+    for fn in checks:
+        fn.category = Category.COST
+    return checks