cloud-audit 1.2.0__tar.gz → 1.2.2__tar.gz

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - "v*"
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   ci:
@@ -87,3 +87,28 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+  github-release:
+    name: Create GitHub Release
+    needs: [build, publish, docker]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
+      - name: Extract changelog for this version
+        id: changelog
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          # Extract section between this version header and the next version header
+          awk "/^## \[${VERSION}\]/{flag=1; next} /^## \[/{flag=0} flag" CHANGELOG.md > release_notes.md
+          if [ ! -s release_notes.md ]; then
+            echo "Release v${VERSION}" > release_notes.md
+          fi
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "${{ github.ref_name }}" \
+            --title "${{ github.ref_name }}" \
+            --notes-file release_notes.md

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/CHANGELOG.md

@@ -7,6 +7,54 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.2] - 2026-04-01
+
+### Added
+
+- Parallel check execution via ThreadPoolExecutor for faster scans on large accounts
+- Wildcard pattern support in suppressions (`aws-iam-*`, `arn:aws:*:*:*:role/deploy-*`)
+- Debug logging in attack chain correlation engine for diagnosing collection failures
+- Makefile with `make all` (lint + format + typecheck + test), `make test-cov`, `make security`
+- `provider.client()` method with boto3 adaptive retry (max 5 attempts) and per-service client caching
+- `_region_overlap()` helper for shared region-matching logic in attack chain rules
+- 7 new tests for attack chains AC-25, AC-26, AC-27 and wildcard suppressions (345 total)
+
+### Changed
+
+- Thread-safe module-level caches in S3 and CloudTrail checks (threading.Lock)
+- Cache reset abstracted into `BaseProvider.reset_caches()` (was hardcoded S3-only import)
+- Scanner enforces canonical check_id from make_check metadata (single source of truth)
+- `compute_summary()` optimized to single pass over findings (was 5+ iterations)
+- IAM checks migrated to `provider.client()` for adaptive retry and client caching
+- Demo command updated to show 80 checks (was 47)
+
+### Fixed
+
+- SARIF `artifactLocation.uri` now uses valid relative URI format (`checks/{check_id}`)
+- Progress bar no longer advances past 100% in interactive mode
+- Documentation URL in pyproject.toml points to docs site instead of GitHub README
+
+## [1.2.1] - 2026-04-01
+
+### Added
+
+- **Attack chain visualization** in HTML reports - interactive SVG graphs showing attack paths with node-and-edge diagrams, color-coded by resource type (compute, identity, network, storage), animated edges, and glow effects on entry/impact nodes
+- `VizStep` model with `Literal` type validation for node types
+- 3 new tests for viz_steps validation (structure, types, edge labels)
+- `viz_steps` field on `AttackChain` model (backward compatible, defaults to empty list)
+
+### Changed
+
+- `VizStep.type` constrained to Literal type (internet, compute, identity, network, storage, finding, impact) with Pydantic validation
+- Attack chain cards in HTML report now have header/graph/body layout instead of flat text
+- Sub-labels in visualization truncated to 22 characters to prevent overflow
+- ROADMAP.md merged duplicate v1.3.0 sections into single entry
+- SOC 2 docs clarified Automated column includes partially automated criteria
+
+### Fixed
+
+- Long resource IDs in visualization labels truncated to prevent SVG overflow
+
 ## [1.2.0] - 2026-04-01
 
 ### Added
@@ -353,7 +401,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Docker image support
 - Rich terminal UI with progress bar and color-coded findings
 
-[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v1.0.1...HEAD
+[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.2...HEAD
+[1.2.2]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.1...v1.2.2
+[1.2.1]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.0...v1.2.1
+[1.2.0]: https://github.com/gebalamariusz/cloud-audit/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/gebalamariusz/cloud-audit/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/gebalamariusz/cloud-audit/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/gebalamariusz/cloud-audit/compare/v0.9.1...v1.0.0
 [0.9.1]: https://github.com/gebalamariusz/cloud-audit/compare/v0.9.0...v0.9.1

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/CONTRIBUTING.md

@@ -20,20 +20,21 @@ pip install -e ".[dev]"
 
 ## Code Quality Checks
 
-Before submitting a PR, make sure all checks pass:
+Before submitting a PR, run all checks with one command:
 
 ```bash
-# Lint
-ruff check src/ tests/
-
-# Format
-ruff format --check src/ tests/
+make all    # runs lint + format-check + typecheck + test
+```
 
-# Type check
-mypy src/
+Or individually:
 
-# Tests
-pytest -v
+```bash
+make lint        # ruff check src/ tests/
+make format      # ruff format src/ tests/
+make typecheck   # mypy src/
+make test        # pytest -v
+make test-cov    # pytest with coverage report
+make security    # pip-audit dependency scan
 ```
 
 ## Adding a New AWS Check
@@ -65,7 +66,7 @@ def check_cloudtrail_enabled(provider: AWSProvider) -> CheckResult:
         check_name="CloudTrail enabled",
     )
 
-    client = provider.session.client("cloudtrail")
+    client = provider.client("cloudtrail")  # adaptive retry + client caching
     trails = client.describe_trails()["trailList"]
     result.resources_scanned = len(trails)
 
@@ -74,13 +75,12 @@ def check_cloudtrail_enabled(provider: AWSProvider) -> CheckResult:
     return result
 
 
-def get_checks(provider: AWSProvider) -> list[partial[CheckResult]]:
-    checks = [
-        partial(check_cloudtrail_enabled, provider),
+def get_checks(provider: AWSProvider) -> list[CheckFn]:
+    from cloud_audit.providers.base import make_check
+    from cloud_audit.models import Category
+    return [
+        make_check(check_cloudtrail_enabled, provider, check_id="aws-ct-001", category=Category.SECURITY),
     ]
-    for check in checks:
-        check.category = Category.SECURITY  # type: ignore[attr-defined]
-    return checks
 ```
 
 ### 2. Register the module

cloud_audit-1.2.2/Makefile

@@ -0,0 +1,30 @@
+.PHONY: install lint format format-check typecheck test test-cov security all clean
+
+install:
+	pip install -e ".[dev]"
+
+lint:
+	ruff check src/ tests/
+
+format:
+	ruff format src/ tests/
+
+format-check:
+	ruff format --check src/ tests/
+
+typecheck:
+	mypy src/
+
+test:
+	pytest -v --tb=short
+
+test-cov:
+	pytest -v --tb=short --cov=cloud_audit --cov-report=term-missing --cov-report=html
+
+security:
+	pip-audit --strict
+
+all: lint format-check typecheck test
+
+clean:
+	rm -rf .mypy_cache .pytest_cache .ruff_cache htmlcov .coverage dist build *.egg-info

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/PKG-INFO

@@ -1,9 +1,9 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 1.2.0
+Version: 1.2.2
 Summary: Open-source AWS security scanner with CIS AWS v3.0 and SOC 2 Type II compliance, attack chains, breach cost estimation, and MCP server. 80 checks, 20 attack chain rules. Every finding includes CLI + Terraform remediation.
 Project-URL: Homepage, https://github.com/gebalamariusz/cloud-audit
-Project-URL: Documentation, https://github.com/gebalamariusz/cloud-audit#readme
+Project-URL: Documentation, https://haitmg.pl/cloud-audit/
 Project-URL: Repository, https://github.com/gebalamariusz/cloud-audit
 Project-URL: Issues, https://github.com/gebalamariusz/cloud-audit/issues
 Project-URL: Changelog, https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md
@@ -281,6 +281,9 @@ suppressions:
     reason: "Legacy VPC, migration planned for Q3"
     accepted_by: "jane@example.com"
     expires: "2026-09-30"
+  - check_id: "aws-cw-*"
+    reason: "CloudWatch alarms managed by separate team"
+    accepted_by: "ops@example.com"
 ```
 
 </details>

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/README.md

@@ -235,6 +235,9 @@ suppressions:
     reason: "Legacy VPC, migration planned for Q3"
     accepted_by: "jane@example.com"
     expires: "2026-09-30"
+  - check_id: "aws-cw-*"
+    reason: "CloudWatch alarms managed by separate team"
+    accepted_by: "ops@example.com"
 ```
 
 </details>

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/ROADMAP.md

@@ -1,6 +1,6 @@
 # Roadmap
 
-> Current version: **v1.2.0** (April 2026)
+> Current version: **v1.2.1** (April 2026)
 
 ## Completed
 
@@ -115,18 +115,14 @@
 
 ## What's Next
 
-### v1.3.0 - Multi-Framework Compliance
+### v1.3.0 - Multi-Framework Compliance & Intelligence
 - **BSI C5:2020** compliance mapping (121 criteria -- zero open-source competition)
 - **ISO 27001:2022** compliance mapping (93 Annex A controls)
 - **HIPAA Security Rule** compliance mapping (36 implementation specifications)
 - **NIS2 Directive** compliance mapping (~40 technical measures)
-- Compliance report improvements based on feedback
-
-### v1.3.0 - Automation & Intelligence
-- **Terraform Drift Detection** -- compare scan results against tfstate to find security-relevant drift
 - **Root Cause Grouping** -- "fix 1 setting, close 12 findings" for account-level misconfigurations
 - **Historical Score Tracking** -- persistent score history with trends for Type II audits
-- **More attack chain rules** -- expand based on community feedback and new attack research
+- Compliance report improvements based on feedback
 
 ### v1.4.0 - Enterprise Ready
 - **Multi-account scanning** -- AWS Organizations support, aggregate attack chains across accounts

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/SECURITY.md

@@ -6,7 +6,7 @@
 |---------|-----------|
 | 1.2.x   | Yes       |
 | 1.1.x   | Yes       |
-| 1.0.x   | Yes       |
+| < 1.1   | No        |
 | < 1.0   | No        |
 
 ## Reporting a Vulnerability

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/mkdocs.yml

@@ -30,6 +30,13 @@ theme:
   icon:
     repo: fontawesome/brands/github
 
+extra:
+  social:
+    - icon: fontawesome/brands/github
+      link: https://github.com/gebalamariusz/cloud-audit
+    - icon: fontawesome/brands/python
+      link: https://pypi.org/project/cloud-audit/
+
 markdown_extensions:
   - admonition
   - pymdownx.details

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cloud-audit"
-version = "1.2.0"
+version = "1.2.2"
 description = "Open-source AWS security scanner with CIS AWS v3.0 and SOC 2 Type II compliance, attack chains, breach cost estimation, and MCP server. 80 checks, 20 attack chain rules. Every finding includes CLI + Terraform remediation."
 readme = "README.md"
 license = "MIT"
@@ -57,7 +57,7 @@ cloud-audit-mcp = "cloud_audit.mcp_server:main"
 
 [project.urls]
 Homepage = "https://github.com/gebalamariusz/cloud-audit"
-Documentation = "https://github.com/gebalamariusz/cloud-audit#readme"
+Documentation = "https://haitmg.pl/cloud-audit/"
 Repository = "https://github.com/gebalamariusz/cloud-audit"
 Issues = "https://github.com/gebalamariusz/cloud-audit/issues"
 Changelog = "https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md"

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/src/cloud_audit/cli.py

@@ -793,15 +793,15 @@ def demo() -> None:
 
     # Simulate progress bar
     with Progress(
-        TextColumn("[bold]Running 47 checks on AWS..."),
+        TextColumn("[bold]Running 80 checks on AWS..."),
         BarColumn(bar_width=40),
         TextColumn("{task.completed}/{task.total}"),
         TimeElapsedColumn(),
         console=console,
     ) as progress:
-        task = progress.add_task("Scanning", total=47)
-        for _ in range(47):
-            time.sleep(0.08)
+        task = progress.add_task("Scanning", total=80)
+        for _ in range(80):
+            time.sleep(0.04)
             progress.advance(task)
 
     # Health score

{cloud_audit-1.2.0 → cloud_audit-1.2.2}/src/cloud_audit/config.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import fnmatch
 from datetime import date
 from pathlib import Path
 from typing import Any
@@ -36,11 +37,11 @@ class Suppression(BaseModel):
         return (today or date.today()) > self.expires
 
     def matches(self, check_id: str, resource_id: str) -> bool:
-        if self.check_id != check_id:
+        if not fnmatch.fnmatchcase(check_id, self.check_id):
             return False
         if self.resource_id is None:
             return True
-        return self.resource_id == resource_id
+        return fnmatch.fnmatchcase(resource_id, self.resource_id)
 
 
 class CloudAuditConfig(BaseModel):