cmmc2-toolkit 0.2.0__tar.gz

cmmc2_toolkit-0.2.0/PKG-INFO

@@ -0,0 +1,109 @@
+Metadata-Version: 2.4
+Name: cmmc2-toolkit
+Version: 0.2.0
+Summary: CMMC 2.0 Level 2 compliance scanner and admin dashboard for web application teams
+Author-email: David Moorhead <david.moorhead37@gmail.com>
+License-Expression: MIT
+Keywords: cmmc,compliance,nist,800-171,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: flask>=3.0
+Requires-Dist: click>=8.0
+Requires-Dist: openpyxl>=3.1
+Requires-Dist: bcrypt>=4.0
+Requires-Dist: flask-login>=0.6
+Requires-Dist: flask-wtf>=1.2
+Requires-Dist: pyotp>=2.9
+Requires-Dist: qrcode[pil]>=7.4
+Requires-Dist: flask-limiter>=3.5
+Requires-Dist: waitress>=3.0
+Provides-Extra: mongo
+Requires-Dist: pymongo>=4.0; extra == "mongo"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+
+# cmmc2-toolkit
+
+A self-contained Python package that gives any web application team a **CMMC 2.0 Level 2** compliance scanner and admin dashboard — installable via pip, zero infrastructure required.
+
+## Features
+
+- **62 controls** — all CMMC Level 1 (17), Level 2 practices, and optional Level 3 (24) controls
+- **Auto-scan** for 5 platforms: Flask, Django, FastAPI, Express/Node.js, Spring Boot
+- **Dashboard** — per-project compliance tracker with status, progress, target dates, and audit log
+- **POA&M** — Plan of Action & Milestones view for Gap / Partial / Manual controls
+- **Excel export** — one-click 3-tab workbook (Dashboard, POA&M, Audit Log)
+- **Audit log** — every status change timestamped and attributed to a user
+- **REST API** — agent ingest endpoint for CI/CD pipeline integration
+
+## Quickstart
+
+```bash
+pip install cmmc2-toolkit
+
+cmmc2 serve                        # launch dashboard at http://localhost:5050
+cmmc2 scan --path /path/to/project # run programmatic checks (CLI mode)
+cmmc2 export --out poam.xlsx       # export POA&M to Excel
+```
+
+On first launch the dashboard creates an admin account automatically (`admin` / `BWIadmin!2026` — change it immediately).
+
+## Supported platforms
+
+| Platform | Auto-detected by | Auto-checks |
+|---|---|---|
+| Flask | `flask` in requirements / `app.py` | 25 controls |
+| Django | `django` in requirements / `manage.py` | 25 controls |
+| FastAPI | `fastapi` in requirements / `main.py` | 25 controls |
+| Express / Next.js | `express` or `next` in `package.json` | 25 controls |
+| Spring Boot / WildFly | `spring-boot` in `pom.xml` / `WEB-INF` | 25 controls |
+
+Unsupported platforms fall back to full manual tracking mode.
+
+## Dashboard
+
+```
+cmmc2 serve --port 5050
+```
+
+- Create projects by URL or local path
+- Run a live scan against a local codebase
+- Track status (Pass / Gap / Partial / Manual) per control
+- Every status change requires a note — written to the immutable audit log
+- Level 3 controls (NIST SP 800-172) are opt-in per project
+- Export the full workbook (Dashboard + POA&M + Audit Log tabs) with one click
+
+On Windows, use the included `serve.ps1` launcher if `cmmc2` is not yet on your PATH.
+
+## Architecture
+
+```
+cmmc2toolkit/
+├── controls.py          # 62 CMMC control definitions (L1 + L2 + L3)
+├── models.py            # Control, Finding dataclasses
+├── cli.py               # click CLI (scan | serve | export | init)
+├── detector/            # auto-detect platform from project files
+├── adapters/            # platform-specific check runners
+├── checks/              # atomic grep-based check functions
+├── store/               # SQLiteStore + StoreBase ABC
+├── auth/                # password hashing, TOTP, session management
+├── dashboard/           # Flask micro-app (routes + Jinja2 templates)
+└── export.py            # openpyxl 3-tab Excel export
+```
+
+## Contributing an adapter
+
+1. Subclass `AdapterBase` in `cmmc2toolkit/adapters/adapter_<platform>.py`
+2. Implement `check_all() -> list[Finding]`
+3. Register it in `adapters/base.py` → `get_adapter()` registry
+4. Add fingerprint rules in `detector/fingerprints.py`
+5. Open a PR
+
+## License
+
+MIT

cmmc2_toolkit-0.2.0/README.md

@@ -0,0 +1,80 @@
+# cmmc2-toolkit
+
+A self-contained Python package that gives any web application team a **CMMC 2.0 Level 2** compliance scanner and admin dashboard — installable via pip, zero infrastructure required.
+
+## Features
+
+- **62 controls** — all CMMC Level 1 (17), Level 2 practices, and optional Level 3 (24) controls
+- **Auto-scan** for 5 platforms: Flask, Django, FastAPI, Express/Node.js, Spring Boot
+- **Dashboard** — per-project compliance tracker with status, progress, target dates, and audit log
+- **POA&M** — Plan of Action & Milestones view for Gap / Partial / Manual controls
+- **Excel export** — one-click 3-tab workbook (Dashboard, POA&M, Audit Log)
+- **Audit log** — every status change timestamped and attributed to a user
+- **REST API** — agent ingest endpoint for CI/CD pipeline integration
+
+## Quickstart
+
+```bash
+pip install cmmc2-toolkit
+
+cmmc2 serve                        # launch dashboard at http://localhost:5050
+cmmc2 scan --path /path/to/project # run programmatic checks (CLI mode)
+cmmc2 export --out poam.xlsx       # export POA&M to Excel
+```
+
+On first launch the dashboard creates an admin account automatically (`admin` / `BWIadmin!2026` — change it immediately).
+
+## Supported platforms
+
+| Platform | Auto-detected by | Auto-checks |
+|---|---|---|
+| Flask | `flask` in requirements / `app.py` | 25 controls |
+| Django | `django` in requirements / `manage.py` | 25 controls |
+| FastAPI | `fastapi` in requirements / `main.py` | 25 controls |
+| Express / Next.js | `express` or `next` in `package.json` | 25 controls |
+| Spring Boot / WildFly | `spring-boot` in `pom.xml` / `WEB-INF` | 25 controls |
+
+Unsupported platforms fall back to full manual tracking mode.
+
+## Dashboard
+
+```
+cmmc2 serve --port 5050
+```
+
+- Create projects by URL or local path
+- Run a live scan against a local codebase
+- Track status (Pass / Gap / Partial / Manual) per control
+- Every status change requires a note — written to the immutable audit log
+- Level 3 controls (NIST SP 800-172) are opt-in per project
+- Export the full workbook (Dashboard + POA&M + Audit Log tabs) with one click
+
+On Windows, use the included `serve.ps1` launcher if `cmmc2` is not yet on your PATH.
+
+## Architecture
+
+```
+cmmc2toolkit/
+├── controls.py          # 62 CMMC control definitions (L1 + L2 + L3)
+├── models.py            # Control, Finding dataclasses
+├── cli.py               # click CLI (scan | serve | export | init)
+├── detector/            # auto-detect platform from project files
+├── adapters/            # platform-specific check runners
+├── checks/              # atomic grep-based check functions
+├── store/               # SQLiteStore + StoreBase ABC
+├── auth/                # password hashing, TOTP, session management
+├── dashboard/           # Flask micro-app (routes + Jinja2 templates)
+└── export.py            # openpyxl 3-tab Excel export
+```
+
+## Contributing an adapter
+
+1. Subclass `AdapterBase` in `cmmc2toolkit/adapters/adapter_<platform>.py`
+2. Implement `check_all() -> list[Finding]`
+3. Register it in `adapters/base.py` → `get_adapter()` registry
+4. Add fingerprint rules in `detector/fingerprints.py`
+5. Open a PR
+
+## License
+
+MIT

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/PKG-INFO

@@ -0,0 +1,109 @@
+Metadata-Version: 2.4
+Name: cmmc2-toolkit
+Version: 0.2.0
+Summary: CMMC 2.0 Level 2 compliance scanner and admin dashboard for web application teams
+Author-email: David Moorhead <david.moorhead37@gmail.com>
+License-Expression: MIT
+Keywords: cmmc,compliance,nist,800-171,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: flask>=3.0
+Requires-Dist: click>=8.0
+Requires-Dist: openpyxl>=3.1
+Requires-Dist: bcrypt>=4.0
+Requires-Dist: flask-login>=0.6
+Requires-Dist: flask-wtf>=1.2
+Requires-Dist: pyotp>=2.9
+Requires-Dist: qrcode[pil]>=7.4
+Requires-Dist: flask-limiter>=3.5
+Requires-Dist: waitress>=3.0
+Provides-Extra: mongo
+Requires-Dist: pymongo>=4.0; extra == "mongo"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+
+# cmmc2-toolkit
+
+A self-contained Python package that gives any web application team a **CMMC 2.0 Level 2** compliance scanner and admin dashboard — installable via pip, zero infrastructure required.
+
+## Features
+
+- **62 controls** — all CMMC Level 1 (17), Level 2 practices, and optional Level 3 (24) controls
+- **Auto-scan** for 5 platforms: Flask, Django, FastAPI, Express/Node.js, Spring Boot
+- **Dashboard** — per-project compliance tracker with status, progress, target dates, and audit log
+- **POA&M** — Plan of Action & Milestones view for Gap / Partial / Manual controls
+- **Excel export** — one-click 3-tab workbook (Dashboard, POA&M, Audit Log)
+- **Audit log** — every status change timestamped and attributed to a user
+- **REST API** — agent ingest endpoint for CI/CD pipeline integration
+
+## Quickstart
+
+```bash
+pip install cmmc2-toolkit
+
+cmmc2 serve                        # launch dashboard at http://localhost:5050
+cmmc2 scan --path /path/to/project # run programmatic checks (CLI mode)
+cmmc2 export --out poam.xlsx       # export POA&M to Excel
+```
+
+On first launch the dashboard creates an admin account automatically (`admin` / `BWIadmin!2026` — change it immediately).
+
+## Supported platforms
+
+| Platform | Auto-detected by | Auto-checks |
+|---|---|---|
+| Flask | `flask` in requirements / `app.py` | 25 controls |
+| Django | `django` in requirements / `manage.py` | 25 controls |
+| FastAPI | `fastapi` in requirements / `main.py` | 25 controls |
+| Express / Next.js | `express` or `next` in `package.json` | 25 controls |
+| Spring Boot / WildFly | `spring-boot` in `pom.xml` / `WEB-INF` | 25 controls |
+
+Unsupported platforms fall back to full manual tracking mode.
+
+## Dashboard
+
+```
+cmmc2 serve --port 5050
+```
+
+- Create projects by URL or local path
+- Run a live scan against a local codebase
+- Track status (Pass / Gap / Partial / Manual) per control
+- Every status change requires a note — written to the immutable audit log
+- Level 3 controls (NIST SP 800-172) are opt-in per project
+- Export the full workbook (Dashboard + POA&M + Audit Log tabs) with one click
+
+On Windows, use the included `serve.ps1` launcher if `cmmc2` is not yet on your PATH.
+
+## Architecture
+
+```
+cmmc2toolkit/
+├── controls.py          # 62 CMMC control definitions (L1 + L2 + L3)
+├── models.py            # Control, Finding dataclasses
+├── cli.py               # click CLI (scan | serve | export | init)
+├── detector/            # auto-detect platform from project files
+├── adapters/            # platform-specific check runners
+├── checks/              # atomic grep-based check functions
+├── store/               # SQLiteStore + StoreBase ABC
+├── auth/                # password hashing, TOTP, session management
+├── dashboard/           # Flask micro-app (routes + Jinja2 templates)
+└── export.py            # openpyxl 3-tab Excel export
+```
+
+## Contributing an adapter
+
+1. Subclass `AdapterBase` in `cmmc2toolkit/adapters/adapter_<platform>.py`
+2. Implement `check_all() -> list[Finding]`
+3. Register it in `adapters/base.py` → `get_adapter()` registry
+4. Add fingerprint rules in `detector/fingerprints.py`
+5. Open a PR
+
+## License
+
+MIT

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/SOURCES.txt

@@ -0,0 +1,57 @@
+README.md
+pyproject.toml
+cmmc2_toolkit.egg-info/PKG-INFO
+cmmc2_toolkit.egg-info/SOURCES.txt
+cmmc2_toolkit.egg-info/dependency_links.txt
+cmmc2_toolkit.egg-info/entry_points.txt
+cmmc2_toolkit.egg-info/requires.txt
+cmmc2_toolkit.egg-info/top_level.txt
+cmmc2agent/__init__.py
+cmmc2agent/cli.py
+cmmc2agent/config.py
+cmmc2agent/poster.py
+cmmc2toolkit/__init__.py
+cmmc2toolkit/cli.py
+cmmc2toolkit/controls.py
+cmmc2toolkit/export.py
+cmmc2toolkit/models.py
+cmmc2toolkit/adapters/__init__.py
+cmmc2toolkit/adapters/adapter_django.py
+cmmc2toolkit/adapters/adapter_express.py
+cmmc2toolkit/adapters/adapter_fastapi.py
+cmmc2toolkit/adapters/adapter_flask.py
+cmmc2toolkit/adapters/adapter_spring.py
+cmmc2toolkit/adapters/base.py
+cmmc2toolkit/auth/__init__.py
+cmmc2toolkit/auth/models.py
+cmmc2toolkit/auth/passwords.py
+cmmc2toolkit/auth/store.py
+cmmc2toolkit/auth/totp.py
+cmmc2toolkit/checks/__init__.py
+cmmc2toolkit/checks/access.py
+cmmc2toolkit/checks/audit.py
+cmmc2toolkit/checks/auth.py
+cmmc2toolkit/checks/config.py
+cmmc2toolkit/checks/integrity.py
+cmmc2toolkit/checks/transport.py
+cmmc2toolkit/dashboard/__init__.py
+cmmc2toolkit/dashboard/app.py
+cmmc2toolkit/dashboard/templates/audit_log.html
+cmmc2toolkit/dashboard/templates/dashboard.html
+cmmc2toolkit/dashboard/templates/home.html
+cmmc2toolkit/dashboard/templates/login.html
+cmmc2toolkit/dashboard/templates/mfa.html
+cmmc2toolkit/dashboard/templates/poam.html
+cmmc2toolkit/dashboard/templates/register.html
+cmmc2toolkit/dashboard/templates/setup_mfa.html
+cmmc2toolkit/detector/__init__.py
+cmmc2toolkit/detector/base.py
+cmmc2toolkit/detector/fingerprints.py
+cmmc2toolkit/detector/profile.py
+cmmc2toolkit/store/__init__.py
+cmmc2toolkit/store/base.py
+cmmc2toolkit/store/registry.py
+cmmc2toolkit/store/store_sqlite.py
+tests/test_adapter_flask.py
+tests/test_detector.py
+tests/test_store_sqlite.py

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+cmmc2 = cmmc2toolkit.cli:main
+cmmc2agent = cmmc2agent.cli:main

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/requires.txt

@@ -0,0 +1,17 @@
+flask>=3.0
+click>=8.0
+openpyxl>=3.1
+bcrypt>=4.0
+flask-login>=0.6
+flask-wtf>=1.2
+pyotp>=2.9
+qrcode[pil]>=7.4
+flask-limiter>=3.5
+waitress>=3.0
+
+[dev]
+pytest>=8.0
+pytest-cov
+
+[mongo]
+pymongo>=4.0

cmmc2_toolkit-0.2.0/cmmc2_toolkit.egg-info/top_level.txt

@@ -0,0 +1,2 @@
+cmmc2agent
+cmmc2toolkit

cmmc2_toolkit-0.2.0/cmmc2agent/__init__.py

@@ -0,0 +1,2 @@
+"""cmmc2-agent — lightweight scanner agent for cmmc2-toolkit."""
+__version__ = "0.1.0"

cmmc2_toolkit-0.2.0/cmmc2agent/cli.py

@@ -0,0 +1,94 @@
+"""cmmc2agent CLI entry point."""
+import click
+from cmmc2agent.config import load_config, TOML_TEMPLATE
+
+
+@click.group()
+def main():
+    """CMMC 2.0 scanner agent — posts results to a central dashboard."""
+
+
+@main.command()
+@click.option("--config", default=None, help="Path to cmmc2agent.toml")
+@click.option("--dry-run", is_flag=True, help="Run checks but do not post results.")
+def scan(config, dry_run):
+    """Run compliance checks and POST results to the dashboard."""
+    from cmmc2toolkit.detector import detect_platform
+    from cmmc2toolkit.adapters import get_adapter
+    from cmmc2agent.poster import post_findings
+
+    try:
+        cfg = load_config(config)
+    except (FileNotFoundError, RuntimeError) as e:
+        click.secho(str(e), fg="red")
+        raise SystemExit(1)
+
+    click.echo(f"Scanning: {cfg.scan_path}")
+    profile = detect_platform(cfg.scan_path)
+    click.echo(f"Platform: {profile.platform}  Language: {profile.language}")
+
+    try:
+        adapter  = get_adapter(profile)
+        findings = adapter.check_all()
+    except NotImplementedError as e:
+        click.secho(str(e), fg="yellow")
+        raise SystemExit(1)
+
+    passed = [f for f in findings if f.passed]
+    failed = [f for f in findings if not f.passed]
+    click.echo(f"Results : {len(passed)} passed / {len(failed)} failed")
+
+    for f in failed:
+        click.secho(f"  ✗ {f.practice_id}  {f.detail[:80]}", fg="red")
+    for f in passed:
+        click.secho(f"  ✓ {f.practice_id}  {f.detail[:80]}", fg="green")
+
+    if dry_run:
+        click.secho("\nDry run — results not posted.", fg="yellow")
+        return
+
+    click.echo(f"\nPosting to: {cfg.ingest_url}")
+    try:
+        result = post_findings(
+            ingest_url=cfg.ingest_url,
+            api_key=cfg.api_key,
+            project_id=cfg.project_id,
+            platform=profile.platform,
+            scan_path=cfg.scan_path,
+            findings=findings,
+        )
+        click.secho(
+            f"Dashboard updated — "
+            f"{result.get('passed',0)} passed, "
+            f"{result.get('failed',0)} failed, "
+            f"{result.get('skipped',0)} skipped.",
+            fg="green", bold=True,
+        )
+    except RuntimeError as e:
+        click.secho(f"Post failed: {e}", fg="red")
+        raise SystemExit(1)
+
+
+@main.command("init")
+@click.option("--dashboard-url", prompt="Central dashboard URL",
+              help="e.g. http://cmmc2.mycompany.com:5050")
+@click.option("--api-key",       prompt="API key",
+              help="Issued when you created the project on the dashboard.")
+@click.option("--project-id",    prompt="Project ID",
+              help="Shown on the dashboard home page after project creation.")
+@click.option("--scan-path",     prompt="Local scan path",
+              default=".", show_default=True,
+              help="Directory containing the app source code.")
+@click.option("--output", default="cmmc2agent.toml", show_default=True)
+def init_cmd(dashboard_url, api_key, project_id, scan_path, output):
+    """Interactively create a cmmc2agent.toml config file."""
+    from pathlib import Path
+    content = TOML_TEMPLATE.format(
+        dashboard_url=dashboard_url,
+        api_key=api_key,
+        project_id=project_id,
+        scan_path=scan_path,
+    )
+    Path(output).write_text(content)
+    click.secho(f"Config written to {output}", fg="green")
+    click.echo("Run `cmmc2agent scan` to send your first results to the dashboard.")

cmmc2_toolkit-0.2.0/cmmc2agent/config.py

@@ -0,0 +1,64 @@
+"""Load and validate cmmc2agent.toml config."""
+from dataclasses import dataclass
+from pathlib import Path
+
+try:
+    import tomllib
+except ImportError:
+    try:
+        import tomli as tomllib          # pip install tomli on Python < 3.11
+    except ImportError:
+        tomllib = None
+
+
+DEFAULT_CONFIG_PATHS = [
+    Path("cmmc2agent.toml"),
+    Path.home() / ".cmmc2" / "agent.toml",
+]
+
+
+@dataclass
+class AgentConfig:
+    dashboard_url: str
+    api_key: str
+    project_id: str
+    scan_path: str
+
+    @property
+    def ingest_url(self) -> str:
+        return self.dashboard_url.rstrip("/") + "/api/v1/ingest"
+
+
+def load_config(path: str | Path | None = None) -> AgentConfig:
+    if tomllib is None:
+        raise RuntimeError(
+            "TOML support not available. On Python < 3.11, run: pip install tomli"
+        )
+
+    candidates = [Path(path)] if path else DEFAULT_CONFIG_PATHS
+    for candidate in candidates:
+        if candidate.exists():
+            with open(candidate, "rb") as f:
+                data = tomllib.load(f)
+            return AgentConfig(
+                dashboard_url=data["dashboard_url"],
+                api_key=data["api_key"],
+                project_id=data["project_id"],
+                scan_path=data["scan_path"],
+            )
+
+    raise FileNotFoundError(
+        "No cmmc2agent.toml found. Run `cmmc2agent init` to create one, "
+        "or specify --config <path>."
+    )
+
+
+TOML_TEMPLATE = """\
+# cmmc2agent.toml — Scanner agent configuration
+# Generated by `cmmc2agent init`
+
+dashboard_url = "{dashboard_url}"
+api_key       = "{api_key}"
+project_id    = "{project_id}"
+scan_path     = "{scan_path}"
+"""

cmmc2_toolkit-0.2.0/cmmc2agent/poster.py

@@ -0,0 +1,43 @@
+"""HTTP poster — sends scan results to the central dashboard."""
+import json
+import urllib.request
+import urllib.error
+from cmmc2toolkit.models import Finding
+
+
+def post_findings(ingest_url: str, api_key: str, project_id: str,
+                  platform: str, scan_path: str,
+                  findings: list[Finding]) -> dict:
+    payload = json.dumps({
+        "project_id": project_id,
+        "platform":   platform,
+        "path":       scan_path,
+        "findings": [
+            {
+                "practice_id": f.practice_id,
+                "passed":      f.passed,
+                "detail":      f.detail,
+                "evidence":    f.evidence,
+            }
+            for f in findings
+        ],
+    }).encode()
+
+    req = urllib.request.Request(
+        ingest_url,
+        data=payload,
+        headers={
+            "Content-Type":  "application/json",
+            "X-CMMC2-Key":   api_key,
+        },
+        method="POST",
+    )
+
+    try:
+        with urllib.request.urlopen(req, timeout=30) as resp:
+            return json.loads(resp.read())
+    except urllib.error.HTTPError as e:
+        body = e.read().decode(errors="replace")
+        raise RuntimeError(f"Dashboard returned {e.code}: {body}") from e
+    except urllib.error.URLError as e:
+        raise RuntimeError(f"Could not reach dashboard at {ingest_url}: {e.reason}") from e

cmmc2_toolkit-0.2.0/cmmc2toolkit/__init__.py

@@ -0,0 +1,2 @@
+"""cmmc2-toolkit — CMMC 2.0 Level 2 compliance scanner and dashboard."""
+__version__ = "0.1.0"

cmmc2_toolkit-0.2.0/cmmc2toolkit/adapters/__init__.py

@@ -0,0 +1,3 @@
+from cmmc2toolkit.adapters.base import AdapterBase, get_adapter
+
+__all__ = ["AdapterBase", "get_adapter"]