devguard 0.2.0__py3-none-any.whl

devguard/checkers/container.py

@@ -0,0 +1,137 @@
+"""Container security checker."""
+
+import logging
+import re
+from pathlib import Path
+from typing import ClassVar
+
+from devguard.checkers.base import BaseChecker
+from devguard.models import CheckResult, Severity, Vulnerability
+
+logger = logging.getLogger(__name__)
+
+
+class ContainerChecker(BaseChecker):
+    """Check Dockerfiles for security best practices."""
+
+    check_type: ClassVar[str] = "container"
+
+    # Simple regex-based rules
+    RULES = [
+        {
+            "id": "run-as-root",
+            "pattern": r"^USER\s+root",
+            "severity": Severity.HIGH,
+            "summary": "Running as root user",
+            "description": "The container explicitly switches to root user. Use a non-privileged user instead.",
+        },
+        {
+            "id": "missing-user",
+            "severity": Severity.MEDIUM,
+            "summary": "No USER instruction",
+            "description": "Dockerfile does not switch to a non-privileged user. It will likely run as root.",
+            "check_func": lambda content: not re.search(r"^USER\s+", content, re.MULTILINE),
+        },
+        {
+            "id": "latest-tag",
+            "pattern": r"^FROM\s+[^:]+:latest",
+            "severity": Severity.MEDIUM,
+            "summary": "Using 'latest' tag",
+            "description": "Using the 'latest' tag makes builds non-reproducible and can introduce unexpected breaking changes.",
+        },
+        {
+            "id": "add-usage",
+            "pattern": r"^ADD\s+",
+            "severity": Severity.LOW,
+            "summary": "Using ADD instruction",
+            "description": "Use COPY instead of ADD unless you specifically need to extract tarballs or fetch remote URLs.",
+        },
+        {
+            "id": "exposed-secrets",
+            "pattern": r"(API_KEY|SECRET|PASSWORD|TOKEN)\s*=",
+            "severity": Severity.CRITICAL,
+            "summary": "Potential secret in Dockerfile",
+            "description": "Found a potential secret/credential embedded directly in the Dockerfile.",
+        },
+        {
+            "id": "sudo-usage",
+            "pattern": r"sudo\s+",
+            "severity": Severity.HIGH,
+            "summary": "Using sudo",
+            "description": "Avoid installing or using sudo in containers. It increases the attack surface.",
+        },
+    ]
+
+    async def check(self) -> CheckResult:
+        """Check Dockerfiles."""
+        vulnerabilities: list[Vulnerability] = []
+        errors: list[str] = []
+        metadata: dict = {"files_scanned": []}
+
+        # Find Dockerfiles
+        dockerfiles = self._find_dockerfiles()
+
+        for df in dockerfiles:
+            try:
+                vulns = self._scan_dockerfile(df)
+                vulnerabilities.extend(vulns)
+                metadata["files_scanned"].append(str(df))
+            except Exception as e:
+                errors.append(f"Error scanning {df}: {str(e)}")
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=len(vulnerabilities) == 0 and len(errors) == 0,
+            vulnerabilities=vulnerabilities,
+            errors=errors,
+            metadata=metadata,
+        )
+
+    def _find_dockerfiles(self) -> list[Path]:
+        """Find Dockerfiles in current directory and subdirs."""
+        # Use simple recursion or glob
+        # We limit depth to avoid massive scans
+        base = Path.cwd()
+        found = []
+
+        # Check explicit "Dockerfile"
+        for path in base.rglob("Dockerfile*"):
+            if path.is_file() and "node_modules" not in str(path) and ".git" not in str(path):
+                found.append(path)
+
+        return found
+
+    def _scan_dockerfile(self, path: Path) -> list[Vulnerability]:
+        """Scan a single Dockerfile."""
+        vulns = []
+        try:
+            content = path.read_text(encoding="utf-8")
+        except UnicodeDecodeError:
+            return []
+
+        for rule in self.RULES:
+            match = False
+
+            if "check_func" in rule:
+                if rule["check_func"](content):  # type: ignore
+                    match = True
+            elif "pattern" in rule:
+                if re.search(rule["pattern"], content, re.MULTILINE | re.IGNORECASE):  # type: ignore
+                    match = True
+
+            if match:
+                vulns.append(
+                    Vulnerability(
+                        package_name=f"Dockerfile:{path.name}",
+                        package_version="N/A",
+                        severity=rule["severity"],  # type: ignore
+                        summary=rule["summary"],  # type: ignore
+                        description=rule["description"],  # type: ignore
+                        source="devguard-container-check",
+                        references=[
+                            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"
+                        ],
+                    )
+                )
+
+        return vulns

devguard/checkers/domain.py

@@ -0,0 +1,189 @@
+"""Domain and SSL certificate checker."""
+
+import asyncio
+import logging
+import socket
+import ssl
+from datetime import UTC, datetime
+
+import httpx
+
+from devguard.checkers.base import BaseChecker
+from devguard.models import CheckResult, CheckStatus, DeploymentStatus, Finding, Severity
+
+logger = logging.getLogger(__name__)
+
+
+class DomainChecker(BaseChecker):
+    """Check domain health and SSL certificate expiry."""
+
+    check_type = "domain"
+
+    # SSL warning thresholds (days)
+    SSL_CRITICAL_DAYS = 7
+    SSL_WARNING_DAYS = 30
+
+    async def check(self) -> CheckResult:
+        """Check all domains for health and SSL status."""
+        deployments: list[DeploymentStatus] = []
+        findings: list[Finding] = []
+        errors: list[str] = []
+
+        domains = self.settings.domains_to_monitor
+        if not domains:
+            return CheckResult(
+                check_type=self.check_type,
+                success=True,
+                metadata={"skipped": "no domains configured (set DOMAINS_TO_MONITOR)"},
+            )
+
+        for domain in domains:
+            try:
+                # Check SSL certificate
+                ssl_info = await self._check_ssl(domain)
+
+                if ssl_info.get("error"):
+                    status = CheckStatus.UNHEALTHY
+                    findings.append(
+                        Finding(
+                            severity=Severity.HIGH,
+                            title=f"SSL check failed: {domain}",
+                            description=ssl_info["error"],
+                            resource=domain,
+                            remediation="Check domain DNS and certificate configuration",
+                        )
+                    )
+                else:
+                    days_until_expiry = ssl_info.get("days_until_expiry", 0)
+
+                    if days_until_expiry <= self.SSL_CRITICAL_DAYS:
+                        status = CheckStatus.UNHEALTHY
+                        findings.append(
+                            Finding(
+                                severity=Severity.CRITICAL,
+                                title=f"SSL certificate expiring soon: {domain}",
+                                description=f"Certificate expires in {days_until_expiry} days",
+                                resource=domain,
+                                remediation="Renew SSL certificate immediately",
+                            )
+                        )
+                    elif days_until_expiry <= self.SSL_WARNING_DAYS:
+                        status = CheckStatus.HEALTHY
+                        findings.append(
+                            Finding(
+                                severity=Severity.WARNING,
+                                title=f"SSL certificate expiring: {domain}",
+                                description=f"Certificate expires in {days_until_expiry} days",
+                                resource=domain,
+                                remediation="Plan SSL certificate renewal",
+                            )
+                        )
+                    else:
+                        status = CheckStatus.HEALTHY
+
+                deployments.append(
+                    DeploymentStatus(
+                        platform="domain",
+                        project_name=domain,
+                        deployment_id=domain,
+                        status=status,
+                        url=f"https://{domain}",
+                        metadata={
+                            "ssl_valid": not ssl_info.get("error"),
+                            "ssl_expiry": ssl_info.get("expiry"),
+                            "ssl_days_remaining": ssl_info.get("days_until_expiry"),
+                            "ssl_issuer": ssl_info.get("issuer"),
+                        },
+                    )
+                )
+
+            except httpx.HTTPStatusError as e:
+                errors.append(
+                    f"HTTP {e.response.status_code} checking {domain}: {e.response.text[:200]}"
+                )
+            except httpx.RequestError as e:
+                errors.append(f"Network error checking {domain}: {e}")
+            except TimeoutError:
+                errors.append(f"Timeout checking {domain}")
+            except Exception as e:
+                errors.append(f"Unexpected error checking {domain}: {e}")
+
+        all_healthy = all(d.status == CheckStatus.HEALTHY for d in deployments)
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=len(errors) == 0 and all_healthy,
+            deployments=deployments,
+            findings=findings,
+            errors=errors,
+        )
+
+    async def _check_ssl(self, domain: str) -> dict:
+        """Check SSL certificate for a domain."""
+        try:
+            # Run in thread pool since ssl is blocking
+            loop = asyncio.get_event_loop()
+            return await loop.run_in_executor(None, self._get_ssl_info, domain)
+        except Exception as e:
+            return {"error": str(e)}
+
+    def _get_ssl_info(self, domain: str) -> dict:
+        """Get SSL certificate information (blocking)."""
+        try:
+            # First check DNS resolution
+            try:
+                socket.gethostbyname(domain)
+            except socket.gaierror as e:
+                return {"error": f"DNS resolution failed for {domain}: {e}"}
+
+            # Try SSL connection
+            context = ssl.create_default_context()
+            # Allow more lenient SSL for checking (we're just checking expiry, not validating trust)
+            context.check_hostname = True
+            context.verify_mode = ssl.CERT_REQUIRED
+
+            with socket.create_connection((domain, 443), timeout=10) as sock:
+                with context.wrap_socket(sock, server_hostname=domain) as ssock:
+                    cert = ssock.getpeercert()
+
+                    # Parse expiry date
+                    expiry_str = cert.get("notAfter", "")
+                    # Format: 'Dec 25 23:59:59 2025 GMT'
+                    expiry = datetime.strptime(expiry_str, "%b %d %H:%M:%S %Y %Z")
+                    expiry = expiry.replace(tzinfo=UTC)
+
+                    now = datetime.now(UTC)
+                    days_until_expiry = (expiry - now).days
+
+                    # Get issuer
+                    issuer_dict = dict(x[0] for x in cert.get("issuer", []))
+                    issuer = issuer_dict.get("organizationName", "Unknown")
+
+                    return {
+                        "expiry": expiry.isoformat(),
+                        "days_until_expiry": days_until_expiry,
+                        "issuer": issuer,
+                    }
+        except TimeoutError:
+            return {
+                "error": f"Connection timeout to {domain}:443 - domain may be down or behind firewall"
+            }
+        except socket.gaierror as e:
+            return {"error": f"DNS resolution failed for {domain}: {e}"}
+        except ssl.SSLError as e:
+            # More specific SSL error messages
+            error_msg = str(e)
+            if "certificate verify failed" in error_msg.lower():
+                return {"error": f"SSL certificate verification failed for {domain}: {e}"}
+            elif "handshake" in error_msg.lower():
+                return {"error": f"SSL handshake failed for {domain}: {e}"}
+            else:
+                return {"error": f"SSL error for {domain}: {e}"}
+        except ConnectionRefusedError:
+            return {"error": f"Connection refused to {domain}:443 - service may be down"}
+        except OSError as e:
+            if "Network is unreachable" in str(e):
+                return {"error": f"Network unreachable for {domain}: {e}"}
+            return {"error": f"Connection error for {domain}: {e}"}
+        except Exception as e:
+            return {"error": f"Failed to check {domain}: {e}"}

devguard/checkers/firecrawl.py

@@ -0,0 +1,117 @@
+"""Firecrawl API usage checker."""
+
+import logging
+
+import httpx
+
+from devguard.checkers.base import BaseChecker
+from devguard.http_client import create_client, retry_with_backoff
+from devguard.models import CheckResult, CostMetric
+
+logger = logging.getLogger(__name__)
+
+
+class FirecrawlChecker(BaseChecker):
+    """Check Firecrawl API credit usage."""
+
+    check_type = "firecrawl"
+
+    async def check(self) -> CheckResult:
+        """Check Firecrawl credit usage."""
+        errors: list[str] = []
+
+        if not self.settings.firecrawl_api_key:
+            return CheckResult(
+                check_type=self.check_type,
+                success=False,
+                deployments=[],
+                errors=["Firecrawl API key not configured"],
+            )
+
+        # Handle SecretStr
+        firecrawl_key = self.settings.firecrawl_api_key
+        if hasattr(firecrawl_key, "get_secret_value"):
+            firecrawl_key = firecrawl_key.get_secret_value()
+
+        headers = {
+            "Authorization": f"Bearer {firecrawl_key}",
+        }
+
+        try:
+            async with create_client() as client:
+
+                async def fetch_usage():
+                    response = await client.get(
+                        "https://api.firecrawl.dev/v2/team/credit-usage",
+                        headers=headers,
+                        timeout=10.0,
+                    )
+                    response.raise_for_status()
+                    return response
+
+                response = await retry_with_backoff(fetch_usage, max_retries=3)
+                data = response.json()
+
+                # Extract usage data
+                usage_data = data.get("data", {})
+                remaining = usage_data.get("remaining_credits", 0)
+                plan_credits = usage_data.get("plan_credits", 0)
+                usage_percent = (
+                    ((plan_credits - remaining) / plan_credits * 100) if plan_credits > 0 else 0
+                )
+
+                metadata = {
+                    "remaining_credits": remaining,
+                    "plan_credits": plan_credits,
+                    "usage_percent": round(usage_percent, 2),
+                    "billing_period_start": usage_data.get("billing_period_start"),
+                    "billing_period_end": usage_data.get("billing_period_end"),
+                }
+
+                # Create cost metric with estimated cost
+                # Firecrawl pricing: $0.005 per credit (standard plan)
+                # Hobby: $16/3000 = $0.0053, Standard: $83/100k = $0.00083
+                # Use $0.005 as standard estimate
+                credits_used = plan_credits - remaining
+                estimated_cost = max(0.0, credits_used * 0.005) if credits_used > 0 else 0.0
+
+                cost_metrics = [
+                    CostMetric(
+                        service="firecrawl",
+                        period="billing_period",
+                        amount=estimated_cost,
+                        usage=float(credits_used),
+                        limit=float(plan_credits),
+                        usage_percent=round(usage_percent, 2),
+                        metadata={
+                            "unit": "credits",
+                            "cost_per_credit": 0.005,
+                            "estimated": True,
+                        },
+                    )
+                ]
+
+                return CheckResult(
+                    check_type=self.check_type,
+                    success=True,
+                    deployments=[],
+                    errors=[],
+                    cost_metrics=cost_metrics,
+                    metadata=metadata,
+                )
+
+        except httpx.HTTPStatusError as e:
+            status_code = e.response.status_code
+            error_text = e.response.text[:100]
+            errors.append(f"HTTP {status_code}: {error_text}")
+        except httpx.RequestError as e:
+            errors.append(f"Network error: {str(e)}")
+        except Exception as e:
+            errors.append(f"Unexpected error: {str(e)}")
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=False,
+            deployments=[],
+            errors=errors,
+        )

devguard/checkers/fly.py

@@ -0,0 +1,225 @@
+"""Fly.io deployment status checker."""
+
+import logging
+
+import httpx
+
+from devguard.checkers.base import BaseChecker
+from devguard.http_client import create_client, retry_with_backoff
+from devguard.models import CheckResult, CheckStatus, DeploymentStatus
+
+logger = logging.getLogger(__name__)
+
+
+class FlyChecker(BaseChecker):
+    """Check Fly.io deployments for health status."""
+
+    check_type = "fly"
+
+    async def check(self) -> CheckResult:
+        """Check Fly.io deployments."""
+        deployments: list[DeploymentStatus] = []
+        errors: list[str] = []
+
+        if not self.settings.fly_api_token:
+            return CheckResult(
+                check_type=self.check_type,
+                success=False,
+                deployments=[],
+                errors=["Fly.io API token not configured"],
+            )
+
+        # Handle SecretStr
+        fly_token = self.settings.fly_api_token
+        if hasattr(fly_token, "get_secret_value"):
+            fly_token = fly_token.get_secret_value()
+
+        headers = {
+            "Authorization": f"Bearer {fly_token}",
+        }
+
+        try:
+            async with create_client() as client:
+                # Get list of apps
+                apps = await self._get_apps(client, headers)
+
+                # Check status for each app
+                for app in apps:
+                    try:
+                        app_deployments = await self._get_app_status(client, headers, app)
+                        deployments.extend(app_deployments)
+                    except httpx.HTTPStatusError as e:
+                        status_code = e.response.status_code
+                        error_text = e.response.text[:100]
+                        errors.append(
+                            f"Error checking app {app}: HTTP {status_code} - {error_text}"
+                        )
+                    except httpx.RequestError as e:
+                        errors.append(f"Error checking app {app}: Network error - {str(e)}")
+                    except Exception as e:
+                        errors.append(f"Error checking app {app}: {str(e)}")
+
+        except httpx.RequestError as e:
+            errors.append(f"Error connecting to Fly.io API: {str(e)}")
+        except Exception as e:
+            errors.append(f"Error checking Fly.io: {str(e)}")
+
+        return CheckResult(
+            check_type=self.check_type,
+            success=len(errors) == 0,
+            deployments=deployments,
+            errors=errors,
+        )
+
+    async def _get_apps(self, client: httpx.AsyncClient, headers: dict) -> list[str]:
+        """Get list of apps to monitor."""
+        if self.settings.fly_apps_to_monitor:
+            return self.settings.fly_apps_to_monitor
+
+        # Get all apps
+        try:
+
+            async def fetch_apps():
+                response = await client.get(
+                    "https://api.machines.dev/v1/apps",
+                    headers=headers,
+                )
+                response.raise_for_status()
+                return response
+
+            response = await retry_with_backoff(fetch_apps, max_retries=3)
+            data = response.json()
+            return [app.get("name", "") for app in data if app.get("name")]
+        except httpx.HTTPStatusError as e:
+            logger.warning(f"Failed to fetch Fly.io apps: HTTP {e.response.status_code}")
+        except httpx.RequestError as e:
+            logger.warning(f"Failed to fetch Fly.io apps: {str(e)}")
+        except Exception as e:
+            logger.warning(f"Unexpected error fetching Fly.io apps: {str(e)}")
+
+        return []
+
+    async def _get_app_status(
+        self, client: httpx.AsyncClient, headers: dict, app_name: str
+    ) -> list[DeploymentStatus]:
+        """Get status for a Fly.io app."""
+        deployments: list[DeploymentStatus] = []
+
+        try:
+            # Get app status with retry
+            async def fetch_app():
+                response = await client.get(
+                    f"https://api.machines.dev/v1/apps/{app_name}",
+                    headers=headers,
+                )
+                response.raise_for_status()
+                return response
+
+            response = await retry_with_backoff(fetch_app, max_retries=3)
+            app_data = response.json()
+
+            # Get machines/instances with retry
+            async def fetch_machines():
+                response = await client.get(
+                    f"https://api.machines.dev/v1/apps/{app_name}/machines",
+                    headers=headers,
+                )
+                response.raise_for_status()
+                return response
+
+            machines = []
+            try:
+                machines_response = await retry_with_backoff(fetch_machines, max_retries=3)
+                machines_data = machines_response.json()
+                # API returns a list directly, not a dict with "machines" key
+                if isinstance(machines_data, list):
+                    machines = machines_data
+                else:
+                    machines = machines_data.get("machines", [])
+            except httpx.RequestError as e:
+                logger.warning(f"Failed to fetch machines for {app_name}: {str(e)}")
+
+            # Determine overall health based on machine states
+            status = CheckStatus.HEALTHY
+            status_reason = None
+
+            if not machines:
+                # App exists but has no machines - likely suspended or scaled to zero
+                # Check if app is explicitly suspended
+                app_state = app_data.get("state", "").lower()
+                if app_state == "suspended":
+                    status = CheckStatus.UNKNOWN
+                    status_reason = "App is suspended (intentional)"
+                else:
+                    status = CheckStatus.UNKNOWN
+                    status_reason = "No machines running (suspended or scaled to zero)"
+            else:
+                # Check machine states
+                running_count = 0
+                stopped_count = 0
+                failed_count = 0
+
+                for machine in machines:
+                    machine_state = machine.get("state", "").lower()
+                    if machine_state in ["started", "running"]:
+                        running_count += 1
+                    elif machine_state in ["stopped", "suspended"]:
+                        stopped_count += 1
+                    elif machine_state in ["destroyed", "failed"]:
+                        failed_count += 1
+
+                if failed_count > 0:
+                    status = CheckStatus.UNHEALTHY
+                    status_reason = f"{failed_count} machine(s) failed"
+                elif running_count == 0 and stopped_count > 0:
+                    status = CheckStatus.UNKNOWN
+                    status_reason = f"All {stopped_count} machine(s) stopped"
+                elif running_count > 0:
+                    status = CheckStatus.HEALTHY
+                    status_reason = f"{running_count} machine(s) running"
+
+            # Get latest deployment
+            latest_deployment = None
+            if machines:
+                # Find the most recent machine
+                latest_machine = max(
+                    machines,
+                    key=lambda m: m.get("created_at", ""),
+                    default=None,
+                )
+                if latest_machine:
+                    latest_deployment = latest_machine.get("id")
+
+            url = app_data.get("hostname")
+            if not url:
+                # Fallback to standard Fly.io domain if hostname is missing
+                url = f"{app_name}.fly.dev"
+
+            if url and not url.startswith("http"):
+                url = f"https://{url}"
+
+            deployment = DeploymentStatus(
+                platform="fly",
+                project_name=app_name,
+                deployment_id=latest_deployment or app_name,
+                status=status,
+                url=url,
+                metadata={
+                    "machines_count": len(machines),
+                    "app_id": app_data.get("id"),
+                    "status_reason": status_reason,
+                },
+            )
+
+            deployments.append(deployment)
+
+        except httpx.HTTPStatusError as e:
+            logger.warning(
+                f"Failed to get status for Fly.io app {app_name}: HTTP {e.response.status_code}"
+            )
+        except httpx.RequestError as e:
+            logger.warning(f"Network error checking Fly.io app {app_name}: {str(e)}")
+        except Exception as e:
+            logger.warning(f"Unexpected error checking Fly.io app {app_name}: {str(e)}")
+
+        return deployments