PyPI - gitlabcis - Versions diffs - 1.3.2__py3-none-any.whl - Mend

gitlabcis 1.3.2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (218) hide show

gitlabcis/__init__.py ADDED Viewed

@@ -0,0 +1,12 @@
+# -------------------------------------------------------------------------
+from gitlabcis import benchmarks  # noqa: F401
+from gitlabcis.cli.output import output  # noqa: F401
+from gitlabcis.utils import countRecommendations  # noqa: F401
+from gitlabcis.utils import mapRecommendations  # noqa: F401
+from gitlabcis.utils import readRecommendations  # noqa: F401
+# -------------------------------------------------------------------------
+__author__ = 'nmcdonald+gitlabcis@gitlab.com'
+__version__ = '1.3.2'  # noqa: E999

gitlabcis/__main__.py ADDED Viewed

@@ -0,0 +1,7 @@
+# -------------------------------------------------------------------------
+from gitlabcis.cli import main
+# -------------------------------------------------------------------------
+main.main()

gitlabcis/benchmarks/__init__.py ADDED Viewed

@@ -0,0 +1,8 @@
+# -------------------------------------------------------------------------
+from . import source_code_1  # noqa: F401
+from . import build_pipelines_2  # noqa: F401
+from . import dependencies_3  # noqa: F401
+from . import artifacts_4  # noqa: F401
+from . import deployment_5  # noqa: F401
+# -------------------------------------------------------------------------

gitlabcis/benchmarks/artifacts_4/__init__.py ADDED Viewed

@@ -0,0 +1,4 @@
+from . import verification_4_1  # noqa: F401
+from . import access_to_artifacts_4_2  # noqa: F401
+from . import package_registries_4_3  # noqa: F401
+from . import origin_traceability_4_4  # noqa: F401

gitlabcis/benchmarks/artifacts_4/access_to_artifacts_4_2.py ADDED Viewed

@@ -0,0 +1,139 @@
+# -------------------------------------------------------------------------
+def limit_certifying_artifacts(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.1
+    title: Ensure the authority to certify artifacts is limited
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def limit_artifact_uploaders(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.2
+    title: Ensure number of permitted users who may upload new
+           artifacts is minimized
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        members = glEntity.members.list(all=True)
+        maintainer_and_above = sum(
+            1 for member in members if
+            member.access_level >= 40)
+        total_members = len(members)
+        maintainer_and_above_percentage = (
+            (maintainer_and_above / total_members) * 100
+        )
+        if maintainer_and_above_percentage < 20 or maintainer_and_above < 3:
+            return {True: 'Number of permitted users who can upload new '
+                    ' artifacts are limited'}
+        else:
+            return {False: 'Number of permitted users who can upload new '
+                    ' artifacts are not limited'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def require_mfa_to_package_registry(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.3
+    title: Ensure user access to the package registry utilizes Multi-
+           Factor Authentication (MFA)
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        settings = glObject.settings.get()
+        if settings.require_two_factor_authentication:
+            return {True: 'Enforce two-factor authentication is enabled'}
+        else:
+            return {False: 'Enforce two-factor authentication is not enabled'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def external_auth_server(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.4
+    title: Ensure user management of the package registry is not
+           local
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def restrict_anonymous_access(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.5
+    title: Ensure anonymous access to artifacts is revoked
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        settings = glObject.settings.get()
+        project_visibility = settings.default_project_visibility
+        if (project_visibility == 'public'):
+            return {False: 'Project is Public'}
+        else:
+            return {True: f'Project visibility is {project_visibility}'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def minimum_package_registry_admins(glEntity, glObject, **kwargs):
+    """
+    id: 4.2.6
+    title: Ensure minimum number of administrators are set for the
+           package registry
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        members = glEntity.members.list(all=True)
+        reporter_and_above = sum(
+            1 for member in members if
+            member.access_level >= 20)
+        total_members = len(members)
+        reporter_and_above_percentage = (
+            (reporter_and_above / total_members) * 100
+        )
+        if reporter_and_above_percentage < 40 or reporter_and_above < 3:
+            return {True: 'Build access is limited, less than 40% '
+                    'of the members have Reporter/Developer role or above'}
+        else:
+            return {False: 'Build access is not limited, over 40% '
+                    'of the members have Reporter/Developer role or above'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}

gitlabcis/benchmarks/artifacts_4/origin_traceability_4_4.py ADDED Viewed

@@ -0,0 +1,11 @@
+# -------------------------------------------------------------------------
+def artifact_origin_info(glEntity, glObject, **kwargs):
+    """
+    id: 4.4.1
+    title: Ensure artifacts contain information about their origin
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/artifacts_4/package_registries_4_3.py ADDED Viewed

@@ -0,0 +1,105 @@
+# -------------------------------------------------------------------------
+def validate_signed_artifacts_on_upload(glEntity, glObject, **kwargs):
+    """
+    id: 4.3.1
+    title: Ensure all signed artifacts are validated upon uploading the
+           package registry
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        commits = glEntity.commits.list(all=True)
+        for commit in commits:
+            comit_id = commit.id
+            commit_info = glEntity.commits.get(comit_id)
+            if commit_info.status is None:
+                return {False: 'Commits are not signed'}
+            if commit_info.status != 'verified':
+                return {False: 'There are unverified commits'}
+        return {True: 'All commits are verified'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def all_artifact_versions_signed(glEntity, glObject, **kwargs):
+    """
+    id: 4.3.2
+    title: Ensure all versions of an existing artifact have their
+           signatures validated
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        commits = glEntity.commits.list(all=True)
+        for commit in commits:
+            comit_id = commit.id
+            commit_info = glEntity.commits.get(comit_id)
+            if commit_info.status is None:
+                return {False: 'Commits are not signed'}
+            if commit_info.status != 'verified':
+                return {False: 'There are unverified commits'}
+        return {True: 'All commits are verified'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def audit_package_registry_config(glEntity, glObject, **kwargs):
+    """
+    id: 4.3.3
+    title: Ensure changes in package registry configuration are
+           audited
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def secure_repo_webhooks(glEntity, glObject, **kwargs):
+    """
+    id: 4.3.4
+    title: Ensure webhooks of the repository are secured
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        webhooks = glEntity.hooks.list()
+        if not webhooks:
+            return {True: 'No webhooks found'}
+        for webhook in webhooks:
+            if (webhook.url.startswith('https://') and
+                    webhook.enable_ssl_verification):
+                continue
+            elif webhook.url.startswith('https://'):
+                return {False: f'{webhook.url}' + ' uses '
+                        'HTTPS but SSL verification is disabled'}
+            else:
+                return {False: f'{webhook.url}' + ' is '
+                        'insecure (not using HTTPS)'}
+        return {True: 'All webhooks are secure'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}

gitlabcis/benchmarks/artifacts_4/verification_4_1.py ADDED Viewed

@@ -0,0 +1,83 @@
+# -------------------------------------------------------------------------
+def sign_artifacts_in_build_pipeline(glEntity, glObject, **kwargs):
+    """
+    id: 4.1.1
+    title: Ensure all artifacts are signed by the build pipeline itself
+    """
+    import io
+    import os
+    import zipfile
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        Build_stage_jobs = []
+        build_stage = False
+        pipelines = glEntity.pipelines.list(get_all=False)
+        if not pipelines:
+            return {False: 'No pipelines found'}
+        latestPipeline = pipelines[0]
+        jobs = latestPipeline.jobs.list()
+        build_stage = []
+        for job in jobs:
+            if job.stage == 'build':
+                build_stage = True
+                Build_stage_jobs.append(job)
+        if not build_stage:
+            return {False: 'No build stages available'}
+        for job in Build_stage_jobs:
+            job_info = glEntity.jobs.get(job.id)
+            artifact = job_info.artifacts()
+            byte_stream = io.BytesIO(artifact)
+        with zipfile.ZipFile(byte_stream) as z:
+            file_list = z.namelist()
+        for file_name in file_list:
+            base_name, extension = os.path.splitext(file_name)
+            sig_file = f"{base_name}.sig"
+            if sig_file not in file_list:
+                return {False: 'Artifacts are not being signed'}
+        return {True: 'Artifacts are signed'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def encrypt_artifacts_before_distribution(glEntity, glObject, **kwargs):
+    """
+    id: 4.1.2
+    title: Ensure artifacts are encrypted before distribution
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def only_authorized_platforms_can_decrypt_artifacts(
+        glEntity, glObject, **kwargs):
+    """
+    id: 4.1.3
+    title: Ensure only authorized platforms have decryption
+           capabilities of artifacts
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/build_pipelines_2/__init__.py ADDED Viewed

@@ -0,0 +1,4 @@
+from . import build_environment_2_1  # noqa: F401
+from . import build_worker_2_2  # noqa: F401
+from . import pipeline_instructions_2_3  # noqa: F401
+from . import pipeline_integrity_2_4  # noqa: F401

gitlabcis/benchmarks/build_pipelines_2/build_environment_2_1.py ADDED Viewed

@@ -0,0 +1,268 @@
+# -------------------------------------------------------------------------
+def single_responsibility_pipeline(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.1
+    title: Ensure each pipeline has a single responsibility
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        pipelines = glEntity.pipelines.list(get_all=False)
+        if not pipelines:
+            return {True: 'No pipelines found'}
+        latestPipeline = pipelines[0]
+        jobs = latestPipeline.jobs.list()
+        buildStages = set()
+        multiBuildJobs = False
+        for job in jobs:
+            _stage = job.stage.lower()
+            if 'build' in _stage:
+                if _stage in buildStages:
+                    multiBuildJobs = True
+                    break
+                buildStages.add(_stage)
+        if len(buildStages) == 0:
+            return {None: 'No build stage found'}
+        # either there are multiple pipeline stages with "build" in the name
+        # or there are multiple jobs in those stages
+        if multiBuildJobs is True:
+            return {False: 'Multi build stages or build jobs found'}
+        # there's a single build stage, which has a single job:
+        return {True: 'Build phase has a single responsibility'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [403, 401]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def immutable_pipeline_infrastructure(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.2
+    title: Ensure all aspects of the pipeline infrastructure and
+           configuration are immutable
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def build_logging(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.3
+    title: Ensure the build environment is logged
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def build_automation(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.4
+    title: Ensure the creation of the build environment is automated
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    from gitlabcis.utils import ci
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+        ciFile, reason = gitlab_ci_yml.popitem()
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+        else:
+            return {True: 'The build environment creation is automated'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def limit_build_access(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.5
+    title: Ensure access to build environments is limited
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        members = glEntity.members.list(all=True)
+        reporter_and_above = sum(
+            1 for member in members if
+            member.access_level >= 20)
+        total_members = len(members)
+        reporter_and_above_percentage = (
+            (reporter_and_above / total_members) * 100
+        )
+        if reporter_and_above_percentage < 40 or reporter_and_above < 3:
+            return {True: 'Build access is limited, less than 40% '
+                    'of the members have Reporter/Developer role or above'}
+        else:
+            return {False: 'Build access is not limited, over 40% '
+                    'of the members have Reporter/Developer role or above'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def authenticate_build_access(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.6
+    title: Ensure users must authenticate to access the build
+           environment
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        members = glEntity.members.list(all=True)
+        reporter_and_above = sum(
+            1 for member in members if
+            member.access_level >= 20)
+        total_members = len(members)
+        reporter_and_above_percentage = (
+            (reporter_and_above / total_members) * 100
+        )
+        if reporter_and_above_percentage < 40 or reporter_and_above < 3:
+            return {True: 'Build access is limited, less than 40% '
+                    'of the members have Reporter/Developer role or above'}
+        else:
+            return {False: 'Build access is not limited, over 40% '
+                    'of the members have Reporter/Developer role or above'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def limit_build_secrets_scope(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.7
+    title: Ensure build secrets are limited to the minimal necessary
+           scope
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+# -------------------------------------------------------------------------
+def vuln_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.8
+    title: Ensure the build infrastructure is automatically scanned for
+           vulnerabilities
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation.'}
+# -------------------------------------------------------------------------
+def disable_build_tools_default_passwords(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.9
+    title: Ensure default passwords are not used
+    """
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation.'}
+# -------------------------------------------------------------------------
+def secure_build_env_webhooks(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.10
+    title: Ensure webhooks of the build environment are secured
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+    try:
+        webhooks = glEntity.hooks.list()
+        if not webhooks:
+            return {True: 'No webhooks found'}
+        for webhook in webhooks:
+            if (webhook.url.startswith('https://') and
+                    webhook.enable_ssl_verification):
+                continue
+            elif webhook.url.startswith('https://'):
+                return {False: f'{webhook.url}' + ' uses '
+                        'HTTPS but SSL verification is disabled'}
+            else:
+                return {False: f'{webhook.url}' + ' is '
+                        'insecure (not using HTTPS)'}
+        return {True: 'All webhooks are secure'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+# -------------------------------------------------------------------------
+def build_env_admins(glEntity, glObject, **kwargs):
+    """
+    id: 2.1.11
+    title: Ensure minimum number of administrators are set for the
+           build environment
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    try:
+        members = glEntity.members.list(all=True)
+        maintainer_and_above = sum(
+            1 for member in members if
+            member.access_level >= 40)
+        total_members = len(members)
+        maintainer_and_above_percentage = (
+            (maintainer_and_above / total_members) * 100
+        )
+        if maintainer_and_above_percentage < 20 or maintainer_and_above < 3:
+            return {True: 'Build access is limited, less than 20% '
+                    'of the members have Owner/Maintainer role'}
+        else:
+            return {False: 'Build access is not limited, over than 20% of '
+                    'the members have Owner/Maintainer role'}
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}