gitlabcis 1.3.2__py3-none-any.whl

gitlabcis/benchmarks/build_pipelines_2/build_worker_2_2.py

@@ -0,0 +1,129 @@
+# -------------------------------------------------------------------------
+
+
+def single_use_workers(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.1
+    title: Ensure build workers are single-used
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def pass_worker_envs_and_commands(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.2
+    title: Ensure build worker environments and commands are
+           passed and not pulled
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def segregate_worker_duties(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.3
+    title: Ensure the duties of each build worker are segregated
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+
+    try:
+        project_runners = glEntity.runners.list(get_all=True)
+        assigned_runners = [
+            runner for runner in project_runners
+            if not runner.is_shared
+        ]
+        if not assigned_runners:
+            return {False: 'No project_assigned_runners available'}
+        else:
+            return {True: 'project_assigned_runners available'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def restrict_worker_connectivity(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.4
+    title: Ensure build workers have minimal network connectivity
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def worker_runtime_security(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.5
+    title: Ensure run-time security is enforced for build workers
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def build_worker_vuln_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.6
+    title: Ensure build workers are automatically scanned for
+           vulnerabilities
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def store_worker_config(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.7
+    title: Ensure build workers' deployment configuration is stored in
+           a version control platform
+    """
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+        else:
+            return {True: 'Build workers deployment configuration '
+                    'is stored in a version control platform'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def monitor_worker_resource_consumption(glEntity, glObject, **kwargs):
+    """
+    id: 2.2.8
+    title: Ensure resource consumption of build workers is monitored
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/build_pipelines_2/pipeline_instructions_2_3.py

@@ -0,0 +1,444 @@
+# -------------------------------------------------------------------------
+
+
+def build_steps_as_code(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.1
+    title: Ensure all build steps are defined as code
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+        else:
+            return {True: 'Build steps are defined as code'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def build_stage_io(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.2
+    title: Ensure steps have clearly defined build stage input and
+           output
+    """
+
+    import base64
+
+    import yaml
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+
+        gl_ci_yml_content = ciFile.content
+        gl_ci_yml_decode = base64.b64decode(gl_ci_yml_content).decode('utf-8')
+        gitlab_ci_yml_dict = yaml.safe_load(gl_ci_yml_decode)
+        if not gitlab_ci_yml_dict:
+            return {False: 'gitlab_ci_yml file is empty'}
+        else:
+            if ('stages' in gitlab_ci_yml_dict
+                    and 'build' in gitlab_ci_yml_dict['stages']):
+                build_jobs = [
+                    job_name for job_name, job in gitlab_ci_yml_dict.items()
+                    if isinstance(job, dict) and job.get('stage') == 'build'
+                ]
+                if not build_jobs:
+                    return {True: 'No build stage detected'
+                            ' in gitlab_ci_yml'}
+                for job_name in build_jobs:
+                    job = gitlab_ci_yml_dict[job_name]
+                    if 'script' in job:
+                        if 'artifacts' in job:
+                            continue
+                        else:
+                            return {False: 'No output found for a '
+                                    'job in the build stage'}
+                    else:
+                        return {False: 'No script found for '
+                                'a job in the build stage'}
+            else:
+                return {False: 'No build stages detected in gitlab_ci_yml'}
+            return {True: 'input and output has defined '
+                    'for each build stage.'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def secure_pipeline_output(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.3
+    title: Ensure output is written to a separate, secured storage
+           repository
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def track_pipeline_files(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.4
+    title: Ensure changes to pipeline files are tracked and reviewed
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+        else:
+            return {True: 'changes to pipeline files are '
+                    'being tracked and reviewed'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def limit_pipeline_triggers(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.5
+    title: Ensure access to build process triggering is minimized
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+
+    try:
+        protected_environments = glEntity.protected_environments.list()
+        if not protected_environments:
+            return {False: 'No protected environment detected'}
+        return {None: 'This check requires validation'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def pipeline_misconfiguration_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.6
+    title: Ensure pipelines are automatically scanned for
+           misconfigurations
+    """
+
+    import yaml
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    from gql import Client, gql
+    from gql.transport.exceptions import (TransportAlreadyConnected,
+                                          TransportServerError)
+    from gql.transport.requests import RequestsHTTPTransport
+    from graphql import GraphQLError
+
+    try:
+
+        variables = {
+            'fullPath': glEntity.path_with_namespace
+        }
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    client = Client(
+        transport=RequestsHTTPTransport(
+            url=kwargs.get('graphQLEndpoint'),
+            headers=kwargs.get('graphQLHeaders'),
+            use_json=True
+        ),
+        fetch_schema_from_transport=True
+    )
+
+    query = gql('''
+    query GetSecurityScanners($fullPath: ID!) {
+        project(fullPath: $fullPath) {
+            scanExecutionPolicies {
+            nodes {
+                name
+                enabled
+                yaml
+             }
+          }
+        }
+        }
+    ''')
+
+    try:
+
+        results = client.execute(query, variable_values=variables)
+
+    except (GraphQLError, TransportServerError, TransportAlreadyConnected):
+        return {None: 'Error: Issue with GraphQL Query'}
+
+    # when pytest runs without auth:
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+    try:
+        required_scans = [
+            'dast', 'secret_detection', 'cluster_image_scanning',
+            'container_scanning', 'sast', 'sast_iac', 'dependency_scanning'
+        ]
+
+        scans_found = set()
+        dast_policy_found = False
+        sast_policy_found = False
+        for policy in results['project']['scanExecutionPolicies']['nodes']:
+            if policy.get('enabled') is True:
+                policy_yaml = yaml.safe_load(policy.get('yaml', ''))
+                actions = policy_yaml.get('actions', [])
+                rules = policy_yaml.get('rules', [])
+                for action in actions:
+                    scans_found.add(action.get('scan'))
+                    if action.get('scan') == 'sast':
+                        for rule in rules:
+                            if (
+                                rule.get('type') == 'pipeline'
+                                and '*' in rule.get('branches', [])
+                            ):
+                                sast_policy_found = True
+                    elif action.get('scan') == 'dast':
+                        for rule in rules:
+                            if (
+                                rule.get('type') == 'pipeline'
+                                and '*' in rule.get('branches', [])
+                            ):
+                                dast_policy_found = True
+        missing_scans = [
+            scan for scan in required_scans
+            if scan not in scans_found
+            ]
+        if (dast_policy_found and sast_policy_found):
+            if missing_scans:
+                return {
+                    True: (
+                        'Scan Execution Policy for sast and dast is '
+                        'enabled and triggers for all pipelines and '
+                        'branches. Other missing scans for manual review:'
+                        f'{", ".join(missing_scans)}'
+                    )
+                }
+            else:
+                return {
+                    True: (
+                        'Scan Execution Policy for sast and dast is '
+                        'enabled and triggers for all pipelines and '
+                        'branches. All required scans are covered.'
+                    )
+                }
+        else:
+            return {
+                False: (
+                    'Required Scan Execution Policy '
+                    'is not enabled to trigger for all pipelines '
+                    'and branches. Missing scans to '
+                    f'review: {", ".join(missing_scans)}'
+                )
+            }
+    except KeyError:
+        return {False: 'Scan Execution Policy was not found'}
+
+
+# -------------------------------------------------------------------------
+
+
+def pipeline_vuln_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.7
+    title: Ensure pipelines are automatically scanned for
+           vulnerabilities
+    """
+
+    import yaml
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    from gql import Client, gql
+    from gql.transport.exceptions import (TransportAlreadyConnected,
+                                          TransportServerError)
+    from gql.transport.requests import RequestsHTTPTransport
+    from graphql import GraphQLError
+
+    try:
+
+        variables = {
+            'fullPath': glEntity.path_with_namespace
+        }
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    client = Client(
+        transport=RequestsHTTPTransport(
+            url=kwargs.get('graphQLEndpoint'),
+            headers=kwargs.get('graphQLHeaders'),
+            use_json=True
+        ),
+        fetch_schema_from_transport=True
+    )
+
+    query = gql('''
+    query GetSecurityScanners($fullPath: ID!) {
+        project(fullPath: $fullPath) {
+            scanExecutionPolicies {
+            nodes {
+                name
+                enabled
+                yaml
+             }
+          }
+        }
+        }
+    ''')
+
+    try:
+
+        results = client.execute(query, variable_values=variables)
+
+    except (GraphQLError, TransportServerError, TransportAlreadyConnected):
+        return {None: 'Error: Issue with GraphQL Query'}
+
+    # pytest no auth:
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+    try:
+        required_scans = [
+            'dast', 'secret_detection', 'cluster_image_scanning',
+            'container_scanning', 'sast', 'sast_iac', 'dependency_scanning'
+        ]
+
+        scans_found = set()
+        dast_policy_found = False
+        sast_policy_found = False
+        for policy in results['project']['scanExecutionPolicies']['nodes']:
+            if policy.get('enabled') is True:
+                policy_yaml = yaml.safe_load(policy.get('yaml', ''))
+                actions = policy_yaml.get('actions', [])
+                rules = policy_yaml.get('rules', [])
+                for action in actions:
+                    scans_found.add(action.get('scan'))
+                    if action.get('scan') == 'sast':
+                        for rule in rules:
+                            if (
+                                rule.get('type') == 'pipeline'
+                                and '*' in rule.get('branches', [])
+                            ):
+                                sast_policy_found = True
+                    elif action.get('scan') == 'dast':
+                        for rule in rules:
+                            if (
+                                rule.get('type') == 'pipeline'
+                                and '*' in rule.get('branches', [])
+                            ):
+                                dast_policy_found = True
+        missing_scans = [
+            scan for scan in required_scans
+            if scan not in scans_found
+            ]
+        if (dast_policy_found and sast_policy_found):
+            if missing_scans:
+                return {
+                    True: (
+                        'Scan Execution Policy for sast and dast is '
+                        'enabled and triggers for all pipelines and '
+                        'branches. Other missing scans for manual review:'
+                        f'{", ".join(missing_scans)}'
+                    )
+                }
+            else:
+                return {
+                    True: (
+                        'Scan Execution Policy for sast and dast is '
+                        'enabled and triggers for all pipelines and '
+                        'branches. All required scans are covered.'
+                    )
+                }
+        else:
+            return {
+                False: (
+                    'Required Scan Execution Policy '
+                    'is not enabled to trigger for all pipelines '
+                    'and branches. Missing scans to '
+                    f'review: {", ".join(missing_scans)}'
+                )
+            }
+    except KeyError:
+        return {False: 'Scan Execution Policy was not found'}
+
+
+# -------------------------------------------------------------------------
+
+
+def pipeline_secret_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 2.3.8
+    title: Ensure scanners are in place to identify and prevent
+           sensitive data in pipeline files
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+
+        _result = ci.searchConfig(
+            glEntity, glObject, 'secret-detection')
+
+        result, reason = _result.popitem()
+
+        if result is True:
+            return {True: 'Secret-Detection is enabled'}
+        else:
+            return {False: 'Secret-Detection is not enabled'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}