gitlabcis 1.3.2__py3-none-any.whl

gitlabcis/benchmarks/build_pipelines_2/pipeline_integrity_2_4.py

@@ -0,0 +1,146 @@
+# -------------------------------------------------------------------------
+
+
+def sign_artifacts(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.1
+    title: Ensure all artifacts on all releases are signed
+    """
+
+    # We cannot automatically answer this check, thereforewe  SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def lock_dependencies(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.2
+    title: Ensure all external dependencies used in the build
+           process are locked
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def validate_dependencies(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.3
+    title: Ensure dependencies are validated before being used
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        return ci.searchConfig(
+            glEntity, glObject, 'dependency-scanning')
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def create_reproducible_artifacts(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.4
+    title: Ensure the build pipeline creates reproducible artifacts
+    """
+
+    import base64
+
+    import yaml
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+
+        gl_ci_yml_content = ciFile.content
+        gl_ci_yml_decode = base64.b64decode(gl_ci_yml_content).decode('utf-8')
+        gitlab_ci_yml_dict = yaml.safe_load(gl_ci_yml_decode)
+        if gitlab_ci_yml_dict is None:
+            return {False: 'gitlab_ci_yml file not found'}
+        else:
+            if ('stages' in gitlab_ci_yml_dict
+                    and 'build' in gitlab_ci_yml_dict['stages']):
+                build_jobs = [
+                    job_name for job_name, job in gitlab_ci_yml_dict.items()
+                    if isinstance(job, dict) and job.get('stage') == 'build'
+                ]
+                if not build_jobs:
+                    return {True: 'No built stage detected'
+                            ' in gitlab_ci_yml'}
+                for job_name in build_jobs:
+                    job = gitlab_ci_yml_dict[job_name]
+                    if 'artifacts' in job:
+                        continue
+                    else:
+                        return {False: 'No artifacts found for a '
+                                'job in the build stage'}
+            else:
+                return {True: 'No stages detected in gitlab_ci_yml'}
+            return {True: 'Build pipeline creates reproducible artifacts'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def pipeline_produces_sbom(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.5
+    title: Ensure pipeline steps produce a Software Bill of Materials
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        _result = ci.searchConfig(
+            glEntity, glObject, 'dependency-scanning')
+
+        result, reason = _result.popitem()
+
+        if result is True:
+            return {True: 'dependency-scanning is enabled,'
+                    ' review CycloneDX SBOMs which named '
+                    'gl-sbom--.cdx.json, available as job '
+                    'artifacts of the dependency scanning job.'}
+        else:
+            return {result: reason}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def pipeline_sign_sbom(glEntity, glObject, **kwargs):
+    """
+    id: 2.4.6
+    title: Ensure pipeline steps sign the Software Bill of
+           Materials -(SBOM) produced
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/dependencies_3/__init__.py

@@ -0,0 +1,2 @@
+from . import third_party_packages_3_1  # noqa: F401
+from . import validate_packages_3_2  # noqa: F401

gitlabcis/benchmarks/dependencies_3/third_party_packages_3_1.py

@@ -0,0 +1,171 @@
+# -------------------------------------------------------------------------
+
+
+def verify_artifacts(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.1
+    title: Ensure third-party artifacts and open-source
+           libraries are verified
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def third_party_sbom_required(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.2
+    title: Ensure Software Bill of Materials (SBOM) is required from
+           all third-party suppliers
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def verify_signed_metadata(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.3
+    title: Ensure signed metadata of the build process is required and
+           verified
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def monitor_dependencies(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.4
+    title: Ensure dependencies are monitored between open-source
+           components
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+    from gql import gql
+    from graphql import GraphQLError
+    from gql.transport.exceptions import TransportServerError
+    from gql.transport.exceptions import TransportAlreadyConnected
+    from gql import Client
+    from gql.transport.requests import RequestsHTTPTransport
+
+    try:
+
+        variables = {
+            'fullPath': glEntity.path_with_namespace
+        }
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    client = Client(
+        transport=RequestsHTTPTransport(
+            url=kwargs.get('graphQLEndpoint'),
+            headers=kwargs.get('graphQLHeaders'),
+            use_json=True
+        ),
+        fetch_schema_from_transport=True
+    )
+
+    query = gql('''
+    query GetSecurityScanners($fullPath: ID!) {
+        project(fullPath: $fullPath) {
+            securityScanners {
+                enabled
+            }
+        }
+    }
+    ''')
+
+    try:
+
+        results = client.execute(query, variable_values=variables)
+
+    except (GraphQLError, TransportServerError, TransportAlreadyConnected):
+        return {None: 'Error: Issue with GraphQL Query'}
+
+    # pytest no auth
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+    try:
+        enabledScanners = results["project"]["securityScanners"]["enabled"]
+        dependencyScanningEnabled = "DEPENDENCY_SCANNING" in enabledScanners
+        containerScanningEnabled = "CONTAINER_SCANNING" in enabledScanners
+        if (dependencyScanningEnabled and containerScanningEnabled):
+            return {True: 'DEPENDENCY SCANNING and '
+                    'CONTAINER SCANNING are enabled'}
+        elif (dependencyScanningEnabled and not containerScanningEnabled):
+            return {False: 'DEPENDENCY SCANNING is enabled but '
+                    'CONTAINER SCANNING is not enabled'}
+        elif (containerScanningEnabled and not dependencyScanningEnabled):
+            return {False: 'CONTAINER SCANNING is enabled '
+                    'but DEPENDENCY SCANNING is not enabled'}
+        return {False: 'CONTAINER SCANNING and DEPENDENCY SCANNING '
+                'are not enabled'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    except KeyError:
+        return {False: 'No scanners enabled'}
+
+# -------------------------------------------------------------------------
+
+
+def define_package_managers(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.5
+    title: Ensure trusted package managers and repositories are
+           defined and prioritized
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def dependency_sbom(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.6
+    title: Ensure a signed Software Bill of Materials (SBOM) of the
+           code is supplied
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def pin_dependency_version(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.7
+    title: Ensure dependencies are pinned to a specific, verified
+           version
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# ------------------------------------------------------------------------
+
+
+def packages_over_60_days_old(glEntity, glObject, **kwargs):
+    """
+    id: 3.1.8
+    title: Ensure all packages used are more than 60 days old
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/dependencies_3/validate_packages_3_2.py

@@ -0,0 +1,182 @@
+# -------------------------------------------------------------------------
+
+
+def org_wide_dependency_policy(glEntity, glObject, **kwargs):
+    """
+    id: 3.2.1
+    title: Ensure an organization-wide dependency usage policy
+    is enforced
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+    from gql import gql
+    from graphql import GraphQLError
+    from gql.transport.exceptions import TransportServerError
+    import yaml
+    from gql.transport.exceptions import TransportAlreadyConnected
+    from gql import Client
+    from gql.transport.requests import RequestsHTTPTransport
+
+    try:
+
+        variables = {
+            'fullPath': glEntity.path_with_namespace
+        }
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    client = Client(
+        transport=RequestsHTTPTransport(
+            url=kwargs.get('graphQLEndpoint'),
+            headers=kwargs.get('graphQLHeaders'),
+            use_json=True
+        ),
+        fetch_schema_from_transport=True
+    )
+
+    query = gql('''
+    query GetSecurityScanners($fullPath: ID!) {
+        project(fullPath: $fullPath) {
+            scanExecutionPolicies {
+            nodes {
+                name
+                enabled
+                yaml
+             }
+          }
+        }
+        }
+    ''')
+
+    try:
+
+        results = client.execute(query, variable_values=variables)
+
+    except (GraphQLError, TransportServerError, TransportAlreadyConnected):
+        return {None: 'Error: Issue with GraphQL Query'}
+
+    # pytest no auth:
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+    try:
+        secret_detection_policy_found = False
+        for policy in results['project']['scanExecutionPolicies']['nodes']:
+            if policy.get('enabled') is True:
+                policy_yaml = yaml.safe_load(policy.get('yaml', ''))
+                actions = policy_yaml.get('actions', [])
+                for action in actions:
+                    if action.get('scan') == 'dependency_scanning':
+                        secret_detection_policy_found = True
+
+        if secret_detection_policy_found:
+            return {
+                True: (
+                    'Scan Execution Policy for dependency_scanning is '
+                    'enabled'
+                    )
+                }
+        else:
+            return {
+                False: (
+                    'Scan Execution Policy for dependency_scanning '
+                    'is not enabled'
+                )
+            }
+
+    except KeyError:
+        return {False: 'Scan Execution Policy was not found'}
+
+
+# -------------------------------------------------------------------------
+
+
+def package_vuln_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 3.2.2
+    title: Ensure packages are automatically scanned for known
+           vulnerabilities
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    from gitlabcis.utils import ci
+
+    try:
+        settings = glObject.settings.get()
+
+        if settings.auto_devops_enabled is True:
+            return {True: 'Dependency Scanning is '
+                          'enabled via Auto DevOps'}
+
+        return ci.searchConfig(
+            glEntity, glObject, 'dependency_scanning')
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def package_license_scanning(glEntity, glObject, **kwargs):
+    """
+    id: 3.2.3
+    title: Ensure packages are automatically scanned
+           for license implications
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    from gitlabcis.utils import ci
+
+    try:
+        settings = glObject.settings.get()
+
+        _successAddon = ('On GitLab self-managed, you also can choose '
+                         'package registry metadata to synchronize '
+                         'in the Admin Area for the GitLab instance. '
+                         'You also must allow outbound network traffic '
+                         'from your GitLab instance to the domain '
+                         'storage.googleapis.com.')
+
+        if settings.auto_devops_enabled is True:
+            return {True: 'Dependency Scanning which is required so '
+                          'packages be automatically scanned is '
+                          f'enabled via Auto DevOps. {_successAddon}'}
+
+        _result = ci.searchConfig(
+            glEntity, glObject, 'dependency_scanning')
+
+        result, reason = _result.popitem()
+
+        if result is True:
+            return {True: 'Dependency Scanning which is required for '
+                          'packages to be automatically scanned is '
+                          f'configured in .gitlab-ci.yml. {_successAddon}'}
+        else:
+            return {result: reason}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def package_ownership_change(glEntity, glObject, **kwargs):
+    """
+    id: 3.2.4
+    title: Ensure packages are automatically scanned for
+           ownership change
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/deployment_5/__init__.py

@@ -0,0 +1,2 @@
+from . import deployment_configuration_5_1  # noqa: F401
+from . import deployment_environment_5_2  # noqa: F401

gitlabcis/benchmarks/deployment_5/deployment_configuration_5_1.py

@@ -0,0 +1,165 @@
+# -------------------------------------------------------------------------
+
+
+def separate_deployment_config(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.1
+    title: Ensure deployment configuration files are separated from
+           source code
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        # get the ci config file obj:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+
+        # check its existance:
+        if ciFile.file_path is None:
+            return {False: 'separate ci config file not set for project'}
+
+        # check for sub dirs:
+        if '/' not in ciFile.file_path:
+            return {False: 'ci config file is available but not in '
+                    'a separated path'}
+
+        return {True: 'ci config yml file is available, '
+                'and stored separately from this project '
+                'source code'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def audit_deployment_config(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.2
+    title: Ensure changes in deployment configuration are audited
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabLicenseError,
+                                   GitlabListError)
+
+    from gitlabcis.utils import ci
+
+    try:
+
+        # get the ci config file obj:
+        gitlab_ci_yml = ci.getConfig(glEntity, glObject, **kwargs)
+
+        ciFile, reason = gitlab_ci_yml.popitem()
+
+        if ciFile in [None, False]:
+            return {ciFile: reason}
+
+        for approval in glEntity.approvalrules.list(get_all=True):
+            if approval.approvals_required < 1:
+                return {False: 'at least one approval is required '
+                        'for code changes'}
+
+        if glObject.get_license().get('plan') not in ['premium', 'ultimate']:
+            return {False: 'License does not allow audit'}
+
+        return {True: 'Changes are audited , reviewed and tracked'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabLicenseError,
+            GitlabAuthenticationError, GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+
+# -------------------------------------------------------------------------
+
+
+def secret_scan_deployment_config(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.3
+    title: Ensure scanners are in place to identify and prevent
+           sensitive data in deployment configuration
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        return ci.searchConfig(
+            glEntity, glObject, 'Secret-Detection')
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_deployment_config_access(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.4
+    title: Limit access to deployment configurations
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+
+# -------------------------------------------------------------------------
+
+
+def scan_iac(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.5
+    title: Scan Infrastructure as Code (IaC)
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    from gitlabcis.utils import ci
+
+    try:
+        return ci.searchConfig(
+            glEntity, glObject, 'SAST-IaC')
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def verify_deployment_config(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.6
+    title: Ensure deployment configuration manifests are verified
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def pin_deployment_config_manifests(glEntity, glObject, **kwargs):
+    """
+    id: 5.1.7
+    title: Ensure deployment configuration manifests are pinned to a
+           specific, verified version
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}