gitlabcis 1.3.2__tar.gz

gitlabcis-1.3.2/.commitlintrc

@@ -0,0 +1,10 @@
+{
+  "extends": ["@commitlint/config-angular"],
+  "rules": {
+    "type-enum": [2, "always", [
+      "build", "chore", "ci", "docs", "feat", "fix", "perf", "refactor", "style", "test"
+    ]],
+    "subject-case": [2, "never", ["start-case", "pascal-case", "upper-case"]],
+    "header-max-length": [2, "always", 72]
+  }
+}

gitlabcis-1.3.2/.gitignore

@@ -0,0 +1,67 @@
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Apple stuff
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Tests
+.pytest_cache
+coverage.xml
+results.csv
+results.json
+results.txt
+results.xml
+results.yaml
+htmlcov/*
+.coverage
+.coverage.*
+.tox
+pytestdebug.log

gitlabcis-1.3.2/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,247 @@
+# -----------------------------------------------------------------------------
+
+image: python:3.12
+
+# -----------------------------------------------------------------------------
+
+stages:
+  - lint
+  - test
+  - build
+  - compatibility
+  - release
+
+# -----------------------------------------------------------------------------
+# Security Scanning:
+# -----------------------------------------------------------------------------
+
+include:
+  # Sec templates:
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+
+sast:
+  stage: test
+  interruptible: true
+  needs: []
+
+bandit:
+  stage: test
+  interruptible: true
+  script:
+    - make install
+    - tox -e bandit
+  rules:
+    - when: always
+
+# -----------------------------------------------------------------------------
+# Linting tests:
+# -----------------------------------------------------------------------------
+
+commit:
+  stage: lint
+  image: node:latest
+  script:
+    - npm install -g @commitlint/cli @commitlint/config-angular
+    # get a copy of main
+    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
+    # ensure that the angular commit msg type is followed
+    - git log --pretty=format:%s $CI_MERGE_REQUEST_DIFF_BASE_SHA..$CI_COMMIT_SHA | commitlint --config .commitlintrc
+  only:
+    - merge_requests
+
+docs:
+  stage: lint
+  image: node:latest
+  script:
+    - npm install -g markdownlint-cli
+    - markdownlint **/*.md
+  rules:
+    - when: always
+
+codebase:flake8:
+  stage: lint
+  interruptible: true
+  script:
+    - make install
+    - tox -e flake8
+  rules:
+    - when: always
+
+benchmarks:baseline:
+  stage: lint
+  interruptible: true
+  script:
+    - make install
+    - tox -e baseline
+  rules:
+    - when: always
+
+benchmarks:yamllint:
+  stage: lint
+  interruptible: true
+  script:
+    - make install
+    - tox -e yamllint
+  rules:
+    - when: always
+
+codebase:benchmarks:
+  stage: lint
+  interruptible: true
+  script:
+    - make install
+    - tox -e benchmarks
+  rules:
+    - when: always
+
+# -----------------------------------------------------------------------------
+# Build:
+# -----------------------------------------------------------------------------
+
+build:
+  stage: build
+  interruptible: true
+  variables:
+    COSIGN_YES: true
+    COSIGN_VERSION: 2.4.1
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  before_script:
+    - apt-get install wget
+    - wget -q https://github.com/sigstore/cosign/releases/download/v$COSIGN_VERSION/cosign-linux-amd64 -O /usr/local/bin/cosign
+    - chmod +x /usr/local/bin/cosign
+  script:
+    - make clean
+    - make install
+    - make build
+    - cosign sign-blob dist/gitlabcis-*.tar.gz --bundle cosign.bundle --output-signature gitlabcis.sig
+    - twine check dist/*
+  rules:
+    - when: always
+  artifacts:
+    untracked: false
+    when: on_success
+    access: all
+    expire_in: 7 days
+    paths:
+      - dist/*
+      - cosign.bundle
+      - gitlabcis.sig
+
+# -----------------------------------------------------------------------------
+# Code coverage:
+# -----------------------------------------------------------------------------
+
+coverage:
+  stage: test
+  interruptible: true
+  script:
+    - make install
+    - tox -e cover
+  coverage: '/TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
+  rules:
+    - when: always
+
+# -----------------------------------------------------------------------------
+# Compatibility tests:
+# -----------------------------------------------------------------------------
+
+python:3.13:
+  stage: compatibility
+  image: python:3.13
+  script:
+    - make install
+    - tox -e py313
+  rules:
+    - when: always
+
+python:3.12:
+  stage: compatibility
+  image: python:3.12
+  script:
+    - make install
+    - tox -e py312
+  rules:
+    - when: always
+
+python:3.11:
+  stage: compatibility
+  image: python:3.11
+  script:
+    - make install
+    - tox -e py311
+  rules:
+    - when: always
+
+python:3.10:
+  stage: compatibility
+  image: python:3.10
+  script:
+    - make install
+    - tox -e py310
+  rules:
+    - when: always
+
+python:3.9:
+  stage: compatibility
+  image: python:3.9
+  script:
+    - make install
+    - tox -e py39
+  rules:
+    - when: always
+
+python:3.8:
+  stage: compatibility
+  image: python:3.8
+  script:
+    - make install
+    - tox -e py38
+  rules:
+    - when: always
+
+# -----------------------------------------------------------------------------
+# GitLab & Pypi release using python-semantic-release
+# -----------------------------------------------------------------------------
+
+release:
+  variables:
+    GIT_DEPTH: 0
+    GIT_STRATEGY: "clone"
+    TWINE_USERNAME: __token__
+    TWINE_PASSWORD: $PYPI_TOKEN
+  stage: release
+  script:
+    # ensure we don't have a detatched head in the pipeline
+    # and that there is no untracked files in the dir
+    # remove previous build files as we will overwrite if there's a new version:
+    - git stash -u && git checkout main && git fetch --all && rm dist/**
+
+    # install release deps
+    - python3 -m pip install -q .[build]
+
+    # publish a new release (only if the commit msg matches)
+    - semantic-release version && semantic-release publish
+
+    # Check if there are files in the /dist folder
+    # this only will occur if semantic-release wants to publish a new version:
+    - if [ -z "$(ls -A dist)" ]; then
+        echo "No version to publish";
+        exit 0;
+      else
+        echo "Publishing new version";
+        twine upload --config-file .pypirc --repository pypi --verbose dist/*;
+        export TWINE_USERNAME="gitlab-ci-token" && export TWINE_PASSWORD="$CI_JOB_TOKEN";
+        twine upload --config-file .pypirc --repository gitlab --verbose dist/*;
+      fi
+
+  rules:
+    # only run on main branch
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: always
+    # skip the job if it's triggered by a release commit
+    - if: '$CI_COMMIT_MESSAGE =~ /^chore\(release\): bump version/'
+      when: never

gitlabcis-1.3.2/.gitlab/CODEOWNERS

@@ -0,0 +1,5 @@
+# Core:
+/ @smeadzinger @ayofan @nrosandich @nmcd @mjozenazemian
+
+# Recommendations:
+/gitlabcis/recommendations @smeadzinger

gitlabcis-1.3.2/.gitlab/issue_templates/bug.md

@@ -0,0 +1,14 @@
+### BUG
+<!-- Thanks for taking the time to fill out this bug report! -->
+
+#### What happened?
+<!-- Also tell us what you expected to happen? -->
+
+#### Version
+<!-- What version of gitlabcis are you running? -->
+
+#### Logs
+<!-- Attach any relevant logs -->
+
+/labels ~"bug" ~"priority::4"
+cc: @nmcd

gitlabcis-1.3.2/.gitlab/issue_templates/feature.md

@@ -0,0 +1,11 @@
+### [FEATURE]
+
+<!-- Thanks for taking the time to fill out this feature request! -->
+
+#### Details
+
+<!-- Also attach any relevant screenshots/docs/links to this request -->
+
+/labels ~"priority::4" ~"feature::enhancement"
+
+cc: @nmcd

gitlabcis-1.3.2/.gitlab/issue_templates/vuln.md

@@ -0,0 +1,29 @@
+### Summary
+
+<!-- Summarize the vuln encountered concisely. -->
+
+### Steps to reproduce
+
+<!-- Describe how one can reproduce the issue - this is very important. Please use an ordered list. -->
+
+### What is the current *bug* behavior?
+
+<!-- Describe what actually happens. -->
+
+### Relevant logs and/or screenshots
+
+<!-- Paste any relevant logs - please use code blocks (```) to format console output, logs, and code
+ as it's tough to read otherwise. -->
+
+### Possible fixes
+
+<!-- If you can, link to the line of code that might be responsible for the problem. -->
+
+---
+
+<!-- Do not edit past here unless you are certain of the impact -->
+
+cc @nmcd
+
+/label ~"type::bug" ~"bug::vulnerability"
+/confidential

gitlabcis-1.3.2/.gitlab/merge_request_templates/default.md

@@ -0,0 +1,91 @@
+### Description
+<!-- What changes are being introduced? -->
+
+## Requester
+<!-- Please ensure the checklist items are complete before requesting a review of this MR-->
+
+<details><summary>Requester Checklist</summary>
+
+- If this change modifies [benchmark functions](https://gitlab.com/gitlab-org/govern/compliance/engineering/cis/gitlabcis/-/tree/main/gitlabcis/benchmarks?ref_type=heads):
+  - The function:
+    - [ ] Name matches the `name` of the yaml recommendation
+    - [ ] Returns a `dict` containing:
+      - `True` or `False` (if the check passed/failed)
+      - `None` for skipped checks
+      - a `str` with the reason why (e.g. `{None: 'This check requires validation'}`)
+    - [ ] The `docstring` contains the id and title of the recommendation to check
+  - Limitations:
+    - [ ] Any limitations for the function are added to [docs/limitations.md](https://gitlab.com/gitlab-org/govern/compliance/engineering/cis/gitlabcis/-/tree/main/docs/limitations.md)
+- If this change modifies [recommendations](https://gitlab.com/gitlab-org/govern/compliance/engineering/cis/gitlabcis/-/tree/main/gitlabcis/recommendations):
+  - [ ] Ensure approval from `CODEOWNERS` is obtained
+- [ ] All unit tests pass before requesting review
+- [ ] This merge request's title matches the prefixes allowed in `.commitlintrc`
+- [ ] Remove _Draft_ phase from the MR
+
+</details>
+
+## Reviewer(s)
+<!-- Please ensure this MR meets the requirements before approving & merging -->
+
+<details><summary>Reviewer Checklist</summary>
+
+- If this change modifies [benchmark functions](https://gitlab.com/gitlab-org/govern/compliance/engineering/cis/gitlabcis/-/tree/main/gitlabcis/benchmarks?ref_type=heads):
+  - [ ] The function(s) satisfy the recommendation _(see the `audit` section in the yaml file)_
+    - i.e. does this function address the recommendation benchmark check
+- [ ] This merge request's title matches the prefixes allowed in `.commitlintrc`
+- [ ] All tests have passed successfully
+
+</details>
+
+### Local validation
+<!-- You can validate benchmark functions by following the below steps -->
+
+To validate changes to benchmark functions for this merge request, follow the below:
+
+<details><summary>validation steps</summary>
+
+Clone the repo:
+
+```sh
+git clone git@gitlab.com:gitlab-com/gl-security/security-operations/sirt/automation/cis-benchmark-scanner.git
+cd cis-benchmark-scanner
+```
+
+Checkout into the merge request branch:
+
+```sh
+git checkout $branchRequestingToMerge
+```
+
+Install the version in the merge request:
+
+```sh
+make install
+```
+
+Validate the function(s) against a project:
+
+```sh
+gitlabcis https://gitlab.example.com/path/to/project
+```
+
+To test a single benchmark functon:
+
+```sh
+gitlabcis https://gitlab.example.com/path/to/project \
+    -ids 1.1.1
+```
+
+</details>
+
+<!-- Labels, assignee & tags -->
+
+/label ~"SIRT_Tooling"
+
+/label ~"SIRT_Automation::Maintenance"
+
+/label ~"SIRT_Phase::Backlog"
+
+/assign me
+
+/draft

gitlabcis-1.3.2/.markdownlint.yaml

@@ -0,0 +1,16 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Ignore Line length
+MD013: false
+
+# MD033/no-inline-html - Allow lists in tables
+MD033:
+  allowed_elements:
+    - "li"
+    - "ul"
+    - "summary"
+    - "details"
+
+# This rule conflicts with issue templates
+MD041: false

gitlabcis-1.3.2/.markdownlintignore

@@ -0,0 +1,4 @@
+build
+dist
+venv
+CHANGELOG.md

gitlabcis-1.3.2/.pre-commit-config.yaml

@@ -0,0 +1,37 @@
+repos:
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.18.0
+    hooks:
+        - id: commitlint
+          stages: [commit-msg]
+          additional_dependencies: ['@commitlint/config-angular']
+          args: ['--config', '.commitlintrc', '--verbose']
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.41.0
+    hooks:
+      - id: markdownlint
+        args: ["**/*.md", "-c", ".markdownlint.yaml"]
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.19.2
+    hooks:
+      - id: gitleaks
+        stages: [commit, push]
+        args: ['detect', '--no-banner']
+
+  - repo: https://github.com/pycqa/isort
+    rev: 5.13.2
+    hooks:
+      - id: isort
+
+  - repo: https://github.com/psf/black
+    rev: 24.8.0
+    hooks:
+      - id: black
+        args: ['-S', '--line-length=79', '--diff']
+
+  - repo: https://github.com/pycqa/flake8
+    rev: 7.1.1
+    hooks:
+      - id: flake8

gitlabcis-1.3.2/.pypirc

@@ -0,0 +1,14 @@
+[distutils]
+index-servers =
+    gitlab
+    testpypi
+    pypi
+
+[gitlab]
+repository = https://gitlab.com/api/v4/projects/57279821/packages/pypi
+
+[testpypi]
+repository = https://test.pypi.org/legacy/
+
+[pypi]
+repository = https://upload.pypi.org/legacy/

gitlabcis-1.3.2/.yamllint.yml

@@ -0,0 +1,6 @@
+extends: default
+
+rules:
+  line-length: disable
+  indentation: disable
+  trailing-spaces: disable