prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl
- dashboard/__main__.py +2 -1
- dashboard/compliance/c5_azure.py +43 -0
- dashboard/compliance/fedramp_20x_ksi_low_aws.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_azure.py +46 -0
- dashboard/compliance/fedramp_20x_ksi_low_gcp.py +46 -0
- dashboard/compliance/hipaa_gcp.py +25 -0
- dashboard/compliance/nist_csf_2_0_aws.py +24 -0
- dashboard/compliance/prowler_threatscore_kubernetes.py +28 -0
- prowler/AGENTS.md +366 -0
- prowler/CHANGELOG.md +93 -2
- prowler/__main__.py +54 -7
- prowler/compliance/aws/ens_rd2022_aws.json +1 -1
- prowler/compliance/aws/fedramp_20x_ksi_low_aws.json +347 -0
- prowler/compliance/aws/nis2_aws.json +1 -1
- prowler/compliance/aws/nist_csf_2.0_aws.json +1781 -0
- prowler/compliance/azure/c5_azure.json +9471 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -1
- prowler/compliance/azure/fedramp_20x_ksi_low_azure.json +358 -0
- prowler/compliance/azure/nis2_azure.json +1 -1
- prowler/compliance/gcp/c5_gcp.json +9401 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -1
- prowler/compliance/gcp/fedramp_20x_ksi_low_gcp.json +293 -0
- prowler/compliance/gcp/hipaa_gcp.json +415 -0
- prowler/compliance/gcp/nis2_gcp.json +1 -1
- prowler/compliance/github/cis_1.0_github.json +6 -2
- prowler/compliance/kubernetes/prowler_threatscore_kubernetes.json +1269 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +6 -6
- prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json} +1 -1
- prowler/config/config.py +59 -5
- prowler/config/config.yaml +3 -0
- prowler/lib/check/check.py +1 -9
- prowler/lib/check/checks_loader.py +65 -1
- prowler/lib/check/models.py +12 -2
- prowler/lib/check/utils.py +1 -7
- prowler/lib/cli/parser.py +17 -7
- prowler/lib/mutelist/mutelist.py +15 -7
- prowler/lib/outputs/compliance/c5/c5_azure.py +92 -0
- prowler/lib/outputs/compliance/c5/c5_gcp.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +54 -0
- prowler/lib/outputs/compliance/cis/{cis_oci.py → cis_oraclecloud.py} +7 -7
- prowler/lib/outputs/compliance/cis/models.py +3 -3
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +29 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_kubernetes.py +98 -0
- prowler/lib/outputs/finding.py +16 -5
- prowler/lib/outputs/html/html.py +10 -8
- prowler/lib/outputs/outputs.py +1 -1
- prowler/lib/outputs/summary_table.py +1 -1
- prowler/lib/powershell/powershell.py +12 -11
- prowler/lib/scan/scan.py +105 -24
- prowler/lib/utils/utils.py +1 -1
- prowler/providers/aws/aws_regions_by_service.json +73 -15
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +1 -1
- prowler/providers/aws/lib/security_hub/security_hub.py +1 -1
- prowler/providers/aws/services/account/account_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +1 -3
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.metadata.json +24 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.metadata.json +17 -11
- prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.metadata.json +22 -17
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.metadata.json +27 -13
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.metadata.json +25 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.metadata.json +23 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.metadata.json +17 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.metadata.json +21 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.metadata.json +27 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.metadata.json +22 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.metadata.json +26 -12
- prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.metadata.json +25 -12
- prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.metadata.json +20 -11
- prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +28 -12
- prowler/providers/aws/services/codebuild/codebuild_project_not_publicly_accessible/codebuild_project_not_publicly_accessible.metadata.json +22 -12
- prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.metadata.json +15 -10
- prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.metadata.json +19 -11
- prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.metadata.json +21 -12
- prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.metadata.json +19 -12
- prowler/providers/aws/services/codebuild/codebuild_project_uses_allowed_github_organizations/codebuild_project_uses_allowed_github_organizations.metadata.json +24 -13
- prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.metadata.json +35 -13
- prowler/providers/aws/services/codepipeline/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_client.py +6 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/__init__.py +0 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.metadata.json +30 -0
- prowler/providers/aws/services/codepipeline/codepipeline_project_repo_private/codepipeline_project_repo_private.py +95 -0
- prowler/providers/aws/services/codepipeline/codepipeline_service.py +164 -0
- prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.metadata.json +18 -12
- prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.metadata.json +23 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.metadata.json +24 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.metadata.json +19 -13
- prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.metadata.json +20 -10
- prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.metadata.json +26 -13
- prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.metadata.json +20 -10
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.metadata.json +18 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.metadata.json +16 -11
- prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.metadata.json +20 -12
- prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.metadata.json +17 -10
- prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.metadata.json +18 -12
- prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.metadata.json +19 -12
- prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.metadata.json +16 -11
- prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.metadata.json +22 -13
- prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.metadata.json +19 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.metadata.json +21 -13
- prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.metadata.json +22 -12
- prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.metadata.json +20 -12
- prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.metadata.json +21 -11
- prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.metadata.json +20 -11
- prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.metadata.json +20 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.metadata.json +21 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.metadata.json +26 -13
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.metadata.json +19 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.metadata.json +16 -12
- prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.metadata.json +21 -14
- prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_deletion_protection_enabled/eks_cluster_deletion_protection_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.metadata.json +20 -13
- prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.metadata.json +20 -14
- prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.metadata.json +22 -13
- prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.metadata.json +19 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json +21 -12
- prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.metadata.json +20 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.metadata.json +21 -12
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.metadata.json +22 -14
- prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.metadata.json +20 -11
- prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.metadata.json +23 -13
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.metadata.json +17 -12
- prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.metadata.json +17 -11
- prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.metadata.json +22 -13
- prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.metadata.json +24 -13
- prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.metadata.json +20 -10
- prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.metadata.json +20 -11
- prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.metadata.json +20 -12
- prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.metadata.json +19 -12
- prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.metadata.json +19 -11
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.metadata.json +21 -13
- prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.metadata.json +19 -11
- prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.metadata.json +21 -12
- prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.metadata.json +17 -10
- prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.metadata.json +17 -12
- prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.metadata.json +18 -11
- prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.metadata.json +18 -12
- prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.metadata.json +16 -11
- prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.metadata.json +21 -13
- prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.metadata.json +24 -11
- prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.metadata.json +18 -11
- prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.metadata.json +26 -13
- prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.metadata.json +21 -11
- prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.metadata.json +24 -13
- prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.metadata.json +26 -14
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.metadata.json +26 -15
- prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +15 -16
- prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json +23 -11
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json +19 -12
- prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.metadata.json +17 -12
- prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json +22 -13
- prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.metadata.json +21 -12
- prowler/providers/aws/services/iam/lib/policy.py +24 -16
- prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.metadata.json +21 -13
- prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.metadata.json +22 -13
- prowler/providers/azure/services/cosmosdb/cosmosdb_service.py +7 -2
- prowler/providers/azure/services/defender/defender_service.py +4 -2
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/__init__.py +0 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.metadata.json +36 -0
- prowler/providers/azure/services/postgresql/postgresql_flexible_server_entra_id_authentication_enabled/postgresql_flexible_server_entra_id_authentication_enabled.py +43 -0
- prowler/providers/azure/services/postgresql/postgresql_service.py +66 -9
- prowler/providers/azure/services/storage/storage_service.py +13 -4
- prowler/providers/azure/services/vm/vm_service.py +4 -7
- prowler/providers/common/arguments.py +19 -16
- prowler/providers/common/provider.py +2 -18
- prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.metadata.json +16 -15
- prowler/providers/gcp/services/cloudresourcemanager/cloudresourcemanager_service.py +30 -4
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_audit_logs_enabled/cloudstorage_audit_logs_enabled.py +61 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.metadata.json +12 -9
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py +10 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py +40 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py +31 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json +35 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py +55 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json +36 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py +30 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +48 -2
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json +35 -0
- prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py +36 -0
- prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json +14 -8
- prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py +0 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json +30 -0
- prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py +106 -0
- prowler/providers/github/services/organization/organization_service.py +84 -10
- prowler/providers/iac/iac_provider.py +279 -55
- prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json +18 -13
- prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json +16 -12
- prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json +16 -11
- prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json +16 -10
- prowler/providers/m365/lib/powershell/m365_powershell.py +80 -93
- prowler/providers/m365/m365_provider.py +1 -6
- prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.py +17 -21
- prowler/providers/m365/services/exchange/exchange_service.py +18 -12
- prowler/providers/m365/services/sharepoint/sharepoint_external_sharing_managed/sharepoint_external_sharing_managed.py +9 -7
- prowler/providers/mongodbatlas/exceptions/exceptions.py +16 -0
- prowler/providers/mongodbatlas/mongodbatlas_provider.py +15 -3
- prowler/providers/mongodbatlas/services/projects/projects_auditing_enabled/projects_auditing_enabled.metadata.json +20 -9
- prowler/providers/mongodbatlas/services/projects/projects_network_access_list_exposed_to_internet/projects_network_access_list_exposed_to_internet.metadata.json +14 -9
- prowler/providers/oraclecloud/lib/arguments/arguments.py +4 -13
- prowler/providers/oraclecloud/lib/service/service.py +3 -3
- prowler/providers/oraclecloud/{oci_provider.py → oraclecloud_provider.py} +15 -15
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +20 -16
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +17 -17
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +17 -19
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +18 -18
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +17 -18
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +1 -1
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +1 -1
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +1 -1
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +1 -1
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +1 -1
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +1 -1
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +1 -1
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/METADATA +17 -16
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/RECORD +298 -249
- /prowler/compliance/{oci → oraclecloud}/__init__.py +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.13.1.dist-info → prowler_cloud-5.14.1.dist-info}/entry_points.txt +0 -0
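--- a/dashboard/__main__.py
+++ b/dashboard/__main__.py
@@ -35,7 +35,8 @@ dashboard = dash.Dash(
 
 # Logo
 prowler_logo = html.Img(
-src="https://
+src="https://cdn.prod.website-files.com/68c4ec3f9fb7b154fbcb6e36/68ffb46d40ed7faa37a592a5_prowler-logo.png",
+alt="Prowler Logo",
 )
 
 menu_icons = {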
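Review bot: The new `src` on the added line loads the logo from an external CDN, so every render of the dashboard issues a request to a third-party host and the image breaks when the dashboard runs without outbound connectivity. Since `dashboard` is a Dash app (visible in the hunk header), shipping the PNG in the app's `assets/` folder and referencing it with `src=dashboard.get_asset_url("prowler-logo.png")` keeps the page self-contained and avoids the external fetch. The `alt="Prowler Logo"` added on the following line is a good addition and should stay either way. The removed line is cut off in this rendering, so whether the previous URL was also remote cannot be confirmed from the hunk.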
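--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,43 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_3_levels
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+data["REQUIREMENTS_DESCRIPTION"] = (
+data["REQUIREMENTS_ID"] + " - " + data["REQUIREMENTS_DESCRIPTION"]
+)
+
+data["REQUIREMENTS_DESCRIPTION"] = data["REQUIREMENTS_DESCRIPTION"].apply(
+lambda x: x[:150] + "..." if len(str(x)) > 150 else x
+)
+
+data["REQUIREMENTS_ATTRIBUTES_SECTION"] = data[
+"REQUIREMENTS_ATTRIBUTES_SECTION"
+].apply(lambda x: x[:80] + "..." if len(str(x)) > 80 else x)
+
+data["REQUIREMENTS_ATTRIBUTES_SUBSECTION"] = data[
+"REQUIREMENTS_ATTRIBUTES_SUBSECTION"
+].apply(lambda x: x[:150] + "..." if len(str(x)) > 150 else x)
+
+aux = data[
+[
+"REQUIREMENTS_DESCRIPTION",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+]
+
+return get_section_containers_3_levels(
+aux,
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+"REQUIREMENTS_DESCRIPTION",
+)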
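Review bot: `get_table` rewrites `REQUIREMENTS_DESCRIPTION`, `REQUIREMENTS_ATTRIBUTES_SECTION` and `REQUIREMENTS_ATTRIBUTES_SUBSECTION` directly on the `data` frame passed in (lines 9–23), so the caller's DataFrame is mutated and a second call on the same frame prefixes the ID a second time and re-truncates already shortened text. The other `get_table` functions in this diff select their columns into `aux` with `.copy()` before touching anything; doing the same here — build `aux = data[[...]].copy()` first and apply the concatenation and the truncation lambdas to `aux` — leaves the input intact. A short docstring stating that the function returns display containers and does not modify `data` would then document the contract.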
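--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_DESCRIPTION",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+# Shorten the long FedRAMP KSI descriptions for better display
+ksi_short_names = {
+"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+}
+
+# Replace long descriptions with short names - use contains for partial matching
+if not aux.empty:
+for long_desc, short_name in ksi_short_names.items():
+mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+long_desc, na=False, regex=False
+)
+aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+return get_section_containers_cis(
+aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+)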
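Review bot: The `ksi_short_names` table (lines 23–34) and the replacement loop below it are duplicated verbatim in the two following `@@ -0,0 +1,46 @@` hunks, so a wording change to one FedRAMP KSI description will silently drift between the three provider files; hoisting the dict into `dashboard.common_methods` next to `get_section_containers_cis` and importing it in all three keeps a single source of truth. The `if not aux.empty:` guard on line 37 is redundant, because `str.contains` and the `.loc` assignment are already no-ops on an empty frame, and dropping it makes the loop body one level shallower. Because the match is a substring test, any description not covered by the table quietly stays at full length; a one-line comment such as `# Descriptions without a short name are shown unchanged` would make that fallback explicit.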
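--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_DESCRIPTION",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+# Shorten the long FedRAMP KSI descriptions for better display
+ksi_short_names = {
+"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+}
+
+# Replace long descriptions with short names - use contains for partial matching
+if not aux.empty:
+for long_desc, short_name in ksi_short_names.items():
+mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+long_desc, na=False, regex=False
+)
+aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+return get_section_containers_cis(
+aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+)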
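--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_DESCRIPTION",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+# Shorten the long FedRAMP KSI descriptions for better display
+ksi_short_names = {
+"A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+"A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+"A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+"A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+}
+
+# Replace long descriptions with short names - use contains for partial matching
+if not aux.empty:
+for long_desc, short_name in ksi_short_names.items():
+mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+long_desc, na=False, regex=False
+)
+aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+return get_section_containers_cis(
+aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+)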
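--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,25 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_DESCRIPTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+return get_section_containers_format3(
+aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+)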
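--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_DESCRIPTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+return get_section_containers_format3(
+aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+)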
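--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,28 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_threatscore
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+aux = data[
+[
+"REQUIREMENTS_ID",
+"REQUIREMENTS_DESCRIPTION",
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+"CHECKID",
+"STATUS",
+"REGION",
+"ACCOUNTID",
+"RESOURCEID",
+]
+].copy()
+
+return get_section_containers_threatscore(
+aux,
+"REQUIREMENTS_ATTRIBUTES_SECTION",
+"REQUIREMENTS_ATTRIBUTES_SUBSECTION",
+"REQUIREMENTS_ID",
+)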
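--- /dev/null
+++ b/prowler/AGENTS.md
@@ -0,0 +1,366 @@
+# Prowler SDK Agent Guide
+
+**Complete guide for AI agents and developers working on the Prowler SDK - the core Python security scanning engine.**
+
+## Project Overview
+
+The Prowler SDK is the core Python engine that powers Prowler's cloud security assessment capabilities. It provides:
+
+- **Multi-cloud Security Scanning**: AWS, Azure, GCP, Kubernetes, GitHub, M365, Oracle Cloud, MongoDB Atlas, and more
+- **Compliance Frameworks**: 30+ frameworks including CIS, NIST, PCI-DSS, SOC2, GDPR
+- **1000+ Security Checks**: Comprehensive coverage across all supported providers
+- **Multiple Output Formats**: JSON, CSV, HTML, ASFF, OCSF, and compliance-specific formats
+
+## Mission & Scope
+
+- Maintain and enhance the core Prowler SDK functionality with security and stability as top priorities
+- Follow best practices for Python patterns, code style, security, and comprehensive testing
+- To get more information about development guidelines, please refer to the Prowler Developer Guide in `docs/developer-guide/`
+
+---
+
+## Architecture Rules
+
+### 1. Provider Architecture Pattern
+
+All Prowler providers MUST follow the established pattern:
+
+```
+prowler/providers/{provider}/
+├── {provider}_provider.py # Main provider class
+├── models.py # Provider-specific models
+├── config.py # Provider configuration
+├── exceptions/ # Provider-specific exceptions
+├── lib/ # Provider libraries (as minimun it should have implemented the next folders: service, arguments, mutelist)
+│ ├── service/ # Provider-specific service class to be inherited by all services of the provider
+│ ├── arguments/ # Provider-specific CLI arguments parser
+│ └── mutelist/ # Provider-specific mutelist functionality
+└── services/ # All provider services to be audited
+└── {service}/ # Individual service
+├── {service}_service.py # Class to fetch the needed resources from the API and store them to be used by the checks
+├── {service}_client.py # Python instance of the service class to be used by the checks
+└── {check_name}/ # Individual check folder
+├── {check_name}.py # Python class to implement the check logic
+└── {check_name}.metadata.json # JSON file to store the check metadata
+└── {check_name_2}/ # Other checks can be added to the same service folder
+├── {check_name_2}.py
+└── {check_name_2}.metadata.json
+...
+└── {service_2}/ # Other services can be added to the same provider folder
+...
+```
+
+### 2. Check Implementation Standards
+
+Every security check MUST implement:
+
+```python
+from prowler.lib.check.models import Check, CheckReport<Provider>
+from prowler.providers.<provider>.services.<service>.<service>_client import <service>_client
+
+class check_name(Check):
+"""Ensure that <resource> meets <security_requirement>."""
+def execute(self) -> list[CheckReport<Provider>]:
+"""Execute the check logic.
+
+Returns:
+A list of reports containing the result of the check.
+"""
+findings = []
+# Check implementation here
+for resource in <service>_client.<resources>:
+# Security validation logic
+report = CheckReport<Provider>(metadata=self.metadata(), resource=resource)
+report.status = "PASS" | "FAIL"
+report.status_extended = "Detailed explanation"
+findings.append(report) # Add the report to the list of findings
+return findings
+```
+
+### 3. Compliance Framework Integration
+
+All compliance frameworks must be defined in:
+- `prowler/compliance/{provider}/{framework}.json`
+- Follow the established Compliance model structure
+- Include proper requirement mappings and metadata
+
+---
+
+## Tech Stack
+
+- **Language**: Python 3.9+
+- **Dependency Management**: Poetry 2+
+- **CLI Framework**: Custom argument parser with provider-specific subcommands
+- **Testing**: Pytest with extensive unit and integration tests
+- **Code Quality**: Pre-commit hooks for Black, Flake8, Pylint, Bandit for security scanning
+
+## Commands
+
+### Development Environment
+
+```bash
+# Core development setup
+poetry install --with dev # Install all dependencies
+poetry run pre-commit install # Install pre-commit hooks
+
+# Code quality
+poetry run pre-commit run --all-files
+
+# Run tests
+poetry run pytest -n auto -vvv -s -x tests/
+```
+
+### Running Prowler CLI
+
+```bash
+# Run Prowler
+poetry run python prowler-cli.py --help
+
+# Run Prowler with a specific provider
+poetry run python prowler-cli.py <provider>
+
+# Run Prowler with error logging
+poetry run python prowler-cli.py <provider> --log-level ERROR --verbose
+
+# Run specific checks
+poetry run python prowler-cli.py <provider> --checks <check_name_1> <check_name_2>
+```
+
+## Project Structure
+
+```
+prowler/
+├── __main__.py # Main CLI entry point
+├── config/ # Global configuration
+│ ├── config.py # Core configuration settings
+│ └── __init__.py
+├── lib/ # Core library functions
+│ ├── check/ # Check execution engine
+│ │ ├── check.py # Check execution logic
+│ │ ├── checks_loader.py # Dynamic check loading
+│ │ ├── compliance.py # Compliance framework handling
+│ │ └── models.py # Check and report models
+│ ├── cli/ # Command-line interface
+│ │ └── parser.py # Argument parsing
+│ ├── outputs/ # Output format handlers
+│ │ ├── csv/ # CSV output
+│ │ ├── html/ # HTML reports
+│ │ ├── json/ # JSON formats
+│ │ └── compliance/ # Compliance reports
+│ ├── scan/ # Scan orchestration
+│ ├── utils/ # Utility functions
+│ └── mutelist/ # Mute list functionality
+├── providers/ # Cloud provider implementations
+│ ├── aws/ # AWS provider
+│ ├── azure/ # Azure provider
+│ ├── gcp/ # Google Cloud provider
+│ ├── kubernetes/ # Kubernetes provider
+│ ├── github/ # GitHub provider
+│ ├── m365/ # Microsoft 365 provider
+│ ├── mongodbatlas/ # MongoDB Atlas provider
+│ ├── oci/ # Oracle Cloud provider
+│ ├── ...
+│ └── common/ # Shared provider utilities
+├── compliance/ # Compliance framework definitions
+│ ├── aws/ # AWS compliance frameworks
+│ ├── azure/ # Azure compliance frameworks
+│ ├── gcp/ # GCP compliance frameworks
+│ ├── ...
+└── exceptions/ # Global exception definitions
+```
+
+## Key Components
+
+### 1. Provider System
+
+Each cloud provider implements:
+
+```python
+class Provider:
+"""Base provider class"""
+
+def __init__(self, arguments):
+self.session = self._setup_session(arguments)
+self.regions = self._get_regions()
+# Initialize all services
+
+def _setup_session(self, arguments):
+"""Provider-specific authentication"""
+pass
+
+def _get_regions(self):
+"""Get available regions for provider"""
+pass
+```
+
+### 2. Check Engine
+
+The check execution system:
+
+- **Dynamic Loading**: Automatically discovers and loads checks
+- **Parallel Execution**: Runs checks in parallel for performance
+- **Error Isolation**: Individual check failures don't affect others
+- **Comprehensive Reporting**: Detailed findings with remediation guidance
+
+### 3. Compliance Framework Engine
+
+Compliance frameworks are defined as JSON files mapping checks to requirements:
+
+```json
+{
+"Framework": "CIS",
+"Name": "CIS Amazon Web Services Foundations Benchmark v2.0.0",
+"Version": "2.0",
+"Provider": "AWS",
+"Description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.",
+"Requirements": [
+{
+"Id": "1.1",
+"Description": "Maintain current contact details",
+"Checks": ["account_contact_details_configured"]
+}
+]
+}
+```
+
+### 4. Output System
+
+Multiple output formats supported:
+
+- **JSON**: Machine-readable findings
+- **CSV**: Spreadsheet-compatible format
+- **HTML**: Interactive web reports
+- **ASFF**: AWS Security Finding Format
+- **OCSF**: Open Cybersecurity Schema Framework
+
+## Development Patterns
+
+### Adding New Cloud Providers
+
+1. **Create Provider Structure**:
+```bash
+mkdir -p prowler/providers/{provider}
+mkdir -p prowler/providers/{provider}/services
+mkdir -p prowler/providers/{provider}/lib/{service,arguments,mutelist}
+mkdir -p prowler/providers/{provider}/exceptions
+```
+
+2. **Implement Provider Class**:
+```python
+from prowler.providers.common.provider import Provider
+
+class NewProvider(Provider):
+def __init__(self, arguments):
+super().__init__(arguments)
+# Provider-specific initialization
+```
+
+3. **Add Provider to CLI**:
+Update `prowler/lib/cli/parser.py` to include new provider arguments.
+
+### Adding New Security Checks
+
+The most common high level steps to create a new check are:
+
+1. Prerequisites:
+- Verify the check does not already exist by searching in the same service folder as `prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>/`.
+- Ensure required provider and service exist. If not, you will need to create them first.
+- Confirm the service has implemented all required methods and attributes for the check (in most cases, you will need to add or modify some methods in the service to get the data you need for the check).
+2. Navigate to the service directory. The path should be as follows: `prowler/providers/<provider>/services/<service>`.
+3. Create a check-specific folder. The path should follow this pattern: `prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>`. Adhere to the [Naming Format for Checks](/developer-guide/checks#naming-format-for-checks).
+4. Create the check files, you can use next commands:
+```bash
+mkdir -p prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>
+touch prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>/__init__.py
+touch prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>/<check_name_want_to_implement>.py
+touch prowler/providers/<provider>/services/<service>/<check_name_want_to_implement>/<check_name_want_to_implement>.metadata.json
+```
+5. Run the check locally to ensure it works as expected. For checking you can use the CLI in the next way:
+- To ensure the check has been detected by Prowler: `poetry run python prowler-cli.py <provider> --list-checks | grep <check_name>`.
+- To run the check, to find possible issues: `poetry run python prowler-cli.py <provider> --log-level ERROR --verbose --check <check_name>`.
+6. Create comprehensive tests for the check that cover multiple scenarios including both PASS (compliant) and FAIL (non-compliant) cases. For detailed information about test structure and implementation guidelines, refer to the [Testing](/developer-guide/unit-testing) documentation.
+7. If the check and its corresponding tests are working as expected, you can submit a PR to Prowler.
+
+### Adding Compliance Frameworks
+
+1. **Create Framework File**:
+```bash
+# Create prowler/compliance/{provider}/{framework}.json
+```
+
+2. **Define Requirements**:
+Map framework requirements to existing checks.
+
+3. **Test Compliance**:
+```bash
+poetry run python -m prowler {provider} --compliance {framework}
+```
+
+## Code Quality Standards
+
+### 1. Python Style
+
+- **PEP 8 Compliance**: Enforced by black and flake8
+- **Type Hints**: Required for all public functions
+- **Docstrings**: Required for all classes and methods
+- **Import Organization**: Use isort for consistent import ordering
+
+```python
+import standard_library
+
+from third_party import library
+
+from prowler.lib import internal_module
+
+class ExampleClass:
+"""Class docstring."""
+
+def method(self, param: str) -> dict | list | None:
+"""Method docstring.
+
+Args:
+param: Description of parameter
+
+Returns:
+Description of return value
+"""
+return None
+```
+
+### 2. Error Handling
+
+```python
+from prowler.lib.logger import logger
+
+try:
+# Risky operation
+result = api_call()
+except ProviderSpecificException as e:
+logger.error(f"Provider error: {e}")
+# Graceful handling
+except Exception as e:
+logger.error(f"Unexpected error: {e}")
+# Never let checks crash the entire scan
+```
+
+### 3. Security Practices
+
+- **No Hardcoded Secrets**: Use environment variables or secure credential management
+- **Input Validation**: Validate all external inputs
+- **Principle of Least Privilege**: Request minimal necessary permissions
+- **Secure Defaults**: Default to secure configurations
+
+## Testing Guidelines
+
+### Unit Tests
+
+- **100% Coverage Goal**: Aim for complete test coverage
+- **Mock External Services**: Use mock objects to simulate the external services
+- **Test Edge Cases**: Include error conditions and boundary cases
+
+## References
+
+- **Root Project Guide**: `../AGENTS.md` (takes priority for cross-component guidance)
+- **Provider Examples**: Reference existing providers for implementation patterns
+- **Check Examples**: Study existing checks for proper implementation patterns
+- **Compliance Framework Examples**: Review existing frameworks for structure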