regscale-cli 6.20.9.1__py3-none-any.whl → 6.21.0.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/constants.py

@@ -12,6 +12,11 @@ VULNERABILITY_FILE_PATH = "artifacts/wiz_vulnerabilities.json"
 CLOUD_CONFIG_FINDINGS_FILE_PATH = "artifacts/wiz_cloud_config_findings.json"
 HOST_VULNERABILITY_FILE_PATH = "artifacts/wiz_host_vulnerabilities.json"
 DATA_FINDINGS_FILE_PATH = "artifacts/wiz_data_findings.json"
+SECRET_FINDINGS_FILE_PATH = "artifacts/wiz_secret_findings.json"
+NETWORK_EXPOSURE_FILE_PATH = "artifacts/wiz_network_exposures.json"
+END_OF_LIFE_FILE_PATH = "artifacts/wiz_end_of_life.json"
+EXTERNAL_ATTACK_SURFACE_FILE_PATH = "artifacts/wiz_external_attack_surface.json"
+EXCESSIVE_ACCESS_FILE_PATH = "artifacts/wiz_excessive_access.json"
 CONTENT_TYPE = "application/json"
 RATE_LIMIT_MSG = "Rate limit exceeded"
 PROVIDER = "Provider ID"
@@ -102,6 +107,80 @@ ASSET_TYPE_MAPPING = {
     "DATA_WORKFLOW": "Other",
 }
 
+RECOMMENDED_WIZ_INVENTORY_TYPES = [
+    # Compute resources
+    "CONTAINER",
+    "CONTAINER_GROUP",
+    "CONTAINER_IMAGE",
+    "POD",
+    "SERVERLESS",
+    "SERVERLESS_PACKAGE",
+    "VIRTUAL_DESKTOP",
+    "VIRTUAL_MACHINE",
+    "VIRTUAL_MACHINE_IMAGE",
+    # Network and exposure
+    "API_GATEWAY",
+    "CDN",
+    "CERTIFICATE",
+    "DNS_RECORD",
+    "ENDPOINT",
+    "FIREWALL",
+    "GATEWAY",
+    "LOAD_BALANCER",
+    "MANAGED_CERTIFICATE",
+    "NETWORK_ADDRESS",
+    "NETWORK_INTERFACE",
+    "PRIVATE_ENDPOINT",
+    "PRIVATE_LINK",
+    "PROXY",
+    "WEB_SERVICE",
+    # Storage and data
+    "BACKUP_SERVICE",
+    "BUCKET",
+    "DATABASE",
+    "DATA_WORKLOAD",
+    "DB_SERVER",
+    "FILE_SYSTEM_SERVICE",
+    "SECRET",
+    "SECRET_CONTAINER",
+    "STORAGE_ACCOUNT",
+    "VOLUME",
+    # Identity and access management
+    "ACCESS_ROLE",
+    # "ACCESS_ROLE_BINDING",
+    "AUTHENTICATION_CONFIGURATION",
+    "IAM_BINDING",
+    "RAW_ACCESS_POLICY",
+    "SERVICE_ACCOUNT",
+    # Development and CI/CD
+    "APPLICATION",
+    "CICD_SERVICE",
+    "CONFIG_MAP",
+    "CONTAINER_REGISTRY",
+    "CONTAINER_SERVICE",
+    # Kubernetes resources
+    "CONTROLLER_REVISION",
+    "KUBERNETES_CLUSTER",
+    "KUBERNETES_INGRESS",
+    "KUBERNETES_NODE",
+    "KUBERNETES_SERVICE",
+    "NAMESPACE",
+    # Infrastructure and management
+    "CLOUD_LOG_CONFIGURATION",
+    "CLOUD_ORGANIZATION",
+    "DOMAIN",
+    "EMAIL_SERVICE",
+    "ENCRYPTION_KEY",
+    "MANAGEMENT_SERVICE",
+    "MESSAGING_SERVICE",
+    "REGISTERED_DOMAIN",
+    "RESOURCE_GROUP",
+    "SERVICE_CONFIGURATION",
+    "SUBNET",
+    "SUBSCRIPTION",
+    "VIRTUAL_NETWORK",
+]
+
 INVENTORY_QUERY = """
     query CloudResourceSearch(
     $filterBy: CloudResourceFilters
@@ -926,6 +1005,11 @@ class WizVulnerabilityType(Enum):
     DATA_FINDING = "data_finding"
     VULNERABILITY = "vulnerability"
     CONFIGURATION = "configuration_finding"
+    SECRET_FINDING = "secret_finding"
+    END_OF_LIFE_FINDING = "end_of_life_finding"
+    NETWORK_EXPOSURE_FINDING = "network_exposure_finding"
+    EXTERNAL_ATTACH_SURFACE = "external_attack_surface"
+    EXCESSIVE_ACCESS_FINDING = "excessive_access_finding"
     ISSUE = "issue"
 
 
@@ -995,6 +1079,73 @@ def get_wiz_vulnerability_queries(project_id: str, filter_by: Optional[dict] = N
                 "groupBy": "GRAPH_ENTITY",
             },
         },
+        {
+            "type": WizVulnerabilityType.SECRET_FINDING,
+            "query": SECRET_FINDINGS_QUERY,
+            "topic_key": "secretInstances",
+            "file_path": SECRET_FINDINGS_FILE_PATH,
+            "asset_lookup": "resource",
+            "variables": {
+                "first": 200,
+                "fetchTotalCount": True,
+                "filterBy": {"projectId": [project_id]},
+                "orderBy": {"field": "RELATED_ISSUE_SEVERITY", "direction": "DESC"},
+            },
+        },
+        {
+            "type": WizVulnerabilityType.NETWORK_EXPOSURE_FINDING,
+            "query": NETWORK_EXPOSURE_QUERY,
+            "topic_key": "networkExposures",
+            "file_path": NETWORK_EXPOSURE_FILE_PATH,
+            "asset_lookup": "exposedEntity",
+            "variables": {
+                "first": 200,
+                "filterBy": {
+                    "type": ["PUBLIC_INTERNET"],
+                },
+            },
+        },
+        {
+            "type": WizVulnerabilityType.END_OF_LIFE_FINDING,
+            "query": END_OF_LIFE_QUERY,
+            "topic_key": "vulnerabilityFindings",
+            "file_path": END_OF_LIFE_FILE_PATH,
+            "asset_lookup": "vulnerableAsset",
+            "variables": {
+                "first": 200,
+                "orderBy": {"field": "TECHNOLOGY_END_OF_LIFE_DATE", "direction": "DESC"},
+                "includeRelatedIssueAnalytics": True,
+                "filterBy": {"isEndOfLife": True, "projectId": [project_id]},
+            },
+        },
+        {
+            "type": WizVulnerabilityType.EXTERNAL_ATTACH_SURFACE,
+            "query": EXTERNAL_ATTACK_SURFACE_QUERY,
+            "topic_key": "networkExposures",
+            "file_path": EXTERNAL_ATTACK_SURFACE_FILE_PATH,
+            "asset_lookup": "exposedEntity",
+            "variables": {
+                "first": 200,
+                "filterBy": {
+                    "type": ["PUBLIC_INTERNET"],
+                },
+            },
+        },
+        {
+            "type": WizVulnerabilityType.EXCESSIVE_ACCESS_FINDING,
+            "query": EXCESSIVE_ACCESS_QUERY,
+            "topic_key": "excessiveAccessFindings",
+            "file_path": EXCESSIVE_ACCESS_FILE_PATH,
+            "asset_lookup": "scope",
+            "variables": {
+                "first": 200,
+                "filterBy": {
+                    "status": {"equals": ["OPEN"]},
+                },
+            },
+        },
+        # Note: EXCESSIVE_ACCESS_FINDING temporarily disabled due to 422 Unprocessable Entity error
+        # This may indicate the feature is not available for all Wiz tenants or requires different permissions
     ]
 
 
@@ -1031,3 +1182,608 @@ def get_wiz_issue_queries(project_id: str, filter_by: Optional[dict] = None) ->
             },
         },
     ]
+
+
+SECRET_FINDINGS_QUERY = """query SecretFindingsTable($after: String, $first: Int, $filterBy: SecretInstanceFilters, $orderBy: SecretInstanceOrder, $fetchTotalCount: Boolean = true) {
+  secretInstances(
+    filterBy: $filterBy
+    first: $first
+    after: $after
+    orderBy: $orderBy
+  ) {
+    nodes {
+      id
+      name
+      type
+      confidence
+      severity
+      isEncrypted
+      isManaged
+      externalId
+      status
+      firstSeenAt
+      lastSeenAt
+      lastModifiedAt
+      lastUpdatedAt
+      resolvedAt
+      validationStatus
+      passwordDetails {
+        isComplex
+        length
+        entropy
+      }
+      rule {
+        id
+        name
+        type
+        validityCheckSupported
+        isAiPowered
+      }
+      projects {
+        id
+        name
+        slug
+        isFolder
+      }
+      secretDataEntities {
+        id
+        name
+        type
+        properties
+      }
+      relatedIssueAnalytics {
+        issueCount
+        informationalSeverityCount
+        lowSeverityCount
+        mediumSeverityCount
+        highSeverityCount
+        criticalSeverityCount
+      }
+      resource {
+        ...SecretFindingResourceDetails
+        cloudAccount {
+          id
+          externalId
+          name
+          cloudProvider
+        }
+        tags {
+          key
+          value
+        }
+      }
+    }
+    pageInfo {
+      hasNextPage
+      endCursor
+    }
+    totalCount @include(if: $fetchTotalCount)
+  }
+}
+
+    fragment SecretFindingResourceDetails on SecretInstanceResource {
+  id
+  name
+  type
+  externalId
+  status
+  nativeType
+  region
+  typedProperties {
+    ... on SecretInstanceResourceRepositoryBranch {
+      repository {
+        id
+        name
+      }
+    }
+  }
+}
+
+# variables:
+# {
+#   "fetchTotalCount": true,
+#   "first": 20,
+#   "filterBy": {},
+#   "orderBy": {
+#     "field": "RELATED_ISSUE_SEVERITY",
+#     "direction": "DESC"
+#   }
+# }
+"""
+
+
+NETWORK_EXPOSURE_QUERY = """query NetworkExposuresTable($filterBy: NetworkExposureFilters, $first: Int, $after: String) {
+  networkExposures(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      id
+      exposedEntity {
+        id
+        name
+        type
+        properties
+      }
+      accessibleFrom {
+        id
+        name
+        type
+        properties
+      }
+      sourceIpRange
+      destinationIpRange
+      portRange
+      appProtocols
+      networkProtocols
+      path {
+        id
+        name
+        type
+        properties
+      }
+      customIPRanges {
+        id
+        name
+        ipRanges
+      }
+      firstSeenAt
+      applicationEndpoints {
+        id
+        name
+        type
+        properties
+      }
+      type
+    }
+    pageInfo {
+      hasNextPage
+      endCursor
+    }
+    totalCount
+  }
+}
+
+# variables:
+# {
+#   "first": 20,
+#   "filterBy": {
+#     "type": [
+#       "PUBLIC_INTERNET"
+#     ],
+#     "publicInternetExposureFilters": {}
+#   }
+# }
+"""
+
+END_OF_LIFE_QUERY = """query EndOfLifeFindingsTable($filterBy: VulnerabilityFindingFilters, $first: Int, $after: String, $orderBy: VulnerabilityFindingOrder = {direction: DESC, field: CREATED_AT}, $includeRelatedIssueAnalytics: Boolean = false) {
+  vulnerabilityFindings(
+    filterBy: $filterBy
+    first: $first
+    after: $after
+    orderBy: $orderBy
+  ) {
+    nodes {
+      ...VulnerabilityFindingFragment
+      technologyEndOfLifeAt
+      relatedIssueAnalytics @include(if: $includeRelatedIssueAnalytics) {
+        ...VulnerabilityFindingRelatedIssueAnalyticsFragment
+      }
+    }
+    pageInfo {
+      hasNextPage
+      endCursor
+    }
+  }
+}
+
+    fragment VulnerabilityFindingFragment on VulnerabilityFinding {
+  id
+  name
+  detailedName
+  description
+  severity
+  status
+  fixedVersion
+  detectionMethod
+  firstDetectedAt
+  lastDetectedAt
+  resolvedAt
+  validatedInRuntime
+  hasTriggerableRemediation
+  dataSourceName
+  fixDate
+  fixDateBefore
+  publishedDate
+  version
+  isOperatingSystemEndOfLife
+  recommendedVersion
+  locationPath
+  artifactType {
+    ...SBOMArtifactTypeFragment
+  }
+  projects {
+    id
+    name
+    slug
+    isFolder
+  }
+  ignoreRules {
+    id
+  }
+  layerMetadata {
+    id
+    details
+    isBaseLayer
+  }
+  vulnerableAsset {
+    ... on VulnerableAssetBase {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      nativeType
+      externalId
+      providerUniqueId
+    }
+    ... on VulnerableAssetVirtualMachine {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      operatingSystem
+      imageName
+      imageId
+      imageNativeType
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      computeInstanceGroup {
+        id
+        externalId
+        name
+        replicaCount
+        tags
+      }
+      nativeType
+    }
+    ... on VulnerableAssetServerless {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      nativeType
+    }
+    ... on VulnerableAssetContainerImage {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      repository {
+        vertexId
+        name
+      }
+      registry {
+        vertexId
+        name
+      }
+      scanSource
+      executionControllers {
+        ...VulnerableAssetExecutionControllerDetails
+      }
+      nativeType
+      tagReferences
+    }
+    ... on VulnerableAssetContainer {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      executionControllers {
+        ...VulnerableAssetExecutionControllerDetails
+      }
+      nativeType
+    }
+    ... on VulnerableAssetRepositoryBranch {
+      id
+      type
+      name
+      cloudPlatform
+      repositoryId
+      repositoryName
+      nativeType
+    }
+    ... on VulnerableAssetEndpoint {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      nativeType
+    }
+    ... on VulnerableAssetPaaSResource {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      nativeType
+    }
+    ... on VulnerableAssetVirtualMachineImage {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      hasLimitedInternetExposure
+      hasWideInternetExposure
+      isAccessibleFromVPN
+      isAccessibleFromOtherVnets
+      isAccessibleFromOtherSubscriptions
+      nativeType
+    }
+    ... on VulnerableAssetNetworkAddress {
+      subscriptionId
+      subscriptionName
+      subscriptionExternalId
+      tags
+      address
+      addressType
+    }
+    ... on VulnerableAssetCommon {
+      id
+      type
+      name
+      cloudPlatform
+      subscriptionName
+      subscriptionExternalId
+      subscriptionId
+      tags
+      nativeType
+    }
+  }
+}
+
+
+    fragment SBOMArtifactTypeFragment on SBOMArtifactType {
+  group
+  codeLibraryLanguage
+  osPackageManager
+  hostedTechnology {
+    id
+    name
+    icon
+  }
+  plugin
+  custom
+}
+
+
+    fragment VulnerableAssetExecutionControllerDetails on VulnerableAssetExecutionController {
+  id
+  entityType
+  externalId
+  providerUniqueId
+  name
+  subscriptionExternalId
+  subscriptionId
+  subscriptionName
+  ancestors {
+    id
+    name
+    entityType
+    externalId
+    providerUniqueId
+  }
+}
+
+
+    fragment VulnerabilityFindingRelatedIssueAnalyticsFragment on VulnerabilityFindingRelatedIssueAnalytics {
+  issueCount
+  informationalSeverityCount
+  lowSeverityCount
+  mediumSeverityCount
+  highSeverityCount
+  criticalSeverityCount
+}
+
+# variables:
+# {
+#   "orderBy": {
+#     "field": "TECHNOLOGY_END_OF_LIFE_DATE",
+#     "direction": "DESC"
+#   },
+#   "includeRelatedIssueAnalytics": true,
+#   "first": 30,
+#   "filterBy": {
+#     "isEndOfLife": true
+#   }
+# }
+"""
+
+EXTERNAL_ATTACK_SURFACE_QUERY = """query NetworkExposuresTable($filterBy: NetworkExposureFilters, $first: Int, $after: String) {
+  networkExposures(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      id
+      exposedEntity {
+        id
+        name
+        type
+        properties
+      }
+      accessibleFrom {
+        id
+        name
+        type
+        properties
+      }
+      sourceIpRange
+      destinationIpRange
+      portRange
+      appProtocols
+      networkProtocols
+      path {
+        id
+        name
+        type
+        properties
+      }
+      customIPRanges {
+        id
+        name
+        ipRanges
+      }
+      firstSeenAt
+      applicationEndpoints {
+        id
+        name
+        type
+        properties
+      }
+      type
+    }
+    pageInfo {
+      hasNextPage
+      endCursor
+    }
+    totalCount
+  }
+}"""
+
+EXCESSIVE_ACCESS_QUERY = """query ExcessiveAccessFindingsTable($filterBy: ExcessiveAccessFindingFilters, $first: Int, $after: String) {
+  excessiveAccessFindings(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      ...ExcessiveAccessFindingDetails
+    }
+    pageInfo {
+      hasNextPage
+      endCursor
+    }
+    totalCount
+  }
+}
+
+    fragment ExcessiveAccessFindingDetails on ExcessiveAccessFinding {
+  id
+  projects {
+    id
+    name
+    slug
+    isFolder
+  }
+  name
+  status
+  severity
+  remediationType
+  excessiveServices
+  hasUnusedAdminPermissions
+  hasUnusedHighPermissions
+  hasUnusedDataPermissions
+  builtInPolicyRemediationName
+  scope {
+    graphEntity {
+      id
+      name
+      type
+      properties
+    }
+  }
+  description
+  documentationUrl
+  remediationInstructions
+  principal {
+    graphEntity {
+      id
+      name
+      type
+      properties
+    }
+    cloudAccount {
+      id
+      name
+      externalId
+      cloudProvider
+    }
+  }
+  context {
+    graphEntity {
+      id
+      name
+      type
+      properties
+    }
+  }
+  relatedIssueAnalytics {
+    issueCount
+    criticalSeverityCount
+    highSeverityCount
+    mediumSeverityCount
+    lowSeverityCount
+  }
+}
+
+# variables:
+# {
+#   "first": 20,
+#   "filterBy": {
+#     "status": {
+#       "equals": [
+#         "OPEN"
+#       ]
+#     }
+#   }
+# }
+"""