regscale-cli 6.21.0.0__py3-none-any.whl → 6.21.2.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/click.py

@@ -9,8 +9,8 @@ from typing import Optional
 import click
 
 from regscale.integrations.commercial.wizv2.variables import WizVariables
-from regscale.models import regscale_id, regscale_module
-from regscale.models.app_models.click import regscale_ssp_id
+from regscale.models import regscale_id
+from regscale.models.app_models.click import regscale_ssp_id, regscale_module
 
 logger = logging.getLogger("regscale")
 
@@ -333,12 +333,11 @@ def add_report_evidence(
     "--wiz_project_id",
     "-p",
     prompt="Enter the Wiz project ID",
-    help="Enter the Wiz Project ID.  Options include: projects, \
-          policies, supplychain, securityplans, components.",
+    help="Enter the Wiz Project ID for policy compliance sync.",
     required=True,
 )
-@regscale_id(help="RegScale will create and update issues as children of this record.")
-@regscale_module()
+@regscale_id(help="RegScale will create and update control assessments as children of this record.")
+@regscale_module(required=True, default="securityplans", prompt=False)
 @click.option(  # type: ignore
     "--client_id",
     "-i",
@@ -356,20 +355,49 @@ def add_report_evidence(
     required=False,
 )
 @click.option(  # type: ignore
-    "--catalog_id",
-    "-c",
-    help="RegScale Catalog ID for the selected framework.",
-    hide_input=False,
+    "--framework_id",
+    "-f",
+    help="Wiz framework ID or shorthand (e.g., 'nist', 'aws', 'wf-id-4'). Use --list-frameworks to see options. Default: wf-id-4 (NIST SP 800-53 Rev 5)",
+    default="wf-id-4",
     required=False,
-    default=None,
 )
 @click.option(  # type: ignore
-    "--framework",
-    "-f",
-    type=click.Choice(["CSF", "NIST800-53R5", "NIST800-53R4"], case_sensitive=False),  # type: ignore
-    help="Choose either one of the Frameworks",
-    default="NIST800-53R5",
-    required=True,
+    "--list-frameworks",
+    "-lf",
+    is_flag=True,
+    help="List all available framework options and shortcuts",
+    default=False,
+)
+@click.option(  # type: ignore
+    "--create-issues/--no-create-issues",
+    "-ci/-ni",
+    default=True,
+    help="Create issues for failed policy assessments (default: enabled)",
+)
+@click.option(  # type: ignore
+    "--update-control-status/--no-update-control-status",
+    "-ucs/-nucs",
+    default=True,
+    help="Update control implementation status based on assessment results (default: enabled)",
+)
+@click.option(  # type: ignore
+    "--create-poams/--no-create-poams",
+    "-cp/-ncp",
+    default=False,
+    help="Mark created issues as POAMs (default: disabled)",
+)
+@click.option(  # type: ignore
+    "--refresh/--no-refresh",
+    "-r/-nr",
+    default=False,
+    help="Force refresh and ignore cached data (default: use cache if available)",
+)
+@click.option(  # type: ignore
+    "--cache-duration",
+    "-cd",
+    type=click.INT,
+    default=1440,
+    help="Cache duration in minutes - reuse cached data if newer than this (default: 1440 minutes / 1 day)",
 )
 def sync_compliance(
     wiz_project_id,
@@ -377,23 +405,74 @@ def sync_compliance(
     regscale_module,
     client_id,
     client_secret,
-    catalog_id,
-    framework,
+    framework_id,
+    list_frameworks,
+    create_issues,
+    update_control_status,
+    create_poams,
+    refresh,
+    cache_duration,
 ):
-    """Sync compliance posture from Wiz to RegScale"""
-    from regscale.integrations.commercial.wizv2.utils import _sync_compliance
+    """
+    Sync policy compliance assessments from Wiz to RegScale.
+
+    This command fetches policy assessment data from Wiz and creates:
+    - Control assessments based on policy compliance results
+    - Issues for failed policy assessments (if --create-issues enabled)
+    - Updates to control implementation status (if --update-control-status enabled)
+    - JSON output file with policy compliance data in artifacts/wiz/ directory
+    - Cached framework mapping for improved performance
+
+    CACHING:
+    By default, the command will reuse cached policy data if it's newer than the cache
+    duration (default: 60 minutes). Use --refresh to force fresh data from Wiz.
+    Use --cache-duration to adjust how long cached data is considered valid.
+    """
+    from regscale.integrations.commercial.wizv2.policy_compliance import (
+        WizPolicyComplianceIntegration,
+        list_available_frameworks,
+        resolve_framework_id,
+    )
 
+    # Handle --list-frameworks flag
+    if list_frameworks:
+        click.echo(list_available_frameworks())
+        return
+
+    # Use environment variables if not provided
     if not client_secret:
         client_secret = WizVariables.wizClientSecret
     if not client_id:
         client_id = WizVariables.wizClientId
 
-    _sync_compliance(
+    # Resolve framework ID using the enhanced framework resolution
+    try:
+        resolved_framework_id = resolve_framework_id(framework_id.lower())
+        if resolved_framework_id != framework_id:
+            from regscale.integrations.commercial.wizv2.policy_compliance import FRAMEWORK_MAPPINGS
+
+            framework_name = FRAMEWORK_MAPPINGS.get(resolved_framework_id, resolved_framework_id)
+            click.echo(f"🔍 Resolved '{framework_id}' to '{framework_name}' ({resolved_framework_id})")
+    except ValueError as e:
+        click.echo(f"❌ {str(e)}")
+        click.echo("\nUse --list-frameworks to see all available options.")
+        return
+
+    # Create and run the policy compliance integration
+    policy_integration = WizPolicyComplianceIntegration(
+        plan_id=regscale_id,
         wiz_project_id=wiz_project_id,
-        regscale_id=regscale_id,
-        regscale_module=regscale_module,
         client_id=client_id,
         client_secret=client_secret,
-        catalog_id=catalog_id,
-        framework=framework,
+        framework_id=resolved_framework_id,
+        regscale_module=regscale_module,
+        create_poams=create_poams,
+        cache_duration_minutes=cache_duration,
+        force_refresh=refresh,
+    )
+
+    # Run the policy compliance sync
+    policy_integration.sync_policy_compliance(
+        create_issues=create_issues,
+        update_control_status=update_control_status,
     )

regscale/integrations/commercial/wizv2/constants.py

@@ -3,7 +3,225 @@
 from enum import Enum
 from typing import List, Optional
 
-from regscale.models import IssueSeverity
+from regscale.models import IssueSeverity, regscale_models
+
+WIZ_POLICY_QUERY = """
+query PolicyAssessmentsTable($filterBy: PolicyAssessmentFilters, $first: Int, $after: String) {
+  policyAssessments(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      id
+      policy {
+        ... on CloudConfigurationRule {
+          id
+          shortId
+          name
+          ruleDescription: description
+          severity
+          graphId
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on Control {
+          id
+          name
+          description
+          lastRunAt
+          lastRunError
+          lastSuccessfulRunAt
+          severity
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on HostConfigurationRule {
+          id
+          name
+          shortName
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+      }
+      result
+      resource {
+        id
+        name
+        type
+        region
+        tags { key value }
+        subscription { id name externalId cloudProvider }
+      }
+      output {
+        ... on Issue { id issueStatus: status }
+        ... on ConfigurationFinding { id name cloudConfigurationFindingStatus: status remediation }
+        ... on HostConfigurationRuleAssessment { id hostConfigurationRule: rule { id name shortName description remediationInstructions } }
+      }
+    }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecuritySubCategoriesDetails on SecuritySubCategory {
+  description
+  id
+  resolutionRecommendation
+  title
+  externalId
+  category { id name framework { id name enabled } }
+}
+"""
+
+WIZ_FRAMEWORK_QUERY = """
+query SecurityFrameworksTable($first: Int, $after: String, $filterBy: SecurityFrameworkFilters) {
+  securityFrameworks(first: $first, after: $after, filterBy: $filterBy) {
+    nodes { policyTypes ...SecurityFrameworkFragment }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecurityFrameworkFragment on SecurityFramework {
+  id
+  name
+  description
+  builtin
+  enabled
+  parentFramework { id name }
+}
+"""
+
+# Comprehensive framework mappings with shorthand names for easy CLI usage
+FRAMEWORK_MAPPINGS = {
+    "wf-id-4": "NIST SP 800-53 Revision 5",
+    "wf-id-48": "NIST SP 800-53 Revision 4",
+    "wf-id-5": "FedRAMP (Moderate and Low levels)",
+    "wf-id-17": "CIS Controls v7.1",
+    "wf-id-24": "CIS Controls v8",
+    "wf-id-6": "CIS AWS v1.2.0",
+    "wf-id-7": "CIS AWS v1.3.0",
+    "wf-id-32": "CIS AWS v1.4.0",
+    "wf-id-45": "CIS AWS v1.5.0",
+    "wf-id-84": "CIS AWS v2.0.0",
+    "wf-id-98": "CIS AWS v3.0.0",
+    "wf-id-197": "CIS AWS v4.0.0",
+    "wf-id-50": "AWS Foundational Security Best Practices v1.0.0",
+    "wf-id-124": "AWS Well-Architected Framework (Section 2 - Security)",
+    "wf-id-8": "CIS Azure v1.3.0",
+    "wf-id-35": "CIS Azure v1.4.0",
+    "wf-id-52": "CIS Azure v1.5.0",
+    "wf-id-74": "CIS Azure v2.0.0",
+    "wf-id-100": "CIS Azure v2.1.0",
+    "wf-id-196": "CIS Azure v2.1.0 (Latest)",
+    "wf-id-40": "Azure Security Benchmark v3",
+    "wf-id-9": "CIS GCP v1.1.0",
+    "wf-id-36": "CIS GCP v1.2.0",
+    "wf-id-53": "CIS GCP v1.3.0",
+    "wf-id-85": "CIS GCP v2.0.0",
+    "wf-id-25": "CIS AKS v1.0.0",
+    "wf-id-68": "CIS AKS v1.2.0",
+    "wf-id-75": "CIS AKS v1.3.0",
+    "wf-id-93": "CIS AKS v1.4.0",
+    "wf-id-162": "CIS AKS v1.5.0",
+    "wf-id-218": "CIS AKS v1.6.0",
+    "wf-id-23": "CIS EKS v1.0.1",
+    "wf-id-67": "CIS EKS v1.1.0",
+    "wf-id-86": "CIS EKS v1.2.0",
+    "wf-id-18": "CIS Kubernetes v1.5.1",
+    "wf-id-66": "CIS Kubernetes v1.6.1",
+    "wf-id-87": "CIS Kubernetes v1.7.0",
+    "wf-id-76": "SOC 2 Type I",
+    "wf-id-16": "ISO/IEC 27001:2013",
+    "wf-id-19": "PCI DSS v3.2.1",
+    "wf-id-78": "PCI DSS v4.0",
+    "wf-id-79": "GDPR",
+    "wf-id-64": "CCPA/CPRA",
+    "wf-id-77": "CCF (The Adobe Common Controls Framework)",
+    "wf-id-70": "Canadian PBMM (ITSG-33)",
+    "wf-id-111": "C5 - Cloud Computing Compliance Criteria Catalogue",
+    "wf-id-161": "CAF (Cyber Assessment Framework by NCSC)",
+    "wf-id-90": "APRA CPG 234",
+    "wf-id-207": "CISA Security Requirements for EO 14117",
+    "wf-id-214": "5Rs - Wiz for Data Security",
+    "wf-id-225": "Wiz for Risk Assessment",
+}
+
+FRAMEWORK_SHORTCUTS = {
+    "nist": "wf-id-4",
+    "nist53r5": "wf-id-4",
+    "nist53r4": "wf-id-48",
+    "fedramp": "wf-id-5",
+    "cis": "wf-id-24",
+    "cisv8": "wf-id-24",
+    "cisv7": "wf-id-17",
+    "aws": "wf-id-197",
+    "azure": "wf-id-196",
+    "gcp": "wf-id-85",
+    "k8s": "wf-id-87",
+    "kubernetes": "wf-id-87",
+    "eks": "wf-id-86",
+    "aks": "wf-id-218",
+    "soc2": "wf-id-76",
+    "iso27001": "wf-id-16",
+    "pci": "wf-id-78",
+    "gdpr": "wf-id-79",
+    "ccpa": "wf-id-64",
+    "aws-foundational": "wf-id-50",
+    "aws-wellarchitected": "wf-id-124",
+    "azure-benchmark": "wf-id-40",
+}
+
+FRAMEWORK_CATEGORIES = {
+    "NIST Frameworks": ["wf-id-4", "wf-id-48", "wf-id-5"],
+    "CIS Controls": ["wf-id-17", "wf-id-24"],
+    "AWS Security": [
+        "wf-id-197",
+        "wf-id-50",
+        "wf-id-124",
+        "wf-id-6",
+        "wf-id-7",
+        "wf-id-32",
+        "wf-id-45",
+        "wf-id-84",
+        "wf-id-98",
+    ],
+    "Azure Security": [
+        "wf-id-196",
+        "wf-id-40",
+        "wf-id-8",
+        "wf-id-35",
+        "wf-id-52",
+        "wf-id-74",
+        "wf-id-100",
+    ],
+    "Google Cloud Security": ["wf-id-85", "wf-id-9", "wf-id-36", "wf-id-53"],
+    "Kubernetes Security": [
+        "wf-id-87",
+        "wf-id-86",
+        "wf-id-218",
+        "wf-id-18",
+        "wf-id-23",
+        "wf-id-25",
+        "wf-id-66",
+        "wf-id-67",
+        "wf-id-68",
+        "wf-id-75",
+        "wf-id-93",
+        "wf-id-162",
+    ],
+    "Industry Standards": ["wf-id-76", "wf-id-16", "wf-id-78", "wf-id-19"],
+    "Privacy & Data Protection": ["wf-id-79", "wf-id-64", "wf-id-214"],
+    "Government/Regulatory": ["wf-id-70", "wf-id-111", "wf-id-161", "wf-id-90", "wf-id-207"],
+}
 
 SBOM_FILE_PATH = "artifacts/wiz_sbom.json"
 INVENTORY_FILE_PATH = "artifacts/wiz_inventory.json"
@@ -181,6 +399,36 @@ RECOMMENDED_WIZ_INVENTORY_TYPES = [
     "VIRTUAL_NETWORK",
 ]
 
+# This is the set of technology deploymentModels and CloudResource types which we
+# map to the asset category Hardware (instead of Software) when the useWizHardwareTypes
+# feature is enabled.
+# So either things which are hardware-like, or which use technologies that, in turn,
+# imply they are hardware-like.
+# Note that using technology deploymentModels can grab things such as virutal machine
+# image files in addition to actual virtual machines. While this doesn't fit with
+# general concepts of "hardware", for the purposes of attestation, it is the correct
+# choice, as we may be certifying a source image that dynamic resources are created from,
+# rather than attempt to document a variable pool of auto-scaled resources.
+DEFAULT_WIZ_HARDWARE_TYPES = [
+    # CloudResource types
+    "VIRTUAL_MACHINE",
+    "VIRTUAL_MACHINE_IMAGE",
+    "CONTAINER",
+    "CONTAINER_IMAGE",
+    "DB_SERVER",
+    # technology deploymentModels
+    "SERVER_APPLICATION",
+    "CLIENT_APPLICATION",
+    "VIRTUAL_APPLIANCE",
+]
+
+# This maps CPE part values to Asset categories.
+CPE_PART_TO_CATEGORY_MAPPING = {
+    "h": regscale_models.AssetCategory.Hardware,  # Hardware
+    "a": regscale_models.AssetCategory.Software,  # Application
+    "o": regscale_models.AssetCategory.Software,  # Other? Operating system? (includes OSs and firmware)
+}
+
 INVENTORY_QUERY = """
     query CloudResourceSearch(
     $filterBy: CloudResourceFilters