regscale-cli 6.26.0.0__py3-none-any.whl → 6.27.0.1__py3-none-any.whl

regscale/integrations/commercial/tenablev2/stig_parsers.py

@@ -8,7 +8,89 @@ from regscale.core.app.utils.app_utils import get_current_datetime
 from regscale.integrations.scanner_integration import IntegrationFinding, issue_due_date
 from regscale.models import regscale_models
 
-logger = logging.getLogger(__name__)
+logger = logging.getLogger("regscale")
+
+# Constants
+DEFAULT_CCI_REF = "CCI-000366"  # Default CCI reference for STIG findings
+UNKNOWN_VULN_NUM = "unknown"
+_SOLUTION_KEYWORD = "Solution:"
+_REFERENCE_INFO_KEYWORD = "Reference Information:"
+
+# Status mapping for STIG results
+_RESULT_STATUS_MAP = {
+    "PASSED": regscale_models.ChecklistStatus.PASS,
+    "FAILED": regscale_models.ChecklistStatus.FAIL,
+    "ERROR": regscale_models.ChecklistStatus.FAIL,
+    "NOT APPLICABLE": regscale_models.ChecklistStatus.NOT_APPLICABLE,
+    "NOT_APPLICABLE": regscale_models.ChecklistStatus.NOT_APPLICABLE,
+}
+
+# Severity mapping for STIG findings
+_SEVERITY_MAP = {
+    "critical": regscale_models.IssueSeverity.Critical,
+    "high": regscale_models.IssueSeverity.High,
+    "medium": regscale_models.IssueSeverity.Moderate,
+    "low": regscale_models.IssueSeverity.Low,
+}
+
+
+def _extract_field(pattern: str, text: str, flags: Union[int, re.RegexFlag] = 0, group: int = 1) -> str:
+    """
+    Extracts a field from a string using a regular expression.
+
+    :param str pattern: The regular expression pattern to search for
+    :param str text: The string to search in
+    :param int flags: Optional regular expression flags, defaults to 0
+    :param int group: The group number to return from the match, defaults to 1
+    :return: The extracted field as a string. Empty string if no match was found
+    :rtype: str
+    """
+    match = re.search(pattern, text, flags)
+    return match.group(group).strip() if match else ""
+
+
+def _extract_reference_dict(output: str) -> dict:
+    """
+    Extract and parse reference information into dictionary.
+
+    :param str output: The STIG output string
+    :return: Dictionary of reference information
+    :rtype: dict
+    """
+    ref_info = _extract_field(r"Reference Information:\s*(.+)", output, flags=re.DOTALL)
+    ref_dict = {}
+    for item in ref_info.split(","):
+        if "|" in item:
+            parts = item.split("|", 1)
+            if len(parts) == 2:
+                ref_dict[parts[0].strip()] = parts[1].strip()
+    return ref_dict
+
+
+def _map_result_to_status(result: str) -> regscale_models.ChecklistStatus:
+    """
+    Map result string to ChecklistStatus enum.
+
+    :param str result: The result string from STIG output
+    :return: ChecklistStatus enum value
+    :rtype: regscale_models.ChecklistStatus
+    """
+    result_key = result.upper().replace("_", " ").strip()
+    if result_key not in _RESULT_STATUS_MAP:
+        logger.warning("Result '%s' not found in status map", result)
+        return regscale_models.ChecklistStatus.NOT_REVIEWED
+    return _RESULT_STATUS_MAP[result_key]
+
+
+def _map_severity_to_enum(severity: str) -> regscale_models.IssueSeverity:
+    """
+    Map severity string to IssueSeverity enum.
+
+    :param str severity: The severity string
+    :return: IssueSeverity enum value
+    :rtype: regscale_models.IssueSeverity
+    """
+    return _SEVERITY_MAP.get(severity.lower(), regscale_models.IssueSeverity.NotAssigned)
 
 
 def parse_stig_output(output: str, finding: IntegrationFinding) -> IntegrationFinding:
@@ -20,43 +102,39 @@ def parse_stig_output(output: str, finding: IntegrationFinding) -> IntegrationFi
     :return: An IntegrationFinding object containing the parsed finding information.
     :rtype: IntegrationFinding
     """
-
-    def _extract_field(pattern: str, text: str, flags: Union[int, re.RegexFlag] = 0, group: int = 1) -> str:
-        """
-        Extracts a field from a string using a regular expression
-
-        :param str pattern: The regular expression pattern to search for
-        :param str text: The string to search in
-        :param int flags: Optional regular expression flags, defaults to 0
-        :param int group: The group number to return from the match, defaults to 1
-        :return: The extracted field as a string. Empty string if no match was found
-        :rtype: str
-        """
-        match = re.search(pattern, text, flags)
-        return match.group(group).strip() if match else ""
-
-    # Extract fields
-    check_name_full = _extract_field(r"Check Name:\s*(.*?)\n", output, flags=re.DOTALL | re.MULTILINE)
+    # Extract fields using optimized regex patterns (preventing catastrophic backtracking)
+    check_name_full = _extract_field(r"Check Name:\s*([^\n]+)", output)
     check_name_parts = check_name_full.split(":", 1)
     rule_id = check_name_parts[0].strip()
     check_description = check_name_parts[1].strip() if len(check_name_parts) > 1 else ""
 
+    # Extract baseline from Target keyword
     baseline = _extract_field(r"(.*?)\s+Target\s+(.*)", check_description, group=2)
-    if target_match := _extract_field(r"(.*?)\s+Target\s+(.*)", check_description):
+    target_match = _extract_field(r"(.*?)\s+Target\s+(.*)", check_description)
+    if target_match:
         check_description = check_description[: check_description.find(target_match) + len(target_match)].strip()
 
-    information = _extract_field(r"Information:\s*(.*?)\n", output, flags=re.DOTALL | re.MULTILINE)
-    vuln_discuss = _extract_field(r"VulnDiscussion='(.*?)'\s", output, flags=re.DOTALL | re.MULTILINE)
-    result = _extract_field(r"Result:\s*(.*?)(?:\n|$)", output, flags=re.IGNORECASE | re.DOTALL)
-    solution = _extract_field(r"Solution:\s*(.*?)\n\nReference Information:", output, flags=re.DOTALL | re.MULTILINE)
+    information = _extract_field(r"Information:\s*([^\n]+)", output)
+    vuln_discuss = _extract_field(r"VulnDiscussion='([^']+)'\s", output)
+    result = _extract_field(r"Result:\s*([^\n]+)", output, flags=re.IGNORECASE)
+    # Extract solution using a safe pattern that avoids backtracking
+    # Split on reference keyword and take the solution section
+    if _SOLUTION_KEYWORD in output and _REFERENCE_INFO_KEYWORD in output:
+        solution_start = output.find(_SOLUTION_KEYWORD) + len(_SOLUTION_KEYWORD)
+        ref_start = output.find(_REFERENCE_INFO_KEYWORD, solution_start)
+        solution = output[solution_start:ref_start].strip()
+    elif _SOLUTION_KEYWORD in output:
+        solution_start = output.find(_SOLUTION_KEYWORD) + len(_SOLUTION_KEYWORD)
+        solution = output[solution_start:].strip()
+    else:
+        solution = ""
 
-    # Extract reference information
-    ref_info = _extract_field(r"Reference Information:\s*(.*)", output, flags=re.DOTALL | re.MULTILINE)
-    ref_dict = dict(item.split("|", 1) for item in ref_info.split(",") if "|" in item)
+    # Extract reference information using helper function
+    ref_dict = _extract_reference_dict(output)
 
     # Extract specific references
-    cci_ref = ref_dict.get("CCI", "CCI-000366")
-    severity = ref_dict.get("SEVERITY", "").lower()
+    cci_ref = ref_dict.get("CCI", DEFAULT_CCI_REF)
+    severity_str = ref_dict.get("SEVERITY", "").lower()
     oval_def = ref_dict.get("OVAL-DEF", "")
     generated_date = ref_dict.get("GENERATED-DATE", "")
     updated_date = ref_dict.get("UPDATED-DATE", "")
@@ -64,36 +142,19 @@ def parse_stig_output(output: str, finding: IntegrationFinding) -> IntegrationFi
     rule_id_full = ref_dict.get("RULE-ID", "")
     group_id = ref_dict.get("GROUP-ID", "")
 
+    # Extract vulnerability number
     vuln_num_match = re.search(r"SV-\d+r\d+_rule", rule_id)
-    vuln_num = vuln_num_match.group(0) if vuln_num_match else "unknown"
+    vuln_num = vuln_num_match.group(0) if vuln_num_match else UNKNOWN_VULN_NUM
 
     title = f"{vuln_num}: {check_description}"
     issue_title = title
 
-    status_map = {
-        "PASSED": regscale_models.ChecklistStatus.PASS,
-        "FAILED": regscale_models.ChecklistStatus.FAIL,
-        "ERROR": regscale_models.ChecklistStatus.FAIL,
-        "NOT APPLICABLE": regscale_models.ChecklistStatus.NOT_APPLICABLE,
-        "NOT_APPLICABLE": regscale_models.ChecklistStatus.NOT_APPLICABLE,
-    }
+    # Map result to status using helper function
+    status = _map_result_to_status(result)
 
-    result_key = result.upper().replace("_", " ").strip()
-    if result_key not in status_map:
-        logger.warning(f"Result '{result}' not found in status map")
-        status = regscale_models.ChecklistStatus.NOT_REVIEWED
-    else:
-        status = status_map[result_key]
-
-    # Map severity to IssueSeverity enum
-    priority = (severity or "").title()
-    severity_map = {
-        "critical": regscale_models.IssueSeverity.Critical,
-        "high": regscale_models.IssueSeverity.High,
-        "medium": regscale_models.IssueSeverity.Moderate,
-        "low": regscale_models.IssueSeverity.Low,
-    }
-    severity = severity_map.get(severity.lower(), regscale_models.IssueSeverity.NotAssigned)
+    # Map severity to IssueSeverity enum using helper function
+    priority = (severity_str or "").title()
+    severity = _map_severity_to_enum(severity_str)
 
     results = (
         f"Vulnerability Number: {vuln_num}, Severity: {severity.value}, "
@@ -132,9 +193,4 @@ def parse_stig_output(output: str, finding: IntegrationFinding) -> IntegrationFi
     finding.rule_id_full = rule_id_full
     finding.group_id = group_id
 
-    # Future values
-    # finding.comments = ""
-    # finding.poam_comments = ""
-    # finding.rule_version = ""
-
     return finding

regscale/integrations/commercial/wizv2/WizDataMixin.py

@@ -5,7 +5,7 @@ from datetime import datetime, timedelta
 from typing import Optional, Dict, Any, List
 
 from regscale.core.app.utils.app_utils import error_and_exit, check_file_path
-from regscale.integrations.commercial.wizv2.constants import CONTENT_TYPE
+from regscale.integrations.commercial.wizv2.core.constants import CONTENT_TYPE
 from regscale.core.app.application import Application
 from regscale.utils import PaginatedGraphQLClient
 

regscale/integrations/commercial/wizv2/click.py

@@ -25,7 +25,7 @@ def wiz():
 @click.option("--client_secret", default=None, hide_input=True, required=False)  # type: ignore
 def authenticate(client_id, client_secret):
     """Authenticate to Wiz."""
-    from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
+    from regscale.integrations.commercial.wizv2.core.auth import wiz_authenticate
 
     wiz_authenticate(client_id, client_secret)
 
@@ -136,7 +136,7 @@ def issues(
     Process Issues from Wiz into RegScale
     """
     from regscale.core.app.utils.app_utils import check_license
-    from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
+    from regscale.integrations.commercial.wizv2.core.auth import wiz_authenticate
     from regscale.integrations.commercial.wizv2.issue import WizIssue
     import json
 
@@ -191,7 +191,7 @@ def attach_sbom(
     standard="CycloneDX",
 ):
     """Download SBOMs from a Wiz report by ID and add them to the corresponding RegScale assets."""
-    from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
+    from regscale.integrations.commercial.wizv2.core.auth import wiz_authenticate
     from regscale.integrations.commercial.wizv2.utils import fetch_sbom_report
 
     if client_secret is None:
@@ -212,15 +212,6 @@ def attach_sbom(
     )
 
 
-@wiz.command()
-def threats():
-    """Process threats from Wiz -> Coming soon"""
-    from regscale.core.app.utils.app_utils import check_license
-
-    check_license()
-    logger.info("Threats - COMING SOON")
-
-
 @wiz.command()
 @click.option(  # type: ignore
     "--wiz_project_id",
@@ -300,8 +291,12 @@ def vulnerabilities(
 )
 @click.option("--evidence_id", "-e", help="Wiz Evidence ID", required=True, type=int)  # type: ignore
 @click.option("--report_id", "-r", help="Wiz Report ID", required=True)  # type: ignore
-@click.option("--report_file_name", "-n", help="Report file name", default="evidence_report", required=False)  # type: ignore
-@click.option("--report_file_extension", "-e", help="Report file extension", default="csv", required=False)  # type: ignore
+@click.option(
+    "--report_file_name", "-n", help="Report file name", default="evidence_report", required=False
+)  # type: ignore
+@click.option(
+    "--report_file_extension", "-e", help="Report file extension", default="csv", required=False
+)  # type: ignore
 def add_report_evidence(
     client_id,
     client_secret,
@@ -311,7 +306,7 @@ def add_report_evidence(
     report_file_extension: str = "csv",
 ):
     """Download a Wiz report by ID and Attach to Evidence locker"""
-    from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
+    from regscale.integrations.commercial.wizv2.core.auth import wiz_authenticate
     from regscale.integrations.commercial.wizv2.utils import fetch_report_by_id
 
     if client_secret is None:
@@ -324,7 +319,10 @@ def add_report_evidence(
         client_secret=client_secret,
     )
     fetch_report_by_id(
-        report_id, parent_id=evidence_id, report_file_name=report_file_name, report_file_extension=report_file_extension
+        report_id,
+        parent_id=evidence_id,
+        report_file_name=report_file_name,
+        report_file_extension=report_file_extension,
     )
 
 
@@ -361,7 +359,10 @@ def add_report_evidence(
 @click.option(  # type: ignore
     "--framework_id",
     "-f",
-    help="Wiz framework ID or shorthand (e.g., 'nist', 'aws', 'wf-id-4'). Use --list-frameworks to see options. Default: wf-id-4 (NIST SP 800-53 Rev 5)",
+    help=(
+        "Wiz framework ID or shorthand (e.g., 'nist', 'aws', 'wf-id-4'). "
+        "Use --list-frameworks to see options. Default: wf-id-4 (NIST SP 800-53 Rev 5)"
+    ),
     default="wf-id-4",
     required=False,
 )
@@ -420,67 +421,51 @@ def sync_compliance(
     """
     Sync policy compliance assessments from Wiz to RegScale.
 
-    This command fetches policy assessment data from Wiz and creates:
+    This command now uses CSV compliance reports from Wiz instead of GraphQL API.
+    It creates:
     - Control assessments based on policy compliance results
     - Issues for failed policy assessments (if --create-issues enabled)
     - Updates to control implementation status (if --update-control-status enabled)
-    - JSON output file with policy compliance data in artifacts/wiz/ directory
-    - Cached framework mapping for improved performance
 
-    CACHING:
-    By default, the command will reuse cached policy data if it's newer than the cache
-    duration (default: 60 minutes). Use --refresh to force fresh data from Wiz.
-    Use --cache-duration to adjust how long cached data is considered valid.
+    NOTE: This command is deprecated. Use 'compliance_report' command instead.
     """
-    from regscale.integrations.commercial.wizv2.policy_compliance import (
-        WizPolicyComplianceIntegration,
-        list_available_frameworks,
-        resolve_framework_id,
-    )
+    click.echo("⚠️  sync_compliance is deprecated and now uses compliance_report implementation.")
+    click.echo("    Consider using 'regscale wiz compliance_report' directly for future use.\n")
 
-    # Handle --list-frameworks flag
+    # Handle --list-frameworks flag (no longer supported, inform user)
     if list_frameworks:
-        click.echo(list_available_frameworks())
+        click.echo("❌  --list-frameworks is no longer supported in the deprecated sync_compliance command.")
+        click.echo("    Please use 'regscale wiz compliance_report' instead.\n")
         return
 
     # Use environment variables if not provided
-    if client_secret is None:
+    if client_secret is None or client_secret == "":
         client_secret = WizVariables.wizClientSecret
-    if client_id is None:
+    if client_id is None or client_id == "":
         client_id = WizVariables.wizClientId
 
-    # Resolve framework ID using the enhanced framework resolution
-    try:
-        resolved_framework_id = resolve_framework_id(framework_id.lower())
-        if resolved_framework_id != framework_id:
-            from regscale.integrations.commercial.wizv2.policy_compliance import FRAMEWORK_MAPPINGS
-
-            framework_name = FRAMEWORK_MAPPINGS.get(resolved_framework_id, resolved_framework_id)
-            click.echo(f"🔍 Resolved '{framework_id}' to '{framework_name}' ({resolved_framework_id})")
-    except ValueError as e:
-        click.echo(f"❌ {str(e)}")
-        click.echo("\nUse --list-frameworks to see all available options.")
-        return
+    # Import compliance_report processor instead of GraphQL-based integration
+    from regscale.integrations.commercial.wizv2.compliance_report import WizComplianceReportProcessor
 
-    # Create and run the policy compliance integration
-    policy_integration = WizPolicyComplianceIntegration(
+    # Create processor with similar options to compliance_report command
+    processor = WizComplianceReportProcessor(
         plan_id=regscale_id,
         wiz_project_id=wiz_project_id,
         client_id=client_id,
         client_secret=client_secret,
-        framework_id=resolved_framework_id,
         regscale_module=regscale_module,
         create_poams=create_poams,
-        cache_duration_minutes=cache_duration,
-        force_refresh=refresh,
-    )
-
-    # Run the policy compliance sync
-    policy_integration.sync_policy_compliance(
         create_issues=create_issues,
         update_control_status=update_control_status,
+        report_file_path=None,  # Will create new report
+        force_fresh_report=refresh,  # Map --refresh to force_fresh_report
+        reuse_existing_reports=not refresh,  # Inverse of refresh
+        bypass_control_filtering=True,  # Enable for performance
     )
 
+    # Process the compliance report using new ComplianceIntegration pattern
+    processor.process_compliance_sync()
+
 
 @wiz.command(name="compliance_report")
 @click.option(
@@ -496,7 +481,7 @@ def sync_compliance(
     "--client_id",
     "-i",
     help="Wiz Client ID, or can be set as environment variable wizClientId",
-    default="",
+    default=None,
     hide_input=False,
     required=False,
 )
@@ -504,7 +489,7 @@ def sync_compliance(
     "--client_secret",
     "-s",
     help="Wiz Client Secret, or can be set as environment variable wizClientSecret",
-    default="",
+    default=None,
     hide_input=True,
     required=False,
 )
@@ -581,10 +566,10 @@ def compliance_report(
     """
     from regscale.integrations.commercial.wizv2.compliance_report import WizComplianceReportProcessor
 
-    # Use environment variables if not provided
-    if client_secret is None:
+    # Use environment variables if not provided or empty
+    if not client_secret:
         client_secret = WizVariables.wizClientSecret
-    if client_id is None:
+    if not client_id:
         client_id = WizVariables.wizClientId
 
     # Create and run the compliance report processor

regscale/integrations/commercial/wizv2/compliance/__init__.py

@@ -0,0 +1,15 @@
+"""Compliance-specific functionality for Wiz integration."""
+
+from regscale.integrations.commercial.wizv2.compliance.helpers import (
+    AssetConsolidator,
+    ControlAssessmentProcessor,
+    ControlImplementationCache,
+    IssueFieldSetter,
+)
+
+__all__ = [
+    "AssetConsolidator",
+    "ControlAssessmentProcessor",
+    "ControlImplementationCache",
+    "IssueFieldSetter",
+]

regscale/integrations/commercial/wizv2/{policy_compliance_helpers.py → compliance/helpers.py}

@@ -266,32 +266,39 @@ class IssueFieldSetter:
             )
 
             for impl in implementations:
-                if not hasattr(impl, "controlID") or not impl.controlID:
-                    continue
-
-                # Check cache for security control
-                security_control = self.cache.get_security_control(impl.controlID)
-                if not security_control:
-                    security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
-                    if security_control:
-                        self.cache.set_security_control(impl.controlID, security_control)
-
-                if security_control and hasattr(security_control, "controlId"):
-                    from regscale.integrations.commercial.wizv2.policy_compliance import WizPolicyComplianceIntegration
-
-                    impl_control_id = WizPolicyComplianceIntegration._normalize_control_id_string(
-                        security_control.controlId
-                    )
-
-                    if impl_control_id == control_id:
-                        logger.debug(f"✓ Found control implementation {impl.id} for control {control_id}")
-                        return impl.id
+                if impl_id := self._check_implementation_match(impl, control_id):
+                    return impl_id
 
             return None
         except Exception as e:
             logger.error(f"Error finding control implementation for {control_id}: {e}")
             return None
 
+    def _check_implementation_match(self, impl, control_id: str) -> Optional[int]:
+        """Check if implementation matches the control ID."""
+        if not hasattr(impl, "controlID") or not impl.controlID:
+            return None
+
+        # Check cache for security control
+        security_control = self.cache.get_security_control(impl.controlID)
+        if not security_control:
+            security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
+            if security_control:
+                self.cache.set_security_control(impl.controlID, security_control)
+
+        if not security_control or not hasattr(security_control, "controlId"):
+            return None
+
+        from regscale.integrations.commercial.wizv2.policy_compliance import WizPolicyComplianceIntegration
+
+        impl_control_id = WizPolicyComplianceIntegration._normalize_control_id_string(security_control.controlId)
+
+        if impl_control_id == control_id:
+            logger.debug(f"✓ Found control implementation {impl.id} for control {control_id}")
+            return impl.id
+
+        return None
+
     def _get_or_find_assessment_id(self, impl_id: int) -> Optional[int]:
         """
         Get assessment ID from cache or database.
@@ -480,22 +487,26 @@ class ControlAssessmentProcessor:
             assessments = regscale_models.Assessment.get_all_by_parent(parent_id=impl_id, parent_module="controls")
 
             for assessment in assessments:
-                if hasattr(assessment, "actualFinish") and assessment.actualFinish:
-                    try:
-                        if isinstance(assessment.actualFinish, str):
-                            assessment_date = regscale_string_to_datetime(assessment.actualFinish).date()
-                        elif hasattr(assessment.actualFinish, "date"):
-                            assessment_date = assessment.actualFinish.date()
-                        else:
-                            assessment_date = assessment.actualFinish
+                if assessment_date := self._get_assessment_date(assessment):
+                    if assessment_date == today:
+                        self.cache.set_assessment(impl_id, assessment)
+                        return assessment
 
-                        if assessment_date == today:
-                            self.cache.set_assessment(impl_id, assessment)
-                            return assessment
-                    except Exception:
-                        continue
+            return None
+        except Exception:
+            return None
 
+    def _get_assessment_date(self, assessment):
+        """Extract date from assessment actualFinish field."""
+        if not hasattr(assessment, "actualFinish") or not assessment.actualFinish:
             return None
+
+        try:
+            if isinstance(assessment.actualFinish, str):
+                return regscale_string_to_datetime(assessment.actualFinish).date()
+            if hasattr(assessment.actualFinish, "date"):
+                return assessment.actualFinish.date()
+            return assessment.actualFinish
         except Exception:
             return None
 
@@ -511,8 +522,14 @@ class ControlAssessmentProcessor:
         result_color = "#d32f2f" if result == "Fail" else "#2e7d32"
         bg_color = "#ffebee" if result == "Fail" else "#e8f5e8"
 
-        html_parts = [
-            f"""
+        header_html = self._create_report_header(control_id, result, result_color, bg_color, len(compliance_items))
+        summary_html = self._create_report_summary(compliance_items) if compliance_items else ""
+
+        return "\n".join([header_html, summary_html])
+
+    def _create_report_header(self, control_id: str, result: str, result_color: str, bg_color: str, total: int) -> str:
+        """Create HTML header section for assessment report."""
+        return f"""
             <div style="margin-bottom: 20px; padding: 15px; border: 2px solid {result_color};
                         border-radius: 5px; background-color: {bg_color};">
                 <h3 style="margin: 0 0 10px 0; color: {result_color};">
@@ -522,34 +539,24 @@ class ControlAssessmentProcessor:
                    <span style="color: {result_color}; font-weight: bold;">{result}</span></p>
                 <p><strong>Assessment Date:</strong> {self.scan_date}</p>
                 <p><strong>Framework:</strong> {self.framework}</p>
-                <p><strong>Total Policy Assessments:</strong> {len(compliance_items)}</p>
+                <p><strong>Total Policy Assessments:</strong> {total}</p>
             </div>
             """
-        ]
-
-        if compliance_items:
-            pass_count = len(
-                [
-                    item
-                    for item in compliance_items
-                    if hasattr(item, "compliance_result")
-                    and item.compliance_result in ["PASS", "PASSED", "pass", "passed"]
-                ]
-            )
-            fail_count = len(compliance_items) - pass_count
 
-            unique_resources = set()
-            unique_policies = set()
+    def _create_report_summary(self, compliance_items: List[Any]) -> str:
+        """Create HTML summary section for assessment report."""
+        pass_count = len(
+            [
+                item
+                for item in compliance_items
+                if hasattr(item, "compliance_result") and item.compliance_result in ["PASS", "PASSED", "pass", "passed"]
+            ]
+        )
+        fail_count = len(compliance_items) - pass_count
 
-            for item in compliance_items:
-                if hasattr(item, "resource_id"):
-                    unique_resources.add(item.resource_id)
-                if hasattr(item, "description") and item.description:
-                    policy_desc = item.description[:50] + "..." if len(item.description) > 50 else item.description
-                    unique_policies.add(policy_desc)
+        unique_resources, unique_policies = self._extract_unique_items(compliance_items)
 
-            html_parts.append(
-                f"""
+        return f"""
             <div style="margin-top: 20px;">
                 <h4>Assessment Summary</h4>
                 <p><strong>Policy Assessments:</strong> {len(compliance_items)} total</p>
@@ -559,6 +566,17 @@ class ControlAssessmentProcessor:
                 <p><strong>Failing:</strong> <span style="color: #d32f2f;">{fail_count}</span></p>
             </div>
             """
-            )
 
-        return "\n".join(html_parts)
+    def _extract_unique_items(self, compliance_items: List[Any]):
+        """Extract unique resources and policies from compliance items."""
+        unique_resources = set()
+        unique_policies = set()
+
+        for item in compliance_items:
+            if hasattr(item, "resource_id"):
+                unique_resources.add(item.resource_id)
+            if hasattr(item, "description") and item.description:
+                policy_desc = item.description[:50] + "..." if len(item.description) > 50 else item.description
+                unique_policies.add(policy_desc)
+
+        return unique_resources, unique_policies