security-use 0.1.1__py3-none-any.whl → 0.2.9__py3-none-any.whl

security_use/fixers/iac_fixer.py

@@ -10,182 +10,260 @@ from typing import Optional
 
 
 @dataclass
-class FixResult:
+class IaCFixResult:
     """Result of applying or suggesting a fix."""
     success: bool
-    file_modified: str = ""
-    old_version: str = ""
-    new_version: str = ""
-    diff: str = ""
+    file_path: str = ""
+    rule_id: str = ""
+    resource_name: str = ""
     before: str = ""
     after: str = ""
     explanation: str = ""
     error: Optional[str] = None
 
 
-# Fix mappings for known rules
+# Fix mappings for known rules - using CKV rule IDs from scanner
 IAC_FIXES = {
-    "S3_PUBLIC_ACCESS": {
-        "pattern": r'acl\s*=\s*"public-read"',
+    # S3 Bucket Rules
+    "CKV_AWS_20": {  # S3 bucket with public access
+        "pattern": r'acl\s*=\s*"public-read(?:-write)?"',
         "replacement": 'acl = "private"',
-        "explanation": "Changed S3 bucket ACL from public-read to private to prevent unauthorized public access.",
+        "explanation": "Changed S3 bucket ACL from public to private to prevent unauthorized access.",
     },
-    "S3_VERSIONING_DISABLED": {
-        "pattern": r'versioning\s*=\s*false',
-        "replacement": 'versioning = true',
-        "explanation": "Enabled S3 bucket versioning to allow recovery of accidentally deleted objects.",
+    "CKV_AWS_19": {  # S3 bucket without encryption - handled via additions
+        "skip": True,  # Use additions instead for cleaner handling
+        "explanation": "Added server-side encryption configuration to S3 bucket.",
     },
-    "SG_OPEN_INGRESS": {
+    # Security Group Rules
+    "CKV_AWS_23": {  # Security group allows unrestricted ingress
         "pattern": r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]',
-        "replacement": 'cidr_blocks = ["10.0.0.0/8"]',
-        "explanation": "Restricted security group ingress to private IP range. Update this to your specific IP range.",
+        "replacement": 'cidr_blocks = ["10.0.0.0/8"]  # TODO: Restrict to your IP range',
+        "explanation": "Restricted security group ingress to private IP range. Update to your specific IP range.",
     },
-    "RDS_PUBLIC": {
-        "pattern": r'publicly_accessible\s*=\s*true',
-        "replacement": 'publicly_accessible = false',
-        "explanation": "Disabled public accessibility for RDS instance. Access via VPC or bastion host instead.",
+    # RDS Rules
+    "CKV_AWS_16": {  # RDS instance without encryption
+        "pattern": r'(resource\s+"aws_db_instance"\s+"[^"]+"\s*\{)',
+        "replacement": r'\1\n  storage_encrypted = true',
+        "explanation": "Enabled storage encryption for RDS instance.",
+        "multiline": True,
     },
-    "EBS_UNENCRYPTED": {
+    # EBS Rules
+    "CKV_AWS_3": {  # EBS volume without encryption
         "pattern": r'encrypted\s*=\s*false',
         "replacement": 'encrypted = true',
         "explanation": "Enabled EBS volume encryption to protect data at rest.",
     },
-    "IAM_WILDCARD_ACTION": {
+    # CloudTrail Rules
+    "CKV_AWS_35": {  # CloudTrail not logging all events
+        "pattern": r'is_multi_region_trail\s*=\s*false',
+        "replacement": 'is_multi_region_trail = true',
+        "explanation": "Enabled multi-region CloudTrail logging.",
+    },
+    # IAM Rules
+    "CKV_AWS_40": {  # IAM policy with wildcard action
         "pattern": r'"Action"\s*:\s*"\*"',
-        "replacement": '"Action": ["s3:GetObject", "s3:PutObject"]',
+        "replacement": '"Action": ["s3:GetObject", "s3:PutObject"]  # TODO: Specify required actions',
         "explanation": "Replaced wildcard action with specific actions. Update to your required actions.",
     },
-    "CLOUDTRAIL_DISABLED": {
-        "pattern": r'enable_logging\s*=\s*false',
-        "replacement": 'enable_logging = true',
-        "explanation": "Enabled CloudTrail logging to maintain audit trail.",
-    },
-    "KMS_KEY_ROTATION": {
+    # KMS Rules
+    "CKV_AWS_7": {  # KMS key rotation disabled
         "pattern": r'enable_key_rotation\s*=\s*false',
         "replacement": 'enable_key_rotation = true',
         "explanation": "Enabled KMS key rotation for improved security compliance.",
     },
 }
 
+# Additional patterns for adding missing configurations
+IAC_ADDITIONS = {
+    "CKV_AWS_19": {  # S3 bucket without encryption - add block if not present
+        "resource_type": "aws_s3_bucket",
+        "check_pattern": r'server_side_encryption_configuration',
+        "add_block": '''
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }''',
+        "explanation": "Added server-side encryption configuration to S3 bucket.",
+    },
+    "CKV_AWS_3": {  # EBS volume - add encrypted = true if not present
+        "resource_type": "aws_ebs_volume",
+        "check_pattern": r'encrypted\s*=',
+        "add_block": '\n  encrypted = true',
+        "explanation": "Added encryption setting to EBS volume.",
+    },
+    "CKV_AWS_16": {  # RDS - add storage_encrypted if not present
+        "resource_type": "aws_db_instance",
+        "check_pattern": r'storage_encrypted\s*=',
+        "add_block": '\n  storage_encrypted = true',
+        "explanation": "Added storage encryption to RDS instance.",
+    },
+}
+
 
 class IaCFixer:
     """Fixer for Infrastructure as Code security issues."""
 
     def __init__(self):
         self.fixes = IAC_FIXES
+        self.additions = IAC_ADDITIONS
 
-    def fix(
+    def fix_finding(
         self,
         file_path: str,
         rule_id: str,
+        resource_name: str,
         line_number: Optional[int] = None,
-        auto_apply: bool = False
-    ) -> FixResult:
+        auto_apply: bool = True
+    ) -> IaCFixResult:
         """Fix an IaC security issue.
 
         Args:
             file_path: Path to the IaC file.
             rule_id: ID of the security rule that was violated.
+            resource_name: Name of the resource with the issue.
             line_number: Optional line number where the issue is located.
             auto_apply: If True, apply the fix. If False, only suggest.
 
         Returns:
-            FixResult with the fix details.
+            IaCFixResult with the fix details.
         """
         path_obj = Path(file_path)
 
         if not path_obj.exists():
-            return FixResult(
+            return IaCFixResult(
                 success=False,
+                file_path=file_path,
+                rule_id=rule_id,
                 error=f"File does not exist: {file_path}"
             )
 
-        if rule_id not in self.fixes:
-            return FixResult(
-                success=False,
-                error=f"No fix available for rule: {rule_id}"
-            )
-
-        fix_info = self.fixes[rule_id]
-
         try:
             content = path_obj.read_text()
-            lines = content.split("\n")
+            original_content = content
+            fix_applied = False
+            explanation = ""
+
+            # Try pattern replacement first
+            if rule_id in self.fixes:
+                fix_info = self.fixes[rule_id]
+
+                # Skip if marked to use additions instead
+                if fix_info.get("skip"):
+                    pass  # Fall through to additions
+                else:
+                    flags = re.IGNORECASE | re.MULTILINE
+                    if fix_info.get("multiline"):
+                        flags |= re.DOTALL
 
-            # Find the problematic section
-            pattern = re.compile(fix_info["pattern"], re.IGNORECASE | re.MULTILINE)
-            match = pattern.search(content)
+                    pattern = re.compile(fix_info["pattern"], flags)
 
-            if not match:
-                return FixResult(
+                    if pattern.search(content):
+                        content = pattern.sub(fix_info["replacement"], content, count=1)
+                        fix_applied = True
+                        explanation = fix_info["explanation"]
+
+            # Try adding missing configuration blocks
+            if not fix_applied and rule_id in self.additions:
+                add_info = self.additions[rule_id]
+                resource_type = add_info["resource_type"]
+                check_pattern = add_info["check_pattern"]
+
+                # Check if already has this configuration in the file
+                if re.search(check_pattern, content, re.IGNORECASE):
+                    return IaCFixResult(
+                        success=False,
+                        file_path=file_path,
+                        rule_id=rule_id,
+                        resource_name=resource_name,
+                        error="Configuration already exists in file"
+                    )
+
+                # Find the resource block - match balanced braces
+                resource_start_pattern = rf'resource\s+"{resource_type}"\s+"{re.escape(resource_name)}"\s*\{{'
+                match = re.search(resource_start_pattern, content)
+
+                if match:
+                    # Find the matching closing brace
+                    start_pos = match.end() - 1  # Position of opening brace
+                    brace_count = 1
+                    pos = start_pos + 1
+
+                    while pos < len(content) and brace_count > 0:
+                        if content[pos] == '{':
+                            brace_count += 1
+                        elif content[pos] == '}':
+                            brace_count -= 1
+                        pos += 1
+
+                    if brace_count == 0:
+                        # Insert the new block before the closing brace
+                        insert_pos = pos - 1
+                        new_content = content[:insert_pos] + add_info["add_block"] + "\n" + content[insert_pos:]
+                        content = new_content
+                        fix_applied = True
+                        explanation = add_info["explanation"]
+
+            if not fix_applied:
+                return IaCFixResult(
                     success=False,
-                    error=f"Could not find the issue pattern for rule {rule_id}"
+                    file_path=file_path,
+                    rule_id=rule_id,
+                    resource_name=resource_name,
+                    error=f"No automatic fix available for rule {rule_id} or pattern not found"
                 )
 
-            # Get the before snippet
-            match_line = content[:match.start()].count("\n")
-            start_line = max(0, match_line - 2)
-            end_line = min(len(lines), match_line + 5)
-            before_snippet = "\n".join(lines[start_line:end_line])
+            # Get before/after snippets
+            before_lines = original_content.split("\n")
+            after_lines = content.split("\n")
 
-            # Apply the fix
-            new_content = pattern.sub(fix_info["replacement"], content, count=1)
-            new_lines = new_content.split("\n")
+            # Find changed region
+            start_line = 0
+            end_line = len(before_lines)
+            if line_number:
+                start_line = max(0, line_number - 3)
+                end_line = min(len(before_lines), line_number + 10)
 
-            # Get the after snippet
-            after_snippet = "\n".join(new_lines[start_line:end_line])
-
-            # Generate diff
-            diff = self._generate_diff(content, new_content)
+            before_snippet = "\n".join(before_lines[start_line:end_line])
+            after_snippet = "\n".join(after_lines[start_line:min(len(after_lines), end_line + 5)])
 
             if auto_apply:
-                # Write the fixed content
-                path_obj.write_text(new_content)
-                return FixResult(
+                path_obj.write_text(content)
+                return IaCFixResult(
                     success=True,
-                    file_modified=file_path,
-                    diff=diff,
+                    file_path=file_path,
+                    rule_id=rule_id,
+                    resource_name=resource_name,
                     before=before_snippet,
                     after=after_snippet,
-                    explanation=fix_info["explanation"],
+                    explanation=explanation,
                 )
             else:
-                # Return suggested fix without applying
-                return FixResult(
+                return IaCFixResult(
                     success=True,
+                    file_path=file_path,
+                    rule_id=rule_id,
+                    resource_name=resource_name,
                     before=before_snippet,
                     after=after_snippet,
-                    diff=diff,
-                    explanation=fix_info["explanation"],
+                    explanation=explanation,
                 )
 
         except Exception as e:
-            return FixResult(
+            return IaCFixResult(
                 success=False,
+                file_path=file_path,
+                rule_id=rule_id,
                 error=str(e)
             )
 
-    def _generate_diff(self, old_content: str, new_content: str) -> str:
-        """Generate a unified diff of the changes."""
-        old_lines = old_content.split("\n")
-        new_lines = new_content.split("\n")
-
-        diff_lines = []
-        for i, (old_line, new_line) in enumerate(zip(old_lines, new_lines)):
-            if old_line != new_line:
-                diff_lines.append(f"-{old_line}")
-                diff_lines.append(f"+{new_line}")
-
-        # Handle length differences
-        if len(old_lines) > len(new_lines):
-            for line in old_lines[len(new_lines):]:
-                diff_lines.append(f"-{line}")
-        elif len(new_lines) > len(old_lines):
-            for line in new_lines[len(old_lines):]:
-                diff_lines.append(f"+{line}")
-
-        return "\n".join(diff_lines) if diff_lines else "No changes"
-
     def get_available_fixes(self) -> list[str]:
         """Get list of rule IDs that have available fixes."""
-        return list(self.fixes.keys())
+        all_rules = set(self.fixes.keys()) | set(self.additions.keys())
+        return sorted(list(all_rules))
+
+    def has_fix(self, rule_id: str) -> bool:
+        """Check if a fix is available for a rule."""
+        return rule_id in self.fixes or rule_id in self.additions

security_use/iac/rules/azure.py

@@ -0,0 +1,246 @@
+"""Azure security rules for IaC scanning."""
+
+from security_use.models import Severity
+from security_use.iac.base import IaCResource
+from security_use.iac.rules.base import Rule, RuleResult
+
+
+class AzureStoragePublicAccessRule(Rule):
+    """Check that Azure Storage accounts do not allow public access."""
+
+    RULE_ID = "CKV_AZURE_19"
+    TITLE = "Storage account with public access"
+    SEVERITY = Severity.CRITICAL
+    DESCRIPTION = (
+        "Azure Storage account allows public access. This can expose "
+        "sensitive data to unauthorized users."
+    )
+    REMEDIATION = (
+        "Set allow_blob_public_access to false and configure private endpoints."
+    )
+    RESOURCE_TYPES = ["azurerm_storage_account", "Microsoft.Storage/storageAccounts"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if Storage account allows public access."""
+        # Terraform
+        allow_public = resource.get_config("allow_blob_public_access", default=True)
+
+        # ARM template
+        if allow_public:
+            properties = resource.get_config("properties", default={})
+            allow_public = properties.get("allowBlobPublicAccess", True)
+
+        fix_code = None
+        if allow_public:
+            fix_code = "allow_blob_public_access = false"
+
+        return self._create_result(not allow_public, resource, fix_code)
+
+
+class AzureStorageEncryptionRule(Rule):
+    """Check that Azure Storage accounts have encryption enabled."""
+
+    RULE_ID = "CKV_AZURE_3"
+    TITLE = "Storage account without encryption"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Azure Storage account does not have encryption at rest enabled. "
+        "Data should be encrypted to protect sensitive information."
+    )
+    REMEDIATION = (
+        "Enable blob encryption services and configure customer-managed keys."
+    )
+    RESOURCE_TYPES = ["azurerm_storage_account", "Microsoft.Storage/storageAccounts"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if Storage account has encryption enabled."""
+        has_encryption = False
+
+        # Terraform
+        blob_properties = resource.get_config("blob_properties", default={})
+        if blob_properties:
+            has_encryption = True
+
+        # ARM template - encryption is enabled by default since 2017
+        properties = resource.get_config("properties", default={})
+        encryption = properties.get("encryption", {})
+        if encryption.get("services", {}).get("blob", {}).get("enabled"):
+            has_encryption = True
+
+        # Check for minimum TLS version
+        min_tls = resource.get_config("min_tls_version", default="")
+        if min_tls == "TLS1_2":
+            has_encryption = True
+
+        return self._create_result(has_encryption, resource)
+
+
+class AzureNSGOpenIngressRule(Rule):
+    """Check that Azure NSG doesn't allow unrestricted ingress."""
+
+    RULE_ID = "CKV_AZURE_9"
+    TITLE = "NSG allows unrestricted inbound traffic"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Network Security Group allows inbound traffic from 0.0.0.0/0 or * "
+        "on sensitive ports. This exposes services to the entire internet."
+    )
+    REMEDIATION = (
+        "Restrict source addresses to specific IP ranges or Azure service tags. "
+        "Avoid using * or 0.0.0.0/0 as the source."
+    )
+    RESOURCE_TYPES = [
+        "azurerm_network_security_rule",
+        "azurerm_network_security_group",
+        "Microsoft.Network/networkSecurityGroups",
+    ]
+
+    SENSITIVE_PORTS = ["22", "3389", "3306", "5432", "1433", "27017", "6379"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if NSG has open ingress on sensitive ports."""
+        has_open_ingress = False
+
+        # Terraform: Check security_rule blocks
+        rules = resource.get_config("security_rule", default=[])
+        if isinstance(rules, list):
+            for rule in rules:
+                if self._is_open_rule(rule):
+                    has_open_ingress = True
+                    break
+
+        # Standalone security rule
+        if resource.resource_type == "azurerm_network_security_rule":
+            if self._is_open_rule(resource.config):
+                has_open_ingress = True
+
+        fix_code = None
+        if has_open_ingress:
+            fix_code = "# Restrict source_address_prefix to specific IP ranges"
+
+        return self._create_result(not has_open_ingress, resource, fix_code)
+
+    def _is_open_rule(self, rule: dict) -> bool:
+        """Check if a rule allows open inbound access."""
+        direction = rule.get("direction", "").lower()
+        access = rule.get("access", "").lower()
+        source = rule.get("source_address_prefix", "")
+
+        if direction != "inbound" or access != "allow":
+            return False
+
+        if source not in ["*", "0.0.0.0/0", "Internet"]:
+            return False
+
+        # Check ports
+        dest_port = rule.get("destination_port_range", "")
+        dest_ports = rule.get("destination_port_ranges", [])
+
+        if dest_port == "*" or "*" in dest_ports:
+            return True
+
+        for port in self.SENSITIVE_PORTS:
+            if dest_port == port or port in dest_ports:
+                return True
+
+        return False
+
+
+class AzureSQLEncryptionRule(Rule):
+    """Check that Azure SQL databases have encryption enabled."""
+
+    RULE_ID = "CKV_AZURE_24"
+    TITLE = "SQL database without transparent data encryption"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Azure SQL database does not have transparent data encryption (TDE) enabled. "
+        "TDE protects data at rest by encrypting the database files."
+    )
+    REMEDIATION = (
+        "Enable transparent data encryption for the SQL database. "
+        "TDE is enabled by default for Azure SQL Database."
+    )
+    RESOURCE_TYPES = [
+        "azurerm_mssql_database",
+        "azurerm_sql_database",
+        "Microsoft.Sql/servers/databases",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if SQL database has TDE enabled."""
+        # Terraform - check if TDE is explicitly disabled
+        transparent_encryption = resource.get_config(
+            "transparent_data_encryption_enabled", default=True
+        )
+
+        fix_code = None
+        if not transparent_encryption:
+            fix_code = "transparent_data_encryption_enabled = true"
+
+        return self._create_result(bool(transparent_encryption), resource, fix_code)
+
+
+class AzureKeyVaultSoftDeleteRule(Rule):
+    """Check that Azure Key Vault has soft delete enabled."""
+
+    RULE_ID = "CKV_AZURE_42"
+    TITLE = "Key Vault without soft delete"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Azure Key Vault does not have soft delete enabled. "
+        "Soft delete protects against accidental deletion of secrets and keys."
+    )
+    REMEDIATION = (
+        "Enable soft delete and purge protection for the Key Vault."
+    )
+    RESOURCE_TYPES = ["azurerm_key_vault", "Microsoft.KeyVault/vaults"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if Key Vault has soft delete enabled."""
+        # Soft delete is enabled by default since Feb 2025
+        soft_delete = resource.get_config("soft_delete_retention_days", default=90)
+        purge_protection = resource.get_config("purge_protection_enabled", default=False)
+
+        passed = soft_delete > 0 and purge_protection
+
+        fix_code = None
+        if not passed:
+            fix_code = "soft_delete_retention_days = 90\npurge_protection_enabled = true"
+
+        return self._create_result(passed, resource, fix_code)
+
+
+class AzureActivityLogRetentionRule(Rule):
+    """Check that Azure activity logs have sufficient retention."""
+
+    RULE_ID = "CKV_AZURE_37"
+    TITLE = "Activity log with insufficient retention"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Azure activity logs do not have sufficient retention period. "
+        "Logs should be retained for at least 365 days for compliance."
+    )
+    REMEDIATION = (
+        "Configure activity log retention to at least 365 days or export to storage."
+    )
+    RESOURCE_TYPES = [
+        "azurerm_monitor_log_profile",
+        "Microsoft.Insights/logprofiles",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if activity logs have sufficient retention."""
+        retention = resource.get_config("retention_policy", default={})
+        enabled = retention.get("enabled", False)
+        days = retention.get("days", 0)
+
+        passed = enabled and days >= 365
+
+        fix_code = None
+        if not passed:
+            fix_code = '''retention_policy {
+  enabled = true
+  days    = 365
+}'''
+
+        return self._create_result(passed, resource, fix_code)