security-use 0.1.1__py3-none-any.whl → 0.2.9__py3-none-any.whl

security_use/iac/rules/gcp.py

@@ -0,0 +1,255 @@
+"""GCP security rules for IaC scanning."""
+
+from security_use.models import Severity
+from security_use.iac.base import IaCResource
+from security_use.iac.rules.base import Rule, RuleResult
+
+
+class GCSBucketPublicAccessRule(Rule):
+    """Check that GCS buckets do not allow public access."""
+
+    RULE_ID = "CKV_GCP_5"
+    TITLE = "Cloud Storage bucket with public access"
+    SEVERITY = Severity.CRITICAL
+    DESCRIPTION = (
+        "Cloud Storage bucket is publicly accessible. This can expose "
+        "sensitive data to unauthorized users."
+    )
+    REMEDIATION = (
+        "Remove allUsers and allAuthenticatedUsers from bucket IAM bindings. "
+        "Use uniform bucket-level access."
+    )
+    RESOURCE_TYPES = [
+        "google_storage_bucket",
+        "google_storage_bucket_iam_binding",
+        "google_storage_bucket_iam_member",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if GCS bucket allows public access."""
+        has_public_access = False
+
+        # Check IAM bindings
+        members = resource.get_config("members", default=[])
+        member = resource.get_config("member", default="")
+
+        public_principals = ["allUsers", "allAuthenticatedUsers"]
+
+        if any(m in members for m in public_principals):
+            has_public_access = True
+
+        if member in public_principals:
+            has_public_access = True
+
+        fix_code = None
+        if has_public_access:
+            fix_code = "# Remove allUsers and allAuthenticatedUsers from members"
+
+        return self._create_result(not has_public_access, resource, fix_code)
+
+
+class GCSBucketEncryptionRule(Rule):
+    """Check that GCS buckets have encryption configured."""
+
+    RULE_ID = "CKV_GCP_6"
+    TITLE = "Cloud Storage bucket without customer-managed encryption"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Cloud Storage bucket does not use customer-managed encryption keys (CMEK). "
+        "While GCS encrypts data by default, CMEK provides additional control."
+    )
+    REMEDIATION = (
+        "Configure a Cloud KMS key for bucket encryption."
+    )
+    RESOURCE_TYPES = ["google_storage_bucket"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if GCS bucket uses CMEK."""
+        encryption = resource.get_config("encryption", default={})
+        default_kms_key = encryption.get("default_kms_key_name")
+
+        has_cmek = bool(default_kms_key)
+
+        fix_code = None
+        if not has_cmek:
+            fix_code = '''encryption {
+  default_kms_key_name = "projects/PROJECT/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY"
+}'''
+
+        return self._create_result(has_cmek, resource, fix_code)
+
+
+class GCPFirewallOpenIngressRule(Rule):
+    """Check that GCP firewall rules don't allow unrestricted ingress."""
+
+    RULE_ID = "CKV_GCP_2"
+    TITLE = "Firewall rule allows unrestricted ingress"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Firewall rule allows ingress from 0.0.0.0/0 on sensitive ports. "
+        "This exposes services to the entire internet."
+    )
+    REMEDIATION = (
+        "Restrict source_ranges to specific IP ranges. "
+        "Avoid using 0.0.0.0/0 as the source."
+    )
+    RESOURCE_TYPES = ["google_compute_firewall"]
+
+    SENSITIVE_PORTS = ["22", "3389", "3306", "5432", "1433", "27017", "6379"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if firewall rule has open ingress on sensitive ports."""
+        has_open_ingress = False
+
+        direction = resource.get_config("direction", default="INGRESS")
+        if direction.upper() != "INGRESS":
+            return self._create_result(True, resource)
+
+        source_ranges = resource.get_config("source_ranges", default=[])
+
+        if "0.0.0.0/0" not in source_ranges:
+            return self._create_result(True, resource)
+
+        # Check if sensitive ports are exposed
+        allow_rules = resource.get_config("allow", default=[])
+        if isinstance(allow_rules, list):
+            for rule in allow_rules:
+                ports = rule.get("ports", [])
+                if not ports:
+                    # No port restriction means all ports
+                    has_open_ingress = True
+                    break
+                for port in ports:
+                    if port in self.SENSITIVE_PORTS or "-" in str(port):
+                        has_open_ingress = True
+                        break
+
+        fix_code = None
+        if has_open_ingress:
+            fix_code = '# Restrict source_ranges to specific IP ranges instead of ["0.0.0.0/0"]'
+
+        return self._create_result(not has_open_ingress, resource, fix_code)
+
+
+class GCPCloudSQLEncryptionRule(Rule):
+    """Check that Cloud SQL instances have encryption enabled."""
+
+    RULE_ID = "CKV_GCP_14"
+    TITLE = "Cloud SQL instance without customer-managed encryption"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Cloud SQL instance does not use customer-managed encryption keys (CMEK). "
+        "While Cloud SQL encrypts data by default, CMEK provides additional control."
+    )
+    REMEDIATION = (
+        "Configure a Cloud KMS key for Cloud SQL encryption."
+    )
+    RESOURCE_TYPES = ["google_sql_database_instance"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if Cloud SQL uses CMEK."""
+        settings = resource.get_config("settings", default={})
+        ip_config = settings.get("ip_configuration", {})
+
+        # Check for encryption key
+        encryption_key = resource.get_config("encryption_key_name")
+
+        has_cmek = bool(encryption_key)
+
+        fix_code = None
+        if not has_cmek:
+            fix_code = 'encryption_key_name = "projects/PROJECT/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY"'
+
+        return self._create_result(has_cmek, resource, fix_code)
+
+
+class GCPKMSKeyRotationRule(Rule):
+    """Check that Cloud KMS keys have rotation configured."""
+
+    RULE_ID = "CKV_GCP_43"
+    TITLE = "KMS key without rotation"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Cloud KMS key does not have automatic rotation configured. "
+        "Regular key rotation limits the impact of key compromise."
+    )
+    REMEDIATION = (
+        "Configure automatic key rotation with a rotation period of 90 days or less."
+    )
+    RESOURCE_TYPES = ["google_kms_crypto_key"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if KMS key has rotation configured."""
+        rotation_period = resource.get_config("rotation_period")
+
+        has_rotation = bool(rotation_period)
+
+        fix_code = None
+        if not has_rotation:
+            fix_code = 'rotation_period = "7776000s"  # 90 days'
+
+        return self._create_result(has_rotation, resource, fix_code)
+
+
+class GCPServiceAccountKeyRule(Rule):
+    """Check that service account keys are managed properly."""
+
+    RULE_ID = "CKV_GCP_41"
+    TITLE = "Service account with user-managed keys"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Service account has user-managed keys. User-managed keys are a security "
+        "risk as they can be leaked or stolen. Prefer using attached service accounts."
+    )
+    REMEDIATION = (
+        "Use attached service accounts or workload identity instead of user-managed keys."
+    )
+    RESOURCE_TYPES = ["google_service_account_key"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Flag user-managed service account keys."""
+        # Any google_service_account_key resource is a user-managed key
+        fix_code = "# Remove user-managed keys and use workload identity or attached service accounts"
+
+        return self._create_result(False, resource, fix_code)
+
+
+class GCPAuditLoggingRule(Rule):
+    """Check that audit logging is enabled for GCP projects."""
+
+    RULE_ID = "CKV_GCP_32"
+    TITLE = "Audit logging not enabled"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Audit logging is not enabled for all services. "
+        "Audit logs are essential for security monitoring and compliance."
+    )
+    REMEDIATION = (
+        "Enable audit logging for all services using google_project_iam_audit_config."
+    )
+    RESOURCE_TYPES = ["google_project_iam_audit_config"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if comprehensive audit logging is configured."""
+        service = resource.get_config("service", default="")
+        audit_log_configs = resource.get_config("audit_log_config", default=[])
+
+        # Check if auditing all services
+        if service == "allServices":
+            if isinstance(audit_log_configs, list) and len(audit_log_configs) > 0:
+                return self._create_result(True, resource)
+
+        fix_code = '''resource "google_project_iam_audit_config" "all" {
+  service = "allServices"
+  audit_log_config {
+    log_type = "ADMIN_READ"
+  }
+  audit_log_config {
+    log_type = "DATA_READ"
+  }
+  audit_log_config {
+    log_type = "DATA_WRITE"
+  }
+}'''
+
+        return self._create_result(False, resource, fix_code)

security_use/iac/rules/kubernetes.py

@@ -0,0 +1,429 @@
+"""Kubernetes security rules for IaC scanning."""
+
+from security_use.models import Severity
+from security_use.iac.base import IaCResource
+from security_use.iac.rules.base import Rule, RuleResult
+
+
+class K8sRunAsRootRule(Rule):
+    """Check that containers don't run as root."""
+
+    RULE_ID = "CKV_K8S_6"
+    TITLE = "Container running as root"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Container is configured to run as root user. Running as root "
+        "increases the risk of container breakout and privilege escalation."
+    )
+    REMEDIATION = (
+        "Set securityContext.runAsNonRoot to true and specify a non-root runAsUser."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "kubernetes_stateful_set",
+        "kubernetes_daemon_set",
+        "kubernetes_job",
+        "kubernetes_cron_job",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+        "Job",
+        "CronJob",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if container runs as root."""
+        runs_as_root = False
+
+        # Get pod spec - handle different resource types
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        # Check pod-level security context
+        pod_security = spec.get("securityContext", {})
+        run_as_non_root = pod_security.get("runAsNonRoot", False)
+        run_as_user = pod_security.get("runAsUser")
+
+        # If pod-level says non-root, we're good
+        if run_as_non_root or (run_as_user is not None and run_as_user != 0):
+            return self._create_result(True, resource)
+
+        # Check container-level security context
+        containers = spec.get("containers", [])
+        for container in containers:
+            container_security = container.get("securityContext", {})
+            container_run_as_user = container_security.get("runAsUser")
+            container_run_as_non_root = container_security.get("runAsNonRoot", False)
+
+            if container_run_as_user == 0:
+                runs_as_root = True
+                break
+
+            if not container_run_as_non_root and run_as_user is None and container_run_as_user is None:
+                runs_as_root = True
+                break
+
+        fix_code = None
+        if runs_as_root:
+            fix_code = '''securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000'''
+
+        return self._create_result(not runs_as_root, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+
+        # Direct pod
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+
+        # Deployment/StatefulSet/etc with template
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+
+        # Terraform kubernetes_pod
+        pod_spec = config.get("spec", [{}])
+        if isinstance(pod_spec, list) and pod_spec:
+            return pod_spec[0]
+
+        return {}
+
+
+class K8sPrivilegedContainerRule(Rule):
+    """Check that containers don't run in privileged mode."""
+
+    RULE_ID = "CKV_K8S_1"
+    TITLE = "Privileged container"
+    SEVERITY = Severity.CRITICAL
+    DESCRIPTION = (
+        "Container is running in privileged mode. Privileged containers have "
+        "full access to the host and can escape container isolation."
+    )
+    REMEDIATION = (
+        "Set securityContext.privileged to false."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if container runs privileged."""
+        is_privileged = False
+
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        containers = spec.get("containers", [])
+        for container in containers:
+            security = container.get("securityContext", {})
+            if security.get("privileged", False):
+                is_privileged = True
+                break
+
+        fix_code = None
+        if is_privileged:
+            fix_code = '''securityContext:
+  privileged: false'''
+
+        return self._create_result(not is_privileged, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+        return {}
+
+
+class K8sResourceLimitsRule(Rule):
+    """Check that containers have resource limits defined."""
+
+    RULE_ID = "CKV_K8S_11"
+    TITLE = "Container without resource limits"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Container does not have resource limits defined. Without limits, "
+        "a container can consume all available resources on the node."
+    )
+    REMEDIATION = (
+        "Define resources.limits for CPU and memory."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if container has resource limits."""
+        has_limits = True
+
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        containers = spec.get("containers", [])
+        for container in containers:
+            resources = container.get("resources", {})
+            limits = resources.get("limits", {})
+
+            if not limits.get("cpu") or not limits.get("memory"):
+                has_limits = False
+                break
+
+        fix_code = None
+        if not has_limits:
+            fix_code = '''resources:
+  limits:
+    cpu: "500m"
+    memory: "512Mi"
+  requests:
+    cpu: "100m"
+    memory: "128Mi"'''
+
+        return self._create_result(has_limits, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+        return {}
+
+
+class K8sHostNetworkRule(Rule):
+    """Check that pods don't use host network namespace."""
+
+    RULE_ID = "CKV_K8S_19"
+    TITLE = "Pod using host network"
+    SEVERITY = Severity.HIGH
+    DESCRIPTION = (
+        "Pod is configured to use the host network namespace. This allows "
+        "the container to access all network interfaces on the host."
+    )
+    REMEDIATION = (
+        "Set hostNetwork to false unless absolutely necessary."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if pod uses host network."""
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        host_network = spec.get("hostNetwork", False)
+
+        fix_code = None
+        if host_network:
+            fix_code = "hostNetwork: false"
+
+        return self._create_result(not host_network, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+        return {}
+
+
+class K8sSecretsEnvVarsRule(Rule):
+    """Check that secrets are not exposed as environment variables."""
+
+    RULE_ID = "CKV_K8S_35"
+    TITLE = "Secrets exposed as environment variables"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Secrets are exposed as environment variables. Environment variables "
+        "can be logged or exposed through process listings. Use volume mounts instead."
+    )
+    REMEDIATION = (
+        "Mount secrets as volumes instead of using envFrom with secretRef."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if secrets are exposed as env vars."""
+        secrets_in_env = False
+
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        containers = spec.get("containers", [])
+        for container in containers:
+            # Check envFrom with secretRef
+            env_from = container.get("envFrom", [])
+            for env in env_from:
+                if "secretRef" in env:
+                    secrets_in_env = True
+                    break
+
+            # Check individual env vars with secretKeyRef
+            env_vars = container.get("env", [])
+            for env in env_vars:
+                value_from = env.get("valueFrom", {})
+                if "secretKeyRef" in value_from:
+                    secrets_in_env = True
+                    break
+
+            if secrets_in_env:
+                break
+
+        fix_code = None
+        if secrets_in_env:
+            fix_code = '''# Mount secrets as volumes instead
+volumeMounts:
+  - name: secret-volume
+    mountPath: "/etc/secrets"
+    readOnly: true
+volumes:
+  - name: secret-volume
+    secret:
+      secretName: my-secret'''
+
+        return self._create_result(not secrets_in_env, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+        return {}
+
+
+class K8sReadOnlyRootFilesystemRule(Rule):
+    """Check that containers use read-only root filesystem."""
+
+    RULE_ID = "CKV_K8S_22"
+    TITLE = "Container without read-only root filesystem"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "Container does not have a read-only root filesystem. A read-only "
+        "filesystem prevents malicious writes to the container filesystem."
+    )
+    REMEDIATION = (
+        "Set securityContext.readOnlyRootFilesystem to true."
+    )
+    RESOURCE_TYPES = [
+        "kubernetes_pod",
+        "kubernetes_deployment",
+        "Pod",
+        "Deployment",
+        "StatefulSet",
+        "DaemonSet",
+    ]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Check if container has read-only root filesystem."""
+        has_readonly = True
+
+        spec = self._get_pod_spec(resource)
+        if not spec:
+            return self._create_result(True, resource)
+
+        containers = spec.get("containers", [])
+        for container in containers:
+            security = container.get("securityContext", {})
+            if not security.get("readOnlyRootFilesystem", False):
+                has_readonly = False
+                break
+
+        fix_code = None
+        if not has_readonly:
+            fix_code = '''securityContext:
+  readOnlyRootFilesystem: true'''
+
+        return self._create_result(has_readonly, resource, fix_code)
+
+    def _get_pod_spec(self, resource: IaCResource) -> dict:
+        """Extract pod spec from various resource types."""
+        config = resource.config
+        if "spec" in config and "containers" in config.get("spec", {}):
+            return config["spec"]
+        spec = config.get("spec", {})
+        template = spec.get("template", {})
+        if "spec" in template:
+            return template["spec"]
+        return {}
+
+
+class K8sNetworkPolicyRule(Rule):
+    """Check that namespaces have network policies defined."""
+
+    RULE_ID = "CKV_K8S_24"
+    TITLE = "Missing network policy"
+    SEVERITY = Severity.MEDIUM
+    DESCRIPTION = (
+        "No network policy is defined for this namespace. Without network "
+        "policies, all pods can communicate with each other by default."
+    )
+    REMEDIATION = (
+        "Define NetworkPolicy resources to restrict pod-to-pod communication."
+    )
+    RESOURCE_TYPES = ["kubernetes_namespace", "Namespace"]
+
+    def evaluate(self, resource: IaCResource) -> RuleResult:
+        """Flag namespaces that should have network policies."""
+        # This is a best-effort check - we can't verify NetworkPolicy exists
+        # from the namespace resource alone
+
+        fix_code = '''apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress'''
+
+        # Default to warning to encourage network policies
+        return self._create_result(False, resource, fix_code)