security-use 0.1.1__py3-none-any.whl

security_use/iac/terraform.py

@@ -0,0 +1,177 @@
+"""Terraform HCL2 parser."""
+
+import re
+from typing import Any, Optional
+
+import hcl2
+
+from security_use.iac.base import IaCParser, IaCResource, ParseResult
+
+
+class TerraformParser(IaCParser):
+    """Parser for Terraform .tf files (HCL2 format)."""
+
+    # Resource type to provider mapping
+    PROVIDER_PREFIXES = {
+        "aws_": "aws",
+        "azurerm_": "azure",
+        "google_": "gcp",
+        "kubernetes_": "kubernetes",
+        "helm_": "helm",
+        "docker_": "docker",
+    }
+
+    def parse(self, content: str, file_path: str = "<string>") -> ParseResult:
+        """Parse Terraform HCL2 content.
+
+        Args:
+            content: HCL2 file content.
+            file_path: Path to the file.
+
+        Returns:
+            ParseResult with resources and any errors.
+        """
+        result = ParseResult()
+
+        try:
+            # Parse HCL2
+            parsed = hcl2.loads(content)
+        except Exception as e:
+            result.errors.append(f"Failed to parse {file_path}: {e}")
+            return result
+
+        # Extract resources
+        for resource_block in parsed.get("resource", []):
+            for resource_type, instances in resource_block.items():
+                # instances is a dict: {resource_name: config, ...}
+                for resource_name, config in instances.items():
+                    line_number = self._find_resource_line(
+                        content, resource_type, resource_name
+                    )
+
+                    resource = IaCResource(
+                        resource_type=resource_type,
+                        name=resource_name,
+                        config=config if isinstance(config, dict) else {},
+                        file_path=file_path,
+                        line_number=line_number,
+                        provider=self._get_provider(resource_type),
+                    )
+                    result.resources.append(resource)
+
+        # Extract data sources
+        for data_block in parsed.get("data", []):
+            for data_type, instances in data_block.items():
+                # instances is a dict: {data_name: config, ...}
+                for data_name, config in instances.items():
+                    line_number = self._find_data_line(
+                        content, data_type, data_name
+                    )
+
+                    resource = IaCResource(
+                        resource_type=f"data.{data_type}",
+                        name=data_name,
+                        config=config if isinstance(config, dict) else {},
+                        file_path=file_path,
+                        line_number=line_number,
+                        provider=self._get_provider(data_type),
+                    )
+                    result.resources.append(resource)
+
+        # Extract variables
+        for var_block in parsed.get("variable", []):
+            for var_name, var_config in var_block.items():
+                result.variables[var_name] = var_config
+
+        # Extract outputs
+        for output_block in parsed.get("output", []):
+            for output_name, output_config in output_block.items():
+                result.outputs[output_name] = output_config
+
+        return result
+
+    def _find_resource_line(
+        self, content: str, resource_type: str, resource_name: str
+    ) -> int:
+        """Find the line number where a resource is defined."""
+        pattern = rf'resource\s+"{re.escape(resource_type)}"\s+"{re.escape(resource_name)}"'
+        return self._find_pattern_line(content, pattern)
+
+    def _find_data_line(
+        self, content: str, data_type: str, data_name: str
+    ) -> int:
+        """Find the line number where a data source is defined."""
+        pattern = rf'data\s+"{re.escape(data_type)}"\s+"{re.escape(data_name)}"'
+        return self._find_pattern_line(content, pattern)
+
+    def _find_pattern_line(self, content: str, pattern: str) -> int:
+        """Find line number matching a pattern."""
+        lines = content.split("\n")
+        for i, line in enumerate(lines, start=1):
+            if re.search(pattern, line):
+                return i
+        return 1  # Default to line 1 if not found
+
+    def _get_provider(self, resource_type: str) -> str:
+        """Determine provider from resource type."""
+        for prefix, provider in self.PROVIDER_PREFIXES.items():
+            if resource_type.startswith(prefix):
+                return provider
+        return "unknown"
+
+    @classmethod
+    def supported_extensions(cls) -> list[str]:
+        """Return supported file extensions."""
+        return [".tf"]
+
+
+class TerraformPlanParser(IaCParser):
+    """Parser for Terraform plan JSON output."""
+
+    def parse(self, content: str, file_path: str = "<string>") -> ParseResult:
+        """Parse Terraform plan JSON.
+
+        Args:
+            content: JSON plan output.
+            file_path: Path to the file.
+
+        Returns:
+            ParseResult with planned resources.
+        """
+        import json
+
+        result = ParseResult()
+
+        try:
+            plan = json.loads(content)
+        except json.JSONDecodeError as e:
+            result.errors.append(f"Failed to parse {file_path}: {e}")
+            return result
+
+        # Extract planned resources from resource_changes
+        for change in plan.get("resource_changes", []):
+            if change.get("change", {}).get("actions", []) == ["no-op"]:
+                continue
+
+            resource_type = change.get("type", "unknown")
+            resource_name = change.get("name", "unknown")
+
+            # Get the planned values
+            after = change.get("change", {}).get("after", {})
+
+            resource = IaCResource(
+                resource_type=resource_type,
+                name=resource_name,
+                config=after if isinstance(after, dict) else {},
+                file_path=file_path,
+                line_number=1,
+                provider=change.get("provider_name", "unknown").split("/")[-1],
+            )
+            result.resources.append(resource)
+
+        return result
+
+    @classmethod
+    def supported_extensions(cls) -> list[str]:
+        """Return supported file extensions."""
+        return [".tfplan.json", ".tfplan"]

security_use/iac_scanner.py

@@ -0,0 +1,215 @@
+"""IaC scanner for detecting security misconfigurations."""
+
+from pathlib import Path
+from typing import Optional
+
+from security_use.models import IaCFinding, ScanResult
+from security_use.iac.base import IaCParser, IaCResource
+from security_use.iac.terraform import TerraformParser
+from security_use.iac.cloudformation import CloudFormationParser
+from security_use.iac.rules.registry import get_registry
+
+
+class IaCScanner:
+    """Scanner for Infrastructure as Code files."""
+
+    # File extensions to parser mapping
+    PARSERS: dict[str, type[IaCParser]] = {
+        ".tf": TerraformParser,
+        ".yaml": CloudFormationParser,
+        ".yml": CloudFormationParser,
+        ".json": CloudFormationParser,
+        ".template": CloudFormationParser,
+    }
+
+    # Patterns for identifying IaC files
+    IAC_FILE_PATTERNS = [
+        "*.tf",
+        "*.yaml",
+        "*.yml",
+        "*.json",
+        "**/terraform/**/*.tf",
+        "**/cloudformation/**/*.yaml",
+        "**/cloudformation/**/*.yml",
+        "**/cdk.out/**/*.json",
+    ]
+
+    def __init__(self) -> None:
+        """Initialize the IaC scanner."""
+        self._registry = get_registry()
+
+    def scan_path(self, path: Path) -> ScanResult:
+        """Scan a path for IaC security issues.
+
+        Args:
+            path: File or directory path to scan.
+
+        Returns:
+            ScanResult containing IaC findings.
+        """
+        result = ScanResult()
+
+        if path.is_file():
+            files = [path]
+        else:
+            files = self._find_iac_files(path)
+
+        for file_path in files:
+            try:
+                content = file_path.read_text(encoding="utf-8")
+                file_result = self.scan_content(content, str(file_path))
+                result.iac_findings.extend(file_result.iac_findings)
+                result.scanned_files.append(str(file_path))
+                result.errors.extend(file_result.errors)
+            except Exception as e:
+                result.errors.append(f"Error scanning {file_path}: {e}")
+
+        return result
+
+    def scan_content(self, content: str, file_path: str) -> ScanResult:
+        """Scan IaC file content for security issues.
+
+        Args:
+            content: The file content to scan.
+            file_path: Path to the file (for parser selection and reporting).
+
+        Returns:
+            ScanResult containing IaC findings.
+        """
+        result = ScanResult()
+
+        # Get appropriate parser
+        parser = self._get_parser(file_path)
+        if parser is None:
+            return result
+
+        # Parse the file
+        parse_result = parser.parse(content, file_path)
+        result.errors.extend(parse_result.errors)
+
+        if not parse_result.resources:
+            return result
+
+        # Evaluate rules against resources
+        findings = self._evaluate_resources(parse_result.resources, file_path)
+        result.iac_findings = findings
+
+        return result
+
+    def _evaluate_resources(
+        self, resources: list[IaCResource], file_path: str
+    ) -> list[IaCFinding]:
+        """Evaluate security rules against resources.
+
+        Args:
+            resources: List of parsed IaC resources.
+            file_path: Path to the source file.
+
+        Returns:
+            List of IaC findings.
+        """
+        findings = []
+        rules = self._registry.get_all()
+
+        for resource in resources:
+            for rule in rules:
+                if rule.applies_to(resource):
+                    rule_result = rule.evaluate(resource)
+                    if not rule_result.passed:
+                        finding = IaCFinding(
+                            rule_id=rule_result.rule_id,
+                            title=rule_result.title,
+                            severity=rule_result.severity,
+                            resource_type=resource.resource_type,
+                            resource_name=resource.name,
+                            file_path=file_path,
+                            line_number=resource.line_number,
+                            description=rule_result.description,
+                            remediation=rule_result.remediation,
+                            fix_code=rule_result.fix_code,
+                        )
+                        findings.append(finding)
+
+        return findings
+
+    def _find_iac_files(self, directory: Path) -> list[Path]:
+        """Find all IaC files in a directory.
+
+        Args:
+            directory: Directory to search.
+
+        Returns:
+            List of IaC file paths.
+        """
+        files = []
+
+        # Find Terraform files
+        files.extend(directory.rglob("*.tf"))
+
+        # Find CloudFormation files (exclude node_modules, etc.)
+        for ext in [".yaml", ".yml", ".json"]:
+            for file_path in directory.rglob(f"*{ext}"):
+                # Skip common non-IaC directories
+                if self._should_skip_path(file_path):
+                    continue
+
+                # Check if it looks like a CloudFormation template
+                if self._is_likely_cloudformation(file_path):
+                    files.append(file_path)
+
+        return files
+
+    def _should_skip_path(self, path: Path) -> bool:
+        """Check if a path should be skipped."""
+        skip_dirs = {
+            "node_modules",
+            ".git",
+            ".terraform",
+            "__pycache__",
+            "venv",
+            ".venv",
+            "dist",
+            "build",
+        }
+
+        for part in path.parts:
+            if part in skip_dirs:
+                return True
+        return False
+
+    def _is_likely_cloudformation(self, path: Path) -> bool:
+        """Check if a file is likely a CloudFormation template."""
+        # Check common CloudFormation directory names
+        cf_dirs = {"cloudformation", "cfn", "templates", "cdk.out"}
+        if any(d in str(path).lower() for d in cf_dirs):
+            return True
+
+        # Check filename patterns
+        name = path.name.lower()
+        if any(
+            pattern in name
+            for pattern in ["template", "stack", "cloudformation", "cfn"]
+        ):
+            return True
+
+        # For JSON/YAML files in root, we'd need to peek at content
+        # to determine if it's CloudFormation
+        return False
+
+    def _get_parser(self, file_path: str) -> Optional[IaCParser]:
+        """Get the appropriate parser for a file.
+
+        Args:
+            file_path: Path to the file.
+
+        Returns:
+            Parser instance or None if unsupported.
+        """
+        path = Path(file_path)
+        suffix = path.suffix.lower()
+
+        parser_class = self.PARSERS.get(suffix)
+        if parser_class:
+            return parser_class()
+
+        return None

security_use/models.py

@@ -0,0 +1,139 @@
+"""Data models for security scan results."""
+
+from dataclasses import dataclass, field
+from enum import Enum
+from typing import Optional
+
+
+class Severity(Enum):
+    """Vulnerability severity levels."""
+
+    CRITICAL = "CRITICAL"
+    HIGH = "HIGH"
+    MEDIUM = "MEDIUM"
+    LOW = "LOW"
+    UNKNOWN = "UNKNOWN"
+
+    @classmethod
+    def from_cvss(cls, score: Optional[float]) -> "Severity":
+        """Convert CVSS score to severity level."""
+        if score is None:
+            return cls.UNKNOWN
+        if score >= 9.0:
+            return cls.CRITICAL
+        if score >= 7.0:
+            return cls.HIGH
+        if score >= 4.0:
+            return cls.MEDIUM
+        return cls.LOW
+
+
+@dataclass
+class Vulnerability:
+    """Represents a vulnerability in a dependency."""
+
+    id: str
+    package: str
+    installed_version: str
+    severity: Severity
+    title: str
+    description: str
+    affected_versions: str
+    fixed_version: Optional[str] = None
+    cvss_score: Optional[float] = None
+    references: list[str] = field(default_factory=list)
+
+    def to_dict(self) -> dict:
+        """Convert to dictionary representation."""
+        return {
+            "id": self.id,
+            "package": self.package,
+            "installed_version": self.installed_version,
+            "severity": self.severity.value,
+            "title": self.title,
+            "description": self.description,
+            "affected_versions": self.affected_versions,
+            "fixed_version": self.fixed_version,
+            "cvss_score": self.cvss_score,
+            "references": self.references,
+        }
+
+
+@dataclass
+class IaCFinding:
+    """Represents a security finding in Infrastructure as Code."""
+
+    rule_id: str
+    title: str
+    severity: Severity
+    resource_type: str
+    resource_name: str
+    file_path: str
+    line_number: int
+    description: str
+    remediation: str
+    fix_code: Optional[str] = None
+
+    def to_dict(self) -> dict:
+        """Convert to dictionary representation."""
+        return {
+            "rule_id": self.rule_id,
+            "title": self.title,
+            "severity": self.severity.value,
+            "resource_type": self.resource_type,
+            "resource_name": self.resource_name,
+            "file_path": self.file_path,
+            "line_number": self.line_number,
+            "description": self.description,
+            "remediation": self.remediation,
+            "fix_code": self.fix_code,
+        }
+
+
+@dataclass
+class ScanResult:
+    """Combined result from all security scans."""
+
+    vulnerabilities: list[Vulnerability] = field(default_factory=list)
+    iac_findings: list[IaCFinding] = field(default_factory=list)
+    scanned_files: list[str] = field(default_factory=list)
+    errors: list[str] = field(default_factory=list)
+
+    @property
+    def total_issues(self) -> int:
+        """Total number of security issues found."""
+        return len(self.vulnerabilities) + len(self.iac_findings)
+
+    @property
+    def critical_count(self) -> int:
+        """Count of critical severity issues."""
+        return sum(
+            1
+            for v in self.vulnerabilities
+            if v.severity == Severity.CRITICAL
+        ) + sum(
+            1
+            for f in self.iac_findings
+            if f.severity == Severity.CRITICAL
+        )
+
+    @property
+    def high_count(self) -> int:
+        """Count of high severity issues."""
+        return sum(
+            1 for v in self.vulnerabilities if v.severity == Severity.HIGH
+        ) + sum(1 for f in self.iac_findings if f.severity == Severity.HIGH)
+
+    def to_dict(self) -> dict:
+        """Convert to dictionary representation."""
+        return {
+            "vulnerabilities": [v.to_dict() for v in self.vulnerabilities],
+            "iac_findings": [f.to_dict() for f in self.iac_findings],
+            "scanned_files": self.scanned_files,
+            "errors": self.errors,
+            "summary": {
+                "total_issues": self.total_issues,
+                "critical": self.critical_count,
+                "high": self.high_count,
+            },
+        }