seesec-dpdp-scanner 0.3.0__tar.gz

seesec_dpdp_scanner-0.3.0/LICENSE

@@ -0,0 +1,91 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form.
+
+      "Work" shall mean the work of authorship made available under the License.
+
+      "Contribution" shall mean any work of authorship submitted to the Licensor
+      for inclusion in the Work.
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of whom a
+      Contribution has been received by the Licensor.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      patent license to make, have made, use, offer to sell, sell,
+      import, and otherwise transfer the Work.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work; and
+
+      (d) If the Work includes a "NOTICE" text file, You must include
+          a readable copy of the attribution notices contained within.
+
+   5. Submission of Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor.
+
+   7. Disclaimer of Warranty. The Work is provided on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
+
+   8. Limitation of Liability. In no event shall any Contributor be
+      liable to You for damages.
+
+   9. Accepting Warranty or Additional Liability.
+
+   Copyright 2026 DPDP Scanner Contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

seesec_dpdp_scanner-0.3.0/PKG-INFO

@@ -0,0 +1,198 @@
+Metadata-Version: 2.4
+Name: seesec-dpdp-scanner
+Version: 0.3.0
+Summary: Seesec DPDP Act 2023 Compliance Scanner — audit AWS, code, and files for DPDP violations
+Author-email: "Seesec Infotech Pvt. Ltd." <opensource@seesec.io>
+Project-URL: Homepage, https://seesec.io/
+Project-URL: Repository, https://github.com/seesec-infotech/dpdp-scanner
+Project-URL: Documentation, https://github.com/seesec-infotech/dpdp-scanner#readme
+Keywords: dpdp,compliance,security,aws,pii,scanner,india
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: boto3>=1.34.0
+Requires-Dist: typer>=0.12.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: cryptography>=41.0.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-cov>=5.0; extra == "dev"
+Requires-Dist: moto[dynamodb,ec2,guardduty,iam,kms,lambda,logs,rds,s3,secretsmanager,sns,sqs,sts]>=5.0; extra == "dev"
+Dynamic: license-file
+
+# Seesec DPDP Scanner
+
+> 🛡️ India's first DPDP Act 2023 compliance scanner — audit AWS accounts, source code, and files for DPDP violations.
+
+[![Tests](https://img.shields.io/badge/tests-64%20passed-green)]() [![Checks](https://img.shields.io/badge/AWS%20checks-51-blue)]() [![Python](https://img.shields.io/badge/python-3.11%2B-blue)]() [![License](https://img.shields.io/badge/license-Apache%202.0-orange)]()
+
+Built by **[Seesec Infotech Pvt. Ltd.](https://seesec.io)** 🇮🇳
+
+---
+
+## ⚡ Quick Start
+
+```bash
+# Install
+pip install seesec-dpdp-scanner
+
+# Scan your AWS account (scans ALL regions by default)
+aws sso login --profile your-profile
+dpdp aws --profile your-profile -o report.html
+
+# Scan only a specific region
+dpdp aws --profile your-profile --region ap-south-1
+
+# Scan files for PII leakage (Aadhaar, PAN, credit cards...)
+dpdp pii /path/to/logs -o pii-report.html
+
+# Scan source code for hardcoded secrets & crypto misuse
+dpdp code /path/to/repo -o code-report.html
+
+# Encrypt sensitive data (DPDP-compliant AES-256-GCM)
+dpdp crypto encrypt --data "1234-5678-9012" --key-id alias/my-kms-key
+```
+
+## 🔍 What It Scans — 51 AWS Checks
+
+```bash
+# See all checks
+dpdp aws --list-checks
+```
+
+### AWS Account (`dpdp aws`) — Scans ALL Regions by Default
+| Family | Checks | DPDP Section |
+|--------|--------|-------------|
+| 🔐 Encryption (ENC) | S3, RDS, DynamoDB, EBS, SQS, SNS, KMS, Redshift, ElastiCache, S3 versioning, MFA Delete, Account S3 Block | Sec 8(5), Rule 6(1)(a) |
+| 👤 IAM (IAM) | Root MFA, password policy, user MFA, stale keys, wildcard policies, unused roles | Sec 8(5), Rule 6(1)(b) |
+| 📋 Logging (LOG) | CloudTrail, CloudWatch, VPC Flow Logs, S3 access logs, API Gateway, SSM Session Manager | Sec 8(5), Rule 6(1)(c-d) |
+| 🌍 Data Residency (RES) | S3/RDS/Lambda in Indian regions | Sec 16 |
+| 🚨 Breach Readiness (BRE) | GuardDuty, Security Hub | Sec 8(6) |
+| 🔑 Secrets (SEC) | Lambda env secrets, Secrets Manager rotation, ECR image scanning | Sec 8(5) |
+| 🌐 Network (NET) | Security group DB ports, ELB TLS 1.2+, CloudFront HTTPS, ACM cert expiry, WAF on ALBs | Sec 8(5) |
+| 🗑️ Retention (RET) | S3 lifecycle, RDS backups, RDS deletion protection, RDS Multi-AZ, DynamoDB PITR | Sec 8(7) |
+| ⚙️ Config (CFG) | AWS Config recording, IAM Access Analyzer | Sec 8(5) |
+
+**Smart scanning:** Global services (IAM, S3, CloudFront) are scanned once. Regional services are scanned per-region.
+
+### PII Scanner (`dpdp pii`)
+Detects Indian PII with checksum validation to minimize false positives:
+- **Aadhaar** (Verhoeff checksum) · **PAN** (4th-char type validation)
+- **Credit Cards** (Luhn algorithm) · **Indian Mobiles** · **Emails**
+- **Passports** · **Voter ID** · **GSTIN** · **UPI IDs** · **DOB patterns**
+
+### Code Scanner (`dpdp code`)
+18 static analysis rules detecting:
+- Hardcoded passwords, API keys, AWS keys, connection strings
+- Crypto misuse (ECB mode, DES/RC4, MD5/SHA1, static IVs)
+- PII in log statements, URL parameters, and exception messages
+- Disabled SSL verification
+
+### Crypto Toolkit (`dpdp crypto`)
+- **Encrypt/Decrypt**: AES-256-GCM with KMS Envelope Encryption
+- **Blind Indexing**: HMAC-SHA256 for searching encrypted fields
+- **Format Validation**: Verify DPDP ciphertext structure
+
+## 📊 Output Formats
+
+| Format | Command | Use Case |
+|--------|---------|----------|
+| Terminal | `dpdp aws` | Interactive use |
+| HTML | `dpdp aws -o report.html` | Share with management |
+| JSON | `dpdp aws -o report.json` | CI/CD pipelines |
+| SARIF | `dpdp aws -o report.sarif` | GitHub Code Scanning |
+| CSV | `dpdp aws -o report.csv` | Spreadsheets / Excel |
+
+## 🛡️ Authentication
+
+The scanner uses `boto3` and supports all standard AWS credential methods:
+
+```bash
+# Option 1: AWS SSO (recommended for enterprises)
+aws sso login --profile my-profile
+dpdp aws --profile my-profile
+
+# Option 2: Environment Variables (for CI/CD)
+export AWS_ACCESS_KEY_ID="..."
+export AWS_SECRET_ACCESS_KEY="..."
+dpdp aws
+
+# Option 3: IAM Instance Roles (for EC2/ECS)
+# No configuration needed — boto3 detects it automatically
+dpdp aws
+```
+
+## 🔇 Suppressing False Positives
+
+Create a `.dpdpignore` file in your project root:
+
+```bash
+# Ignore AWS-managed CloudFormation buckets
+DPDP-ENC-001:cf-templates-*
+DPDP-ENC-002:cf-templates-*
+
+# Ignore a specific check entirely
+DPDP-RES-001
+
+# Ignore all checks for a test resource
+*:my-test-bucket
+```
+
+## 🏗️ Multi-Region Scanning
+
+```bash
+# Default: scans ALL enabled AWS regions
+dpdp aws
+
+# Scan only Mumbai
+dpdp aws --region ap-south-1
+
+# Filter by check family
+dpdp aws --checks ENC          # Only encryption checks
+dpdp aws --checks IAM          # Only IAM checks
+dpdp aws --severity critical   # Only critical findings
+```
+
+## 🚀 CI/CD Integration
+
+### GitHub Actions
+```yaml
+- name: DPDP Compliance Scan
+  run: |
+    pip install seesec-dpdp-scanner
+    dpdp aws -o dpdp-report.sarif
+    
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: dpdp-report.sarif
+```
+
+Exit codes: `0` = no violations, `1` = violations found.
+
+## 🧪 Development
+
+```bash
+git clone https://github.com/seesec-infotech/dpdp-scanner
+cd dpdp-scanner
+python3 -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+pytest tests/ -v
+```
+
+## 📜 License
+
+Apache 2.0 — see [LICENSE](LICENSE)
+
+---
+
+<p align="center">
+  <strong>Made with ❤️ in India by <a href="https://seesec.io">Seesec Infotech</a></strong>
+</p>

seesec_dpdp_scanner-0.3.0/README.md

@@ -0,0 +1,169 @@
+# Seesec DPDP Scanner
+
+> 🛡️ India's first DPDP Act 2023 compliance scanner — audit AWS accounts, source code, and files for DPDP violations.
+
+[![Tests](https://img.shields.io/badge/tests-64%20passed-green)]() [![Checks](https://img.shields.io/badge/AWS%20checks-51-blue)]() [![Python](https://img.shields.io/badge/python-3.11%2B-blue)]() [![License](https://img.shields.io/badge/license-Apache%202.0-orange)]()
+
+Built by **[Seesec Infotech Pvt. Ltd.](https://seesec.io)** 🇮🇳
+
+---
+
+## ⚡ Quick Start
+
+```bash
+# Install
+pip install seesec-dpdp-scanner
+
+# Scan your AWS account (scans ALL regions by default)
+aws sso login --profile your-profile
+dpdp aws --profile your-profile -o report.html
+
+# Scan only a specific region
+dpdp aws --profile your-profile --region ap-south-1
+
+# Scan files for PII leakage (Aadhaar, PAN, credit cards...)
+dpdp pii /path/to/logs -o pii-report.html
+
+# Scan source code for hardcoded secrets & crypto misuse
+dpdp code /path/to/repo -o code-report.html
+
+# Encrypt sensitive data (DPDP-compliant AES-256-GCM)
+dpdp crypto encrypt --data "1234-5678-9012" --key-id alias/my-kms-key
+```
+
+## 🔍 What It Scans — 51 AWS Checks
+
+```bash
+# See all checks
+dpdp aws --list-checks
+```
+
+### AWS Account (`dpdp aws`) — Scans ALL Regions by Default
+| Family | Checks | DPDP Section |
+|--------|--------|-------------|
+| 🔐 Encryption (ENC) | S3, RDS, DynamoDB, EBS, SQS, SNS, KMS, Redshift, ElastiCache, S3 versioning, MFA Delete, Account S3 Block | Sec 8(5), Rule 6(1)(a) |
+| 👤 IAM (IAM) | Root MFA, password policy, user MFA, stale keys, wildcard policies, unused roles | Sec 8(5), Rule 6(1)(b) |
+| 📋 Logging (LOG) | CloudTrail, CloudWatch, VPC Flow Logs, S3 access logs, API Gateway, SSM Session Manager | Sec 8(5), Rule 6(1)(c-d) |
+| 🌍 Data Residency (RES) | S3/RDS/Lambda in Indian regions | Sec 16 |
+| 🚨 Breach Readiness (BRE) | GuardDuty, Security Hub | Sec 8(6) |
+| 🔑 Secrets (SEC) | Lambda env secrets, Secrets Manager rotation, ECR image scanning | Sec 8(5) |
+| 🌐 Network (NET) | Security group DB ports, ELB TLS 1.2+, CloudFront HTTPS, ACM cert expiry, WAF on ALBs | Sec 8(5) |
+| 🗑️ Retention (RET) | S3 lifecycle, RDS backups, RDS deletion protection, RDS Multi-AZ, DynamoDB PITR | Sec 8(7) |
+| ⚙️ Config (CFG) | AWS Config recording, IAM Access Analyzer | Sec 8(5) |
+
+**Smart scanning:** Global services (IAM, S3, CloudFront) are scanned once. Regional services are scanned per-region.
+
+### PII Scanner (`dpdp pii`)
+Detects Indian PII with checksum validation to minimize false positives:
+- **Aadhaar** (Verhoeff checksum) · **PAN** (4th-char type validation)
+- **Credit Cards** (Luhn algorithm) · **Indian Mobiles** · **Emails**
+- **Passports** · **Voter ID** · **GSTIN** · **UPI IDs** · **DOB patterns**
+
+### Code Scanner (`dpdp code`)
+18 static analysis rules detecting:
+- Hardcoded passwords, API keys, AWS keys, connection strings
+- Crypto misuse (ECB mode, DES/RC4, MD5/SHA1, static IVs)
+- PII in log statements, URL parameters, and exception messages
+- Disabled SSL verification
+
+### Crypto Toolkit (`dpdp crypto`)
+- **Encrypt/Decrypt**: AES-256-GCM with KMS Envelope Encryption
+- **Blind Indexing**: HMAC-SHA256 for searching encrypted fields
+- **Format Validation**: Verify DPDP ciphertext structure
+
+## 📊 Output Formats
+
+| Format | Command | Use Case |
+|--------|---------|----------|
+| Terminal | `dpdp aws` | Interactive use |
+| HTML | `dpdp aws -o report.html` | Share with management |
+| JSON | `dpdp aws -o report.json` | CI/CD pipelines |
+| SARIF | `dpdp aws -o report.sarif` | GitHub Code Scanning |
+| CSV | `dpdp aws -o report.csv` | Spreadsheets / Excel |
+
+## 🛡️ Authentication
+
+The scanner uses `boto3` and supports all standard AWS credential methods:
+
+```bash
+# Option 1: AWS SSO (recommended for enterprises)
+aws sso login --profile my-profile
+dpdp aws --profile my-profile
+
+# Option 2: Environment Variables (for CI/CD)
+export AWS_ACCESS_KEY_ID="..."
+export AWS_SECRET_ACCESS_KEY="..."
+dpdp aws
+
+# Option 3: IAM Instance Roles (for EC2/ECS)
+# No configuration needed — boto3 detects it automatically
+dpdp aws
+```
+
+## 🔇 Suppressing False Positives
+
+Create a `.dpdpignore` file in your project root:
+
+```bash
+# Ignore AWS-managed CloudFormation buckets
+DPDP-ENC-001:cf-templates-*
+DPDP-ENC-002:cf-templates-*
+
+# Ignore a specific check entirely
+DPDP-RES-001
+
+# Ignore all checks for a test resource
+*:my-test-bucket
+```
+
+## 🏗️ Multi-Region Scanning
+
+```bash
+# Default: scans ALL enabled AWS regions
+dpdp aws
+
+# Scan only Mumbai
+dpdp aws --region ap-south-1
+
+# Filter by check family
+dpdp aws --checks ENC          # Only encryption checks
+dpdp aws --checks IAM          # Only IAM checks
+dpdp aws --severity critical   # Only critical findings
+```
+
+## 🚀 CI/CD Integration
+
+### GitHub Actions
+```yaml
+- name: DPDP Compliance Scan
+  run: |
+    pip install seesec-dpdp-scanner
+    dpdp aws -o dpdp-report.sarif
+    
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: dpdp-report.sarif
+```
+
+Exit codes: `0` = no violations, `1` = violations found.
+
+## 🧪 Development
+
+```bash
+git clone https://github.com/seesec-infotech/dpdp-scanner
+cd dpdp-scanner
+python3 -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+pytest tests/ -v
+```
+
+## 📜 License
+
+Apache 2.0 — see [LICENSE](LICENSE)
+
+---
+
+<p align="center">
+  <strong>Made with ❤️ in India by <a href="https://seesec.io">Seesec Infotech</a></strong>
+</p>

seesec_dpdp_scanner-0.3.0/dpdp/__init__.py

@@ -0,0 +1,2 @@
+"""DPDP Scanner — India's DPDP Act 2023 compliance auditing tool."""
+__version__ = "0.3.0"