

chore: generate AWS compliance specs based on checks
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Sep 26, 2024
1 parent f7972d6 commit 0609a3f
Showing 5 changed files with 543 additions and 450 deletions.
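--- a/.github/workflows/verify-specs.yaml
+++ b/.github/workflows/verify-specs.yaml
@@ -0,0 +1,21 @@
+name: Verify Specs
+on:
+pull_request:
+merge_group:
+jobs:
+build:
+name: Verify Specs
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-go@v5
+with:
+go-version-file: go.mod
+
+- run: |
+make generate-specs
+if [ -n "$(git status --porcelain)" ]; then
+echo "Run 'generate-specs' and push it"
+exit 1
+fi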
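Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although the `run` step only checks out the tree and diffs it; a top-level `permissions:` with `contents: read` keeps it at least privilege. The `actions/checkout@v4` and `actions/setup-go@v5` references are mutable tags; pinning each to a full commit SHA with the tag in a trailing comment makes the job reproducible and keeps a retagged action from silently changing what runs. The rendered page has dropped the YAML indentation, so the nesting under `on:`, `jobs:` and `steps:` should be checked against the raw file.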
6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -49,4 +49,8 @@ verify-bundle:
rm scripts/bundle.tar.gz

build-opa:
go build ./cmd/opa
go build ./cmd/opa

.PHONY: generate-specs
generate-specs:
go run ./cmd/specs
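--- a/cmd/specs/main.go
+++ b/cmd/specs/main.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+"fmt"
+"os"
+"path/filepath"
+"sort"
+"strings"
+
+"gopkg.in/yaml.v3"
+
+"github.com/aquasecurity/trivy/pkg/iac/framework"
+"github.com/aquasecurity/trivy/pkg/iac/rego"
+"github.com/aquasecurity/trivy/pkg/iac/rules"
+iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+const complianceDirPath = "pkg/specs/compliance/"
+
+var specs = map[framework.Framework]*iacTypes.Spec{
+framework.CIS_AWS_1_2: {
+ID: "aws-cis-1.2",
+Title: "AWS CIS Foundations v1.2",
+Description: "AWS CIS Foundations",
+Version: "1.2",
+Platform: "aws",
+Type: "cis",
+RelatedResources: []string{
+"https://www.cisecurity.org/benchmark/amazon_web_services",
+},
+},
+framework.CIS_AWS_1_4: {
+ID: "aws-cis-1.4",
+Title: "AWS CIS Foundations v1.4",
+Description: "AWS CIS Foundations",
+Version: "1.4",
+Platform: "aws",
+Type: "cis",
+RelatedResources: []string{
+"https://www.cisecurity.org/benchmark/amazon_web_services",
+},
+},
+}
+
+func main() {
+frameworks := make([]framework.Framework, 0, len(specs))
+for f := range specs {
+frameworks = append(frameworks, f)
+}
+
+// Clean up all Go checks
+rules.Reset()
+
+// Load Rego checks
+rego.LoadAndRegister()
+
+for _, rule := range rules.GetRegistered(frameworks...) {
+for f, controlIDs := range rule.Frameworks {
+for _, id := range controlIDs {
+specs[f].Controls = append(specs[f].Controls, iacTypes.Control{
+ID: id,
+Name: rule.ShortCode,
+Description: rule.Summary,
+Severity: iacTypes.Severity(rule.Severity),
+Checks: []iacTypes.SpecCheck{{ID: rule.AVDID}},
+})
+}
+}
+}
+
+for _, spec := range specs {
+sort.Slice(spec.Controls, func(i, j int) bool {
+return strings.Compare(spec.Controls[i].ID, spec.Controls[j].ID) < 0
+})
+}
+
+for _, c := range specs {
+if err := writeCompliance(c, complianceDirPath); err != nil {
+panic(err)
+}
+}
+}
+
+func writeCompliance(spec *iacTypes.Spec, path string) error {
+file, err := os.Create(filepath.Join(path, fmt.Sprintf("%s.yaml", spec.ID)))
+if err != nil {
+return err
+}
+defer file.Close()
+encoder := yaml.NewEncoder(file)
+encoder.SetIndent(2)
+return encoder.Encode(iacTypes.ComplianceSpec{Spec: *spec})
+}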
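Review bot: `specs[f].Controls = append(specs[f].Controls, ...)` in the loop over `rule.Frameworks` dereferences the map entry without checking that `f` is one of the two frameworks declared in `specs`; if `rules.GetRegistered` can return a rule whose Frameworks map also carries another framework (not visible here, so inferred), that is a nil-pointer panic during generation. A guard such as `spec, ok := specs[f]` followed by `if !ok { continue }` before the append keeps the generator to the frameworks it declares. In `writeCompliance`, `defer file.Close()` discards the close error and the yaml encoder is never closed; returning the error from `encoder.Close()` and then `file.Close()` would surface a failed or short write instead of leaving a truncated spec file behind.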

