Feat/asharp model

.eslintrc.json

@@ -1,16 +1,14 @@
 {
-    "env": {
-        "browser": true,
-        "node": true,
-        "es2021": true
-    },
-    "extends": "eslint:recommended",
-    "overrides": [
-    ],
-    "parserOptions": {
-        "ecmaVersion": "latest",
-        "sourceType": "module"
-    },
-    "rules": {
-    }
+  "env": {
+    "browser": true,
+    "es2021": true,
+    "node": true
+  },
+  "extends": "eslint:recommended",
+  "overrides": [],
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  },
+  "rules": {}
 }

.gitignore

@@ -7,6 +7,10 @@ ash_output
 *.bak
 src/automated_security_helper/models/*generated*
 !tests/test_data/aggregated_results.txt
+refactoring/
+tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/cdk_nag_results_*/
+test_output.json
+tests/pytest-temp/
 
 ### macOS ###
 # General
@@ -94,6 +98,7 @@ coverage.xml
 .hypothesis/
 .pytest_cache/
 cover/
+test-results/
 
 # Translations
 *.mo

.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: local
+    hooks:
+      - id: generate-schemas
+        name: Generate ASH JSON schemas
+        entry: poetry run schemagen
+        language: system
+        pass_filenames: false
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: pretty-format-json
+        args:
+          - "--autofix"
+          - "--indent=2"
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.11.2
+    hooks:
+      # Run the linter.
+      - id: ruff
+        args: [--fix]
+      # Run the formatter.
+      - id: ruff-format

.vscode/launch.json

@@ -0,0 +1,33 @@
+{
+  "configurations": [
+    {
+      "args": [
+        "--source",
+        "${workspaceFolder}",
+        "--output",
+        "${workspaceFolder}/ash_output",
+        "--verbose",
+        "--config",
+        "${workspaceFolder}/ash.yaml",
+        "--strategy",
+        "parallel",
+        "--scanners",
+        "cdknag"
+      ],
+      "console": "integratedTerminal",
+      "name": "ASH: Test Orchestrator",
+      "program": "./src/automated_security_helper/orchestrator.py",
+      "request": "launch",
+      "type": "debugpy"
+    },
+    {
+      "args": [],
+      "console": "integratedTerminal",
+      "name": "ASH: Test CDK Nag Headless Wrapper",
+      "program": "./src/automated_security_helper/utils/cdk_nag_wrapper.py",
+      "request": "launch",
+      "type": "debugpy"
+    }
+  ],
+  "version": "0.2.0"
+}

DEVELOPMENT.md

@@ -0,0 +1,95 @@
+# Local Development Setup Guide
+
+This guide will help you set up your local development environment for the Automated Security Helper project.
+
+## Prerequisites
+
+- Python 3.10 or later
+- Poetry (Python package manager)
+
+## Setting up Poetry
+
+1. Install Poetry on your system:
+```bash
+curl -sSL https://install.python-poetry.org | python3 -
+```
+
+2. Verify Poetry installation:
+```bash
+poetry --version
+```
+
+## Project Setup
+
+1. Clone the repository:
+```bash
+git clone https://github.com/awslabs/automated-security-helper.git
+cd automated-security-helper
+```
+
+2. Install project dependencies:
+```bash
+poetry install
+```
+This command will:
+- Create a virtual environment
+- Install all dependencies from pyproject.toml
+- Set up the project in development mode
+
+3. Activate the virtual environment:
+```bash
+poetry shell
+```
+
+## Testing
+
+Run the test suite:
+```bash
+pytest
+```
+
+## Development Commands
+
+- Format and lint code:
+```bash
+poetry run ruff .
+```
+
+- Run a specific script:
+```bash
+poetry run asharp
+```
+
+## Project Dependencies
+
+The project uses the following key dependencies:
+- Python
+- bandit
+- checkov
+- pydantic
+
+Development dependencies include:
+- ruff
+- pytest
+- pytest-cov
+
+## Troubleshooting
+
+If you encounter any issues:
+
+1. Verify your Python version matches the required version (3.10+):
+```bash
+python --version
+```
+
+2. Try cleaning and rebuilding the environment:
+```bash
+poetry env remove python
+poetry install
+```
+
+3. Update Poetry and dependencies:
+```bash
+poetry self update
+poetry update
+```

Dockerfile

@@ -57,21 +57,22 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/*
 
 #
-# Install nodejs@18 using latest recommended method
+# Install nodejs@20 using latest recommended method
 #
 RUN set -uex; \
     apt-get update; \
     apt-get install -y ca-certificates curl gnupg; \
     mkdir -p /etc/apt/keyrings; \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
      | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg; \
-    NODE_MAJOR=18; \
+    NODE_MAJOR=20; \
     echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" \
      > /etc/apt/sources.list.d/nodesource.list; \
     apt-get -qy update; \
     apt-get -qy install nodejs;
+
 #
-# Install and upgrade pip
+# Python (no-op other than updating pip --- Python deps managed via Poetry @ pyproject.toml)
 #
 RUN wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py
 RUN python3 -m pip install --no-cache-dir --upgrade pip
@@ -83,24 +84,17 @@ RUN git clone https://github.com/awslabs/git-secrets.git && \
     cd git-secrets && \
     make install
 
-#
-# Python
-#
-RUN python3 -m pip install --no-cache-dir \
-    bandit \
-    nbconvert \
-    jupyterlab
 
 #
 # YAML (Checkov, cfn-nag)
 #
 RUN echo "gem: --no-document" >> /etc/gemrc && \
-    python3 -m pip install checkov pathspec && \
     gem install cfn-nag
 
 #
-# JavaScript: (no-op --- node is already installed in the image, nothing else needed)
+# JavaScript:
 #
+RUN npm install -g npm pnpm yarn
 
 #
 # Grype/Syft/Semgrep - Also sets default location env vars for root user for CI compat
@@ -115,8 +109,6 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
     sh -s -- -b /usr/local/bin
 
-RUN python3 -m pip install semgrep
-
 RUN set -uex; if [[ "${OFFLINE}" == "YES" ]]; then \
         grype db update && \
         mkdir -p ${SEMGREP_RULES_CACHE_DIR} && \
@@ -145,25 +137,22 @@ RUN mkdir -p /src && \
 #
 # Install CDK Nag stub dependencies
 #
-# Update NPM to latest
 COPY ./utils/cdk-nag-scan /ash/utils/cdk-nag-scan/
 # Limit memory size available for Node to prevent segmentation faults during npm install
 ENV NODE_OPTIONS=--max_old_space_size=512
-RUN npm install -g npm pnpm yarn && \
-    cd /ash/utils/cdk-nag-scan && \
+RUN cd /ash/utils/cdk-nag-scan && \
     npm install --quiet
 
 #
 # COPY ASH source to /ash instead of / to isolate
 #
-COPY ./utils/cfn-to-cdk /ash/utils/cfn-to-cdk/
+COPY --from=poetry-reqs /src/dist/*.whl .
+COPY ./pyproject.toml /ash/pyproject.toml
+RUN python3 -m pip install *.whl && rm *.whl
+
 COPY ./utils/*.* /ash/utils/
 COPY ./appsec_cfn_rules /ash/appsec_cfn_rules/
 COPY ./ash-multi /ash/ash
-COPY ./pyproject.toml /ash/pyproject.toml
-
-COPY --from=poetry-reqs /src/dist/*.whl .
-RUN python3 -m pip install *.whl && rm *.whl
 
 #
 # Make sure the ash script is executable
@@ -241,4 +230,4 @@ HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \
     CMD type ash || exit 1
 
 ENTRYPOINT [ ]
-CMD [ "ash" ]
+CMD [ "ashv3", "--verbose", "--source", "/src", "--output","/out", "--strategy", "sequential", "--scanners", "bandit,cdknag" ]

LICENSE

@@ -199,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

NOTICE

@@ -1 +1 @@
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

appsec_cfn_rules/KeyPairAsCFnParameterRule.rb

@@ -18,11 +18,11 @@ def rule_id
   def audit_impl(cfn_model)
 
     parameters = cfn_model.parameters.select do |name, properties|
-      
-      # TODO: find way to preserve the line number from properties.type["line"] 
+
+      # TODO: find way to preserve the line number from properties.type["line"]
       properties.type["value"] == "AWS::EC2::KeyPair::KeyName"
     end
 
     parameters.values.map(&:id)
   end
-end
+end

appsec_cfn_rules/ResourcePolicyStarAccessVerbPolicyRule.rb

@@ -39,4 +39,4 @@ def audit_impl(cfn_model)
 
     logical_resource_ids
   end
-end
+end

appsec_cfn_rules/StarResourceAccessPolicyRule.rb

@@ -38,4 +38,4 @@ def audit_impl(cfn_model)
 
     logical_resource_ids
   end
-end
+end

appsec_cfn_rules/beta/PasswordAsCFnParameterRule.rb

@@ -18,8 +18,8 @@ def rule_id
   def audit_impl(cfn_model)
 
     parameters = cfn_model.parameters.select do |name, properties|
-      
-      # TODO: find way to preserve the line number from properties.type["line"] 
+
+      # TODO: find way to preserve the line number from properties.type["line"]
       name.downcase.include?("password") and
       properties.type["value"] == "String" and
       properties.allowedValues != [true, false] and
@@ -28,4 +28,4 @@ def audit_impl(cfn_model)
 
     parameters.values.map(&:id)
   end
-end
+end

ash

@@ -187,7 +187,7 @@ else
           ${MOUNT_OUTPUT_DIR} \
           ${DOCKER_RUN_EXTRA_ARGS} \
           ${ASH_IMAGE_NAME} \
-            ash \
+            ashv3 \
               --source-dir /src  \
               ${OUTPUT_DIR_OPTION}  \
               $ASH_ARGS