awslabs
diff --git a/‎dev-tools/scripts/quality_check.py‎
Lines changed: 165 additions & 181 deletions b/‎dev-tools/scripts/quality_check.py‎
Lines changed: 165 additions & 181 deletions
diff --git a/‎dev-tools/security/security_scan.py‎
Lines changed: 142 additions & 96 deletions b/‎dev-tools/security/security_scan.py‎
Lines changed: 142 additions & 96 deletions
@@ -17,144 +17,190 @@
 
 class SecurityScanner:
     """Comprehensive security scanner for the project."""
-    
+
     def __init__(self, project_root: Path):
         """Initialize security scanner."""
         self.project_root = project_root
         self.results = {}
         self.sarif_files = []
-        
+
     def run_bandit(self) -> Tuple[bool, str]:
         """Run Bandit security linter with SARIF output."""
         print("Running Bandit security analysis...")
-        
+
         try:
             # Check if bandit-sarif-formatter is available
             try:
                 import bandit_sarif_formatter
+
                 sarif_available = True
             except ImportError:
                 sarif_available = False
                 print("WARNING: bandit-sarif-formatter not available, falling back to JSON")
-            
+
             # Generate JSON output (always)
-            subprocess.run([
-                "python", "-m", "bandit", "-r", "src/",
-                "-f", "json", "-o", "bandit-report.json"
-            ], cwd=self.project_root, check=False)
-            
+            subprocess.run(
+                ["python", "-m", "bandit", "-r", "src/", "-f", "json", "-o", "bandit-report.json"],
+                cwd=self.project_root,
+                check=False,
+            )
+
             # Generate SARIF output if formatter is available
             if sarif_available:
-                subprocess.run([
-                    "python", "-m", "bandit", "-r", "src/",
-                    "-f", "sarif", "-o", "bandit-report.sarif"
-                ], cwd=self.project_root, check=False)
-                
+                subprocess.run(
+                    [
+                        "python",
+                        "-m",
+                        "bandit",
+                        "-r",
+                        "src/",
+                        "-f",
+                        "sarif",
+                        "-o",
+                        "bandit-report.sarif",
+                    ],
+                    cwd=self.project_root,
+                    check=False,
+                )
+
                 self.sarif_files.append("bandit-report.sarif")
                 print("SUCCESS: Bandit SARIF report generated for GitHub Security integration")
-            
+
             return True, "Bandit scan completed"
-            
+
         except Exception as e:
             return False, f"Bandit scan failed: {e}"
-    
+
     def run_safety(self) -> Tuple[bool, str]:
         """Run Safety dependency vulnerability check."""
         print("Running Safety dependency scan...")
-        
+
         try:
-            result = subprocess.run([
-                "python", "-m", "safety", "check", "--json"
-            ], cwd=self.project_root, capture_output=True, text=True)
-            
+            result = subprocess.run(
+                ["python", "-m", "safety", "check", "--json"],
+                cwd=self.project_root,
+                capture_output=True,
+                text=True,
+            )
+
             with open(self.project_root / "safety-report.json", "w") as f:
                 f.write(result.stdout)
-            
+
             return True, "Safety scan completed"
-            
+
         except Exception as e:
             return False, f"Safety scan failed: {e}"
-    
+
     def run_trivy(self) -> Tuple[bool, str]:
         """Run Trivy container vulnerability scan."""
         print("Running Trivy container security scan...")
-        
+
         try:
             # Build image
-            subprocess.run([
-                "docker", "build", "-t", "security-scan:latest", "."
-            ], cwd=self.project_root, check=True)
-            
+            subprocess.run(
+                ["docker", "build", "-t", "security-scan:latest", "."],
+                cwd=self.project_root,
+                check=True,
+            )
+
             # SARIF output
-            subprocess.run([
-                "trivy", "image", "--format", "sarif",
-                "--output", "trivy-results.sarif",
-                "security-scan:latest"
-            ], cwd=self.project_root, check=False)
-            
+            subprocess.run(
+                [
+                    "trivy",
+                    "image",
+                    "--format",
+                    "sarif",
+                    "--output",
+                    "trivy-results.sarif",
+                    "security-scan:latest",
+                ],
+                cwd=self.project_root,
+                check=False,
+            )
+
             # JSON output
-            subprocess.run([
-                "trivy", "image", "--format", "json",
-                "--output", "trivy-results.json",
-                "security-scan:latest"
-            ], cwd=self.project_root, check=False)
-            
+            subprocess.run(
+                [
+                    "trivy",
+                    "image",
+                    "--format",
+                    "json",
+                    "--output",
+                    "trivy-results.json",
+                    "security-scan:latest",
+                ],
+                cwd=self.project_root,
+                check=False,
+            )
+
             self.sarif_files.append("trivy-results.sarif")
             return True, "Trivy scan completed"
-            
+
         except Exception as e:
             return False, f"Trivy scan failed: {e}"
-    
+
     def run_hadolint(self) -> Tuple[bool, str]:
         """Run Hadolint Dockerfile security scan."""
         print("Running Hadolint Dockerfile scan...")
-        
+
         try:
-            subprocess.run([
-                "hadolint", "Dockerfile", "--format", "sarif"
-            ], cwd=self.project_root, 
-            stdout=open(self.project_root / "hadolint-results.sarif", "w"),
-            check=False)
-            
+            subprocess.run(
+                ["hadolint", "Dockerfile", "--format", "sarif"],
+                cwd=self.project_root,
+                stdout=open(self.project_root / "hadolint-results.sarif", "w"),
+                check=False,
+            )
+
             self.sarif_files.append("hadolint-results.sarif")
             return True, "Hadolint scan completed"
-            
+
         except Exception as e:
             return False, f"Hadolint scan failed: {e}"
-    
+
     def generate_sbom(self) -> Tuple[bool, str]:
         """Generate Software Bill of Materials."""
         print("Generating SBOM files...")
-        
+
         try:
             # Python dependencies SBOM with pip-audit (only CycloneDX format is supported)
-            subprocess.run([
-                "python", "-m", "pip_audit", "--format=cyclonedx-json",
-                "--output=python-sbom-cyclonedx.json"
-            ], cwd=self.project_root, check=False)
-            
+            subprocess.run(
+                [
+                    "python",
+                    "-m",
+                    "pip_audit",
+                    "--format=cyclonedx-json",
+                    "--output=python-sbom-cyclonedx.json",
+                ],
+                cwd=self.project_root,
+                check=False,
+            )
+
             # Check if Syft is available
             if subprocess.run(["which", "syft"], capture_output=True).returncode == 0:
                 # Project SBOM with Syft
-                subprocess.run([
-                    "syft", ".", "-o", "spdx-json=project-sbom-spdx.json"
-                ], cwd=self.project_root, check=False)
-                
-                subprocess.run([
-                    "syft", ".", "-o", "cyclonedx-json=project-sbom-cyclonedx.json"
-                ], cwd=self.project_root, check=False)
+                subprocess.run(
+                    ["syft", ".", "-o", "spdx-json=project-sbom-spdx.json"],
+                    cwd=self.project_root,
+                    check=False,
+                )
+
+                subprocess.run(
+                    ["syft", ".", "-o", "cyclonedx-json=project-sbom-cyclonedx.json"],
+                    cwd=self.project_root,
+                    check=False,
+                )
             else:
                 print("Syft not available - skipping project SBOM generation")
-            
+
             return True, "SBOM generation completed"
-            
+
         except Exception as e:
             return False, f"SBOM generation failed: {e}"
-    
+
     def generate_report(self) -> str:
         """Generate comprehensive security report."""
         print("Generating security report...")
-        
+
         report = {
             "scan_timestamp": subprocess.check_output(["date", "-u"]).decode().strip(),
             "project": "Open Host Factory Plugin",
@@ -166,14 +212,14 @@ def generate_report(self) -> str:
                 "Address high and critical severity vulnerabilities first",
                 "Update dependencies with known vulnerabilities",
                 "Review container base image for security updates",
-                "Implement security controls for identified issues"
-            ]
+                "Implement security controls for identified issues",
+            ],
         }
-        
+
         # Write JSON report
         with open(self.project_root / "security-report.json", "w") as f:
             json.dump(report, f, indent=2)
-        
+
         # Write markdown summary
         md_report = f"""# Security Scan Report
 
@@ -183,19 +229,19 @@ def generate_report(self) -> str:
 ## Scans Performed
 
 """
-        
+
         for scan, (success, message) in self.results.items():
             status = "PASS" if success else "FAIL"
             md_report += f"- **{status}**: {scan} - {message}\n"
-        
+
         md_report += f"""
 ## Generated Files
 
 ### SARIF Files (for GitHub Security tab)
 """
         for sarif_file in self.sarif_files:
             md_report += f"- `{sarif_file}`\n"
-        
+
         md_report += """
 ### Report Files
 - `security-report.json` - Detailed JSON report
@@ -221,59 +267,59 @@ def generate_report(self) -> str:
 - **pip-audit**: Python package vulnerability scanner
 - **Syft**: SBOM generator
 """
-        
+
         with open(self.project_root / "security-report.md", "w") as f:
             f.write(md_report)
-        
+
         return "security-report.md"
-    
+
     def run_all_scans(self, include_container: bool = True) -> Dict[str, Tuple[bool, str]]:
         """Run all security scans."""
         print("Starting comprehensive security scan...")
-        
+
         # Core security scans
         self.results["Bandit"] = self.run_bandit()
         self.results["Safety"] = self.run_safety()
         self.results["SBOM Generation"] = self.generate_sbom()
-        
+
         # Container scans (optional)
         if include_container:
             self.results["Trivy"] = self.run_trivy()
             self.results["Hadolint"] = self.run_hadolint()
-        
+
         # Generate report
         report_file = self.generate_report()
         print(f"Security report generated: {report_file}")
-        
+
         return self.results
 
 
 def main():
     """Main entry point."""
     parser = argparse.ArgumentParser(description="Comprehensive security scanner")
-    parser.add_argument("--no-container", action="store_true",
-                       help="Skip container security scans")
-    parser.add_argument("--project-root", type=Path, default=Path.cwd(),
-                       help="Project root directory")
-    
+    parser.add_argument("--no-container", action="store_true", help="Skip container security scans")
+    parser.add_argument(
+        "--project-root", type=Path, default=Path.cwd(), help="Project root directory"
+    )
+
     args = parser.parse_args()
-    
+
     scanner = SecurityScanner(args.project_root)
     results = scanner.run_all_scans(include_container=not args.no_container)
-    
+
     # Print summary
-    print("\n" + "="*60)
+    print("\n" + "=" * 60)
     print("SECURITY SCAN SUMMARY")
-    print("="*60)
-    
+    print("=" * 60)
+
     all_passed = True
     for scan, (success, message) in results.items():
         status = "PASS" if success else "FAIL"
         print(f"{status}: {scan} - {message}")
         if not success:
             all_passed = False
-    
-    print("="*60)
+
+    print("=" * 60)
     if all_passed:
         print("All security scans completed successfully")
         sys.exit(0)